- Feature Request
- Resolution: Unresolved
- Normal
- None
- 2.5
- False
- False
When Azure AD is used as an authentication source, the number of group object IDs placed in the groups claim is capped so that the token does not exceed HTTP header size limits. If a user is a member of more groups than the overage limit (150 for SAML tokens, 200 for JWT tokens), the groups claim is omitted from the token altogether. In its place the token carries an overage claim, which tells the application to query the Microsoft Graph API to retrieve the user's group membership.
https://learn.microsoft.com/en-us/entra/identity-platform/reference-saml-tokens
This is what the payload looks like:

{
  ...
  "_claim_names": {
    "groups": "src1"
  },
  "_claim_sources": {
    "src1": {
      "endpoint": "[Url to get this user's group membership from]"
    }
  }
  ...
}
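To illustrate how an application would handle the overage case described above, here is an added example (not code from this issue or the project): it inspects decoded token claims, returns inline groups when present, detects the `_claim_names`/`_claim_sources` overage indirection, and refuses to follow an endpoint that is not on an assumed allow-list of Microsoft Graph hosts. The sample payloads and the trusted-host set are constructed for the example.

```python
import json
from urllib.parse import urlparse

# Constructed sample token payloads (not real tokens): one below the overage
# limit with inline groups, one where the issuer replaced groups with an
# overage claim pointing at Microsoft Graph.
SMALL_PAYLOAD = json.dumps({
    "sub": "user-a",
    "groups": ["11111111-1111-1111-1111-111111111111",
               "22222222-2222-2222-2222-222222222222"],
})
OVERAGE_PAYLOAD = json.dumps({
    "sub": "user-b",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {
        "src1": {"endpoint": "https://graph.microsoft.com/v1.0/users/user-b/getMemberObjects"}
    },
})

# Assumption for this example: the application only follows overage
# endpoints hosted on Microsoft Graph, never an arbitrary URL from the token.
TRUSTED_GRAPH_HOSTS = {"graph.microsoft.com"}


def resolve_groups(payload_json):
    """Return ("inline", [group ids]) when the token carries groups directly,
    ("overage", endpoint) when the issuer emitted an overage claim that must
    be resolved against Microsoft Graph, or ("none", None) when neither
    is present. Raises ValueError on a malformed or untrusted overage claim."""
    claims = json.loads(payload_json)
    if "groups" in claims:
        return "inline", list(claims["groups"])
    source_name = claims.get("_claim_names", {}).get("groups")
    if source_name is None:
        return "none", None
    source = claims.get("_claim_sources", {}).get(source_name, {})
    endpoint = source.get("endpoint")
    if not endpoint:
        raise ValueError("overage claim names a source with no endpoint")
    parsed = urlparse(endpoint)
    if parsed.scheme != "https" or parsed.hostname not in TRUSTED_GRAPH_HOSTS:
        raise ValueError("refusing overage endpoint on untrusted host: %s" % endpoint)
    return "overage", endpoint
```

The actual Graph call is left to the caller, which should make it with its own credentials rather than trusting anything else in the token.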