Some or all users are not assigned the correct role based on the Cloud SWG SP mappings when authenticating through Azure AD's SAML.
On closer examination of the SAML assertion XML in the POST request to the Cloud SWG SP, it becomes evident that the groups attribute has been replaced by a groups.link attribute.
Cloud Secure Web Gateway
Microsoft Entra IdP (Azure)
The issue arises from Azure AD's limit on the number of objects it will include in the groups claim.
If a user is a member of more than 150 groups, Azure AD omits the groups claim from the SAML assertion.
Instead, it substitutes the groups attribute (typically named http://schemas.microsoft.com/claims/groups) with a groups.link attribute (http://schemas.microsoft.com/claims/groups.link), which contains a link back to https://graph.windows.net/<IdentityProviderID>/users/<UserObjectID>/getMemberObjects.
Because the group memberships themselves are no longer present in the assertion, the role mapping on the Cloud SWG platform cannot match for the user to whom the assertion applies.
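The following is an added diagnostic script, not part of the original article and not Cloud SWG or Microsoft code. It parses a SAML 2.0 assertion and reports whether the groups claim is present or has been replaced by the groups.link overage claim described above, so an administrator can confirm the cause from a captured assertion before opening a case. The two embedded assertions, the tenant ID, user object ID and group IDs are constructed placeholders.

```python
"""Check a SAML 2.0 assertion for the Azure AD / Entra ID group-overage claim.

Added example: parses the assertion's AttributeStatement and reports whether
the groups claim is present, or whether it has been replaced by groups.link
(the URL pointing back to the Graph getMemberObjects endpoint).
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS_CLAIM = "http://schemas.microsoft.com/claims/groups"
GROUPS_LINK_CLAIM = "http://schemas.microsoft.com/claims/groups.link"


def extract_attributes(assertion_xml: str) -> Dict[str, List[str]]:
    """Return {attribute name: [values]} for every Attribute in the assertion."""
    root = ET.fromstring(assertion_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[name] = values
    return attrs


def check_group_overage(assertion_xml: str) -> Dict[str, object]:
    """Classify the assertion as 'ok', 'overage' or 'missing' groups.

    'overage' means the groups claim is absent and groups.link is present,
    which is exactly the condition that breaks role mapping on the SP side.
    """
    attrs = extract_attributes(assertion_xml)
    groups = attrs.get(GROUPS_CLAIM, [])
    links = attrs.get(GROUPS_LINK_CLAIM, [])
    if groups:
        return {"status": "ok", "groups": groups, "link": None}
    if links:
        return {"status": "overage", "groups": [], "link": links[0]}
    return {"status": "missing", "groups": [], "link": None}


def _assertion(attribute_xml: str) -> str:
    """Wrap an AttributeStatement body in a minimal (constructed) assertion."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        "<saml:AttributeStatement>" + attribute_xml + "</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


# Constructed sample: a user under the limit, groups claim carries group IDs.
SAMPLE_OK = _assertion(
    '<saml:Attribute Name="http://schemas.microsoft.com/claims/groups">'
    "<saml:AttributeValue>group-guid-a</saml:AttributeValue>"
    "<saml:AttributeValue>group-guid-b</saml:AttributeValue>"
    "</saml:Attribute>"
)

# Constructed sample: a user over the limit, groups claim replaced by groups.link.
SAMPLE_OVERAGE = _assertion(
    '<saml:Attribute Name="http://schemas.microsoft.com/claims/groups.link">'
    "<saml:AttributeValue>https://graph.windows.net/TENANT-ID-PLACEHOLDER/"
    "users/USER-OBJECT-ID-PLACEHOLDER/getMemberObjects</saml:AttributeValue>"
    "</saml:Attribute>"
)


if __name__ == "__main__":
    for label, sample in (("under limit", SAMPLE_OK), ("over limit", SAMPLE_OVERAGE)):
        print(label, "->", check_group_overage(sample))
```

To use it on a real capture, base64-decode the SAMLResponse form field from the browser's POST to the Cloud SWG SP and pass the resulting XML (or just the Assertion element) to check_group_overage; a result of "overage" confirms the groups.link substitution is the reason role mapping fails for that user.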
Microsoft has provided 3 options:
Since this limitation is enforced by the Identity Provider (IdP), it is recommended to contact Azure AD Support to explore options for disabling group summarization, or to implement group filtering so that fewer groups are passed in the SAML assertion.