MS Entra AD: SAML Group Attribute Renaming due to Limitation

Article ID: 277995

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Some or all users are not assigned the correct role based on the Cloud SWG SP role mappings when authenticating through Azure AD SAML.

Closer examination of the SAML assertion in the POST request to the Cloud SWG SP shows that the groups attribute has been renamed to groups.link.

Environment

Cloud Secure Web Gateway

Microsoft Entra IdP (Azure)

Cause

The issue arises from an Azure AD limit on the number of group objects that can be included in the groups claim.

If a user is a member of more than 150 groups, Azure AD omits the groups claim from the SAML assertion.

Instead, it substitutes the groups attribute (typically named http://schemas.microsoft.com/claims/groups) with a groups.link attribute (http://schemas.microsoft.com/claims/groups.link), which contains a link back to https://graph.windows.net/<IdentityProviderID>/users/<UserObjectID>/getMemberObjects.

Because the group list itself is omitted from the assertion, the role mapping on the Cloud SWG platform cannot be evaluated for the user to whom the assertion applies.
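The quickest way to confirm the condition described above is to inspect the assertion itself. The following is an added diagnostic example, not code from this article or from Microsoft: a short Python script that parses a SAML 2.0 assertion (or the base64-encoded SAMLResponse form field that carries it in the HTTP-POST binding) and reports whether the groups claim is present or has been replaced by the groups.link overage claim. The claim names are the Azure AD defaults named in the Cause section; the two sample assertions and their tenant, user and group IDs are constructed placeholders, and the script performs no signature validation.

```python
"""Added example (not Broadcom's or Microsoft's code): classify a SAML 2.0
assertion as carrying a normal groups claim, the Azure AD groups.link
overage claim, or neither.

Assumptions (constructed for this example): default Azure AD claim names,
fabricated assertions with placeholder IDs, and no signature validation.
"""
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS_CLAIM = "http://schemas.microsoft.com/claims/groups"
GROUPS_LINK_CLAIM = "http://schemas.microsoft.com/claims/groups.link"

# Constructed sample: overage case, groups claim replaced by groups.link.
OVERAGE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_placeholder-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/claims/groups.link">
      <saml:AttributeValue>https://graph.windows.net/00000000-0000-0000-0000-000000000000/users/11111111-1111-1111-1111-111111111111/getMemberObjects</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample: normal case, group object IDs listed directly.
NORMAL_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_placeholder-2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/claims/groups">
      <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
      <saml:AttributeValue>33333333-3333-3333-3333-333333333333</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def decode_post_parameter(saml_response_b64: str) -> str:
    """Decode the base64 SAMLResponse form field of an HTTP-POST binding."""
    return base64.b64decode(saml_response_b64).decode("utf-8")


def parse_attributes(saml_xml: str) -> dict:
    """Return {claim name: [values]} for every Attribute in the document.

    The './/' search is relative to the root, so this works on a bare
    Assertion as well as on a full samlp:Response that wraps one.
    """
    root = ET.fromstring(saml_xml)
    attributes = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name")
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attributes.setdefault(name, []).extend(values)
    return attributes


def check_group_claim(saml_xml: str) -> tuple:
    """Classify the assertion as ('groups', ids), ('groups.link', urls) or ('missing', []).

    'groups.link' is the condition that breaks SP-side group-to-role mapping:
    the SP receives only a Graph URL, never the group object IDs.
    """
    attributes = parse_attributes(saml_xml)
    if GROUPS_CLAIM in attributes:
        return ("groups", attributes[GROUPS_CLAIM])
    if GROUPS_LINK_CLAIM in attributes:
        return ("groups.link", attributes[GROUPS_LINK_CLAIM])
    return ("missing", [])


if __name__ == "__main__":
    for label, xml in (("normal", NORMAL_ASSERTION), ("overage", OVERAGE_ASSERTION)):
        kind, values = check_group_claim(xml)
        print(f"{label}: {kind} -> {values}")
```

To use it on a real login, capture the SAMLResponse form field from the browser's developer tools for an affected user, pass it through decode_post_parameter and then check_group_claim; a groups.link result confirms the overage behaviour described above, while a groups result with the expected object IDs points the investigation at the SP-side mapping instead.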

Resolution

Microsoft has provided three options:

  1. Limit the group membership of each Azure AD user connecting to fewer than 150 groups.

  2. Implement Azure Application Roles instead of Azure AD groups for authorization: Configure the role claim

  3. Use the Azure group filtering options in the Enterprise Web Security Service app you created.
    1. Under Users and groups, add the security groups that you want to give access to the Enterprise Web Security Service app.
    2. Go to Single sign-on.
    3. Click Edit under Attributes & Claims.
    4. Click the first group claim that was created automatically, usually user.groups [SecurityGroup].
    5. Change "Security groups" to "Groups assigned to the application".

      Reference: Configure group claims for applications by using Microsoft Entra ID

Since this limitation is enforced by the Identity Provider (IdP), it is recommended to contact Azure AD Support to explore other options, such as disabling the group summarization or implementing filtering to limit the number of groups passed in the SAML assertion.

Additional Information

Using Application Roles

Configure the role claim

Configure group claims for applications by using Microsoft Entra ID

Azure Active Directory, now with Group Claims and Application Roles