Docs update required for Azure AD SAML Enterprise App Auth using Dex

[kmanchik]

Summary

What change do you think needs making?

• Update below lines in the documentation as highlighted

• Add group claim | Which groups: Groups assigned to the application| Source attribute: Group ID | Customize: True | Name: Group | Namespace: | Emit groups as role claims: False

What is the issue?

• Unable to do Argo SSO

<Attribute Name="http://schemas.microsoft.com/claims/groups.link">

<AttributeValue>

https://graph.windows.net/48d6943f-580e-40b1-a0e1-c07fa3707873/users/ba9b7081-e2a8-4427-9cdc-92afd7099833/getMemberObjects

</AttributeValue>

</Attribute>

• level=error msg="Failed to authenticate: no attribute with name \"Group\":

Why the change is required?

• The number of user groups that Azure Active Directory adds to a SAML token is limited to 150. If this limit is exceeded, a link to the Graph API endpoint is returned instead of a group list

Helpful documents:

• https://community.dynatrace.com/t5/Dynatrace-Open-Q-A/Dynatrace-SAAS-SSO-with-Microsoft-Azure-using-claims-groups-link/td-p/127385

[Jellyfrog]

If I make this change (from "All Groups") I just get the following error;

Failed to authenticate: no attribute with name "Group": [http://schemas.microsoft.com/identity/claims/tenantid http://schemas.microsoft.com/identity/claims/objectidentifier http://schemas.microsoft.com/identity/claims/displayname http://schemas.microsoft.com/identity/claims/identityprovider http://schemas.microsoft.com/claims/authnmethodsreferences http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name email]

[Jellyfrog]

...But It might be because we got the "free" Azure AD, that doesnt support groups in applications

[JohnLBevan]

...But It might be because we got the "free" Azure AD, that doesnt support groups in applications

What do your AAD App's SSO/SAML settings look like? Do you have user.groups mapped?

Also, how many AAD groups are you in? Documentation implies that this issue kicks in at 150 groups (if you're in AD-AAD Hybrid, not sure how the synced AD groups/any nesting there impacts this number).. But it looks like you can get a count by visiting Graph Explorer and running Groups > all groups I belong to (direct or indirect membership) with count (uri: https://graph.microsoft.com/v1.0/me/transitiveMemberOf/microsoft.graph.group?$count=true) then checking the count attribute.

[andrewhibbert]

I have also needed to change the group claim from "All Groups" to "Groups assigned to the application" to get this to work