clegaspi / saml_reader

A tool to parse and verify SAML response data for MongoDB Cloud.
MIT License

Check for graph link for Azure AD #62

Open clegaspi opened 2 years ago

clegaspi commented 2 years ago

Azure AD can refuse to send memberOf if the number of groups exceeds 150. See this article: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims. It includes an attribute named http://schemas.microsoft.com/claims/groups.link if this substitution is made. We should check for this and report on it.

clegaspi commented 2 years ago

Until #8 can be fleshed out with heuristic data, we can just add a test to check for this field name.
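One way to implement the check the thread proposes, as an added example rather than code from the saml_reader project: parse the assertion's AttributeStatement, look for the http://schemas.microsoft.com/claims/groups.link attribute name from the Microsoft article linked above, and report the substitution. The group claim name memberOf, the function names, the placeholder Graph URL and the two sample responses are assumptions constructed for this example; real tenants configure their own claim names and Azure AD supplies the real link value.

```python
"""Detect the Azure AD group-overage substitution in a SAML Response.

Added example, not saml_reader's own code. Assumptions: the group claim
is named "memberOf" (deployments vary), and the sample responses plus
the link URL below are constructed for illustration only.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
# Attribute name Azure AD emits instead of the group claim on overage
# (from the Microsoft docs referenced in the issue).
GROUPS_LINK = "http://schemas.microsoft.com/claims/groups.link"
DEFAULT_GROUP_ATTR = "memberOf"  # assumed group claim name


def read_attributes(response_xml: str) -> dict:
    """Collect every saml:Attribute in the response as {Name: [values]}."""
    root = ET.fromstring(response_xml)
    attrs: dict = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name")
        if name is None:
            continue
        values = [(v.text or "").strip()
                  for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        attrs.setdefault(name, []).extend(values)
    return attrs


def check_group_overage(response_xml: str,
                        group_attr: str = DEFAULT_GROUP_ATTR) -> dict:
    """Report whether the IdP replaced the group claim with a Graph link."""
    attrs = read_attributes(response_xml)
    links = attrs.get(GROUPS_LINK, [])
    groups = attrs.get(group_attr, [])
    result = {
        "overage": bool(links),
        "graph_link": links[0] if links else None,
        "group_count": len(groups),
    }
    if links:
        result["message"] = (
            f"{GROUPS_LINK} present: the IdP omitted the group claim "
            f"(group overage); {len(groups)} '{group_attr}' value(s) received."
        )
    elif not groups:
        result["message"] = f"No '{group_attr}' values and no overage link."
    else:
        result["message"] = f"{len(groups)} '{group_attr}' value(s) received."
    return result


def _response(attribute_xml: str) -> str:
    """Wrap attribute XML in a minimal, constructed Response/Assertion."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:AttributeStatement>{attribute_xml}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


# Constructed sample: user in two groups, claim delivered normally.
NORMAL_RESPONSE = _response(
    '<saml:Attribute Name="memberOf">'
    '<saml:AttributeValue>mongodb-admins</saml:AttributeValue>'
    '<saml:AttributeValue>mongodb-readers</saml:AttributeValue>'
    '</saml:Attribute>'
)

# Constructed sample: group overage, the claim is replaced by a link.
OVERAGE_LINK = "https://graph.example/users/alice/getMemberObjects"  # placeholder
OVERAGE_RESPONSE = _response(
    f'<saml:Attribute Name="{GROUPS_LINK}">'
    f'<saml:AttributeValue>{OVERAGE_LINK}</saml:AttributeValue>'
    '</saml:Attribute>'
)

if __name__ == "__main__":
    for label, xml in (("normal", NORMAL_RESPONSE), ("overage", OVERAGE_RESPONSE)):
        print(label, check_group_overage(xml)["message"])
```

Two caveats for anyone adapting this: the check only inspects attribute names, so it should run after the response signature has been verified, not as a substitute for that; and a tool that accepts responses from arbitrary IdPs should parse with defusedxml rather than the standard-library parser used here for brevity.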