cloudfoundry / uaa

CloudFoundry User Account and Authentication (UAA) Server
Apache License 2.0

Does UAA support Graph endpoints (Microsoft Overage claims) #1082

Closed phi0x closed 1 year ago

phi0x commented 5 years ago

What version of UAA are you running?

Predix UAA (uses CloudFoundry UAA, not sure exact version, believe it's up to date.)

What did you do?

Set up Azure AD SAML as an IDP with our UAA. Set up group mappings so that seamless SSO capabilities would be enabled, so that users can log in and be auto-mapped to UAA groups based on their AD groups.

What did you expect to see? What goal are you trying to achieve with the UAA?

Users should seamlessly be able to sign in via their Azure AD SSO credentials regardless of how many AD groups they're a part of. Users who are a part of 150 or less groups can sign in and be auto mapped just fine.

What did you see instead?

Users that are a part of 150+ AD groups have their group claim information passed in the SAML token as a "graph endpoint", or as Microsoft likes to call this feature, an "overage claim". These users do not get auto-mapped: a shadow user profile is generated, but no groups are auto-mapped, because Microsoft does this "overage claim" graph endpoint conversion when it notices a user has 150+ AD groups.

See Microsoft posts: https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-saml-tokens

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims

https://azure.microsoft.com/it-it/resources/samples/active-directory-dotnet-webapp-groupclaims/

I'd like to know if graph endpoints are supported in UAA and if so, what needs to be done to enable support? I have tried adding the graph attribute to the IDP's config external_groups but that did not make it work.
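The behaviour described above (a normal groups claim versus an overage link) can be detected on the relying-party side. The following is an added example, not UAA code: it parses a constructed SAML AttributeStatement, applies an assumed external_groups-style mapping, and reports the mapping as incomplete instead of silently granting nothing when the overage link is present. The claim names are the ones Azure AD documents for its SAML tokens; the assertion XML and mapping table are constructed for the example.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
# Azure AD default group claim and the overage ("groups.link") claim it
# emits instead when the user is in more groups than fit in the token.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
OVERAGE_CLAIM = "http://schemas.microsoft.com/claims/groups.link"

# Constructed assumption: group object IDs -> UAA group names (external_groups).
EXTERNAL_GROUPS = {"11111111-aaaa": "uaa.admin", "22222222-bbbb": "app.viewer"}

def _assertion(attrs):
    """Build a minimal constructed assertion with the given attribute dict."""
    body = "".join(
        f'<Attribute Name="{n}">' + "".join(f"<AttributeValue>{v}</AttributeValue>" for v in vals)
        + "</Attribute>"
        for n, vals in attrs.items())
    return f'<Assertion xmlns="{SAML2}"><AttributeStatement>{body}</AttributeStatement></Assertion>'

NORMAL_ASSERTION = _assertion({GROUPS_CLAIM: ["11111111-aaaa", "22222222-bbbb", "33333333-cccc"]})
OVERAGE_ASSERTION = _assertion({OVERAGE_CLAIM: ["https://graph.example/users/u1/getMemberObjects"]})

def extract_group_claims(assertion_xml):
    """Return (group_ids, overage_link) from the assertion's AttributeStatement.
    Use a hardened XML parser in production; ET on trusted, signature-checked input here."""
    root = ET.fromstring(assertion_xml)
    groups, overage = [], None
    for attr in root.iter(f"{{{SAML2}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML2}}}AttributeValue")]
        if attr.get("Name") == GROUPS_CLAIM:
            groups.extend(values)
        elif attr.get("Name") == OVERAGE_CLAIM:
            overage = values[0] if values else ""
    return groups, overage

def map_to_uaa_groups(assertion_xml, external_groups=EXTERNAL_GROUPS):
    """Map IdP group IDs to UAA groups. On overage, no groups are mapped and the
    result is flagged incomplete so the caller can deny or escalate, not fail open."""
    groups, overage = extract_group_claims(assertion_xml)
    if overage is not None:
        return {"groups": [], "complete": False, "graph_link": overage}
    mapped = sorted({external_groups[g] for g in groups if g in external_groups})
    return {"groups": mapped, "complete": True, "graph_link": None}
```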

cf-gitbot commented 5 years ago

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/168080479

The labels on this github issue will be updated when the story is started.

phi0x commented 5 years ago

Our Predix UAA development team reviewed the issue internally as well. They noted UAA does not support graph endpoints as of yet. They don't have a timeline as to when they'll be able to implement the feature - I'm guessing they will wait till CloudFoundry UAA integrates it first.

Any updates on this on the Pivotal side? The Pivotal tracker shows the PM has reviewed the ticket but no update as to when this will be worked on. Update would be greatly appreciated - we are currently looking to use the 'AD roles' implementation method as a workaround and hoping that works.

phi0x commented 4 years ago

Any updates to this?

strehle commented 1 year ago

Hi, if you have commercial support for your CF, please ask there. This is the community UAA, where we can accept improvements (if you see a gap in UAA features) via PR, but we cannot really provide support.