gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Azure AD login fails for users in many (150+) groups #21795

Open oshati opened 1 year ago

oshati commented 1 year ago

Expected behavior:

SSO user should be able to login successful regardless of the number of groups they are members of.

Current behavior:

SSO user logins are failing with the below error:

"Failed to calculate user attributes."
"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tNo roles mapped from claims. 
The mappings may contain typos."

This issue is faced only by users who are part of more than 150 AD groups. Hence, the issue is fixable after getting the users removed from a few of the SSO groups, which isn't sustainable as user access is built around this.

Further research shows a specific limitation on Microsoft Azure AD for only 150 groups to be sent as values in the attribute of SAML response.

Per the doc at: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims

Azure Active Directory limits the number of groups it will emit in a token to 150 for SAML assertions, and 200 for JWT. If a user is a member of a larger number of groups, the groups are omitted and a link to the Graph endpoint to obtain group information is included instead.

Is there any workaround to fix this? Or perhaps a need for a possible improvement on the Teleport side?

Per the same doc, when this limit is hit, the SAML response from Azure will include a reference to the Microsoft Graph group API endpoint that will include the full list of group membership beyond the 150 limit.

Applications can call the Microsoft Graph group's endpoint to obtain group information for the authenticated user. This call ensures that all the groups where a user is a member are available, even when a large number of groups is involved. Group enumeration is then independent of limitations on token size.

Bug details:

➜  ~ tsh version               
Teleport v10.0.1 git:v10.0.1-0-gac7323277 go1.18.3
Proxy version: 10.2.2
teleport version
Teleport Enterprise v10.2.2 git:v10.2.2-0-gdd70f8a02 go1.18.6

Feb 06 05:11:38 ip-10-208-105-83.ec2.internal /usr/local/bin/teleport[28985]: 2023-02-06T05:11:38Z INFO [AUDIT] user.login attributes:map[http://schemas.microsoft.com/claims/authnmethodsreferences: [http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/x509 http://schemas.microsoft.com/claims/multipleauthn] http://schemas.microsoft.com/claims/groups.link:[https://graph.windows.net/8a791446-xxxx-41af-be7d-470e2f985275/users/610b1389-1129-xxxx-937e-05ae9a6f7ff9/getMemberObjects] http://schemas.microsoft.com/identity/claims/displayname:[test-user] http://schemas.microsoft.com/identity/claims/identityprovider:[https://sts.windows.net/xxxxxxxx-3f74-41af-be7d-470e2f985275/] http://schemas.microsoft.com/identity/claims/objectidentifier:[610b1389-xxxx-421e-937e-x9] xxxxhttp://schemas.microsoft.com/identity/claims/tenantid:[8a791446-3f74-41af-be7d-xxxxxxx] http://schemas.microsoft.com/ws/2008/06/identity/claims/wids:[xxxxx-3ef9-4689-8143-xxxxxx] http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress:[test-user@example.com] http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname:[test] http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name:[test-user@example.com] http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname:[test] username:[test-user]] cluster_name:teleport.example.com code:T1001W ei:0 error:[No roles mapped from claims. The mappings may contain typos.] 
event:user.login message:"Failed to calculate user attributes.\n\tFailed to calculate user attributes.\n\t\tFailed to calculate user attributes.\n\t\t\tFailed to calculate user attributes.\n\t\t\t\tFailed to calculate user attributes.\n\t\t\t\t\tFailed to calculate user attributes.\n\t\t\t\t\t\tFailed to calculate user attributes.\n\t\t\t\t\t\t\tFailed to calculate user attributes.\n\t\t\t\t\t\t\t\tFailed to calculate user attributes.\n\t\t\t\t\t\t\t\t\tFailed to calculate user attributes.\n\t\t\t\t\t\t\t\t\t\tFailed to calculate user attributes.\n\t\t\t\t\t\t\t\t\t\t\tFailed to calculate user attributes.\n\t\t\t\t\t\t\t\t\t\t\t\tFailed to calculate user attributes.\n\t\t\t\t\t\t\t\t\t\t\t\t\tFailed to calculate user attributes.\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tFailed to calculate user attributes.\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tFailed to calculate user attributes.\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tFailed to calculate user attributes.\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tFailed to calculate user attributes.\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tFailed to calculate user attributes.\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tFailed to calculate user attributes.\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tFailed to calculate user attributes.\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tFailed to calculate user attributesNo roles mapped from claims. The mappings may contain typos." method:saml success:false time:2023-02-06T05:11:38.472Z uid:a58xxxxc-933c-xxxxx events/emitter.go:263
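The audit log above shows the shape of the problem: the assertion carries a `groups.link` attribute and no `groups` attribute, and the login then dies with the generic "No roles mapped from claims". The following Go program, added here as an illustration and not part of Teleport's code, parses a SAML AttributeStatement and classifies it as a normal case, a group-overage case, or a missing-claim case, so an operator can tell the Azure limit apart from a connector typo. The two XML fragments are constructed samples (the tenant and user ids are placeholders), the groups claim name is the standard Azure `.../ws/2008/06/identity/claims/groups` name, and `Verdict`, `GroupClaims` and the function names are this example's own.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Claim names as they appear in the issue's audit log and in the Azure AD docs.
const (
	GroupsClaim     = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
	GroupsLinkClaim = "http://schemas.microsoft.com/claims/groups.link"
)

// SampleOverageStatement is a constructed AttributeStatement (not a real
// capture) in the shape Azure AD emits once the 150-group limit is exceeded:
// the groups attribute is gone and a groups.link attribute points at Graph.
const SampleOverageStatement = `<AttributeStatement xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Attribute Name="http://schemas.microsoft.com/claims/groups.link">
    <AttributeValue>https://graph.windows.net/TENANT-ID-PLACEHOLDER/users/USER-ID-PLACEHOLDER/getMemberObjects</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <AttributeValue>test-user@example.com</AttributeValue>
  </Attribute>
</AttributeStatement>`

// SampleNormalStatement is the constructed non-overage case: two group values.
const SampleNormalStatement = `<AttributeStatement xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
    <AttributeValue>11111111-1111-1111-1111-111111111111</AttributeValue>
    <AttributeValue>22222222-2222-2222-2222-222222222222</AttributeValue>
  </Attribute>
</AttributeStatement>`

// attributeStatement is the minimal XML shape we need; SAML 2.0 spells the
// attribute name as "Name" (the forum fragment above uses lowercase "name").
type attributeStatement struct {
	Attributes []struct {
		Name   string   `xml:"Name,attr"`
		Values []string `xml:"AttributeValue"`
	} `xml:"Attribute"`
}

// GroupClaims is what the check extracts from the assertion.
type GroupClaims struct {
	Groups      []string // values of the groups claim, if Azure emitted them
	OverageLink string   // Graph URL from groups.link, if Azure omitted the groups
}

// ParseGroupClaims pulls the group-related attributes out of a SAML
// AttributeStatement. It does not validate the assertion signature; that must
// happen before any claim value is trusted.
func ParseGroupClaims(statementXML string) (GroupClaims, error) {
	var st attributeStatement
	if err := xml.Unmarshal([]byte(statementXML), &st); err != nil {
		return GroupClaims{}, fmt.Errorf("parse AttributeStatement: %w", err)
	}
	var gc GroupClaims
	for _, a := range st.Attributes {
		switch a.Name {
		case GroupsClaim:
			gc.Groups = append(gc.Groups, a.Values...)
		case GroupsLinkClaim:
			if len(a.Values) > 0 {
				gc.OverageLink = a.Values[0]
			}
		}
	}
	return gc, nil
}

// Verdict classifies the assertion so the login failure can be explained
// precisely instead of as a generic "No roles mapped from claims".
type Verdict string

const (
	VerdictGroupsPresent Verdict = "groups-present"
	VerdictGroupOverage  Verdict = "group-overage"  // Azure sent groups.link instead of groups
	VerdictNoGroupClaim  Verdict = "no-group-claim" // neither attribute: check the connector config
)

// Diagnose decides which of the three cases the parsed claims represent.
func Diagnose(gc GroupClaims) Verdict {
	switch {
	case gc.OverageLink != "" && len(gc.Groups) == 0:
		return VerdictGroupOverage
	case len(gc.Groups) > 0:
		return VerdictGroupsPresent
	default:
		return VerdictNoGroupClaim
	}
}

func main() {
	for name, s := range map[string]string{"overage": SampleOverageStatement, "normal": SampleNormalStatement} {
		gc, err := ParseGroupClaims(s)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%s: %d groups, link=%q, verdict=%s\n", name, len(gc.Groups), gc.OverageLink, Diagnose(gc))
	}
}
```

A service provider that wants to do more than diagnose would, on `VerdictGroupOverage`, need an authenticated Graph call to the linked endpoint to fetch the full membership, which is the extra request zmb3 describes below; the overage link itself should be treated as data, not followed blindly from an unverified assertion.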

zmb3 commented 1 year ago

@nklaassen can login rules be used to work around this?

nklaassen commented 1 year ago

@nklaassen can login rules be used to work around this?

@zmb3 I don't think so, it sounds like a limitation in Azure before we even get the response

zmb3 commented 1 year ago

Ah, right. So we'd have to make some updates to fetch the full set of group memberships in a separate request.

At that point, you might still need login rules because we'd probably exceed some limit for what we can encode in a cert.

programmerq commented 1 year ago

@zmb3 / @nklaassen - I just edited the description to include info about the behavior where Azure will include a link to the Microsoft Graph group API when there are more than 150 groups. It looks like Azure will send that link in lieu of any groups.

<Attribute name="http://schemas.microsoft.com/claims/groups.link">
        <AttributeValue>https://graph.windows.net/.......</AttributeValue>
</Attribute>

(Found on a forum post discussing the same limitation in another context here)

programmerq commented 1 year ago

After speaking to our devs, they pointed out that OIDC as a protocol supports workflows in protocol. It would be worth investigating Azure's OIDC support to see if that is not affected by the same limit that their SAML implementation has.

zmb3 commented 1 year ago

Microsoft also provides some other suggestions:

pschisa commented 3 weeks ago

+1 seeing > 200 groups failing

tunguyen9889 commented 3 weeks ago

This happens not only in Teleport, but also for other applications that use Azure AD SSO. Our current working solution is creating the Azure groups with a naming convention, then creating a group filter based on that. Example:

Screenshot 2024-06-27 at 09 40 25
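To make the naming-convention workaround concrete, here is an added Go simulation (not Teleport's or Azure's code) of what the comment above describes: a user in far more than 150 groups, an Azure-side "starts with" group filter on a `teleport-` prefix, a check against the 150-group SAML cap quoted from the Microsoft doc earlier in the thread, and a group-to-role lookup standing in for the connector's attribute-to-role mapping. The membership list, the prefix, the role table and all function names are constructed for the example; the model assumes, as the commenter relies on, that Azure applies the filter before deciding whether to emit the groups or the `groups.link` overage claim.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// AzureSAMLGroupLimit is the cap quoted from the Microsoft doc in the issue.
const AzureSAMLGroupLimit = 150

// ConstructedMembership builds a fictitious user who is in 203 groups; only
// the last three follow the "teleport-" naming convention.
func ConstructedMembership() []string {
	groups := make([]string, 0, 203)
	for i := 0; i < 200; i++ {
		groups = append(groups, fmt.Sprintf("app-%03d-readers", i))
	}
	return append(groups, "teleport-access", "teleport-auditor", "teleport-editor")
}

// FilterByPrefix models the "starts with" group filter configured on the Azure
// side: only groups whose display name carries the agreed prefix are emitted.
func FilterByPrefix(groups []string, prefix string) []string {
	var kept []string
	for _, g := range groups {
		if strings.HasPrefix(g, prefix) {
			kept = append(kept, g)
		}
	}
	return kept
}

// WithinSAMLLimit reports whether Azure would emit the group values themselves
// (true) or replace them with a groups.link overage claim (false).
func WithinSAMLLimit(groups []string) bool {
	return len(groups) <= AzureSAMLGroupLimit
}

// ErrNoRolesMapped mirrors the failure reported in the issue.
var ErrNoRolesMapped = errors.New("no roles mapped from claims")

// RoleTable is the constructed group-to-roles mapping for the convention groups.
var RoleTable = map[string][]string{
	"teleport-access":  {"access"},
	"teleport-auditor": {"auditor"},
	"teleport-editor":  {"editor", "access"},
}

// MapGroupsToRoles applies the table to the emitted groups and returns the
// sorted, de-duplicated roles; with no match it fails the way the login does.
func MapGroupsToRoles(groups []string, table map[string][]string) ([]string, error) {
	set := map[string]struct{}{}
	for _, g := range groups {
		for _, r := range table[g] {
			set[r] = struct{}{}
		}
	}
	if len(set) == 0 {
		return nil, ErrNoRolesMapped
	}
	roles := make([]string, 0, len(set))
	for r := range set {
		roles = append(roles, r)
	}
	sort.Strings(roles)
	return roles, nil
}

func main() {
	all := ConstructedMembership()
	fmt.Printf("unfiltered: %d groups, within SAML limit: %v\n", len(all), WithinSAMLLimit(all))
	kept := FilterByPrefix(all, "teleport-")
	fmt.Printf("filtered:   %d groups, within SAML limit: %v\n", len(kept), WithinSAMLLimit(kept))
	roles, err := MapGroupsToRoles(kept, RoleTable)
	fmt.Println("roles:", roles, "err:", err)
}
```

The filter is also a least-privilege win in its own right: the relying party only ever sees the groups that were created for it, rather than the user's whole directory footprint.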