Open oshati opened 1 year ago
@nklaassen can login rules be used to work around this?
@zmb3 I don't think so, it sounds like a limitation in Azure before we even get the response
Ah, right. So we'd have to make some updates to fetch the full set of group memberships in a separate request.
At that point, you might still need login rules because we'd probably exceed some limit for what we can encode in a cert.
@zmb3 / @nklaassen - I just edited the description to include info about the behavior where azure will include a link to the Microsoft Graph group API when there are more than 150 groups. It looks like azure will send that link in lieu of any groups.
```xml
<Attribute name="http://schemas.microsoft.com/claims/groups.link">
<AttributeValue>https://graph.windows.net/.......</AttributeValue>
</Attribute>
```
(Found on a forum post discussing the same limitation in another context here)
After speaking to our devs, they pointed out that OIDC as a protocol supports workflows in protocol. It would be worth investigating Azure's oidc support to see if that is not affected by the same limit that their SAML implementation has.
Microsoft also provides some other suggestions:
+1 seeing > 200 groups failing
This happens not only in Teleport, but also for other applications which use Azure AD SSO. Our current working solution is creating the Azure groups with a naming convention, then creating a group filter based on that. Example:
Expected behavior:
SSO user should be able to login successful regardless of the number of groups they are members of.
Current behavior:
SSO user logins are failing with the below error:
This issue is faced only by users who are part of more than 150 AD groups. Hence, the issue is fixable by getting the users removed from a few of the SSO groups, which isn't sustainable as user access is built around this.
Further research shows a specific limitation on Microsoft Azure AD for only 150 groups to be sent as values in the attribute of SAML response.
Per the doc at: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims
Is there any workaround to fix this? Or perhaps there is a need for a possible improvement on the Teleport side?
Per the same doc, when this limit is hit, the SAML response from Azure will include a reference to the Microsoft Graph group API endpoint that will include the full list of group membership beyond the 150 limit.
Bug details:
```
Feb 06 05:11:38 ip-10-208-105-83.ec2.internal /usr/local/bin/teleport[28985]: 2023-02-06T05:11:38Z INFO [AUDIT] user.login attributes:map[http://schemas.microsoft.com/claims/authnmethodsreferences: [http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/x509 http://schemas.microsoft.com/claims/multipleauthn] http://schemas.microsoft.com/claims/groups.link:[https://graph.windows.net/8a791446-xxxx-41af-be7d-470e2f985275/users/610b1389-1129-xxxx-937e-05ae9a6f7ff9/getMemberObjects] http://schemas.microsoft.com/identity/claims/displayname:[test-user] http://schemas.microsoft.com/identity/claims/identityprovider:[https://sts.windows.net/xxxxxxxx-3f74-41af-be7d-470e2f985275/] http://schemas.microsoft.com/identity/claims/objectidentifier:[610b1389-xxxx-421e-937e-x9] xxxxhttp://schemas.microsoft.com/identity/claims/tenantid:[8a791446-3f74-41af-be7d-xxxxxxx] http://schemas.microsoft.com/ws/2008/06/identity/claims/wids:[xxxxx-3ef9-4689-8143-xxxxxx] http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress:[test-user@example.com] http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname:[test] http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name:[test-user@example.com] http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname:[test] username:[test-user]] cluster_name:teleport.example.com code:T1001W ei:0 error:[No roles mapped from claims. The mappings may contain typos.] 
event:user.login message:"Failed to calculate user attributes.\n\tFailed to calculate user attributes.\n\t\tFailed to calculate user attributes.\n\t\t\tFailed to calculate user attributes.\n\t\t\t\tFailed to calculate user attributes.\n\t\t\t\t\tFailed to calculate user attributes.\n\t\t\t\t\t\tFailed to calculate user attributes.\n\t\t\t\t\t\t\tFailed to calculate user attributes.\n\t\t\t\t\t\t\t\tFailed to calculate user attributes.\n\t\t\t\t\t\t\t\t\tFailed to calculate user attributes.\n\t\t\t\t\t\t\t\t\t\tFailed to calculate user attributes.\n\t\t\t\t\t\t\t\t\t\t\tFailed to calculate user attributes.\n\t\t\t\t\t\t\t\t\t\t\t\tFailed to calculate user attributes.\n\t\t\t\t\t\t\t\t\t\t\t\t\tFailed to calculate user attributes.\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tFailed to calculate user attributes.\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tFailed to calculate user attributes.\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tFailed to calculate user attributes.\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tFailed to calculate user attributes.\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tFailed to calculate user attributes.\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tFailed to calculate user attributes.\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tFailed to calculate user attributes.\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tFailed to calculate user attributesNo roles mapped from claims. The mappings may contain typos." method:saml success:false time:2023-02-06T05:11:38.472Z uid:a58xxxxc-933c-xxxxx events/emitter.go:263
```
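The two behaviours discussed in this thread, the `groups.link` overage claim that Azure AD sends in place of the groups claim, and the naming-convention-plus-filter workaround, can both be handled on the service-provider side. Below is an added example (not Teleport code, and not from any participant in this issue) in Go: it parses a SAML 2.0 AttributeStatement with `encoding/xml`, fails closed with an explicit error when the `groups.link` claim is present so the overage is logged as such rather than surfacing as "No roles mapped from claims", and otherwise keeps only the groups matching a configured name prefix. The two attribute statements, the `teleport-` prefix and the Graph URL are constructed sample data; the example assumes the IdP is configured to emit group names rather than object IDs in the groups claim.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Azure AD claim names quoted in the issue.
const (
	groupsClaim     = "http://schemas.microsoft.com/claims/groups"
	groupsLinkClaim = "http://schemas.microsoft.com/claims/groups.link"
)

// ErrGroupOverage is returned when the IdP replaced the groups claim with a
// groups.link reference, i.e. the user is over the 150-group SAML limit.
var ErrGroupOverage = errors.New("saml: groups claim replaced by groups.link (group overage); memberships must be fetched separately")

// attributeStatement is the minimal shape of a SAML 2.0 AttributeStatement
// needed to read claims. Namespaces are deliberately not matched so the same
// struct handles both prefixed and default-namespace assertions.
type attributeStatement struct {
	Attributes []struct {
		Name   string   `xml:"Name,attr"`
		Values []string `xml:"AttributeValue"`
	} `xml:"Attribute"`
}

// extractGroups parses the statement and returns the sorted group values that
// carry the given naming prefix (the convention-plus-filter workaround from the
// thread). It fails closed with ErrGroupOverage whenever groups.link is
// present, so an overage is reported explicitly instead of as an empty role set.
func extractGroups(statement, prefix string) ([]string, error) {
	var st attributeStatement
	if err := xml.Unmarshal([]byte(statement), &st); err != nil {
		return nil, fmt.Errorf("saml: parsing AttributeStatement: %w", err)
	}
	var groups []string
	for _, a := range st.Attributes {
		switch a.Name {
		case groupsLinkClaim:
			return nil, ErrGroupOverage
		case groupsClaim:
			for _, v := range a.Values {
				v = strings.TrimSpace(v)
				if strings.HasPrefix(v, prefix) {
					groups = append(groups, v)
				}
			}
		}
	}
	sort.Strings(groups)
	return groups, nil
}

// Constructed sample: a user under the limit, groups claim emitted as names.
const normalSample = `<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="http://schemas.microsoft.com/claims/groups">
    <saml:AttributeValue>teleport-admins</saml:AttributeValue>
    <saml:AttributeValue>finance-readers</saml:AttributeValue>
    <saml:AttributeValue>teleport-dev</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
    <saml:AttributeValue>test-user@example.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>`

// Constructed sample: the same user over the limit; the IdP sends groups.link
// (placeholder Graph URL) and no groups claim at all.
const overageSample = `<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="http://schemas.microsoft.com/claims/groups.link">
    <saml:AttributeValue>https://graph.windows.net/TENANT-ID/users/USER-ID/getMemberObjects</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>`

func main() {
	for _, s := range []string{normalSample, overageSample} {
		groups, err := extractGroups(s, "teleport-")
		switch {
		case errors.Is(err, ErrGroupOverage):
			fmt.Println("refusing to map roles:", err)
		case err != nil:
			fmt.Println("error:", err)
		default:
			fmt.Println("groups for role mapping:", groups)
		}
	}
}
```

Distinguishing the overage case from a genuine mapping miss matters operationally: the audit event in the issue reports the failure as a possible typo in the role mappings, while the actual cause is visible in the attributes as a `groups.link` claim, which this check turns into a dedicated error that can be alerted on.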