keycloak / keycloak

Open Source Identity and Access Management For Modern Applications and Services
https://www.keycloak.org
Apache License 2.0

Support Groups Overage Indicator of AzureAD SAML implementation #16689

Open hokuda opened 1 year ago

hokuda commented 1 year ago

Description

As mentioned in [1], AzureAD returns a link to a service to get groups. (Please see the example of Attribute [2]) We need a feature to access Groups Overage Indicator link and parse a response to get actual groups in SAML adapter.

[1] https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-saml-tokens

[2]

    <Attribute Name="http://schemas.microsoft.com/claims/groups.link">
        <AttributeValue>
            https://graph.windows.net/{tenantID}/users/{userID}/getMemberObjects
        </AttributeValue>
    </Attribute>

Discussion

No response

Motivation

No response

Details

No response

MiGrandjean commented 9 months ago

It's the same for OIDC and JWT Tokens: https://learn.microsoft.com/en-us/security/zero-trust/develop/configure-tokens-group-claims-app-roles#group-overages

We use an additional group claim and an attribute mapper to get the group memberships of Azure AD users and add them to the user object in Keycloak. Those group memberships are then used to grant permissions/rights in 'downstream' applications (clients that use Keycloak as IdP).

If a user is in a lot of groups (including nested groups), Microsoft doesn't add the groups to the JWT token, but instead just an "overage" indicator and a link to Microsoft's Graph API. Now the users don't get the groups added to their Keycloak account and in turn don't get any permissions in our downstream applications.

Reducing the number of groups isn't an option in all cases :/ We need a way to follow the Graph API link and retrieve the actual groups from there.
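The following is an added example, not code from this issue or from Keycloak, sketching what the requested feature has to do for both cases raised in the thread: pull the `groups.link` attribute out of a SAML assertion (opening post) or the `_claim_names`/`_claim_sources` overage claims out of a JWT payload (comment above), then follow the link to collect the real group IDs. The sample assertion, claim set and Graph replies are constructed; the `@odata.nextLink` paging, the allow-listed Graph hosts and the `fetch` callback are assumptions about how an adapter would wire this up, and the bearer token the adapter needs for Graph is deliberately left outside the logic.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Attribute name Azure AD uses for the overage link (quoted in the issue above).
GROUPS_LINK_ATTR = "http://schemas.microsoft.com/claims/groups.link"
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: only these Graph hosts may be contacted. The link arrives inside
# a signed token, but a misconfigured or compromised IdP must not be able to
# turn the adapter into an SSRF client, so it is checked before every fetch.
ALLOWED_HOSTS = {"graph.windows.net", "graph.microsoft.com"}

# Constructed sample data (not from the issue): a SAML assertion carrying the
# overage link, the equivalent JWT claim set, and two Graph pages.
TENANT = "11111111-2222-3333-4444-555555555555"
USER = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
LINK = f"https://graph.windows.net/{TENANT}/users/{USER}/getMemberObjects"
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="{GROUPS_LINK_ATTR}">
      <saml:AttributeValue>
        {LINK}
      </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
SAMPLE_JWT_CLAIMS = {
    "sub": "abc", "tid": TENANT, "oid": USER,
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": LINK}},
}
SAMPLE_GRAPH = {
    LINK: {"value": ["g-0001", "g-0002"], "@odata.nextLink": LINK + "?$skiptoken=p2"},
    LINK + "?$skiptoken=p2": {"value": ["g-0003"]},
}


def fake_fetch(url: str) -> dict:
    """Offline stand-in for an authenticated call to Graph (assumed interface)."""
    return SAMPLE_GRAPH[url]


def saml_overage_link(assertion_xml: str):
    """Return the groups.link URL from a SAML assertion, or None when the
    groups were delivered inline (no overage)."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name", "").strip() == GROUPS_LINK_ATTR:
            value = attr.find("saml:AttributeValue", SAML_NS)
            if value is not None and value.text and value.text.strip():
                return value.text.strip()
    return None


def jwt_overage_link(claims: dict):
    """Return the Graph endpoint named by the _claim_names/_claim_sources
    overage claims of a signature-verified Azure AD JWT payload, or None."""
    src = (claims.get("_claim_names") or {}).get("groups")
    if src is None:
        return None
    return ((claims.get("_claim_sources") or {}).get(src) or {}).get("endpoint")


def check_link(url: str) -> str:
    """Reject anything that is not an https URL on an allow-listed Graph host."""
    p = urlparse(url)
    if p.scheme != "https" or p.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"refusing to follow overage link {url!r}")
    return url


def resolve_groups(link: str, fetch, max_pages: int = 50) -> set:
    """Follow a vetted overage link, paging through @odata.nextLink, and return
    the set of group object IDs. fetch(url) -> dict is injected so the HTTP
    client and its bearer token live outside this logic."""
    groups, url = set(), check_link(link)
    for _ in range(max_pages):
        page = fetch(url)
        groups.update(page.get("value", []))
        url = page.get("@odata.nextLink")
        if not url:
            return groups
        check_link(url)  # nextLink is also IdP/Graph-supplied data; re-check it
    raise RuntimeError(f"gave up after {max_pages} pages")


def groups_for_token(saml_xml=None, jwt_claims=None, fetch=fake_fetch) -> set:
    """What an adapter would call after token validation: prefer inline groups,
    fall back to resolving the overage link, else no groups."""
    if jwt_claims is not None and "groups" in jwt_claims:
        return set(jwt_claims["groups"])
    link = saml_overage_link(saml_xml) if saml_xml else jwt_overage_link(jwt_claims or {})
    return resolve_groups(link, fetch) if link else set()


if __name__ == "__main__":
    print(sorted(groups_for_token(saml_xml=SAMPLE_ASSERTION)))
    print(sorted(groups_for_token(jwt_claims=SAMPLE_JWT_CLAIMS)))
```

In a real adapter `fetch` would issue the `getMemberObjects` request with the adapter's own Graph credentials (the user's token is not usable for this), and the returned object IDs still need mapping to Keycloak groups or roles; both are outside what the thread describes, so they are left as injection points here.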