Open hokuda opened 1 year ago
It's the same for OIDC and JWT Tokens: https://learn.microsoft.com/en-us/security/zero-trust/develop/configure-tokens-group-claims-app-roles#group-overages
We use an additional group claim and an attribute mapper to get the group memberships of Azure AD users and add them to the user object in Keycloak. Those group memberships are then used to grant permissions/rights in 'downstream' applications (clients that use Keycloak as IdP).
If a user is in a lot of groups (including nested groups), Microsoft doesn't add the groups to the JWT Token, but instead just an "overage" indicator and a link to Microsoft's Graph API. Now, the users don't get the groups added to their Keycloak account and in turn don't get any permissions in our downstream applications.
Reducing the number of groups isn't an option in all cases :/ We need a way to follow the Graph API link and retrieve the actual groups from there.
Description
As mentioned in [1], AzureAD returns a link to a service to get groups. (Please see the example of Attribute [2].) We need a feature to access the Groups Overage Indicator link and parse the response to get the actual groups in the SAML adapter.
[1] https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-saml-tokens
[2]
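As an added illustration (not Keycloak code and not part of the issue), the check below shows the decision a mapper has to make: a token that carries the documented overage indicator must be treated as "groups unknown, fetch them from the linked endpoint", never as "no groups", which is what silently strips the downstream permissions described above. The claim and attribute names are the ones Microsoft documents in the linked references; the tokens and the Graph URL are constructed samples.

```python
from typing import Optional

# Claim/attribute names Microsoft documents for the group overage case
# (see the links in the issue). Everything else below is constructed.
JWT_CLAIM_NAMES = "_claim_names"
JWT_CLAIM_SOURCES = "_claim_sources"
SAML_GROUPS_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
SAML_GROUPS_LINK_ATTR = "http://schemas.microsoft.com/claims/groups.link"


class GroupOverage(Exception):
    """Raised when the token points at Graph instead of listing groups."""

    def __init__(self, link: str):
        super().__init__(f"groups omitted from token; fetch them from {link}")
        self.link = link


def groups_from_jwt(claims: dict) -> list:
    """Return the inline groups, or raise GroupOverage with the Graph endpoint.

    Returning [] on overage is exactly the failure the issue describes: the
    user silently loses every group-based permission downstream.
    """
    source_key = claims.get(JWT_CLAIM_NAMES, {}).get("groups")
    if source_key is not None:
        source = claims.get(JWT_CLAIM_SOURCES, {}).get(source_key, {})
        raise GroupOverage(source.get("endpoint", "<endpoint missing>"))
    return list(claims.get("groups", []))


def groups_from_saml(attributes: dict) -> list:
    """Same decision for SAML attributes (attribute name -> list of values)."""
    link = attributes.get(SAML_GROUPS_LINK_ATTR)
    if link:
        raise GroupOverage(link[0])
    return list(attributes.get(SAML_GROUPS_ATTR, []))


def overage_link(extract, token) -> Optional[str]:
    """Convenience wrapper: the Graph link if the token is an overage, else None."""
    try:
        extract(token)
    except GroupOverage as exc:
        return exc.link
    return None


# Constructed sample tokens: one with groups inline, two signalling an overage.
GRAPH_LINK = "https://graph.example.invalid/users/u2/getMemberObjects"  # placeholder URL
JWT_INLINE = {"sub": "u1", "groups": ["g-readers", "g-admins"]}
JWT_OVERAGE = {"sub": "u2", JWT_CLAIM_NAMES: {"groups": "src1"},
               JWT_CLAIM_SOURCES: {"src1": {"endpoint": GRAPH_LINK}}}
SAML_OVERAGE = {SAML_GROUPS_LINK_ATTR: [GRAPH_LINK]}
```

The caller that catches `GroupOverage` is the place where the issue's requested feature (following the link and merging the fetched groups) would go; until that exists, propagating the exception keeps the mapping from succeeding with an empty group list.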