azure-active-directory, cloudfoundry-uaa

Does CloudFoundry UAA support graph endpoints for group claim information?


We use CloudFoundry UAA as our applications' authentication system. We use Microsoft Azure AD as the Identity Provider.

We've run across an issue where users with over 150 AD groups stop getting their groups passed in the SAML token, due to Microsoft having a 150 AD group limitation in Azure. (We're also ensuring we only send SecurityGroups in the claims info.) Microsoft converts the group claims to a graph endpoint in the SAML token if a user has over 150 AD groups. Microsoft's term for this is "overage claim". Our UAA does not appear to know how to handle graph endpoints or "overage claims".

Does UAA support SAML graph endpoints for group claims information? We use this to auto-map users from their AD groups to our UAA groups, and it's critical to get this working. For now we manually add our UAA groups to our users' shadow profiles as a workaround.

I cannot find information on whether UAA supports this and how to enable it.


Solution

  • As of the date of this response, UAA does not support graph endpoints. Pivotal has now entered the feature into their tracker. No ETA on delivery.

    For a workaround solution you can use AD roles. As noted in this guide: https://joonasw.net/view/using-groups-vs-using-app-roles-in-azure-ad-apps

    tracker reference: https://www.pivotaltracker.com/n/projects/997278/stories/168080479

    GitHub issue: https://github.com/cloudfoundry/uaa/issues/1082
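To make the distinction between the two token shapes concrete, here is an added example (not part of the question, the answer, or UAA's own code) that parses a SAML assertion and tells an inline group list apart from the overage case. The claim names are the ones Azure AD documents for SAML tokens: the group object IDs arrive in the `.../claims/groups` attribute, and when the 150-group limit is exceeded that attribute is replaced by `http://schemas.microsoft.com/claims/groups.link`, whose value is a Graph URL rather than any group IDs. The app-role claim (`.../claims/role`) is emitted either way, which is why the answer's role-based workaround keeps working in overage. The assertion bodies, GUIDs, Graph URL, and the group/role-to-UAA mapping tables are constructed for illustration, and the parser assumes the assertion has already been signature-checked upstream.

```python
"""Inline groups vs. Azure AD overage claim in a SAML assertion (added example)."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Azure AD claim names as documented by Microsoft for SAML tokens.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GROUPS_LINK_CLAIM = "http://schemas.microsoft.com/claims/groups.link"  # the overage claim
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed sample data: fake group object IDs and a fake Graph link.
GROUP_READERS = "11111111-1111-1111-1111-111111111111"
GROUP_DEPLOYERS = "22222222-2222-2222-2222-222222222222"
GRAPH_LINK = "https://graph.windows.net/example-tenant/users/user-object-id/getMemberObjects"

# Constructed mapping tables (what an SP would keep instead of shadow-profile edits).
GROUP_MAP = {GROUP_READERS: "app.read", GROUP_DEPLOYERS: "app.deploy"}
ROLE_MAP = {"Reader": "app.read", "Deployer": "app.deploy"}


def _attr(name, *values):
    # Test helper: build one <saml:Attribute> with its values.
    return ('<saml:Attribute Name="%s">' % name
            + "".join("<saml:AttributeValue>%s</saml:AttributeValue>" % v for v in values)
            + "</saml:Attribute>")


def _assertion(attributes):
    # Test helper: wrap attributes in a minimal (unsigned, constructed) assertion.
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            "<saml:AttributeStatement>" + attributes + "</saml:AttributeStatement>"
            "</saml:Assertion>")


# Under 150 groups: the group IDs are in the token.
INLINE_ASSERTION = _assertion(
    _attr(GROUPS_CLAIM, GROUP_READERS, GROUP_DEPLOYERS) + _attr(ROLE_CLAIM, "Reader"))

# Over 150 groups: no group IDs at all, only a groups.link pointing at Graph.
OVERAGE_ASSERTION = _assertion(
    _attr(GROUPS_LINK_CLAIM, GRAPH_LINK) + _attr(ROLE_CLAIM, "Reader", "Deployer"))


def attribute_values(assertion_xml):
    """Return {claim name: [values]} from the AttributeStatement.

    Caveat: only call this on an assertion whose XML signature, audience and
    validity window have already been verified (and prefer defusedxml in a real
    SP); otherwise a client can present any group list it likes.
    """
    root = ET.fromstring(assertion_xml)
    values = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        vals = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]
        values.setdefault(attr.get("Name"), []).extend(vals)
    return values


def classify_group_claims(assertion_xml):
    """Report whether groups are inline or were replaced by the overage claim."""
    attrs = attribute_values(assertion_xml)
    roles = attrs.get(ROLE_CLAIM, [])
    if GROUPS_LINK_CLAIM in attrs:
        # Azure AD swapped the group list for a Graph endpoint URL.
        return {"mode": "overage", "groups": [], "graph_link": attrs[GROUPS_LINK_CLAIM][0],
                "roles": roles}
    return {"mode": "inline", "groups": attrs.get(GROUPS_CLAIM, []), "graph_link": None,
            "roles": roles}


def resolve_uaa_groups(assertion_xml, group_map, role_map):
    """Map token claims to UAA group names.

    Returns (sorted UAA groups, needs_graph_lookup). In overage mode the token
    carries no group IDs, so only app roles can be mapped from the token itself;
    the caller is told a Graph lookup would be needed to recover the rest.
    """
    info = classify_group_claims(assertion_xml)
    uaa = {role_map[r] for r in info["roles"] if r in role_map}
    if info["mode"] == "inline":
        uaa.update(group_map[g] for g in info["groups"] if g in group_map)
        return sorted(uaa), False
    return sorted(uaa), True


if __name__ == "__main__":
    for label, token in (("inline", INLINE_ASSERTION), ("overage", OVERAGE_ASSERTION)):
        print(label, classify_group_claims(token), resolve_uaa_groups(token, GROUP_MAP, ROLE_MAP))
```

The useful check for the situation in the question is the presence of the `groups.link` attribute: if it shows up, the SP will never see group IDs in that token no matter how the attribute mapping is configured, and only the role claim (or a separate Graph call with its own credentials) can supply membership.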