PROBLEM

When Azure AD is the SAML identify provider, the group attribute is missing from the user's SAML assertion.

Last Published: September 11, 2021

Description

When an Azure Active Directory (AD) based Security Assertion Markup Language (SAML) user logs in to ArcGIS Online or ArcGIS Enterprise and is a member of more than 150 groups, the user's group claim is missing from the SAML assertion.  As a result, that user is not added to any SAML-based enterprise groups in ArcGIS Online and/or ArcGIS Enterprise.

Cause

Azure AD limits the number of groups that can be sent in a SAML assertion response to 150.  For more information, please see the Microsoft article titled "Configure group claims for applications with Azure Active Directory ".

Solution or Workaround 

Note:
Due to an update to AzureAD in late 2020, this is no longer a viable workflow. The limit of 150 groups is now a hard maximum leading to renewed demands for ArcGIS Enterprise to support the Microsoft Graph API for organizations with expansive group structures. 

ENH-000142837: "Add support for retrieving SAML groups, when Azure AD is the SAML IDP and a user’s group membership exceeds 150." If you are affected by this limitation, please log a case with Esri Support Services and request to be added to this record.

Note: 
For performance and reliability, it is not recommended to send a large number of groups in the SAML assertion. A better alternative to using SAML-based enterprise groups is to use groups managed by ArcGIS Online or ArcGIS Enterprise.

With an Azure AD premium subscription, it is possible to  increase the number of groups sent in a SAML assertion response from 150 to 500 by following these steps:

  1. Login to Azure Active Directory using an administrator account.
  2. Open Enterprise Applications, click on your ArcGIS application in the list, and select the Single Sign On configuration.
  3. Click the edit icon next to User Attributes & Claims and then click on the claim that returns a user's group membership.
  4. On the Group Claims page, in the Advanced Options section, enable the option Allow more than 150 groups IDs to be sent in SAML Token

Article ID:000022190

Software:
  • ArcGIS Online
  • ArcGIS Server

Get help from ArcGIS experts

Contact technical support

Download the Esri Support App

Go to download options

Discover more on this topic

Esri Community

Search for related information

Training

Find training related to this topic

ArcGIS Ideas

Explore ideas and give feedback