After successful login with SAML in Azure AD, Groups and permissions are not properly set.

Issue

  • Usually I can work without problems in Jenkins, but suddenly, after I have successfully logged in to Jenkins via Azure AD, the error "<user> is missing the Overall/Read permission" appears in the UI.
  • We have migrated our IdP to Azure AD, but for some users, after a successful login to Jenkins, the error "<user> is missing the Overall/Read permission" appears in the UI.

Environment

Resolution

There is no resolution for this issue. As described in the official Azure AD documentation, once the hard limit of 150 Groups assigned to a user is reached, Azure AD no longer includes the complete list of Groups in the SAML Response; instead it provides a link to Microsoft Graph from which the Groups can be retrieved.

This behaviour is outside the scope of the SAML 2.0 specification, so the CloudBees CI SAML plugin does not consume the Graph link that lists the Groups assigned to the user, as described in this issue. The plugin therefore sees no Groups for that user, and the user ends up without the permissions those Groups would have granted.

Workaround

Review your Group assignment process to reduce the number of Groups per user, for example by combining several Groups into one with equivalent permissions, or by splitting a controller that hosts several jobs into multiple controllers…
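The following diagnostic is an added example, not code from the CloudBees article or the SAML plugin. It parses a captured Azure AD SAML Response and reports whether the Groups were delivered inline or replaced by the Graph overage link described above, and how much headroom a user has under the 150-Group limit, which is what you want to know before reworking Group assignments. The claim names are assumptions: the groups claim name is configurable in the Azure AD enterprise application, and the overage link name is the one Microsoft documents for SAML tokens; verify both against your tenant. The sample responses are constructed and unsigned, and the Graph URL in them is a placeholder.

```python
# Added diagnostic example (not from the CloudBees article): classify an
# Azure AD SAML Response as "groups delivered inline" or "group overage".
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Assumed claim names: the groups claim is configurable per enterprise
# application; the overage link claim is the name Microsoft documents for
# SAML tokens. Check both against your tenant before relying on them.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
OVERAGE_CLAIM = "http://schemas.microsoft.com/claims/groups.link"
AZURE_GROUP_LIMIT = 150  # hard limit quoted in the article


def attribute_values(response_xml, claim_name):
    """Return the text of every AttributeValue under the named SAML Attribute."""
    # Diagnostic only: a production consumer must validate the assertion's
    # Signature before trusting any attribute it carries.
    root = ET.fromstring(response_xml)
    values = []
    for attribute in root.iter("{%s}Attribute" % SAML_NS):
        if attribute.get("Name") != claim_name:
            continue
        for value in attribute.findall("{%s}AttributeValue" % SAML_NS):
            values.append((value.text or "").strip())
    return values


def diagnose(response_xml):
    """Report group count, whether the overage link replaced the groups, and headroom."""
    groups = attribute_values(response_xml, GROUPS_CLAIM)
    links = attribute_values(response_xml, OVERAGE_CLAIM)
    overage = bool(links)
    if overage:
        verdict = ("overage: Azure AD omitted the groups claim and sent a Graph link; "
                   "the SAML plugin sees no groups, so the user lands without Overall/Read")
    else:
        verdict = "ok: %d groups delivered inline, %d below the limit" % (
            len(groups), AZURE_GROUP_LIMIT - len(groups))
    return {
        "group_count": len(groups),
        "overage": overage,
        "graph_link": links[0] if links else None,
        "headroom": None if overage else AZURE_GROUP_LIMIT - len(groups),
        "verdict": verdict,
    }


def _response(attribute_xml):
    # Constructed, minimal, unsigned Response wrapping one AttributeStatement.
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s">'
        "<saml:Assertion><saml:AttributeStatement>%s"
        "</saml:AttributeStatement></saml:Assertion></samlp:Response>"
    ) % (SAMLP_NS, SAML_NS, attribute_xml)


# Constructed sample: three group object IDs delivered inline.
NORMAL_RESPONSE = _response(
    '<saml:Attribute Name="%s">' % GROUPS_CLAIM
    + "".join("<saml:AttributeValue>00000000-0000-0000-0000-00000000000%d"
              "</saml:AttributeValue>" % i for i in range(1, 4))
    + "</saml:Attribute>"
)

# Constructed sample: no groups claim, only the overage link (placeholder URL).
PLACEHOLDER_GRAPH_URL = "https://graph.example.invalid/users/placeholder-object-id/getMemberObjects"
OVERAGE_RESPONSE = _response(
    '<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>'
    % (OVERAGE_CLAIM, PLACEHOLDER_GRAPH_URL)
)

if __name__ == "__main__":
    for label, sample in (("normal", NORMAL_RESPONSE), ("overage", OVERAGE_RESPONSE)):
        print(label, diagnose(sample)["verdict"])
```

Run it against a SAML Response captured from the browser (for example with the SAML tracer extension) for an affected user: an "overage" verdict confirms the article's cause rather than a misconfigured attribute mapping, and the headroom value for unaffected users shows how aggressively Group assignments need to be trimmed.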
