Issue Description
With SAML-based single sign-on configured in Jamf Pro against Azure AD, some users who are members of the security group that grants Jamf Pro access receive:
"Access Denied
Contact your administrator to request access to the Jamf Pro server."
Understanding Group Claims and Tokens
When you request all groups in the token, you cannot rely on the groups claim actually being present. Azure AD caps the size of tokens and of the groups claim so that neither grows without bound. When a user belongs to more groups than the cap allows, the identity provider does not list the groups at all; it emits a groups.link "overage" claim that points at Microsoft Graph, and the application is expected to fetch the user's group membership from Graph itself. The limits for groups in a groups claim are:
200 groups for JSON Web Tokens (JWT).
150 groups for Security Assertion Markup Language (SAML) tokens.
Jamf Pro does not follow the groups.link reference, so a user over the limit arrives with no group values in the assertion, matches none of the Jamf Pro SAML groups, and is denied access even though the group membership is correct in Azure AD.
Example assertion entry found in the debug JAMFSoftwareServer.log after a failed attempt. Note the groups.link attribute: it is the overage claim, issued in place of the groups attribute (tenant, user and other values redacted):
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="" IssueInstant="" Version="2.0">
  <Issuer>https://sts.windows.net//</Issuer>
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"> </NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <SubjectConfirmationData InResponseTo="" NotOnOrAfter="" Recipient=""/>
    </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="" NotOnOrAfter="">
    <AudienceRestriction>
      <Audience>https://amgen.jamfcloud.com/saml/metadata</Audience>
    </AudienceRestriction>
  </Conditions>
  <AttributeStatement>
    <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
      <AttributeValue></AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
      <AttributeValue></AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
      <AttributeValue></AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.microsoft.com/claims/groups.link">
      <AttributeValue>https://graph.windows.net/ /users/ /getMemberObjects</AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
      <AttributeValue>https://sts.windows.net/ /</AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
      <AttributeValue>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AttributeValue>
      <AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/wids">
      <AttributeValue></AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <AttributeValue> </AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <AttributeValue> </AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <AttributeValue> </AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <AttributeValue> </AttributeValue>
    </Attribute>
  </AttributeStatement>
  <AuthnStatement AuthnInstant="" SessionIndex="">
    <AuthnContext>
      <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
    </AuthnContext>
  </AuthnStatement>
</Assertion>
A successful login should look like the following instead: the groups attribute is present and carries one AttributeValue per group object ID (the IDs are redacted here like the other values):
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="" IssueInstant="" Version="2.0">
  <Issuer>https://sts.windows.net//</Issuer>
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"> </NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <SubjectConfirmationData InResponseTo="" NotOnOrAfter="" Recipient=""/>
    </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="" NotOnOrAfter="">
    <AudienceRestriction>
      <Audience>https://amgen.jamfcloud.com/saml/metadata</Audience>
    </AudienceRestriction>
  </Conditions>
  <AttributeStatement>
    <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
      <AttributeValue></AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
      <AttributeValue></AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
      <AttributeValue></AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <AttributeValue></AttributeValue>
      <AttributeValue></AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
      <AttributeValue>https://sts.windows.net/ /</AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
      <AttributeValue>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AttributeValue>
      <AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/wids">
      <AttributeValue></AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <AttributeValue> </AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <AttributeValue> </AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <AttributeValue> </AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <AttributeValue> </AttributeValue>
    </Attribute>
  </AttributeStatement>
  <AuthnStatement AuthnInstant="" SessionIndex="">
    <AuthnContext>
      <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
    </AuthnContext>
  </AuthnStatement>
</Assertion>
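To triage this from the log without reading each assertion by hand, the following Python script is an added example, not Jamf Pro or Microsoft code. It pulls <Assertion> blocks out of log text, reports whether the AttributeStatement carries the groups claim or the groups.link overage claim, checks whether the group object ID that grants Jamf Pro access is actually listed, and applies the 150 (SAML) and 200 (JWT) limits to predict whether a user with a given group count will hit overage. The log-line format, the tenant, user and group GUIDs, and the two sample assertions are constructed placeholders, not captured data.

```python
"""Triage Azure AD group claims in SAML assertions logged by Jamf Pro.

Added example; not Jamf Pro or Microsoft code. Log text and all GUIDs are
constructed placeholders.
"""
import re
import xml.etree.ElementTree as ET

SAML_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GROUPS_LINK_CLAIM = "http://schemas.microsoft.com/claims/groups.link"

# Group-claim limits documented by Microsoft, per token type
GROUP_CLAIM_LIMITS = {"saml": 150, "jwt": 200}

# Matches an un-prefixed <Assertion> block as it appears in the debug log
ASSERTION_RE = re.compile(r"<Assertion\b.*?</Assertion>", re.S)


def extract_assertions(log_text):
    """Return every <Assertion>...</Assertion> block found in a log dump."""
    return ASSERTION_RE.findall(log_text)


def claims(assertion_xml):
    """Map each Attribute Name in the AttributeStatement to its list of values."""
    # Use defusedxml.ElementTree instead if the XML does not come from your own log
    root = ET.fromstring(assertion_xml)
    result = {}
    for attr in root.iter(SAML_NS + "Attribute"):
        values = [(v.text or "").strip() for v in attr.findall(SAML_NS + "AttributeValue")]
        result.setdefault(attr.get("Name"), []).extend(values)
    return result


def classify_groups(assertion_xml):
    """Return ("overage", [graph link]), ("groups", [object ids]) or ("none", [])."""
    c = claims(assertion_xml)
    if GROUPS_LINK_CLAIM in c:
        # Azure AD replaced the group list with a Graph link. Jamf Pro does not
        # follow it, so no SAML group matches and the user gets "Access Denied".
        return "overage", c[GROUPS_LINK_CLAIM]
    if GROUPS_CLAIM in c:
        return "groups", c[GROUPS_CLAIM]
    return "none", []


def has_group(assertion_xml, group_object_id):
    """True only when the groups claim itself lists the given group object ID."""
    kind, values = classify_groups(assertion_xml)
    return kind == "groups" and group_object_id in values


def will_overflow(group_count, token_type="saml"):
    """True when a user with this many groups would receive an overage claim."""
    return group_count > GROUP_CLAIM_LIMITS[token_type]


def build_assertion(group_attribute_xml):
    # Constructed minimal assertion in the shape Azure AD emits; IDs are placeholders
    return (
        '<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" '
        'IssueInstant="2024-01-01T00:00:00Z" Version="2.0">'
        "<Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</Issuer>"
        "<AttributeStatement>"
        '<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">'
        "<AttributeValue>user@example.com</AttributeValue></Attribute>"
        + group_attribute_xml +
        "</AttributeStatement></Assertion>"
    )


TENANT = "00000000-0000-0000-0000-000000000000"   # placeholder tenant ID
USER = "11111111-1111-1111-1111-111111111111"     # placeholder user object ID
JAMF_ADMINS_GROUP = "22222222-2222-2222-2222-222222222222"  # placeholder group ID

# Failed login: the overage claim carries a Graph link instead of group IDs
OVERAGE_ASSERTION = build_assertion(
    f'<Attribute Name="{GROUPS_LINK_CLAIM}"><AttributeValue>'
    f"https://graph.windows.net/{TENANT}/users/{USER}/getMemberObjects"
    "</AttributeValue></Attribute>"
)

# Working login: the groups claim lists one AttributeValue per group object ID
GOOD_ASSERTION = build_assertion(
    f'<Attribute Name="{GROUPS_CLAIM}">'
    f"<AttributeValue>{JAMF_ADMINS_GROUP}</AttributeValue>"
    "<AttributeValue>33333333-3333-3333-3333-333333333333</AttributeValue>"
    "</Attribute>"
)

# Constructed debug-log excerpt (invented logger names) wrapping one assertion
SAMPLE_LOG = (
    "2024-01-01 00:00:00,000 [DEBUG] [SamlResponseHandler] Received assertion:\n"
    + OVERAGE_ASSERTION + "\n"
    "2024-01-01 00:00:00,010 [WARN ] [SamlAccess] Access denied for user@example.com\n"
)


if __name__ == "__main__":
    for block in extract_assertions(SAMPLE_LOG):
        kind, values = classify_groups(block)
        print(f"log assertion: {kind} -> {values}")
        print("Jamf admins group present:", has_group(block, JAMF_ADMINS_GROUP))
    print("working assertion:", classify_groups(GOOD_ASSERTION))
    print("260 groups in a SAML token overflow:", will_overflow(260, "saml"))
```

Feed it the whole JAMFSoftwareServer.log: an assertion classified as "overage" for a user who is in the right group explains the "Access Denied" without any Jamf Pro misconfiguration, while "groups" with the expected object ID absent points at the group assignment instead.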
Avoiding Group Overage Claims
One way to avoid hitting the group overage limit is to emit only the groups the application needs: on the Edit groups claim screen of the Jamf Pro enterprise application in Azure AD, select Groups assigned to the application instead of All groups. Azure AD then lists only the groups that are assigned to that application under Users and groups, so the claim stays well under 150 values regardless of how many other groups the user belongs to. The security group that grants Jamf Pro access must therefore be assigned to the enterprise application, or it will not appear in the claim at all.