Issues with setting up SSO

Jordan Hart 0 Reputation points
2024-09-12T14:18:25.44+00:00

TWO PARTS:

We're having an issue with our SSO enterprise application in the Attributes & Claims section. Any additional attributes we create and scope to a specific group, are incorrectly showing the groups when editing. We're having issues getting our Stripe SSO to correctly provision other user roles and are assuming this may have something to do with it.

For example, I have an accounting group in Azure that should be given "read only" access within Stripe. The claim is set up so that if the user exists within "External - Accounting", it will assign "read-only" to these users. Unfortunately, when I go to check the groups -- it's showing the incorrect group being assigned (see screenshot). On the right, you can see the correct group, but from the dropdown it has "Accounting" selected, and no other group can be clicked. This is also occurring with a separate claim as well.


The second issue is that the claims do not seem to be working as expected. We have a claim for "members" to be provisioned in Stripe as "admins", and "guests" (who belong to the External - Accounting group) to be provisioned as "view_only". All of the users in the External Accounting group are still being added as Stripe admins despite the claim for guests.

Tags: Microsoft Security, Microsoft Entra, Microsoft Entra ID

1 answer

James Hamil 27,211 Reputation points Microsoft Employee Moderator
2024-09-25T23:15:38.29+00:00

Hi @Jordan Hart, how large is your organization? In larger organizations, the number of groups a user is a member of might exceed the limit that Microsoft Entra ID will add to a token. Exceeding this limit can lead to unpredictable results:

"The number of groups emitted in a token is limited to 150 for SAML assertions and 200 for JWT, including nested groups. In larger organizations, the number of groups where a user is a member might exceed the limit that Microsoft Entra ID will add to a token. Exceeding a limit can lead to unpredictable results. For workarounds to these limits, read more in Important caveats for this functionality."

https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-group-claims
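The following is an added example, not code from the question, the answer, or Microsoft: a small Python model of the two claim conditions described in the question (members become "admin", guests in "External - Accounting" become "view_only") combined with the 150-group SAML limit quoted in the answer. It lets an administrator check, for a list of users, which of them carry more groups than a SAML assertion can hold and what role the claim would fall back to when a group-based condition cannot be evaluated. The users, group names and domains are constructed; the assumptions are that a user over the limit gets no evaluable group list at all, that the last matching condition wins, and that the claim has a configurable default value.

```python
from dataclasses import dataclass, field

# From the documentation quoted in the answer: a SAML assertion carries at
# most 150 groups (JWT: 200), nested groups included.
SAML_GROUP_LIMIT = 150


@dataclass
class User:
    upn: str
    user_type: str                      # "Member" or "Guest"
    groups: set = field(default_factory=set)


# Claim conditions in the order they are listed, mirroring the question:
# (user_type, required_group or None, emitted role value). Constructed.
ROLE_CONDITIONS = [
    ("Member", None, "admin"),
    ("Guest", "External - Accounting", "view_only"),
]


def emitted_groups(user):
    """Model of the group-claim limit (assumption): a user in more groups than
    fit in a SAML assertion gets no group list, so group conditions are not
    evaluable. Returned as None to distinguish 'unknown' from 'no groups'."""
    if len(user.groups) > SAML_GROUP_LIMIT:
        return None
    return set(user.groups)


def evaluate_role(user, default_role="admin"):
    """Evaluate the role claim for one user. `default_role` is the value the
    claim emits when no condition matches; the question's symptom (everyone
    becomes an admin) is what a fail-open default of "admin" produces."""
    groups = emitted_groups(user)
    role = default_role
    for user_type, required_group, value in ROLE_CONDITIONS:
        if user.user_type != user_type:
            continue
        if required_group is not None and (groups is None or required_group not in groups):
            continue
        role = value                    # assumption: last matching condition wins
    return role


def overage_report(users):
    """(upn, group count) for every user whose groups exceed the SAML limit."""
    return [(u.upn, len(u.groups)) for u in users if len(u.groups) > SAML_GROUP_LIMIT]


def sample_users():
    # Constructed directory: one member, one small guest, one guest who is
    # also in 150 project groups and therefore carries 151 groups in total.
    many = {f"project-{i}" for i in range(SAML_GROUP_LIMIT)}
    return [
        User("alice@contoso.example", "Member", {"Finance"}),
        User("bob@partner.example", "Guest", {"External - Accounting"}),
        User("carol@partner.example", "Guest", many | {"External - Accounting"}),
    ]


if __name__ == "__main__":
    users = sample_users()
    for u in users:
        print(f"{u.upn:28} groups={len(u.groups):3} "
              f"role(default=admin)={evaluate_role(u):9} "
              f"role(default=view_only)={evaluate_role(u, 'view_only')}")
    for upn, n in overage_report(users):
        print(f"WARNING: {upn} is in {n} groups, above the SAML limit of {SAML_GROUP_LIMIT}; "
              f"group-based claim conditions cannot be relied on for this user")
```

Run as-is: bob gets `view_only`, while carol, whose membership list does not fit in the assertion, falls through to the default and gets `admin`, which is exactly the symptom in the question. The same run with `default_role="view_only"` shows the least-privilege alternative: a user the conditions cannot classify gets the weakest role, and the overage report tells you who to trim or restrict with a group filter before trusting the claim again.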

