What is the maximum number of Additional Claims that can be configured for the SSO setup in an Enterprise App?

Andrew Frazer 0 Reputation points
2024-11-26T20:27:47.5533333+00:00

When configuring an Enterprise application using SSO, is there a limit to the number of additional claims that can be made? I want to be able to set up conditional claims that will be emitted if a user is a member of a particular group (they will get membership of the group via PIM).

Owing to restrictions in the application (AWS Identity Center), I can't access the group attribute. And I want to be able to map these attributes to principal tags, to authorize actions. Because these are only single values, I need one for each access group that may be configured.

Is there a limit to the number of claims that can be configured? I've gone to 16 by hand, but I think I will need somewhere between 200 and perhaps 1000 eventually.

Tags: claims | Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Sandeep G-MSFT 20,921 Reputation points Microsoft Employee Moderator
    2024-11-27T12:00:38.6133333+00:00

    @Andrew Frazer

    Thank you for posting this in Microsoft Q&A.

    As I understand it, you want to know the maximum number of claims that can be configured in a token returned by Entra ID.

    Microsoft Entra ID limits the number of object IDs that it includes in the groups claim to stay within the size limit of the HTTP header. If a user is a member of more groups than the overage limit (150 for SAML tokens, 200 for JWT tokens), then Microsoft Entra ID doesn't emit the groups claim in the token. Instead, it includes an overage claim in the token that indicates to the application to query the Microsoft Graph API to retrieve the group membership of the user.

    Let me know if this answers your query.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

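The overage behaviour described in the answer above is something a relying party has to handle explicitly: when the groups claim is absent, the application must notice the overage indicator and fall back to Microsoft Graph rather than silently treating the user as a member of no groups (which is the failure mode that leads to wrong authorization decisions). The following is an added example, not code from the thread or from Microsoft; it builds constructed, unsigned test tokens purely to illustrate claim parsing, and it deliberately does not perform signature or issuer validation, which a real application must complete before trusting any claim. The claim names `groups`, `_claim_names`, `_claim_sources` and `hasgroups` are the documented overage indicators; the limit constants are the 150 (SAML) and 200 (JWT) values stated in the answer.

```python
import base64
import json

# Overage thresholds from the answer: above these, Entra ID omits the
# groups claim and emits an overage indicator instead.
SAML_GROUP_OVERAGE_LIMIT = 150
JWT_GROUP_OVERAGE_LIMIT = 200


def groups_claim_expected(member_count: int, token_type: str) -> bool:
    """True if a user with member_count groups should still get a groups claim."""
    limit = {"saml": SAML_GROUP_OVERAGE_LIMIT, "jwt": JWT_GROUP_OVERAGE_LIMIT}[token_type]
    return member_count <= limit


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_unsigned_token(claims: dict) -> str:
    """Constructed test token (header.payload.<empty signature>) for this example only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Extract the payload claims. No signature validation here (see lead-in)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def resolve_groups(claims: dict) -> dict:
    """Decide where group membership must come from.

    Returns a dict with 'source' in {'token', 'graph', 'none'} and the group
    IDs found in the token. 'graph' means the caller must query Microsoft
    Graph (e.g. the user's getMemberGroups action) before authorizing.
    """
    if "groups" in claims:
        return {"source": "token", "groups": list(claims["groups"])}
    # v1.0-style overage indicator: _claim_names maps 'groups' to a source key
    # whose endpoint is listed in _claim_sources. Modern apps should call
    # Microsoft Graph rather than the legacy endpoint carried in the token.
    claim_names = claims.get("_claim_names", {})
    if "groups" in claim_names:
        src = claim_names["groups"]
        endpoint = claims.get("_claim_sources", {}).get(src, {}).get("endpoint")
        return {"source": "graph", "groups": [], "endpoint": endpoint}
    # v2.0-style overage indicator used with implicit flow.
    if claims.get("hasgroups") is True:
        return {"source": "graph", "groups": [], "endpoint": None}
    # No groups and no overage marker: the user genuinely has no groups in scope.
    return {"source": "none", "groups": []}


if __name__ == "__main__":
    # Constructed sample tokens (not real Entra ID output).
    small = build_unsigned_token({"sub": "user-a", "groups": ["g1", "g2"]})
    overage = build_unsigned_token({
        "sub": "user-b",
        "_claim_names": {"groups": "src1"},
        "_claim_sources": {"src1": {"endpoint": "https://graph.example/placeholder"}},
    })
    for tok in (small, overage):
        print(resolve_groups(decode_claims(tok)))
```

The key design choice is that the absence of a `groups` claim is never interpreted as "no groups" until the overage markers have been checked; a tag-based authorization model like the one described in the question depends on that distinction.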
