What is the maximum number of Additional Claims that can be configured for the SSO setup in an Enteprise App.

Question

When configuring an Enterprise application using SSO, is there a limit to the number of additional claims that can be made? I want to be able to setup conditional claims, that will be emittedd if a user is a member of a particular group. ( they will get membership of the group via PIM ).

Owing to restrictions in the Application, ( AWS Indentity Center ) I can't access the the group attribute. And i want to be able to map these attributes to principal tags, to authorize actions. becuase these are only single values, i need one for access group that may be configured.

Is there a limit to the number of claims that can be configured? I've gone to 16 by hand, but i think i will need somewhere between 200 and perhaps 1000 eventually.

claims

Answer 1

@Andrew Frazer

Thank you for posting this in Microsoft Q&A.

As I understand you want to know how many maximum number of claims that can be configured in token returned by Entra ID.

Microsoft Entra ID limits the number of object IDs that it includes in the groups claim to stay within the size limit of the HTTP header. If a user is a member of more groups than the overage limit (150 for SAML tokens, 200 for JWT tokens), then Microsoft Entra ID doesn't emit the groups claim in the token. Instead, it includes an overage claim in the token that indicates to the application to query the Microsoft Graph API to retrieve the group membership of the user.

Let me know if this answers your query.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.