Issue
- Usually I can work without problems in Jenkins, but suddenly, after I have successfully logged in to Jenkins via Microsoft Entra ID (formerly Azure AD), the following error appears in the UI: "user is missing the Overall/Read permission".
- We have migrated our IdP to Microsoft Entra ID (formerly Azure AD), but for some users, after a successful login to Jenkins, the following error appears in the UI: "user is missing the Overall/Read permission".
Environment
- CloudBees CI (CloudBees Core) on modern cloud platforms - Managed controller
- CloudBees CI (CloudBees Core) on modern cloud platforms - Operations Center
- CloudBees CI (CloudBees Core) on traditional platforms - Client controller
- CloudBees CI (CloudBees Core) on traditional platforms - Operations Center
Resolution
There is no resolution for this issue in CloudBees CI. It is caused by a documented Microsoft Entra ID behaviour: when a user is a member of more than 150 groups (the hard limit Microsoft applies to SAML tokens), Entra ID no longer includes the complete list of groups in the SAML Response. Instead it emits a group overage claim that carries a link to Microsoft Graph, from which the full list of the user's groups would have to be fetched.
This overage behaviour is not part of the SAML 2.0 specification, so the SAML plugin used by CloudBees CI is not prepared to follow that Graph link, as mentioned in this issue. The login itself succeeds, but the user arrives with no group memberships at all. When Overall/Read is granted through Entra ID groups rather than to the user directly, the user therefore has no permission and the error above is shown.
To confirm this is the cause, capture the SAML Response for an affected user (for example with a browser SAML tracer extension) and check whether the group attribute values are missing and a Graph link attribute is present instead; users who are not affected will show their groups listed as ordinary attribute values. Because the trigger is the number of groups Entra ID has to emit, the only way to avoid it is on the Entra ID side: keep the number of groups emitted for each user below the limit, for instance by configuring the enterprise application to emit only the groups assigned to the application rather than all of the user's groups.
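The check described above, as an added example that is not part of the original article or of the CloudBees SAML plugin: a small Python script that parses a decoded SAML assertion and reports whether the groups arrived as attribute values or were replaced by an overage link. The claim names are the defaults Microsoft documents for Entra ID SAML tokens and are an assumption here (an application with customised claims may use different names); the two assertions at the bottom are constructed samples, with signature and conditions omitted, and the Graph URL in them is a placeholder.

```python
"""Detect Microsoft Entra ID group overage in a decoded SAML assertion."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Assumption: the default claim names Microsoft documents for Entra ID SAML
# tokens. Verify against a real captured response if the app customises claims.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GROUPS_LINK_CLAIM = "http://schemas.microsoft.com/claims/groups.link"


def saml_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from every AttributeStatement found."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    path = f".//{{{SAML_NS}}}AttributeStatement/{{{SAML_NS}}}Attribute"
    for attr in root.iterfind(path):
        values = [v.text or "" for v in attr.iterfind(f"{{{SAML_NS}}}AttributeValue")]
        attrs[attr.get("Name")] = values
    return attrs


def diagnose_groups(assertion_xml: str) -> dict:
    """Classify how the user's groups arrived in the assertion.

    'ok'        - groups listed as attribute values (the plugin can use them)
    'overage'   - the list was replaced by a Graph link (the plugin cannot follow it)
    'no_groups' - neither present (check the app's group claim configuration)
    """
    attrs = saml_attributes(assertion_xml)
    groups = attrs.get(GROUPS_CLAIM, [])
    link = attrs.get(GROUPS_LINK_CLAIM, [])
    if link:
        return {"status": "overage", "group_count": len(groups), "graph_link": link[0]}
    if not groups:
        return {"status": "no_groups", "group_count": 0, "graph_link": None}
    return {"status": "ok", "group_count": len(groups), "graph_link": None}


def build_assertion(name_id: str, attributes: dict) -> str:
    """Build a constructed sample assertion (no Signature, no Conditions)."""
    assertion = ET.Element(f"{{{SAML_NS}}}Assertion")
    subject = ET.SubElement(assertion, f"{{{SAML_NS}}}Subject")
    ET.SubElement(subject, f"{{{SAML_NS}}}NameID").text = name_id
    statement = ET.SubElement(assertion, f"{{{SAML_NS}}}AttributeStatement")
    for claim, values in attributes.items():
        attr = ET.SubElement(statement, f"{{{SAML_NS}}}Attribute", Name=claim)
        for value in values:
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(assertion, encoding="unicode")


# Constructed samples: a user whose groups fit in the token, and a user over
# the limit whose groups were replaced by a (placeholder) Graph link.
NORMAL_ASSERTION = build_assertion(
    "alice@example.test", {GROUPS_CLAIM: ["jenkins-readers", "jenkins-devs", "team-a"]}
)
OVERAGE_ASSERTION = build_assertion(
    "bob@example.test",
    {GROUPS_LINK_CLAIM: ["https://graph.example.test/users/bob/getMemberObjects"]},
)

if __name__ == "__main__":
    for label, xml in (("alice", NORMAL_ASSERTION), ("bob", OVERAGE_ASSERTION)):
        print(label, diagnose_groups(xml))
```

Feed the script a base64-decoded SAMLResponse (or the Assertion element copied out of a tracer) and an "overage" result for the affected user, with "ok" for unaffected users, confirms the group-limit behaviour rather than a misconfigured authorization strategy.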