After successful login with SAML in Azure AD, Groups and permissions are not properly set.

Article ID: 4855810066587

Issue

  • Usually I can work without problems in Jenkins, but suddenly, after I have successfully logged in to Jenkins via Azure AD, the following "user is missing the overall/read permission" error appears in the UI.

  • We have migrated our IdP to Azure AD, but for some users, after a successful login in Jenkins, the following "user is missing the overall/read permission" error appears in the UI.

Resolution

This behaviour is outside the official SAML 2.0 scope, so the CloudBees CI SAML plugin is not prepared to consume the Graph link in which all the groups assigned to the user are listed, as mentioned in this issue.
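
To confirm that an affected login falls into this case, a captured SAML response can be checked for group values versus a Graph link. This is an added example, not part of the original article or of CloudBees code; the claim URIs are Azure AD's standard groups and groups.link attribute names, and the function names, placeholder IDs and sample assertions are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Azure AD attribute names (assumption: default claim names, not customised).
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GROUPS_LINK_CLAIM = "http://schemas.microsoft.com/claims/groups.link"


def classify_groups(saml_xml: str, group_attr: str = GROUPS_CLAIM) -> dict:
    """Report whether an assertion carries group values or only a Graph link.

    Diagnostic only: it does not verify signatures, so run it on a response
    you captured yourself (for example from a browser SAML tracer).
    """
    root = ET.fromstring(saml_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    groups = attrs.get(group_attr, [])
    link = attrs.get(GROUPS_LINK_CLAIM, [])
    if groups:
        status = "groups_present"    # the plugin can map these to permissions
    elif link:
        status = "graph_link_only"   # the case this article describes
    else:
        status = "no_group_data"     # group claim not configured at the IdP
    return {"status": status, "groups": groups,
            "graph_link": link[0] if link else None}


def build_sample(attributes: dict) -> str:
    """Build a constructed, unsigned assertion fragment for the demo."""
    body = "".join(
        f'<saml:Attribute Name="{name}">'
        + "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in vals)
        + "</saml:Attribute>"
        for name, vals in attributes.items())
    return (f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}">'
            f"<saml:AttributeStatement>{body}</saml:AttributeStatement>"
            "</saml:Assertion>")


# Constructed sample values; the tenant and user IDs are placeholders.
SAMPLE_LINK = ("https://graph.windows.net/TENANT-ID-PLACEHOLDER/users/"
               "USER-OID-PLACEHOLDER/getMemberObjects")
AFFECTED = build_sample({GROUPS_LINK_CLAIM: [SAMPLE_LINK]})
HEALTHY = build_sample({GROUPS_CLAIM: ["group-id-1", "group-id-2"]})

if __name__ == "__main__":
    print(classify_groups(AFFECTED)["status"], classify_groups(HEALTHY)["status"])
```

A result of graph_link_only for an affected user, next to groups_present for a working user, points to the group assignment as the cause rather than the Jenkins authorization configuration.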

Workaround

Review your group assignment process to reduce the number of groups, for example by combining some groups into one with equivalent permissions, or by splitting controllers if there are several jobs in one controller…