Users are unable to successfully authorize via SAML-based Single Sign-On (SSO) when their account belongs to a large number of Active Directory (AD) groups.
During authentication, users with extensive group memberships fail to complete the authorization process and cannot access Jenkins. The same SSO configuration works correctly for users with fewer AD groups.
Environment
Plugin: SAML Plugin
Plugin Version: 4.595.vec7523b_5d543
Authentication Method: SAML 2.0
Issue Details
Users with a large number of AD groups encounter authorization failures when logging in via SAML SSO. Authentication may succeed, but group-based authorization does not work, preventing access to Jenkins resources.
This appears to occur only for users with a higher number of AD group memberships.
Expected Behavior
Users should be able to authenticate and be authorized via SAML SSO regardless of the number of AD groups they belong to.
Actual Behavior
SSO login fails or users are not properly authorized.
Group-based permissions are not applied.
Users may receive access errors or missing permission errors after login.
Steps to Reproduce
Configure Jenkins SAML authentication using the SAML plugin.
Map Jenkins roles/permissions to AD groups.
Attempt login with a user belonging to a large number of AD groups.
Observe authorization failure.
Possible Cause
Some identity providers cap the number of groups they will include in a SAML assertion. Microsoft Entra ID (formerly Azure AD) limits the groups claim in SAML tokens to 150 groups. For a user over that limit the IdP omits the group list entirely and instead emits a group overage claim, http://schemas.microsoft.com/claims/groups.link, whose value is a Microsoft Graph URL that the relying party is expected to call to retrieve the user's group memberships. An application or plugin that only reads the group attribute from the assertion then sees no groups at all, which matches the symptom here: authentication succeeds but group-based authorization is not applied. To confirm this is the cause, capture the SAMLResponse for an affected user from the browser's developer tools, base64-decode it, and check whether the configured group attribute is missing while the groups.link attribute is present. On the Entra side, the assertion can be kept under the limit by restricting the groups claim to groups assigned to the application, or by applying group filtering, rather than removing the user from groups.
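The check described above, as an added example that is not part of this report or of the Jenkins SAML plugin: it parses a decoded SAML assertion and reports whether the group attribute is present, or whether the Entra ID overage claim has replaced it. The claim names are the ones Entra ID documents for SAML tokens; the group attribute name is a parameter so it can be set to whatever the plugin's Group Attribute field is configured to read. The two sample assertions are constructed for this example, with placeholder tenant and user IDs.

```python
# Added example: diagnose Entra ID "group overage" in a decoded SAML assertion.
# Not code from the original report or from the Jenkins SAML plugin.
# Assumptions: the SAMLResponse form value has been captured from the browser
# and base64-decoded; the IdP is Entra ID and uses its documented claim names.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
# Default group claim name Entra ID emits in SAML assertions.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
# Claim Entra ID emits instead of the group list once the user is over the limit.
OVERAGE_CLAIM = "http://schemas.microsoft.com/claims/groups.link"
ENTRA_SAML_GROUP_LIMIT = 150


def collect_attributes(assertion_xml):
    """Return {attribute name: [values]} for every Attribute in the assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def diagnose(assertion_xml, group_attribute=GROUPS_CLAIM):
    """Classify an assertion as 'ok', 'overage' or 'no-groups'.

    group_attribute is the attribute the SAML plugin is configured to read as
    the group list. An overage shows up as that attribute being absent while
    the groups.link attribute is present, so the plugin sees zero groups.
    """
    attrs = collect_attributes(assertion_xml)
    groups = attrs.get(group_attribute, [])
    overage = attrs.get(OVERAGE_CLAIM, [])
    if overage:
        status = "overage"
    elif groups:
        status = "ok"
    else:
        status = "no-groups"
    return {
        "status": status,
        "group_count": len(groups),
        "groups": groups,
        "overage_link": overage[0] if overage else None,
    }


def _assertion(attributes_xml):
    # Minimal assertion skeleton around an AttributeStatement (constructed).
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example" Version="2.0">'
        "<saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>"
        f"<saml:AttributeStatement>{attributes_xml}</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


# Constructed sample: a user in three groups, group claim present as normal.
SAMPLE_NORMAL = _assertion(
    f'<saml:Attribute Name="{GROUPS_CLAIM}">'
    "<saml:AttributeValue>jenkins-admins</saml:AttributeValue>"
    "<saml:AttributeValue>jenkins-devs</saml:AttributeValue>"
    "<saml:AttributeValue>all-staff</saml:AttributeValue>"
    "</saml:Attribute>"
)

# Constructed sample: the same user once over the limit. The group claim is
# gone and only the overage link remains (tenant and user IDs are placeholders).
SAMPLE_OVERAGE = _assertion(
    f'<saml:Attribute Name="{OVERAGE_CLAIM}">'
    "<saml:AttributeValue>https://graph.windows.net/00000000-0000-0000-0000-000000000000"
    "/users/11111111-1111-1111-1111-111111111111/getMemberObjects</saml:AttributeValue>"
    "</saml:Attribute>"
)

if __name__ == "__main__":
    import base64
    import sys

    if len(sys.argv) > 1:
        # Usage: python saml_overage.py samlresponse.b64
        # where the file holds the raw (base64) SAMLResponse form value.
        with open(sys.argv[1]) as fh:
            print(diagnose(base64.b64decode(fh.read().strip())))
    else:
        for label, sample in (("normal", SAMPLE_NORMAL), ("overage", SAMPLE_OVERAGE)):
            print(label, diagnose(sample))
```

If the plugin is configured with a Group Attribute other than the Entra default, pass that name as group_attribute; a result of "overage" for an affected user and "ok" for an unaffected one is the confirmation that the 150-group limit, not the plugin's role mapping, is what is dropping the groups.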
Workarounds Attempted
Reducing the user's group memberships, which worked.
Additional Context
This issue impacts users with extensive AD group memberships and prevents them from accessing Jenkins through SSO, even though authentication works for other users.