I am using Kibana/Elasticsearch with Oidc (Microsoft Azure) for authentication.
Currently I have the problem that not all defined role mappings are working correctly.
We are using Azure groups in role mappings to assign users to specific Kibana roles.
9 out of 10 users can log in and work without any problems. However, the 10th user is problematic: some users in our organization are in many AD groups (>250).
In that case the groups section of the JWT token is empty and instead points to another endpoint from which all the groups the user is assigned to can be retrieved.
Microsoft Entra ID limits the number of groups that it will emit in a token to 150 for SAML assertions and 200 for JWT. If a user is a member of a larger number of groups, the groups are omitted. A link to the Microsoft Graph endpoint to obtain group information is included instead.
https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-group-claims#options-for-applications-to-consume-group-information
And I think Kibana does nothing with this information and thinks this user is not a member of any group.
I have also raised this as a support case, but almost a year later nothing has happened: #01312479 (5008X00002J8locQAB)
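To make the failure mode concrete, here is an added example (not code from the original post, and not Kibana's or Elasticsearch's own implementation). It builds two constructed, unsigned tokens: one with a normal `groups` claim and one in the overage shape described in the linked Microsoft page (`groups` absent, `_claim_names` naming the omitted claim and `_claim_sources` carrying the endpoint to query). It then runs both through a small evaluator that mimics the `field` / `any` / `all` / `except` subset of the Elasticsearch role-mapping rule DSL; that evaluator, the group names, the endpoint URL and `fake_graph_lookup` (a stand-in for the Microsoft Graph call) are all assumptions of this example. A consumer that only reads the `groups` claim ends up with no groups for the overage user and therefore no roles; a consumer that follows the overage indicator gets the right roles.

```python
import base64
import json
from typing import Callable, Dict, List, Optional, Set


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(payload: dict) -> str:
    # Constructed, unsigned token (alg "none", empty signature) so the example has
    # something JWT-shaped to parse; real Entra ID tokens are signed.
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()), ""])


def payload_claims(token: str) -> dict:
    # Decodes the claim set only and does NOT verify the signature; an OIDC realm
    # verifies the token before trusting any claim, so only feed this verified tokens.
    return json.loads(_b64url_decode(token.split(".")[1]))


# Constructed claim sets. Real Entra tokens carry group object IDs (GUIDs) unless the
# app is configured to emit names; readable names are used here for clarity.
NORMAL_CLAIMS = {
    "tid": "00000000-0000-0000-0000-0000000000aa",
    "oid": "11111111-1111-1111-1111-111111111111",
    "groups": ["kibana-admins", "kibana-readers"],
}
# Overage shape: "groups" is missing, "_claim_names" says which claim was left out and
# "_claim_sources" points at where to fetch it. The endpoint value is illustrative.
OVERAGE_CLAIMS = {
    "tid": "00000000-0000-0000-0000-0000000000aa",
    "oid": "22222222-2222-2222-2222-222222222222",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.windows.net/"
                                "00000000-0000-0000-0000-0000000000aa/users/"
                                "22222222-2222-2222-2222-222222222222/getMemberObjects"}},
}


def has_group_overage(claims: dict) -> bool:
    """True when the IdP omitted the groups claim and pointed at Graph instead."""
    if "groups" in claims:
        return False
    # "hasgroups": true is the implicit-flow variant of the same signal.
    return "groups" in claims.get("_claim_names", {}) or claims.get("hasgroups") is True


def overage_endpoint(claims: dict) -> Optional[str]:
    """Endpoint advertised in _claim_sources for the omitted groups claim, if any."""
    src = claims.get("_claim_names", {}).get("groups")
    if src is None:
        return None
    return claims.get("_claim_sources", {}).get(src, {}).get("endpoint")


GroupLookup = Callable[[str, str], List[str]]  # (tenant id, user object id) -> groups


def effective_groups(claims: dict, lookup: Optional[GroupLookup] = None) -> List[str]:
    # Without a lookup this is exactly what a consumer that ignores the overage
    # indicator sees: an empty list, i.e. a user who is in no group at all.
    if "groups" in claims:
        return list(claims["groups"])
    if has_group_overage(claims) and lookup is not None:
        return lookup(claims["tid"], claims["oid"])
    return []


# Assumed role mappings in the shape of the Elasticsearch role-mapping API (simplified).
ROLE_MAPPINGS: Dict[str, dict] = {
    "kibana-admins": {"roles": ["kibana_admin"], "enabled": True,
                      "rules": {"field": {"groups": "kibana-admins"}}},
    "kibana-users": {"roles": ["kibana_user"], "enabled": True,
                     "rules": {"any": [{"field": {"groups": "kibana-admins"}},
                                       {"field": {"groups": "kibana-readers"}}]}},
}


def _rule_matches(rule: dict, user: dict) -> bool:
    # Reimplementation of a subset of the rule DSL (field / any / all / except).
    if "field" in rule:
        (key, wanted), = rule["field"].items()
        have = user.get(key, [])
        have = have if isinstance(have, list) else [have]
        wanted = wanted if isinstance(wanted, list) else [wanted]
        return any(value in wanted for value in have)
    if "any" in rule:
        return any(_rule_matches(r, user) for r in rule["any"])
    if "all" in rule:
        return all(_rule_matches(r, user) for r in rule["all"])
    if "except" in rule:
        return not _rule_matches(rule["except"], user)
    raise ValueError(f"unsupported rule: {rule}")


def map_roles(groups: List[str], mappings: Dict[str, dict]) -> Set[str]:
    user = {"groups": groups}
    roles: Set[str] = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and _rule_matches(mapping["rules"], user):
            roles.update(mapping["roles"])
    return roles


def fake_graph_lookup(tenant_id: str, user_oid: str) -> List[str]:
    # Stand-in for a Microsoft Graph membership query; constructed result.
    return ["kibana-readers"] + [f"unrelated-group-{i}" for i in range(260)]


NORMAL_TOKEN = make_unsigned_jwt(NORMAL_CLAIMS)
OVERAGE_TOKEN = make_unsigned_jwt(OVERAGE_CLAIMS)

if __name__ == "__main__":
    for label, token in (("normal", NORMAL_TOKEN), ("overage", OVERAGE_TOKEN)):
        c = payload_claims(token)
        print(label, "overage:", has_group_overage(c), "endpoint:", overage_endpoint(c))
        print("  roles ignoring overage:", map_roles(effective_groups(c), ROLE_MAPPINGS))
        print("  roles with lookup:", map_roles(effective_groups(c, fake_graph_lookup), ROLE_MAPPINGS))
```

The point of the two runs is the second one: the overage user is detected by `has_group_overage`, but unless something follows the advertised endpoint, `effective_groups` is empty and every `groups`-based mapping fails, which is indistinguishable from a user in no groups at all. The Microsoft page linked above also describes limiting the claim to groups assigned to the application, which keeps the token under the limit and avoids the overage path altogether.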