This article explains why the error below occurs when a Groups claim is processed for a user who is a member of more than 100 groups.
The groups claim matched too many groups and must be configured to match fewer groups
- Group Claims
- Expression Language
- Implicit Flow
In most flows, the Groups claim can return only up to 100 groups that a user is a member of. If a user belongs to more than 100 groups, the system cannot return the full list in a single claim, which triggers the error.
To prevent this issue, distribute the user's groups across multiple claims instead of returning them in a single claim. For each claim, use a claim expression that includes a pattern check to filter the groups and return a specific subset. This will help ensure that each individual claim remains below the 100-group limit.
For example, an administrator could create three separate claims:
- Claim 1 Name: ad_groups
  Expression Logic: Groups.startsWith("active_directory","ad_",100)
- Claim 2 Name: finance_groups
  Expression Logic: Groups.contains("OKTA","finance",100)
- Claim 3 Name: sales_groups
  Expression Logic: Groups.contains("active_directory","sales",100)
For more information on available functions, refer to the Okta Expression Language overview documentation.
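As an added example that is not part of the Okta article, the following Python model reproduces the filtering the three claims above perform, so an administrator can check a user's membership list against proposed claim expressions and see which claim would still exceed the 100-group limit. The Group dataclass, its source attribute, and the sample group names are constructed for illustration; the real Expression Language functions are evaluated by Okta against the app type or instance, not locally.

```python
from dataclasses import dataclass

GROUP_CLAIM_LIMIT = 100  # most flows return at most 100 groups in a single claim

@dataclass(frozen=True)
class Group:
    name: str
    source: str  # "OKTA" for Okta groups, otherwise an app instance label (assumed)

def _filter(groups, source, predicate, limit):
    """Select groups from `source` (None = any source) whose name satisfies `predicate`."""
    matched = sorted(g.name for g in groups
                     if (source is None or g.source == source) and predicate(g.name))
    if len(matched) > limit:
        # Same condition as the error in the article: the claim matched too many groups.
        raise ValueError(f"The groups claim matched too many groups ({len(matched)} > {limit})")
    return matched

def starts_with(source, prefix, limit=GROUP_CLAIM_LIMIT):
    """Model of Groups.startsWith(source, prefix, limit)."""
    return lambda groups: _filter(groups, source, lambda n: n.startswith(prefix), limit)

def contains(source, needle, limit=GROUP_CLAIM_LIMIT):
    """Model of Groups.contains(source, needle, limit)."""
    return lambda groups: _filter(groups, source, lambda n: needle in n, limit)

def evaluate_claims(groups, claims):
    """Evaluate each claim expression; return ({claim: count}, [claims over the limit])."""
    counts, too_many = {}, []
    for claim_name, expression in claims.items():
        try:
            counts[claim_name] = len(expression(groups))
        except ValueError:
            too_many.append(claim_name)
    return counts, too_many

# Constructed sample user with 165 memberships, more than one claim can carry.
SAMPLE_GROUPS = frozenset(
    [Group(f"ad_team_{i}", "active_directory") for i in range(90)]
    + [Group(f"finance_{i}", "OKTA") for i in range(30)]
    + [Group(f"sales_region_{i}", "active_directory") for i in range(45)]
)

# One unfiltered claim (exceeds the limit) versus the article's three filtered claims.
UNSPLIT_CLAIM = {"groups": lambda gs: _filter(gs, None, lambda n: True, GROUP_CLAIM_LIMIT)}
SPLIT_CLAIMS = {
    "ad_groups": starts_with("active_directory", "ad_", 100),
    "finance_groups": contains("OKTA", "finance", 100),
    "sales_groups": contains("active_directory", "sales", 100),
}
```

Calling evaluate_claims(SAMPLE_GROUPS, UNSPLIT_CLAIM) reports the single claim as over the limit, while evaluate_claims(SAMPLE_GROUPS, SPLIT_CLAIMS) returns 90, 30 and 45 groups for the three filtered claims.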
NOTE: Authorization Code Flow and Interaction Code Flow do not have this limitation, so another option may be to switch to one of those flows instead.
