Okta Classic Engine, Single Sign-On, Answered, 2025-01-22T09:00:28.000Z, 2021-04-14T06:24:47.000Z, 2021-05-26T11:08:10.000Z

z7orx (z7orx) asked a question.

Workaround for limitations on group functions in claims

Is there a workaround for the limit of 100 groups in group functions with Custom Auth Server?

Presently, when we add a group claim with a group function Groups.contains("ldap","okta",100), if there are more than 100 groups that match this filter, an error is returned.

 

I am seeking a solution where we can change the behaviour to return a string like "too many groups" / omit the claim altogether, instead of the user facing an error. Will this be possible via a Token Inline hook or maybe a simple filter?

 

I have tried using the filter as below:

Array.size(Groups.contains("ldap", "okta",11))>11? "Too Many Groups": Groups.contains("ldap", "okta",11)

But this does not seem to work.

 

Any ideas?


  • DanSacui (Vendor Management)

    Hello Susmita,

     

    The only way around this limitation is to create a filter that doesn't return more than 100 groups.

     

    https://developer.okta.com/docs/reference/api/oidc/#scope-dependent-claims-not-always-returned

    Be aware of the following before you work with scope-dependent claims:

    • To protect against arbitrarily large numbers of groups matching the group filter, the groups claim has a limit of 100. If more than 100 groups match the filter, then the request fails. Expect that this limit may change in the future.

     

    Best Regards,

    Dan

    Selected as Best
This question is closed.
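
The accepted answer's advice (use a filter that matches no more than 100 groups) can be checked before a claim is rolled out. The following is an added example, not part of the original thread and not Okta code: it audits candidate filter substrings against a constructed membership export and reports which users would exceed the limit. The function names, the sample data and the plain case-sensitive substring matching are assumptions; Okta's own evaluation may differ.

```python
# Added example: audit group-filter candidates against the 100-group claim limit.
# Membership data below is constructed; matching is assumed to be a plain,
# case-sensitive substring test, which may differ from Okta's own evaluation.

GROUPS_CLAIM_LIMIT = 100  # limit quoted in the answer above


def matching_groups(group_names, substring):
    """Return the group names that contain the filter substring."""
    return [g for g in group_names if substring in g]


def audit_filter(memberships, substring, limit=GROUPS_CLAIM_LIMIT):
    """Map each user whose match count exceeds the limit to that count.

    Exactly `limit` matches is still allowed; only more than `limit` fails.
    """
    over = {}
    for user, groups in memberships.items():
        count = len(matching_groups(groups, substring))
        if count > limit:
            over[user] = count
    return over


def safe_filters(memberships, candidates, limit=GROUPS_CLAIM_LIMIT):
    """Return the candidate substrings under which no user exceeds the limit."""
    return [c for c in candidates if not audit_filter(memberships, c, limit)]


# Constructed sample: alice is in 120 groups containing "okta", bob in 3.
MEMBERSHIPS = {
    "alice": [f"okta-app-{i}" for i in range(90)]
    + [f"okta-infra-{i}" for i in range(30)]
    + ["finance"],
    "bob": ["okta-app-1", "okta-infra-2", "okta-admins", "hr"],
}

if __name__ == "__main__":
    # Users whose token request would fail with the broad filter.
    print(audit_filter(MEMBERSHIPS, "okta"))
    # Narrower filters that keep every user at or under the limit.
    print(safe_filters(MEMBERSHIPS, ["okta", "okta-app", "okta-infra"]))
```

Run it against a real export of user-to-group memberships to find the users whose token requests would fail under a given filter before the claim is enabled.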