Getting Started with Identity Broker


This is not the latest version of Identity Director documentation.

Using Group/Role filters for Identity Providers

When a user logs in, the Identity Provider returns a list of Active Directory Groups that the user belongs to. If the user is a member of many groups, depending on the length of the group names, a "Request too long" error can occur. This is an IIS limitation.

To prevent this issue, Identity Broker provides the ability to filter the groups that are returned to the Consumer. The filter is configured on each Identity Provider separately.
There are several options for the type of filter:

  • Contains: The Provider returns groups that contain the specified text. This comparison is not case-sensitive and the match can start at any position within the group name.
  • NotContains: The Provider returns groups that do not contain the specified text. This comparison is not case-sensitive and the match can start at any position within the group name.
  • StartsWith: The Provider returns groups that start with the specified text. This comparison is not case-sensitive.
  • NotStartsWith: The Provider returns groups that do not start with the specified text. This comparison is not case-sensitive.
  • EndsWith: The Provider returns groups that end with the specified text. This comparison is not case-sensitive.
  • NotEndsWith: The Provider returns groups that do not end with the specified text. This comparison is not case-sensitive.
  • IsAnyOf: Specify a comma-separated list of group names to match. The Provider returns groups that are part of the list. This comparison is not case-sensitive.
  • NotIsAnyOf: Specify a comma-separated list of group names to match. The Provider returns groups that are not part of the list. This comparison is not case-sensitive.
  • RegEx: Specify a valid regular expression in .NET syntax. The Provider returns groups that match the expression.

It is best practice to create a filter that will only return groups that are needed for authentication on Identity Consumers.
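
To preview which groups a filter would release before configuring it, the following added PowerShell example models the filter types as described above; it is not Identity Broker code. The function name `Select-GroupsByFilter` and the sample group names are constructed, and the whitespace trimming for list entries and the case-sensitive RegEx matching are assumptions, because the page does not specify them.

```powershell
# Added example: models the filter semantics described on this page.
# Not Identity Broker code; the function name is hypothetical.
function Select-GroupsByFilter {
    param(
        [Parameter(Mandatory)][string[]]$Groups,
        [Parameter(Mandatory)]
        [ValidateSet('Contains','NotContains','StartsWith','NotStartsWith',
                     'EndsWith','NotEndsWith','IsAnyOf','NotIsAnyOf','RegEx')]
        [string]$Type,
        [Parameter(Mandatory)][string]$Value
    )
    $ic = [System.StringComparison]::OrdinalIgnoreCase
    # Assumption: entries of the comma-separated list are trimmed.
    $list   = @($Value.Split(',') | ForEach-Object { $_.Trim() })
    $negate = $Type -like 'Not*'            # Not* types invert the base match
    $base   = $Type -replace '^Not', ''
    foreach ($g in $Groups) {
        $hit = switch ($base) {
            'Contains'   { $g.IndexOf($Value, $ic) -ge 0 }
            'StartsWith' { $g.StartsWith($Value, $ic) }
            'EndsWith'   { $g.EndsWith($Value, $ic) }
            'IsAnyOf'    { $list -contains $g }   # -contains ignores case
            # Assumption: .NET default regex options (case-sensitive).
            'RegEx'      { [regex]::IsMatch($g, $Value) }
        }
        if ($hit -ne $negate) { $g }        # emit groups the filter lets through
    }
}

# Constructed sample of the groups an Identity Provider might return for one user.
$groups = 'APP-Portal-Users','APP-Portal-Admins','APP-HR-Users',
          'Domain Admins','Legacy-APP-Portal-Test','app-portal-auditors'

# Contains matches at any position, so names that merely embed the text pass too.
Select-GroupsByFilter -Groups $groups -Type Contains -Value 'APP-Portal'
# StartsWith keeps only names that begin with the prefix, in any letter case.
Select-GroupsByFilter -Groups $groups -Type StartsWith -Value 'APP-Portal-'
# An anchored RegEx releases exactly the groups a Consumer needs.
Select-GroupsByFilter -Groups $groups -Type RegEx -Value '^APP-Portal-(Users|Admins)$'
# Not* filters are deny-lists: any group added later passes unless it matches.
Select-GroupsByFilter -Groups $groups -Type NotStartsWith -Value 'Domain'
```

Running the candidate filter against a heavily grouped user's real membership list shows both whether the result is short enough and whether it releases only the groups the Consumer uses for authentication.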