SAML fails due to too many groups

MartinT 3 years ago updated 1 year ago 6

Environment to reproduce:

Have a SAML server set up and working.

Using ADFS as a backend server.


SAML works for all users with other applications, like ITGlue.

SAML works for most users using Control.

Have user who is a member of 170 AD groups. 


User can't log in with SAML to Control. It just acts like he never pushed the button. The address bar URL ends with errorcode 6 after he clicks login with SAML.

SAML reply when replicating the issue comes through as expected.


Remove user from 40 groups and now it works as expected.


SAML fails when user is a member of too many groups

ConnectWise Control Version:
Server Affected:
Host Client Affected:
Guest Client Affected:

Thanks for the detailed report. This is a registered issue, but we weren't able to replicate it before. We'll take another look at it in light of this information.

I can provide a demo of this bug if that would help.

Hi Team,

Second member in my team got hit this week by this. I did a remote session with Control support 6 months ago and provided detailed information at that time. Any news on a fix for this?


I see that the affected Control version is 20.3, but it should be fixed in that version. If you're already running that version, could you confirm that you're still seeing the issue? (The fix was to just filter out roles returned in the SAML response that aren't defined in Control, if that clarifies anything. If you still have too many roles defined in Control, you might still see the issue. We're limited by cookie size.)
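
The role filtering and cookie-size limit mentioned in the reply above, sketched as an added example (not part of the thread and not ConnectWise code). It assumes a ticket layout of `user|role1,role2,...` that is base64-encoded into one cookie, a 4096-byte cookie budget, the ADFS group claim URI shown, and constructed group names.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"  # assumed claim type
COOKIE_LIMIT = 4096  # assumed per-cookie byte budget

def build_sample_assertion(groups):
    """Constructed AttributeStatement standing in for an IdP response."""
    values = "".join(
        f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    return (f'<saml:AttributeStatement xmlns:saml="{NS["saml"]}">'
            f'<saml:Attribute Name="{GROUP_CLAIM}">{values}</saml:Attribute>'
            f'</saml:AttributeStatement>')

def asserted_groups(xml_text):
    """Return every group value carried in the group claim attribute."""
    root = ET.fromstring(xml_text)  # real input: verify the signature first
    groups = []
    for attr in root.findall("saml:Attribute", NS):
        if attr.get("Name") == GROUP_CLAIM:
            groups += [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return groups

def filter_roles(groups, defined_roles):
    """Keep only asserted groups that map to a role the application defines."""
    defined = set(defined_roles)
    return [g for g in groups if g in defined]

def cookie_value_size(user, roles):
    """Size in bytes of the assumed base64 ticket for this user and roles."""
    raw = f"{user}|{','.join(roles)}".encode()
    return len(base64.b64encode(raw))

def fits(user, roles):
    return cookie_value_size(user, roles) <= COOKIE_LIMIT

if __name__ == "__main__":
    # Constructed data: 170 AD groups, three roles defined in the application.
    ad_groups = [f"AD-Security-Group-{i:03d}" for i in range(170)]
    defined = ["AD-Security-Group-001", "AD-Security-Group-042", "Not-In-AD"]
    got = asserted_groups(build_sample_assertion(ad_groups))
    for label, roles in (("all 170 groups", got),
                         ("after removing 40", got[:130]),
                         ("filtered to defined roles", filter_roles(got, defined))):
        print(f"{label}: {cookie_value_size('jdoe', roles)} bytes, "
              f"fits={fits('jdoe', roles)}")
```

Filtering happens after the assertion is validated, so groups that do not map to a defined role never reach the session ticket and cannot grant anything.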

Not sure why it says 20.3 as affected version. I reported this a year+ ago and it was the latest version at that time.

I'll upgrade from 20.2 to 20.3 when it goes stable.
