Area: Deployment Issues
Sub-Area: SSO / OIDC Configuration
Issue
When configuring Single Sign-On (SSO) with an OIDC provider such as Azure AD, users are able to authenticate successfully but are not assigned to the expected DataHub groups. This occurs because the OIDC token returned by the identity provider does not include a groups claim, meaning DataHub receives no group membership information during the login flow and cannot map users to the appropriate roles or policies.
Error Messages
Failed to extract groups from OIDC token: claim 'groups' not presentNo group claims found in ID tokenOIDC token missing required claim: groups
You Might Be Asking
- Why can users log in via SSO but not see any group memberships in DataHub?
- Why are OIDC group claims not appearing in the token even though groups are configured in my identity provider?
- How do I configure Azure AD (or another OIDC provider) to include group information in the token sent to DataHub?
- Why does DataHub show users with no roles after SSO login?
Solution
The root cause is that the OIDC application registration in your identity provider has not been granted permission to read group membership, and/or the application is not configured to emit the groups claim in the ID token. Follow the steps below to resolve this.
-
Grant Group Read Permission in Your Identity Provider
In your identity provider's application registration (e.g., Azure AD App Registration), ensure the application has the necessary API permissions to read group membership. For Azure AD, this typically means adding the
GroupMember.Read.All(or equivalent) permission and granting admin consent.- Navigate to your Azure AD App Registration → API Permissions
- Add permission: Microsoft Graph → Delegated → GroupMember.Read.All
- Click Grant admin consent to apply the permission tenant-wide
-
Configure the Groups Claim in the Token
Explicitly configure your identity provider to emit group membership as a claim in the ID token or access token.
- In Azure AD App Registration, navigate to Token configuration
- Click Add groups claim
- Select the group types to include (e.g., Security groups, All groups)
- Under ID Token, ensure the groups claim is enabled
- Save the configuration
-
Update DataHub OIDC Configuration
Ensure your DataHub deployment is configured to extract the
groupsclaim from the OIDC token. In your DataHub environment configuration, verify the following properties are set:# datahub-frontend application.conf or environment variables AUTH_OIDC_GROUPS_CLAIM=groups AUTH_OIDC_EXTRACT_GROUPS_ENABLED=true AUTH_OIDC_SCOPE=openid profile email groupsIf using a
docker-composeor Helm-based deployment, the equivalent environment variables are:# Environment variables for datahub-frontend container AUTH_OIDC_EXTRACT_GROUPS_ENABLED=true AUTH_OIDC_GROUPS_CLAIM=groups AUTH_OIDC_SCOPE="openid profile email groups" -
Verify the Token Contains the Groups Claim
Before restarting DataHub, validate that your identity provider is now including the groups claim in the issued token. You can decode a sample ID token using a tool such as jwt.io and confirm the payload contains a
groupsfield similar to the following:{ "sub": "<user-subject-id>", "email": "user@example.com", "name": "Example User", "groups": [ "<group-object-id-1>", "<group-object-id-2>" ], "iat": 1700000000, "exp": 1700003600 } -
Map Group Identifiers to DataHub Policies
If your identity provider returns group object IDs (e.g., GUIDs in Azure AD) rather than human-readable group names, ensure that DataHub group mappings reference the correct identifier. You may need to configure group name mapping or use display names by selecting the appropriate option in the Token configuration (Emit groups as display names in Azure AD).
-
Restart DataHub Frontend
After making configuration changes, restart the
datahub-frontendservice to apply the new settings:# Docker Compose docker-compose restart datahub-frontend # Kubernetes / Helm kubectl rollout restart deployment/datahub-frontend -n <your-namespace> -
Test the Login Flow
Log out and log back in via SSO. Navigate to your DataHub user profile and confirm that group memberships are now populated correctly. Verify that policies associated with those groups are being applied as expected.
Additional Notes
This issue applies to any OIDC-compliant identity provider (Azure AD, Okta, Google, Keycloak, etc.) that does not emit group claims by default. The specific steps for granting permissions and configuring token claims will vary by provider — consult your identity provider's documentation for the exact procedure. In Azure AD specifically, if a user belongs to more than 200 groups, Azure AD may omit the groups claim entirely and instead include a _claim_names overage indicator; in this case, additional configuration using the Microsoft Graph API or group filtering is required. Ensure that the AUTH_OIDC_SCOPE includes any custom scopes required by your provider to expose group claims. Changes to API permissions in Azure AD require admin consent before they take effect for any user in the tenant.
Related Documentation
- Configure OIDC Authentication in DataHub
- DataHub Frontend OIDC Configuration Reference
- DataHub Groups and Policies
- OIDC Group Membership Mapping
Tags: SSO, OIDC, Azure AD, group claims, authentication, authorization, group mapping, identity provider, login, policies