When a user first loads the application, the claim mapping can take a few minutes to resolve. After that initial mapping, it’s speedy until the cache is cleared.
Is there a way to speed up that mapping by having the authentication only look for a few select groups when using Active Directory? This is a problem in organizations with thousands of groups but only a few are used for the application.
I did find that changing hostingModel from “InProcess” to “OutOfProcess” feels like it has made it quicker. The default web.config file had “InProcess”.
Resolved by changing the role script from a policy to a claim value.
Old
    New-PSURole -Name "Administrator" -Description "Administrators can manage settings of UA, create and edit any entity within UA and view all the entities within UA." -Policy {
        param(
            $User
        )
        # Strip the DOMAIN\ prefix from the identity name
        $UserName = ($User.Identity.Name)
        $UserName = $UserName.Split('\')[1]
        $IsMember = $false
        # Queries the directory for the group's members each time the policy runs
        $GroupMember = Get-ADGroupMember -Identity PSU_Administrators -Server $ADServer | Where-Object Name -eq $UserName
        if ($GroupMember) {
            $IsMember = $true
        }
        return $IsMember
    }
New
    New-PSURole -Name "Administrator" -Description "Administrators can manage settings of UA, create and edit any entity within UA and view all the entities within UA." -ClaimType 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid' -ClaimValue "$Admin_SID"
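
The post does not show how `$Admin_SID` is populated. One way to resolve it once when the roles script loads, as an added example that is not part of the original post: the `$ADServer` value, the role-to-group map and the `PSU_Operators` group are assumptions, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not from the original post. Intended for the roles script.
Import-Module ActiveDirectory

# Assumption: placeholder domain controller; the post uses $ADServer without showing its value.
$ADServer = 'dc01.example.test'

# Assumption: role-to-group map. Only PSU_Administrators appears in the post.
$RoleGroups = [ordered]@{
    'Administrator' = 'PSU_Administrators'
    'Operator'      = 'PSU_Operators'   # hypothetical group name
}

# Claim type used in the post's "New" role definition.
$GroupSidClaim = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'

foreach ($RoleName in $RoleGroups.Keys) {
    $GroupName = $RoleGroups[$RoleName]

    try {
        # One directory lookup per role when the script loads,
        # instead of one group-member query per policy evaluation.
        $Group = Get-ADGroup -Identity $GroupName -Server $ADServer -ErrorAction Stop
    }
    catch {
        # Fail closed: if the group cannot be resolved, the role is not defined,
        # so nobody is granted it by an empty or stale claim value.
        Write-Warning "Skipping role '$RoleName': group '$GroupName' not resolved. $($_.Exception.Message)"
        continue
    }

    # Match on the SID rather than the group name, so a rename of the group
    # does not silently change who holds the role.
    New-PSURole -Name $RoleName `
        -Description "Members of $GroupName" `
        -ClaimType $GroupSidClaim `
        -ClaimValue $Group.SID.Value
}
```

Group SID claims on a Windows token include nested group memberships, while `Get-ADGroupMember` without `-Recursive` returns direct members only, so review nesting under the mapped groups before switching. Membership changes take effect at the user's next sign-in, when a new token is issued.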