Does this help?
Does anybody have a working example for calling the Graph service after receiving the SAML assertion data from SSO?
In our case the claims/groups data from a user is not included in the SAML response because the user has more than 150 groups, so no '<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"><AttributeValue>Internet</AttributeValue>...' elements are returned, only a URL to the Graph service like '<Attribute Name="http://schemas.microsoft.com/claims/groups.link"><AttributeValue>https://graph.windows.net/abcdfe11-2815-4dce-8bc8-813bb8202a4c/users/12cba651-24d9-4af8-9a3d-b718e7230e17/getMemberObjects</AttributeValue>'.
We need to receive the claims/groups data using a separate REST call to the Graph service to be able to assign the correct roles.
Of course the workaround (solution?) would be to limit the number of groups sent by ADFS by using some filtering so that we do not receive more than 150 groups. But in case we might receive more than 150 groups, we need a solution to get the claims/groups using the Graph service then too.
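The overage handling described in the post above, as an added example that is not part of the original post: it reads the attributes of an assertion whose signature has already been verified, returns inline groups when present, and otherwise builds the getMemberObjects POST from the groups.link value. The function names, the host allowlist, the `api-version=1.6` query parameter and a bearer token obtained separately are assumptions of this sketch.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
from urllib.request import Request

NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
GROUPS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GROUPS_LINK = "http://schemas.microsoft.com/claims/groups.link"
ALLOWED_HOSTS = {"graph.windows.net"}  # assumption: the only host that may receive our token

# Constructed sample attribute statement, using the link quoted in the post.
SAMPLE = (
    '<AttributeStatement xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<Attribute Name="http://schemas.microsoft.com/claims/groups.link"><AttributeValue>'
    "https://graph.windows.net/abcdfe11-2815-4dce-8bc8-813bb8202a4c"
    "/users/12cba651-24d9-4af8-9a3d-b718e7230e17/getMemberObjects"
    "</AttributeValue></Attribute></AttributeStatement>"
)

def saml_attributes(xml_text):
    """Return {attribute Name: [values]} from an already verified assertion."""
    attrs = {}
    for attr in ET.fromstring(xml_text).iter(NS + "Attribute"):
        values = [v.text.strip() for v in attr.iter(NS + "AttributeValue") if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def groups_or_graph_request(xml_text, access_token):
    """Return (groups, None) when groups are inline, else (None, Request)."""
    attrs = saml_attributes(xml_text)
    if GROUPS in attrs:
        return attrs[GROUPS], None
    links = attrs.get(GROUPS_LINK)
    if not links:
        return [], None
    url = urlsplit(links[0])
    # Check the target before attaching a bearer token to a URL taken from a message.
    if url.scheme != "https" or url.hostname not in ALLOWED_HOSTS or url.query:
        raise ValueError("unexpected groups.link target: %r" % links[0])
    body = json.dumps({"securityEnabledOnly": False}).encode()
    headers = {"Authorization": "Bearer " + access_token, "Content-Type": "application/json"}
    return None, Request(links[0] + "?api-version=1.6", data=body, headers=headers, method="POST")

def member_object_ids(response_body):
    """Extract the group/role object IDs from the getMemberObjects JSON reply."""
    return list(json.loads(response_body)["value"])
```

Send the returned request with `urllib.request.urlopen` and map the object IDs from `member_object_ids` to application roles. Azure AD Graph (graph.windows.net) has since been deprecated in favor of Microsoft Graph, which exposes the same action as POST /users/{id}/getMemberObjects.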