Send Custom attributes in SAML token, SSO

  • Question

  • We have AzureAD/Salesforce SSO integration and need to send Azure custom (not extension) attributes to the Salesforce side. The problem is that the Azure application configuration page does not allow entering custom attributes to send in the SAML token. Once entered, Azure adds quotes and sends the attribute names instead of the values. How do we send custom attribute values in the SAML token? This was possible to configure using the old Azure portal.
    • Edited by anlims Tuesday, May 29, 2018 11:46 PM
    Tuesday, May 29, 2018 12:39 PM

All replies

  • Suggest you refer below link for better understanding.

    • Customizing claims issued in the SAML token for pre-integrated apps in Azure Active Directory

    https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization

    --------------------------------------------------------------------------------------------------

    If this answer was helpful, click “Mark as Answer” or Up-Vote. To provide additional feedback on  your forum experience, click here

    • Proposed as answer by Sandeep BR Tuesday, May 29, 2018 7:06 PM
    Tuesday, May 29, 2018 7:06 PM
  • Thank you for your reply. The question is that this customization does not allow setting Azure custom attributes such as

    user.custom1 (extension_11111111111111111111111111111111_custom1)

    Tuesday, May 29, 2018 11:45 PM
  • Hello,

    It seems that you want to use Directory Extensions as claims in Azure AD. You should be able to see all your directory extension attributes, like extension_11111111111111111111111111111111_custom1, when you are adding the custom claim. You cannot configure these claims today in the NameID, but you can use them in other claims.

    You should be able to see all these claim values in the drop-down. Please use Enterprise Apps -> Your application -> Single sign-on page to add the claims as needed.

    Thanks,

    Jeevan Desarda
    Azure AD Program Manager - App Integration

    • Proposed as answer by Sandeep BR Thursday, May 31, 2018 6:57 PM
    Thursday, May 31, 2018 6:41 PM
  • In addition to Jeevan's reply,

    If you wish you may leave your feedback here. All the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.

    • Edited by Sandeep BR Thursday, May 31, 2018 7:22 PM
    • Proposed as answer by Sandeep BR Thursday, May 31, 2018 7:22 PM
    Thursday, May 31, 2018 7:21 PM
  • The question is that custom attributes are not present in the drop-down list.

    And if you just try to enter them, they appear in quotes and are sent as attribute names instead of values.

    • Edited by anlims Thursday, May 31, 2018 7:41 PM
    Thursday, May 31, 2018 7:40 PM
  • When adding a claim, you can specify the attribute name (which doesn’t strictly need to follow a URI pattern as per the SAML spec). Set the value to any user attribute that is stored in the directory.

    For example, you need to send the department that the user belongs to in their organization as a claim (such as, Sales). Enter the claim name as expected by the application, and then select user.department as the value.

    Note: If for a given user there is no value stored for a selected attribute, then that claim is not being issued in the token.

    • Proposed as answer by Sandeep BR Friday, June 1, 2018 5:26 PM
    Friday, June 1, 2018 5:26 PM
  • Yes, that works, but only for predefined attributes. Custom attributes are taken with quotes and sent as the attribute name. So, if you specified the custom4 attribute, it will look like "user.custom4" and the same value will be in the SAML token.
    Friday, June 1, 2018 5:29 PM
  • The attributes from which you source the NameID and UPN values, and the claims transformations that are permitted, are limited. Suggest you refer below links.

    Refer: https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/active-directory/active-directory-claims-mapping.md#exceptions-and-restrictions

    https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/active-directory/develop/active-directory-optional-claims.md

    https://aadguide.azurewebsites.net/claims/

    Disclaimer: This response contains a reference to a third-party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet.

    • Proposed as answer by Sandeep BR Saturday, June 2, 2018 6:23 PM
    Saturday, June 2, 2018 6:23 PM
  • Hello

    I am trying to achieve the same thing as OP. I have a custom directory extension in Azure AD and I wish to use this value as a claim in a SAML token. I have followed this article:

    https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims#configuring-custom-claims-via-directory-extensions

    I modified the app manifest and I can see the custom attribute is in the SAML response but as per the article it is emitted in the following format "http://schemas.microsoft.com/identity/claims/extn.CUSTOMATTRIB" which is no good to me.

    As the OP has stated, the custom defined attributes do not appear in the drop-down list under Enterprise Apps -> Your application -> Single sign-on page. If you try to enter user.CUSTOMATTRIB as the value, it sends it as a string literal.

    Any ideas how to fix this?

    • Proposed as answer by ross.at.ormo Thursday, August 30, 2018 8:30 AM
    • Unproposed as answer by ross.at.ormo Thursday, August 30, 2018 8:31 AM
    Wednesday, August 29, 2018 12:33 AM
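The symptom anlims and ross.at.ormo describe (the source name, e.g. user.custom4, arriving as a literal attribute value) and Sandeep's note that a claim with no stored value is simply not issued can both be checked on the receiving side by inspecting the AttributeStatement of a captured SAML Response. The Python below is an added example, not code from this thread or from Microsoft; the SAML Response it parses is a constructed sample, and the attribute names in it are placeholders chosen for illustration.

```python
"""Audit the attributes of a SAML Response for the two failure modes discussed above.

Added example, not from the thread. The sample response below is constructed;
the attribute names and the extension id (32 ones, as in the thread) are placeholders.
Run this on a decoded SAMLResponse only after its signature has been validated by
your SP library; this is a configuration check, not a signature validator.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# A value that is really an Azure AD *source reference* rather than a user value:
# "user.xxx" (optionally wrapped in the quotes the portal adds) or a raw
# extension_<32 hex chars>_name directory-extension reference.
UNRESOLVED = re.compile(
    r'^"?(user\.[A-Za-z0-9_]+|extension_[0-9a-fA-F]{32}_[A-Za-z0-9_]+)"?$'
)

# Constructed sample: one correctly resolved claim, one "user.custom4" literal,
# and one extension reference emitted as the value instead of the attribute's content.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_assert1" Version="2.0">
    <saml:Subject><saml:NameID>alice@contoso.example</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department">
        <saml:AttributeValue>Sales</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="custom4">
        <saml:AttributeValue>"user.custom4"</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="role">
        <saml:AttributeValue>extension_11111111111111111111111111111111_custom1</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_attributes(saml_response_xml: str) -> Dict[str, List[str]]:
    """Return {attribute Name: [values]} from every AttributeStatement in the response."""
    root = ET.fromstring(saml_response_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name", "")] = values
    return attrs


def audit_attributes(saml_response_xml: str, expected: List[str]) -> dict:
    """Flag unresolved source-name values and expected claims that never arrived."""
    attrs = extract_attributes(saml_response_xml)
    unresolved: List[Tuple[str, str]] = [
        (name, v) for name, vals in attrs.items() for v in vals if UNRESOLVED.match(v)
    ]
    # Per the thread: a claim whose source attribute is empty for this user is not
    # issued at all, so absence is reported separately from a wrong value.
    missing = [name for name in expected if name not in attrs]
    return {"attributes": attrs, "unresolved": unresolved, "missing": missing}


if __name__ == "__main__":
    wanted = [
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department",
        "custom4",
        "role",
        "http://schemas.microsoft.com/identity/claims/extn.CUSTOMATTRIB",
    ]
    report = audit_attributes(SAMPLE_RESPONSE, wanted)
    for name, value in report["unresolved"]:
        print(f"UNRESOLVED {name} = {value!r}")
    for name in report["missing"]:
        print(f"MISSING    {name}")
```

Feed it the base64-decoded SAMLResponse from a browser trace or your SP's debug log, with the list of attribute names the application expects; anything listed under "unresolved" is the portal mis-mapping described in this thread, and anything under "missing" is either an unmapped claim or a user with no value stored for that attribute.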
  • I believe the solution is to use a new Azure AD feature called claims mapping:

    https://docs.microsoft.com/en-us/azure/active-directory/active-directory-claims-mapping

    I have successfully implemented the custom claims. Here is an example I was using for Meraki Dashboard SSO:

    # Claims mapping policy definition: IncludeBasicClaimSet keeps the default claims,
    # ClaimsSchema adds one entry per extra claim (Source/ID select the user attribute,
    # SamlClaimType/JwtClaimType name the claim as the application expects it).
    $map = @{
        "ClaimsMappingPolicy" = @{
            "Version" = 1
            "IncludeBasicClaimSet" = "true"
            "ClaimsSchema" = @(
                @{
                    "Source" = "user"
                    "ID" = "userprincipalname"
                    "SamlClaimType" = "https://dashboard.meraki.com/saml/attributes/username"
                    "JwtClaimType" = "username"
                },
                @{
                    # Directory extension attribute; the xxx part is the app id of the
                    # application that registered the extension
                    "Source" = "user"
                    "ID" = "extension_xxxxxxxxxxxxxxxxxx_MerakiRole"
                    "SamlClaimType" = "https://dashboard.meraki.com/saml/attributes/role"
                    "JwtClaimType" = "role"
                }
            )
        }
    }
    # Create the policy from the JSON-serialised definition; it still has to be assigned
    # to the application's service principal (Add-AzureADServicePrincipalPolicy) to take effect
    New-AzureADPolicy -Definition @(($map | ConvertTo-Json -Depth 10 -Compress)) -DisplayName 'MerakiClaims' -Type 'ClaimsMappingPolicy'

    You must use the public preview Azure AD module in order to use these cmdlets:

    https://www.powershellgallery.com/packages/AzureADPreview/

    Hopefully this helps someone.

    • Proposed as answer by ross.at.ormo Thursday, August 30, 2018 8:37 AM
    Thursday, August 30, 2018 8:37 AM