Azure Active Directory - User Attribute Mapping Issue

Answers

  • Hi Ram,

    Now this explains your issue. The mail attribute, given name and surname are not populated for the user. 

    So Azure AD, instead of sending null values, will skip these claims in the SAML token. Populate these values using PS / Graph / Portal and then try to authenticate to JIVE.

    I am confident you will get the claims in the token and post that JIVE should be able to consume the token.

    • Marked as answer by Cheekoti Ram Tuesday, March 12, 2019 2:18 PM
    Tuesday, March 12, 2019 11:04 AM

All replies

  • Hello Ram,

    Based on the error and the JIVE integration tutorial available here, it looks like user assignment to the application is mandatory.

    Can you assign a test user to the Jive application from Azure Portal > Enterprise Applications > Jive > users and groups tab and then try to sign in with the same user?


    Monday, March 11, 2019 3:18 AM
  • Hi Manoj,

    Thanks for the response.

    I already did that. I had gone through the provided link earlier, but no luck. I have created a test user in AD and assigned it to the JIVE application, after which I am getting the error.



    Thanks, Ram Ch

    Monday, March 11, 2019 3:25 AM
  • Hello Ram,

    In your first post you mentioned SAML trace errors. Have you captured a SAML trace while logging in?

    Do you see a SAML response being sent from Azure AD to Jive? Can you decode it and see if the email address claim is being sent in the SAML response or not?

    Monday, March 11, 2019 3:55 AM
  • Hi Manoj,

    Find the below SAML trace and Azure user attribute settings and let me know.


    Thanks, Ram Ch

    Monday, March 11, 2019 5:29 AM
  • Hello Ram,

    The status code "Success" indicates Azure AD sent a SAML response and probably the error is from Jive side which explains the error missing claim in your original post.

    Now I can see the email address being sent as the NameID, but do you see the email address explicitly being sent as a claim along with given name, surname etc.?

    If you see email address being sent in the SAML assertion, I would recommend approaching JIVE support. 

    Monday, March 11, 2019 6:45 AM
  • Hi Manoj,

    If you look at the logs, "User did not have the required attributes sent from the identify provider." The IDP is not sending the proper attribute name, because of which JIVE is throwing an error.

    On the Jive side, the attribute mapping is configured based on the MS Azure and SSO documentation:

    https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-saml-idp

    https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/jive-tutorial#configuring-azure-ad-single-sign-on

    I believe the attribute name that is mentioned in the MS documentation is not correct. Can you please check?


    Thanks, Ram Ch

    Monday, March 11, 2019 9:29 AM
  • Hi Ram,

    I agree, the error message from Jive is quite clear and is basically mentioning that a claim (email address) is missing.

    This is the reason I requested you to check the complete SAML response to see if Azure AD is sending the email address claim along with other claims. Can you find the attribute statement section in the SAML response sent by Azure AD and check if we are passing the claims?

    The syntax is correct and it's working in many of my applications. 

    Snippet of the SAML attribute statement from the SAML response sent to my application (the closing tags of the last Attribute and the AttributeStatement are restored here; the original paste was cut off):

    <AttributeStatement>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <AttributeValue>K N Manoj</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <AttributeValue>Reddy</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <AttributeValue>xyz@domain.com</AttributeValue>
      </Attribute>
    </AttributeStatement>


    Monday, March 11, 2019 11:06 AM
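The check Manoj asks for above (decode the SAMLResponse from a browser trace and confirm which claims the AttributeStatement actually carries) as an added example in Python; this is not code from the thread or from Microsoft. The embedded response is a constructed sample, not a real capture, and the claim URIs are the default Azure AD ones quoted in the snippet above.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Default Azure AD claim URIs that the Jive mapping relies on (same names as the snippet above).
EXPECTED_CLAIMS = {
    "givenname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "surname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "emailaddress": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
}

def check_saml_response(saml_response_b64: str) -> dict:
    """Decode a base64 SAMLResponse (as captured in a browser SAML trace) and report the
    status, the NameID, every attribute in the AttributeStatement and the expected claims that are absent."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    status = root.find("./samlp:Status/samlp:StatusCode", NS)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attributes = {
        attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
        for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)
    }
    # Azure AD drops a claim entirely when the source attribute is empty, so look for
    # a missing Attribute element rather than an empty AttributeValue.
    missing = [name for name, uri in EXPECTED_CLAIMS.items() if uri not in attributes]
    return {
        "status": status.get("Value").rsplit(":", 1)[-1] if status is not None else None,
        "name_id": name_id.text if name_id is not None else None,
        "attributes": attributes,
        "missing_claims": missing,
    }

# Constructed sample (not a real capture): a Success response for a user whose mail,
# givenName and surname are unpopulated, so only the NameID and the UPN "name" claim appear.
SAMPLE_RESPONSE = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion>
    <saml:Subject><saml:NameID>testuser@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>testuser@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""").decode()

if __name__ == "__main__":
    print(check_saml_response(SAMPLE_RESPONSE)["missing_claims"])  # ['givenname', 'surname', 'emailaddress']
```

A "Success" status with claims listed under missing_claims is exactly the situation in this thread: the IdP answered, but the user's source attributes were empty, so the relying party never received them.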
  • Hi Manoj,

    Can you see the below SAML attribute statement and let me know based on it.


    Thanks, Ram Ch

    Monday, March 11, 2019 1:38 PM
  • Hi Manoj,

    It is not solved yet. Can you help?

    Please can you mark it as not answered fully.


    Thanks, Ram Ch

    Monday, March 11, 2019 6:03 PM
  • Hello Ram, 

    I see that a lot of claims are missing (surname, given name, mail etc) in the attribute statement. 

    Can you send me the complete output of the following command from PowerShell?

    Get-AzureADUser -ObjectId <ramcheekoti@jivedev.com> | fl

    Tuesday, March 12, 2019 4:57 AM
  • Hi Manoj,

    Please find the below output of the above command:

    At present I am only focusing on the email attribute.


    Thanks, Ram Ch


    • Edited by Cheekoti Ram Tuesday, March 12, 2019 10:25 AM forgot
    Tuesday, March 12, 2019 10:24 AM
  • Great, it worked. The email is not assigned to the user in Azure AD. Thanks so much for your help.

    Thanks, Ram Ch

    Tuesday, March 12, 2019 2:18 PM