Azure AD SAML - Claim Conditions on nameidentifier (required Name ID) claim

coaxke asked:

Hi Azure AD Team,

I just deployed an application in my tenant with some crazy claim transforms but ran into an issue when attempting to apply claim conditions on a required NameID claim:

In my application, for some users I want to emit a static value if the user is a member of a group. This works fine if the claim is of type "Additional". For example, the following claim emits a static role if the user is a member of a specific group:

[Screenshot: additionalclain.png]

The above works great!

If I attempt to do the same for the NameID claim, the value is not re-written (I know this is a strange scenario). The only workaround is to create a claim condition of type Transformation instead of Attribute. Consider the following examples:

This will not work:

[Screenshot: wontwork.png]

This will work:

[Screenshot: willwork.png]

Is this perhaps a known issue or am I doing something unsupported here?

Hopefully my description is understandable :)

Thanks, Patrick

azure-active-directory

amanpreetsingh-msft answered:

@coaxke Thanks for the clarification. When you select Attribute, the value has to be the name of an attribute. You cannot pass a static value in that case. To pass a static value, the Transformation option needs to be used.


Please "Accept as answer" wherever the information provided helps you to help others in the community.


coaxke commented:

Thanks again for your reply. Two things:

1) I have used static values for the non-Name-ID claims just fine, so this is a limitation for a required claim? Kind of strange that a transform which is essentially setting a static value is okay.

2) For testing purposes I'm sure I tried the user.mail attribute and didn't find it worked. I'll go back and re-try I guess.


Hi @amanpreetsingh-msft, I just tried a claim condition of type Attribute and you're right, it worked. I don't know why I had issues earlier. I'll mark this answer as accepted, thanks for the help.

-Patrick


amanpreetsingh-msft answered:

@coaxke I just tested the same settings for Name ID in my tenant and it worked perfectly fine for me.

[Screenshot: capture.jpg]

Below is the snippet from the token with the same value being passed as Name ID:

[Screenshot: capture2.jpg]

If you are not getting the specified static value in the token, what do you get in the token as Name ID?

With the information that you have shared, the only thing that I can think of which might be causing the issue in your case is that the user account you are testing with doesn't have an email address. In that case, the condition will not match and the rule will not apply.


Please Accept as answer wherever the information provided helps you to help others in the community.

coaxke commented:

Hi @amanpreetsingh-msft,

I mean the inverse of what you tried. The transform works; an attribute claim condition does not, I have found:

[Screenshot: attribute.png]

-Patrick

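The answer above asks the practical question this thread turns on: what does the token actually carry as Name ID after the condition is applied? Rather than reading the screenshot, the quickest check is to capture the SAMLResponse posted to the application's ACS URL and inspect the Subject/NameID and the AttributeStatement directly. The following Python script is an added example written for this page, not code from the original thread or from Microsoft. The embedded SAML response, the tenant GUID, the email addresses and the role value are all constructed sample data; the attribute claim URIs are the standard ones Azure AD emits. The script only inspects the assertion, it does not validate the XML signature, so use it as a debugging aid and never as an acceptance check in a relying party.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by the response and assertion elements.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Claim URIs that Azure AD emits for the role and email attributes.
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample response (not a real token). The tenant GUID, addresses and
# role value are placeholders; the shape mirrors an Azure AD SAML response after a
# group-conditioned rule has rewritten NameID to a static value and added a role.
SAMPLE_RESPONSE_XML = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_r1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z"
                Destination="https://app.example.com/saml/acs">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">static-nameid@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
        <saml:AttributeValue>GroupMemberRole</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>patrick@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

# The browser posts the response base64-encoded in the SAMLResponse form field.
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode("utf-8")).decode("ascii")


def decode_saml_response(b64_response: str) -> str:
    """Decode the base64 SAMLResponse form field into the raw XML document."""
    return base64.b64decode(b64_response).decode("utf-8")


def extract_name_id(response_xml: str):
    """Return (Format, value) of the assertion's Subject/NameID, or None if absent."""
    root = ET.fromstring(response_xml)
    name_id = root.find("./saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        return None
    return (name_id.get("Format"), (name_id.text or "").strip())


def extract_attributes(response_xml: str) -> dict:
    """Map each Attribute Name in the AttributeStatement to its list of values."""
    root = ET.fromstring(response_xml)
    attributes = {}
    for attr in root.findall("./saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return attributes


def check_expected_name_id(response_xml: str, expected_value: str) -> bool:
    """True when the issued NameID equals the static value the claim rule should emit.

    This compares values only; it performs no signature validation, so it is a
    debugging check for claim-rule behaviour, not a trust decision.
    """
    name_id = extract_name_id(response_xml)
    return name_id is not None and name_id[1] == expected_value


if __name__ == "__main__":
    xml_text = decode_saml_response(SAMPLE_RESPONSE_B64)
    print("NameID:", extract_name_id(xml_text))
    for name, values in extract_attributes(xml_text).items():
        print(f"{name} = {values}")
    print("Static NameID applied:", check_expected_name_id(xml_text, "static-nameid@example.com"))
```

To use it against a real login, copy the SAMLResponse value from the browser's network tab (the form POST to the ACS URL) and pass it to decode_saml_response. If NameID still shows the user's UPN or email rather than the static value, the condition did not match, which is the case the answer above describes for an account with no email address.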