muralidharanrajendran-0007 asked GregBrown-1558 commented

Azure AD NameID Claim transformation/customization for a SaaS application

I am in the process of configuring/integrating a SaaS-based application with Azure AD.

This application is currently configured with ADFS and has a claim rule that prepends the letters "hr" to the employeeID, e.g. "hr00000".

We are trying to achieve the same claim issuance from Azure AD. Is there a way to accomplish this in Azure AD?

The "Join" transformation rule is limited to the verified domain name only.

And I have tried other transformation rules with no luck.

Thanks

Tags: azure-ad-saml-sso, azure-ad-tenant, azure-ad-enterpriseapps, azure-ad-app-development

@muralidharanrajendran-0007


I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


1 Answer

shashishailaj answered GregBrown-1558 commented

Hello @muralidharanrajendran-0007 ,

I think you are referring to the Special Claims - transformations section of the article Customize app SAML token claims, which describes one way to use the Join() function. The claim transformation section below provides more details.

64528-image.png

If you need a custom claim like the one you have specified, you will need to type the claim manually. Please see the screenshots below for clarification.

64631-image.png
64620-image.png
64519-image.png
64520-image.png
64632-image.png

This should return your claim in the format below.

 <Attribute Name="http://schemas.microsoft.com/identity/claims/Hrclaim">
  <AttributeValue>hr123453</AttributeValue>
 </Attribute>

Hope this helps. I have written another answer with details on a similar issue and would encourage you to check that as well. In case this does not help you or I have misunderstood your query, please let me know more details in the comments and we will continue the conversation. If this worked for you, please accept this as the answer so that it helps other members searching for similar queries.

Thank you.


Thank you for the detailed answer. Let me try configuring it as you suggested. So I need to create a new additional claim rule to achieve this. Also, could you clarify how I can set the new additional claim as the NameID? We cannot edit the Unique User Identifier (NameID) to apply this transformation, as the separator option is frozen when using the Join function to transform the NameID. The Join function is limited to the verified domain for the NameID. Please correct me if I am wrong.


Hi Shashi, I too have questions about claim transformations and wondered if you could comment on this use case?

Step 1: Determine whether user.mail contains specific text (a domain for instance). Return user.mail.
Step 2: ExtractMailPrefix() from user.mail.
Step 3: Join ExtractMailPrefix + '@' + 'alternate domain.com'

You can see I have three transformations and seem to be limited to two. I am stumped; is there another combination of steps I am missing? Is the last step a manifest addition?

Any insight is appreciated.

Greg

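The following is an added example, not code from the thread above or from Microsoft. It shows the receiving side of the answer's result: a service provider parsing the SAML AttributeStatement the answer shows, validating that the custom claim really has the "hr" + employeeID shape before using it for account matching, and rejecting the case where a blank employeeId in the directory leaves only the literal "hr". It also carries a plain-Python model of the three steps Greg lists in his comment (contains check, ExtractMailPrefix, Join with an alternate domain) so the expected output is concrete. Assumptions: the claim name `http://schemas.microsoft.com/identity/claims/Hrclaim` is taken from the answer; the sample assertion, the user `jdoe@contoso.com`, the domain `alternate.example` and the function names are constructed for this example; the model of Greg's steps reflects the intended outcome, not Azure AD's own evaluation logic.

```python
import re
import xml.etree.ElementTree as ET  # for untrusted SAML in production, parse with defusedxml

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NSMAP = {"saml": SAML_NS}
# Claim name from the answer above; "hr" followed by digits is the shape the
# answer's screenshots are meant to produce.
HR_CLAIM = "http://schemas.microsoft.com/identity/claims/Hrclaim"
HR_CLAIM_RE = re.compile(r"^hr(\d+)$")

# Constructed sample assertion for this example (not a real token; unsigned).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@contoso.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{HR_CLAIM}">
      <saml:AttributeValue>hr123453</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def get_attribute_values(assertion_xml: str, name: str) -> list:
    """Return every AttributeValue of the named SAML attribute, in document order."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NSMAP):
        if attr.get("Name") == name:
            values.extend((v.text or "").strip()
                          for v in attr.findall("saml:AttributeValue", NSMAP))
    return values


def employee_id_from_hr_claim(assertion_xml: str) -> str:
    """Validate the custom claim and return the bare employeeID.

    Call this only after the assertion's XML signature, audience and validity
    conditions have been verified; this function checks shape, not authenticity.
    """
    values = get_attribute_values(assertion_xml, HR_CLAIM)
    if len(values) != 1:
        raise ValueError(f"expected exactly one {HR_CLAIM}, got {len(values)}")
    match = HR_CLAIM_RE.match(values[0])
    if not match:
        # Failure mode worth handling: if employeeId is empty in the directory,
        # the Join() yields just "hr", which must not be matched to any account.
        raise ValueError(f"malformed Hrclaim value {values[0]!r}")
    return match.group(1)


def model_mail_rewrite(mail: str, must_contain: str, new_domain: str) -> str:
    """Model of the three steps in Greg's comment (assumption: this mirrors the
    intended outcome, not how Azure AD evaluates transformations):
    1. if user.mail does not contain must_contain, return user.mail unchanged;
    2. ExtractMailPrefix(): the local part before '@';
    3. Join(prefix, '@', new_domain)."""
    if must_contain not in mail:
        return mail
    local_part, _, _ = mail.partition("@")
    return f"{local_part}@{new_domain}"


if __name__ == "__main__":
    print(employee_id_from_hr_claim(SAMPLE_ASSERTION))
    print(model_mail_rewrite("jdoe@contoso.com", "contoso.com", "alternate.example"))
```

The shape check is deliberately strict (exactly one attribute, digits only after the prefix) because the SP will typically use this value to look up an account; a lenient match on a value the IdP built from a possibly empty directory attribute is how an unintended account mapping slips through.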