sivapokuri-4462 asked

Azure AD claim transformation to find and replace

I found another thread with the same requirement, so I am pasting the requirement from that thread here, as there is no option to reply in that thread to check on the latest status.

I am trying to customize the claims issued in the SAML token by Azure AD for single sign on. I am using the following Microsoft documentation:

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization

On one claim, I want to perform a Find and Replace transformation. For example:

I need to extract guest user email address from UPN attribute.

I don't see how to do this with the available claims transformation rules in the Azure portal.

How could I perform a Find and Replace in Azure AD for SAML token claims?

Please share any thoughts.

Thanks
Siva Pokuri.

Tags: azure-ad-saml-sso, azure-ad-single-sign-on

@sivapokuri-4462 Thanks for using Microsoft Q&A!
What do you mean by a find-and-replace transformation? Are you not able to get the required transformation using ExtractMailPrefix(user.userprincipalname)?

(screenshot attached)

I tried using that ExtractMailPrefix transformation function; it gives "pokuri86_gmail.com#EXT#", but we want to transform it to "pokuri86@gmail.com".

As mentioned in my question.

We have a requirement to extract the email address from the userprincipalname attribute for guest accounts.

One thing I see is not available is replacing the _ character with @ to transform the UPN of guest accounts.

If we could transform the UPN value with a regular expression, that would also be great.

I don't find either option to transform the UPN value to the guest email address.

Please advise if there is any other way to extract the email address from the UPN and pass it as a claim to the application.

Thanks
Siva Pokuri
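The UPN shape reported in the comment above (ExtractMailPrefix yielding "pokuri86_gmail.com#EXT#") and the proposed underscore-to-@ replacement can be checked offline. The Python below is an added example, not code from the thread, from Microsoft or from Azure AD itself. It assumes the documented guest (B2B) UPN shape, the home email with its "@" replaced by "_", followed by "#EXT#@" and the inviting tenant; the sample UPNs and the contoso.onmicrosoft.com tenant are constructed. It shows why replacing the first underscore breaks for local parts that themselves contain underscores, and why the split has to be on the last underscore before "#EXT#" (a mail domain cannot contain underscores, so that one is the substituted "@").

```python
import re

# Constructed sample UPNs (not from the thread). Azure AD forms a guest UPN as
# <home email with '@' replaced by '_'>#EXT#@<inviting tenant>.
SAMPLE_UPNS = [
    "pokuri86_gmail.com#EXT#@contoso.onmicrosoft.com",      # shape reported in the thread
    "first_last_example.org#EXT#@contoso.onmicrosoft.com",  # underscore inside the local part
    "alice@contoso.com",                                     # member account: no #EXT# marker
]

# Assumed guest UPN pattern: everything before '#EXT#@' is the encoded home email.
GUEST_UPN_RE = re.compile(r"^(?P<encoded>.+)#EXT#@(?P<tenant>[^@]+)$")


def extract_mail_prefix(upn: str) -> str:
    """Mimic what the thread reports ExtractMailPrefix() doing: keep the part before the last '@'."""
    return upn.rsplit("@", 1)[0]


def naive_replace(upn: str) -> str:
    """The 'replace _ with @' idea from the thread, applied to the first underscore.

    Wrong whenever the guest's original local part contains an underscore.
    """
    return extract_mail_prefix(upn).replace("#EXT#", "").replace("_", "@", 1)


def guest_email_from_upn(upn: str) -> str:
    """Recover a guest's home email from the UPN; member UPNs pass through unchanged.

    Only the LAST '_' before '#EXT#' replaced the '@', because a mail domain
    cannot contain underscores, so split on that one rather than the first.
    """
    m = GUEST_UPN_RE.match(upn)
    if not m:
        return upn  # not a guest UPN: the asker's internal users keep their UPN
    local, sep, domain = m.group("encoded").rpartition("_")
    if not sep or not local or "." not in domain:
        raise ValueError(f"unexpected guest UPN shape: {upn!r}")
    return f"{local}@{domain}"


if __name__ == "__main__":
    for upn in SAMPLE_UPNS:
        print(f"{upn:55} naive={naive_replace(upn):28} decoded={guest_email_from_upn(upn)}")
```

The decoded value is derived from the UPN, not read from a verified attribute, so an application receiving it in a claim should treat it as a mapped identifier rather than a verified mailbox; that is the point Alfredo raises about the mail attribute. The last-underscore rule is also what any regex-based transformation of this claim has to express, whichever product feature is used to express it.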

1 Answer

AlfredoRevilla answered

Howdy. The UPN won't always match the email address, even less so in this case, since it's an external (guest) user account. The best you can do is to just output the mail attribute.

@amanpreetsingh-msft

If the answer was helpful to you, please accept it and, optionally, provide feedback so that other members in the community can benefit from it.


Dear AlfredoRevilla,

Thanks for your response.

I cannot go with the mail attribute, as I have a set of internal users with different email addresses in the UPN and mail attributes, and it flips my issue to the internal users. So I will have to rely on the UPN attribute, and somehow read and transform the UPN attribute value to an email and pass it as a claim.

Thanks
Siva Pokuri.


Hello All,

Found a solution for SAML-based applications with the below transformation. Thanks to Microsoft support!

But I still have to find a similar solution for OpenID applications. I appreciate any input.

(screenshot attached: samltransformation.png)