question

0 Votes
RituRaj-6477 asked, RituRaj-6477 commented

Add restricted claim UPN to saml

I am trying to set up SSO with an app via SAML. The app expects the UPN in the claim, but sadly the upn attribute is not being passed in the claim.
Since upn is a restricted attribute, I cannot add it the custom attribute way. Adding it as an optional attribute via the Manifest is also not working.

Is it possible to pass the upn attribute at all via the SAML token?

azure-ad-saml-sso

0 Votes
sikumars answered, RituRaj-6477 commented

@RituRaj-6477,

The following namespace URI, "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", is part of the SAML restricted claim set for Azure AD, so this is expected behavior.

A workaround is to use a claims mapping policy, where this restriction is not enforced, but this feature is still in preview.

Steps:

Please find below detailed steps for creating an Azure AD policy and then assigning it to a service principal object.

• You must have the AzureAD module installed, because this can only be done through PowerShell. If it is not installed already, refer to this article to install the AzureAD module.

• Use this cmdlet to create a new Azure AD policy; this defines the basic claims "userprincipalname" and "mail":

 New-AzureADPolicy -Definition('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true","ClaimsSchema":[{"Source":"user","ID":"userprincipalname","SamlClaimType":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"},{"Source":"user","ID":"mail","SamlClaimType":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"}]}}') -DisplayName UPN -Type "ClaimsMappingPolicy"

• Run the following command to see your newly created policy and copy the policy ObjectId:

Get-AzureADPolicy

• Assign the policy to your service principal. You can get the ObjectId of your service principal from the Enterprise applications blade, as shown in the screenshot below:

Add-AzureADServicePrincipalPolicy -Id <ObjectId of the ServicePrincipal> -RefObjectId <ObjectId of the Policy>

66393-image.png


• Once the policy has been successfully assigned, set AcceptMappedClaims to true in the app, as shown in the following image:
66404-image.png

Now you should see the basic claims "userprincipalname" and "mail" appear in the SAML token. Please find below a screenshot from my lab for your reference:

SAML Token:
86992-image.png

Hope this helps.

Note:
*On the same application, if you customize claims using the portal in addition to the Graph/PowerShell method detailed in this document, tokens issued for that application will ignore the configuration in the portal. Configurations made through the methods detailed in this document will not be reflected in the portal, and you will see the notification below.

86930-image.png

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Thanks a lot for detailed answer.

0 Votes
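The claims-mapping procedure from sikumars's answer above, written out as one PowerShell script that creates the policy (with the same definition as the answer, expanded for readability), assigns it to the service principal, and reads the assignment back. This is an added example, not code from the answer or from Microsoft. It assumes the AzureAD module is installed and an admin session; the display name 'My SAML App' is a placeholder to replace with your own enterprise application's name.

```powershell
# Added example (not from the thread): claims-mapping policy for the UPN claim,
# created and assigned idempotently so re-running it does not create duplicates.
# Assumptions: AzureAD PowerShell module installed; 'My SAML App' is a placeholder.
Connect-AzureAD | Out-Null

$appDisplayName = 'My SAML App'   # placeholder: your enterprise application's display name
$policyName     = 'UPN'

# Same definition as the cmdlet in the answer, laid out as JSON for review.
$definition = @'
{
  "ClaimsMappingPolicy": {
    "Version": 1,
    "IncludeBasicClaimSet": "true",
    "ClaimsSchema": [
      { "Source": "user", "ID": "userprincipalname",
        "SamlClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" },
      { "Source": "user", "ID": "mail",
        "SamlClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" }
    ]
  }
}
'@

# Fail early on malformed JSON instead of storing a broken policy in the tenant.
$null = $definition | ConvertFrom-Json

# Reuse an existing policy with this name rather than creating another one.
$policy = Get-AzureADPolicy |
    Where-Object { $_.Type -eq 'ClaimsMappingPolicy' -and $_.DisplayName -eq $policyName }
if (-not $policy) {
    $policy = New-AzureADPolicy -Definition $definition -DisplayName $policyName -Type 'ClaimsMappingPolicy'
}

# Look up the service principal by display name instead of copying its ObjectId from the blade.
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$appDisplayName'"
if (-not $sp) { throw "Service principal '$appDisplayName' not found" }

# Only one claims-mapping policy can be assigned to a service principal; skip if already there.
$assigned = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId
if (-not ($assigned | Where-Object { $_.Id -eq $policy.Id })) {
    Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
}

# Read the assignment back to confirm it took effect.
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId | Select-Object Id, DisplayName, Type

# AcceptMappedClaims is not exposed by the AzureAD module; set "acceptMappedClaims": true
# in the app registration manifest, as the screenshot in the answer shows.
```

Run it in a session authenticated as an account that is allowed to create policies and modify the service principal; the final `Get-AzureADServicePrincipalPolicy` line is the check that the policy is actually attached before you test a sign-in.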

Hello @RituRaj-6477,

Thanks for reaching out.

Could you please try adding a new claim from the "User Attributes & Claims" section of the Azure AD Enterprise Application, as shown below:

Steps:
1. Under User Attributes & Claims, click the edit symbol
86808-image.png

2. Click Add new claim
86810-image.png


3. Write displayname in the Name field
4. Leave Namespace as empty
5. Choose Attribute as Source
6. Select user.userprincipalname as Source attribute and Save it.


86861-image.png


Here is an example of the UPN claim in a SAML token. Hope this helps.

86768-image.png


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

0 Votes
RituRaj-6477 answered

Hi @sikumars-msft,

This is not with the namespace that the upn should have. The configured application does not identify it as a valid upn. This should have a valid namespace like the one below:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn

Do you have any trick for that?

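The point RituRaj makes above, and the "check the SAML token" step in sikumars's claims-mapping answer, both come down to inspecting the attribute names in the assertion: a claim added as "displayname" with no namespace is a different attribute from one named with the restricted UPN URI. The following is an added example, not code from any post in this thread; it parses a SAML assertion (raw XML or the base64 SAMLResponse form value) and reports whether the UPN claim is present under the exact URI. The assertion it parses is constructed for illustration and contains both kinds of claim.

```powershell
# Added example (not from the thread): verify that a SAML assertion carries the UPN
# under the exact restricted-claim URI the application expects.
$UpnClaimUri = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'

# Constructed sample assertion: a "displayname" claim (no namespace, as in the
# portal-only approach) next to a claim with the proper UPN URI.
$SampleAssertion = @'
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-example" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="displayname">
      <saml:AttributeValue>alice@contoso.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
      <saml:AttributeValue>alice@contoso.example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
'@

function Get-SamlAttributes {
    # Returns a hashtable mapping each attribute Name to its array of values.
    # Accepts either raw assertion XML or the base64-encoded SAMLResponse value.
    param([Parameter(Mandatory)][string]$Token)
    $xmlText = $Token
    if ($Token.TrimStart() -notmatch '^<') {
        $xmlText = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Token))
    }
    $doc = [xml]$xmlText
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    $attributes = @{}
    foreach ($node in $doc.SelectNodes('//saml:AttributeStatement/saml:Attribute', $ns)) {
        # GetAttribute avoids the clash between the XML "Name" attribute and XmlElement.Name.
        $name   = $node.GetAttribute('Name')
        $values = @($node.SelectNodes('saml:AttributeValue', $ns) | ForEach-Object { $_.InnerText })
        $attributes[$name] = $values
    }
    return $attributes
}

function Test-UpnClaim {
    # True only when an attribute with the exact UPN URI exists and looks like user@domain.
    param([Parameter(Mandatory)][hashtable]$Attributes)
    if (-not $Attributes.ContainsKey($UpnClaimUri)) {
        Write-Warning "No attribute named '$UpnClaimUri'; the app will not recognise any claim as the UPN."
        return $false
    }
    $value = $Attributes[$UpnClaimUri][0]
    if ($value -notmatch '^[^@\s]+@[^@\s]+$') {
        Write-Warning "UPN claim is present but its value '$value' is not in user@domain form."
        return $false
    }
    Write-Host "UPN claim OK: $value"
    return $true
}

$attrs = Get-SamlAttributes -Token $SampleAssertion
$attrs.Keys | ForEach-Object { '{0} = {1}' -f $_, ($attrs[$_] -join ', ') }
Test-UpnClaim -Attributes $attrs
```

To check a real sign-in, pass the SAMLResponse value captured from the browser's form post to `Get-SamlAttributes` instead of `$SampleAssertion`; with the portal-only "displayname" claim the test returns false, and with the claims-mapping policy assigned it returns true.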