1 Vote
SouthAfricanIdentityFederation-2571 asked · SouthAfricanIdentityFederation-2571 commented

Azure AD, SAML SSO and multi-valued attribute

The above title refers.

We've created a new Enterprise Application in Azure AD, and enabled SSO using SAML based auth.

We'd like the SSO to assert a multi-valued attribute to the SP. We have got as far as setting up a transformation rule that asserts a single value easily enough, but the definition of the destination attribute is that it can be multi-valued (eduPersonScopedAffiliation).

Is there perhaps some syntax for the transformation's output parameter to assert a multi-valued attribute?

Apologies if we have missed it in other Q&As or documentation. If someone can provide some info, or point me to documentation that helps solve this, it would be appreciated.

azure-ad-saml-sso

0 Votes
sikumars answered · SouthAfricanIdentityFederation-2571 commented

Hello @SouthAfricanIdentityFederation-2571,

Thanks for reaching out.

Unfortunately, Azure AD can't issue a multi-valued claim (assertion) at this time (for example, proxyAddresses is one of the multi-valued attributes).

Alternatively, you could use the "Azure AD App Roles" feature. With that you can add roles to the application, then assign those roles to users and/or groups. If the user is part of multiple groups and these groups have different roles assigned, then Azure AD can provide those multiple roles in the claims, so it can act as a multi-valued attribute.

We have a detailed article published on this here https://docs.microsoft.com/en-us/azure/active-directory/active-directory-enterprise-app-role-management

Please let us know if this works or you need something different than this.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


Thank You kindly - I will look into it.

0 Votes
sikumars · SouthAfricanIdentityFederation-2571

Sure, if you have any additional queries, feel free to reach out to us. Thanks for leveraging Microsoft Q&A forum.

0 Votes

0 Votes
Divya-9647 answered

@sikumars-msft By any chance, do we have support for multi-valued attributes like proxyAddresses in SAML claims now?


1 Vote
KartikSubbarao-8557 answered · KartikSubbarao-8557 commented

Azure SSO does support multi-valued attributes in claims, at least as of February 2022. I have tested this successfully with proxyAddresses as well as otherTelephone (a typically unpopulated multi-valued attribute suitable for testing):

<Attribute Name="othertelephone_test">
  <AttributeValue>test-long-value-group-1234</AttributeValue>
  <AttributeValue>7890-long-value-group-5678</AttributeValue>
</Attribute>


@KartikSubbarao-8557 Is there a full list of other attributes that support multiple values?

Those two fields (proxyAddresses and otherTelephone) are somewhat of a pain to update systematically.

0 Votes

Yes, it's possible to pull a list of multivalued attributes in the AD schema, for example: https://stackoverflow.com/a/49129485

However, you can also create a custom multi-valued attribute in AD, so you don't have to deal with the quirks of existing attributes:

https://www.windowstechno.com/how-to-create-custom-attributes-in-active-directory/
(make sure to check the Multi-Valued checkbox in the "Create New Attribute" window)

And then sync it to Azure AD:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-directory-extensions

As part of this you'll need to refresh the schema in Azure AD Connect: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-installation-wizard


1 Vote
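The SP side of what this thread describes, as an added example that is not code from any of the posts above: a multi-valued SAML attribute arrives as one Attribute element holding several AttributeValue children, exactly the shape of the othertelephone_test output quoted in the accepted answer. Two things go wrong in SP code that practitioners tend to hit: reading only the first AttributeValue (so a user with several affiliations is silently reduced to one), and trusting the scope half of an eduPersonScopedAffiliation value without checking that the asserting IdP is allowed to assert that scope. The assertion below is constructed for this example; the eduPersonScopedAffiliation name uses its standard urn:oid form, the scope example.ac.za and all values are made up, the Issuer URL is a placeholder, and the code assumes the assertion's XML signature has already been verified before parsing.

```python
"""Collect every value of a multi-valued SAML attribute and validate
eduPersonScopedAffiliation scopes. Added example, not from the thread."""
from __future__ import annotations

import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Standard SAML2 attribute name for eduPersonScopedAffiliation.
EPSA_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"

# Constructed sample assertion (not captured from Azure AD). The first
# attribute mirrors the othertelephone_test output quoted in the answer;
# the scope example.ac.za and the Issuer URL are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2022-02-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/tenant-id-placeholder/</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="othertelephone_test">
      <saml:AttributeValue>test-long-value-group-1234</saml:AttributeValue>
      <saml:AttributeValue>7890-long-value-group-5678</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>member@example.ac.za</saml:AttributeValue>
      <saml:AttributeValue>staff@EXAMPLE.ac.za</saml:AttributeValue>
      <saml:AttributeValue>faculty@evil.example</saml:AttributeValue>
      <saml:AttributeValue>no-scope-here</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def collect_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Return {attribute Name: [all values, in document order]}.

    Every AttributeValue child is kept, so a multi-valued attribute is not
    truncated to its first value. If the same Name appears in more than one
    Attribute element the values are merged into one list.
    """
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        if not name:
            continue
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(name, []).extend(v for v in values if v)
    return attrs


def scoped_affiliations(attrs: dict[str, list[str]],
                        allowed_scopes: set[str]) -> tuple[list[str], list[str]]:
    """Split eduPersonScopedAffiliation values into (accepted, rejected).

    Each value has the form affiliation@scope. A value is accepted only when
    its scope is one this IdP is permitted to assert (the set an SP would
    normally take from the IdP's metadata); scopes are DNS names, so the
    comparison is case-insensitive. Anything else, including values with no
    scope at all, is rejected rather than guessed at.
    """
    allowed = {s.lower() for s in allowed_scopes}
    accepted: list[str] = []
    rejected: list[str] = []
    for value in attrs.get(EPSA_OID, []):
        affiliation, sep, scope = value.rpartition("@")
        if sep and affiliation and scope.lower() in allowed:
            accepted.append(f"{affiliation}@{scope.lower()}")
        else:
            rejected.append(value)
    return accepted, rejected


if __name__ == "__main__":
    attrs = collect_attributes(SAMPLE_ASSERTION)
    for name, values in attrs.items():
        print(f"{name}: {values}")
    ok, bad = scoped_affiliations(attrs, {"example.ac.za"})
    print("accepted:", ok)
    print("rejected:", bad)
```

In a real SP the parse should happen only after signature verification, and with a hardened parser (for example defusedxml) rather than the standard library one, since the assertion is attacker-supplied input until the signature checks out. The allowed-scope set is the same idea as the shibmd:Scope element in IdP metadata: it is per IdP, not global, otherwise one federated IdP could assert affiliations for another institution.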