Multitenant SAML signing certificate and claims

bmewburn 1 Reputation point
2022-06-16T06:26:04.66+00:00

I have configured a (non gallery) enterprise application for SAML multitenant SSO by following the guide here: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant

It works somewhat but there are some irregularities.

  1. When I sign in with a user from the tenant where I registered the app, the signing certificate that is used to sign the SAML response is the one from https://login.microsoftonline.com/[APP_TENANT_ID]/federationmetadata/2007-06/federationmetadata.xml?appid=[APP_ID]. However, if I sign in with a user from a completely unrelated tenant, the signing certificate is the one at https://login.microsoftonline.com/[APP_TENANT_ID]/federationmetadata/2007-06/federationmetadata.xml. Why is it not the certificate for the app itself?
  2. I have configured custom claims in the app registration. When I sign in with a user from the tenant that I registered the app in, my custom claims are sent in the SAML response. When I sign in with a user from an unrelated tenant the custom claims are missing and only the AD default claims are sent in the SAML response. I have attempted to configure the claims in the other tenant but the SSO section says that it is being managed from my original tenant. How do I get my custom claims to be sent when signing in from the other tenant?

2 answers

  1. Sandeep G-MSFT 14,326 Reputation points Microsoft Employee
    2022-07-20T07:29:55.16+00:00

    @bmewburn

    When you try to access the multitenant application, there is a service principal that gets created in your tenant.
    For example, Tenant A has the multitenant application registered. Now when a user from Tenant B tries to access the multitenant application, there is one service principal that gets created in Tenant B.

    If you have configured custom claims for the application in Tenant A, then these claims are passed only when users from Tenant A are accessing the application.
    If you want Tenant B users also to get the custom claims, then you will have to configure these custom claims in Tenant B as well.
    The certificate that is used in the token will be the Tenant B certificate.
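    Because each tenant signs with its own key, a multitenant service provider has to select the signing certificate by the tenant named in the response's Issuer, not by the tenant that registered the app. The following is an added illustration (not code from the question, the answer, or Microsoft): it derives the tenant from an Issuer of the form https://sts.windows.net/{tenant-id}/, checks it against an assumed allowlist of onboarded tenants, builds that tenant's federation metadata URL, and pulls the signing certificates out of a constructed metadata document with a placeholder certificate value.

```python
import re
from urllib.parse import urlparse
import xml.etree.ElementTree as ET
# Namespaces used in the Entra federation metadata document.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")

def tenant_from_issuer(issuer: str) -> str:
    # Entra signs SAML responses with Issuer https://sts.windows.net/<tenant-id>/,
    # so the SP reads the issuing tenant from there, not from the app's tenant.
    u = urlparse(issuer.strip())
    if u.scheme != "https" or u.netloc != "sts.windows.net":
        raise ValueError(f"unexpected issuer: {issuer!r}")
    tenant = u.path.strip("/").lower()
    if not GUID_RE.match(tenant):
        raise ValueError(f"issuer path is not a tenant id: {issuer!r}")
    return tenant

def metadata_url_for_tenant(tenant: str, allowed_tenants: set) -> str:
    # Only onboarded tenants may sign in; reject before any metadata fetch.
    if tenant not in allowed_tenants:
        raise PermissionError(f"tenant {tenant} is not onboarded")
    return (f"https://login.microsoftonline.com/{tenant}"
            "/federationmetadata/2007-06/federationmetadata.xml")

def signing_certs_from_metadata(xml_text: str) -> list:
    # Collect X509Certificate values from IDPSSODescriptor KeyDescriptors that
    # are for signing (no use attribute means the key serves both purposes).
    root = ET.fromstring(xml_text)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append("".join(c.text.split()))
    return certs

# Constructed sample metadata for a hypothetical tenant B; the certificate
# value is a placeholder, not a real certificate.
TENANT_B = "11111111-2222-3333-4444-555555555555"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT_B}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>PLACEHOLDER_TENANT_B_CERT</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""
```

    The certificates returned for the issuing tenant are the only ones the SP should accept for that response's signature; a response whose Issuer names a tenant outside the allowlist is rejected before any metadata is fetched.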


  2. PushTech 0 Reputation points
    2023-02-02T13:55:15.1533333+00:00

    I have been working on this for weeks and I have exactly the same problem as you. Don't know why there is no way to configure a certificate in Tenant B > Enterprise Applications > My application.

    And SAML Request always returns the same certificate...

    For the part of the claims, I think I can help you: you need to grant Ownership to one admin of Tenant B, then this user can configure claims in the Single Sign-On section of your Enterprise Application.
