The core requirement is to map device attribute and send in SAML token along with all other user attributes.

Question

The core requirement is to map device attribute and send in SAML token along with all other user attributes.

Bishnu Baliyase 130

We need to send one of the computer attribute (device.divison) to the SAML claim along with other user attributes in one of the enterprise application in Entra ID. The device is Azure AD hybrid joined and available in the Entra ID (Devices). In the Enterprise application Attribute & Claim mapping, it only gives the option to map user attributes not a computer attribute. The application requirement is such that it should get the device division attribute value in the claim during the authentication process along with other claims in the SAML assertion. Please help how this can be achieved. Also suggest any alternative methods.

(Note:- device.divison attribute is default attribute of computer and it is not an ExtensionAttribute)

Thanks you in advance.

0 comments

1 answer

Your answer

Answer 1

Anonymous

Hi @Bishnu Baliyase,

Thank you for reaching out to Microsoft Q&A.

I understand that you would like to populate, device attribute in SAML token along with all other user attributes.

Unfortunately, there is no SAML attribute that Azure is parsing to fetch device attribute. By default, the Microsoft identity platform issues a SAML token to an application that contains a claim with a value of the user's username (also known as the user's principal name), which can uniquely identify the user. The SAML token also contains other claims that include the user's email address, first name, and last name. SAML attribute claims include user attributes and directory extension attributes.

For more information: https://learn.microsoft.com/en-us/entra/identity-platform/saml-claims-customization

Hope this helps. Do let us know if you any further queries.

Thanks & Best Regards

Janaki Kota

Bishnu Baliyase 130 Reputation points

2025-02-03T13:32:43.0866667+00:00

Hello @Anonymous Thank you for your answer.

Directory extension supports only User & Group attributes and not the Device attribute as of today. Also, as I mentioned device.divison attribute is default attribute of computer object.

Please let me know if any alternate ways /work-around to send the device.division attribute in the claim.

Thanks
Anonymous

2025-02-03T17:48:43.0566667+00:00

Hi @Bishnu Baliyase,

Thanks for the prompt response.

After checking with the internal team, we got to know that the there are no alternative methods to send the device.division attribute in the claim. These claims are not intended for public use, such as with third-party applications. Unfortunately, as of now there are no public documents available for these claims, as they aren't used in the public domain. However, if we get to know any updates regarding this feature, we will keep you posted.

Appreciate if you could share the feedback regarding this feature on our feedback portal which is closely monitored by our product team.

Feedback Link: https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789

Thanks & Best Regards,

Janaki Kota

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
Anonymous

2025-02-04T10:55:16.8166667+00:00

Hello @Bishnu Baliyase,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Anonymous

2025-02-05T08:43:51.97+00:00

Hello @Bishnu Baliyase,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Bishnu Baliyase 130 Reputation points

2025-02-25T05:50:53.1466667+00:00

Hello @Anonymous Thank you for your answer.

One method that vendor is suggesting us to use. Let me know if this is possible-

Application will fetch device.division attribute from user machine during AuthN process and send back to identity provider (via user) in the HTTP header. Then Identity provider will fetch /parse the divison value from the HTTP header and send it as SAML claim.

(Note- This is possible in ADFS, please confirm if this can be done through Entra ID)

Thanks
Anonymous

2025-02-26T10:03:36.5733333+00:00

Hello @Bishnu Baliyase,

Thank you for reaching out to us again.

After checking with the internal team, we got a confirmation that this approach is not yet supported in Entra ID as these claims are not intended for public use, such as with third-party applications.

Appreciate if you could share the feedback regarding this feature on our feedback portal which is closely monitored by our product team.

Feedback Link: https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789

Hope this helps. Do let us know if you any further queries.
Anonymous

2025-02-27T15:01:35.75+00:00

Hello @Bishnu Baliyase,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Anonymous

2025-02-28T10:35:47.92+00:00

Hello @Bishnu Baliyase,

Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.

Share via

The core requirement is to map device attribute and send in SAML token along with all other user attributes.

1 answer

Your answer