Azure AD SAML Transformation

Question

Azure AD SAML Transformation

Mahesh Aralelemath 386

Hi,
We are in process of migrating application SSO from on-prem ADFS to Azure AD SSO.
One of the application in ADFS is configured with claim Transformation rule to concatenated specific string with Employee id.

Ex: Deptname+Emp ID

In Azure AD could not find any similar claim Transformation rule to migrate the application from ADFS.

Pls suggest if any alternate or feasible solution to integrate the application with Azure AD.

Regards
Mahesh

VipulSparsh-MSFT 16,311 Reputation points Microsoft Employee

2021-02-26T14:18:25.103+00:00

@Mahesh Aralelemath

I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Accepted answer

2 additional answers

Your answer

VipulSparsh-MSFT 16,311 Reputation points Microsoft Employee

2021-02-26T14:18:25.103+00:00

@Mahesh Aralelemath

I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Answer 1

@Mahesh Aralelemath ,

You should be able to setup the claims transformation for a SAML app. As you have mentioned that your app is a SAML application and you would like to migrate it from ADFS to Azure AD SSO . I am assuming that you are not modifying the application code to support oAuth/OpenID connect with azure AD but rather want to use SAML with Azure AD . If the application is a custom LOB application you should be able to integrate it using SAML through the portal as below . You can read more about claim customization in the customize app SAML token claims article in the adding application specific claims section .

As you have mentioned that you already have tried finding the claim transformation , I am assuming you already have an app registered using the Enterprise application blade in Azure AD through the portal .

You can add a new claim using the Add new claim option and you will see the transformation option in the source section here . I have used hyphen as a separator with Join options as per your requirement .

In order for this to work the users employee ID and department fields must be populated . So you would need to check your sync engine (AD connect sync rules) that they allow the syncing of department and EmployeeID attribute to Azure AD from your on-premise environment . Once you have setup the transformation it will be seen as below.

As per the comments in case you would like to provide department name as a constant value like "sales" etc. and without any separator then you can use the option like below. here you can type the department name explicitly as well as shown in parameter 1 for below screenshot and ignore the optional separator field. .

Once the claims are set , they would be returned in the token like below.

Thus the details could be returned. I hope this helps. You can add the users to the application for it to function for the users. Hope the information provided was helpful. Should this answer be helpful , please do accept this as answer so that the relevancy of the answer improves and it helps other members of the community with similar questions. In case you still have any further queries or if you feel we may have misunderstood your scenario , please provide more details about the application and the error details screenshot and we will surely help you further. I would strongly recommend you to go through the linked articles and they should also provide you more clarity on this matter.

Thank you .

Mahesh Aralelemath 386 Reputation points

2021-02-04T17:50:32.667+00:00

Hi Shashi,
Thanks for the detailed explanation and effort put it.
However this is slightly different from what we are looking and might be i was not able to put in that issue/requirement clearly.

We have Employee id attribute populated with Employee id
Now to generate a custom claim, we are adding prefix to Employee id and this prefix is fixed string.

Ex:
Fixed String is "Sales"
Employee id : 12345
Output from Transform rule expected is : Sales12345
This is possible in ADFS Servers using Transformation rule to concatenate fixed string with any attribute and generate new claim. But this capability is missing in Azure AD SAML claim rule.
It will be great if any one can help to achieve this using Azure AD SAML integration.

Regards
Mahesh
Shashi Shailaj 7,631 Reputation points Microsoft Employee Moderator

2021-02-05T14:24:44.12+00:00

@Mahesh Aralelemath ,
Hello Mahesh,
As per your explanation , i think you would need to statically type the details rather than selecting an attribute there and ignore the separator value which would return something like Sales12345 as output claim. I have updated my answer with details . Please check and let me know in case that helps. If you still have queries , please do let us know.
thank you.
shashi
Mahesh Aralelemath 386 Reputation points

2021-02-05T19:00:08.697+00:00

Hi Shashi,
Thanks for the details but how do we map this to "name identifier".
We need to pass this attribute/value as name identifier to application.
When i try to create this in name identifier attribute, join function has a limitation of joining value to verified domain only.

Regards
Mahesh

Answer 2

Mahesh Aralelemath 386

Hi Shashi, All

Thanks for your support.
Would like to share the update and approach we decided to move forward as below.
We understand that there is no feasible option in Azure AD to create custom transform rule mapping to name identifier.
It is only possible to map the attributes in user object to name identifier.

Hence working with application team to map it to any of the existing attribute.

Thanks to all supported

Regards
Mahesh

Answer 3

Geoff 6

Hi Shashi,

I have a similar issue with creating a transform rule mapping to name identifier. I used the "Join" function to add a static test with employee id. However, how do i pass this attribute on as a NameID.

Couldn't find this info any where.

Any help would be appreciated.

Thanks

Geoff

Anonymous

2022-06-22T22:37:31.77+00:00

Hi Geoff -- I know this post is very late, but I wanted to respond incase it would help anyone else.

If you want to do a transformation and pass it as the default Name ID , you do not want to create a new attribute as suggested above in the screenshots, but instead simply click into the default "Unique User Identifier (Name ID)" that exists on all new SAML apps. Edit the existing claim and once you click into it, then you can change the 'source' to transformation. Then follow the screenshots above to use the Join() action to join "Sales" with employee ID.

You can then use the Test Sign-In functionality of the Azure SAML ocnfiguration to see what data it is passing in the SAML responses.

Share via

Azure AD SAML Transformation

2 additional answers

Your answer