Azure AD SAML Transformation

Mahesh Aralelemath 386 Reputation points
2021-02-03T17:39:17.233+00:00

Hi,
We are in the process of migrating application SSO from on-prem ADFS to Azure AD SSO.
One of the applications in ADFS is configured with a claim transformation rule to concatenate a specific string with the employee ID.

Ex: Deptname+Emp ID

In Azure AD we could not find any similar claim transformation rule to migrate the application from ADFS.

Please suggest any alternate or feasible solution to integrate the application with Azure AD.

Regards
Mahesh


Accepted answer
  1. Shashi Shailaj 7,631 Reputation points Microsoft Employee Moderator
    2021-02-04T15:20:40.423+00:00

    @Mahesh Aralelemath ,

    You should be able to set up the claims transformation for a SAML app. As you have mentioned, your app is a SAML application and you would like to migrate it from ADFS to Azure AD SSO. I am assuming that you are not modifying the application code to support OAuth/OpenID Connect with Azure AD but rather want to use SAML with Azure AD. If the application is a custom LOB application, you should be able to integrate it using SAML through the portal as below. You can read more about claim customization in the customize app SAML token claims article, in the adding application-specific claims section.
    [screenshot]

    As you have mentioned that you have already tried finding the claim transformation, I am assuming you already have an app registered using the Enterprise applications blade in Azure AD through the portal.

    [screenshot]

    You can add a new claim using the Add new claim option, and you will see the transformation option in the source section here. I have used a hyphen as the separator with the Join option as per your requirement.

    [screenshot]

    In order for this to work, the users' employee ID and department fields must be populated. So you would need to check your sync engine (AD Connect sync rules) to confirm that it allows syncing of the department and employeeID attributes to Azure AD from your on-premises environment. Once you have set up the transformation it will be seen as below.

    [screenshot]

    As per the comments, in case you would like to provide the department name as a constant value like "sales" etc. without any separator, then you can use the option like below. Here you can type the department name explicitly, as shown in parameter 1 in the screenshot below, and ignore the optional separator field.

    [screenshot]

    Once the claims are set, they would be returned in the token like below.

    [screenshot]

    Thus the details could be returned. I hope this helps. You can add the users to the application for it to function for those users. Hope the information provided was helpful. Should this answer be helpful, please do accept this as the answer so that the relevancy of the answer improves and it helps other members of the community with similar questions. In case you still have any further queries, or if you feel we may have misunderstood your scenario, please provide more details about the application and a screenshot of the error details and we will surely help you further. I would strongly recommend you go through the linked articles; they should also provide you more clarity on this matter.

    Thank you .

    2 people found this answer helpful.
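The same Join that the accepted answer configures in the portal (user.department, hyphen separator, user.employeeid), written as an Azure AD claims-mapping policy definition. This is an added example, not code from the answer or the thread; it assumes the claims-mapping policy schema as documented by Microsoft, and the IDs DeptEmpId, JoinDeptEmpId and the SamlClaimType URI are constructed placeholders.

```json
{
  "ClaimsMappingPolicy": {
    "Version": 1,
    "IncludeBasicClaimSet": "true",
    "ClaimsSchema": [
      { "Source": "user", "ID": "department" },
      { "Source": "user", "ID": "employeeid" },
      {
        "Source": "transformation",
        "ID": "DeptEmpId",
        "TransformationId": "JoinDeptEmpId",
        "SamlClaimType": "http://schemas.contoso.example/identity/claims/deptempid"
      }
    ],
    "ClaimsTransformation": [
      {
        "ID": "JoinDeptEmpId",
        "TransformationMethod": "Join",
        "InputClaims": [
          { "ClaimTypeReferenceId": "department", "TransformationClaimType": "string1" },
          { "ClaimTypeReferenceId": "employeeid", "TransformationClaimType": "string2" }
        ],
        "InputParameters": [
          { "ID": "separator", "Value": "-" }
        ],
        "OutputClaims": [
          { "ClaimTypeReferenceId": "DeptEmpId", "TransformationClaimType": "outputClaim" }
        ]
      }
    ]
  }
}
```

As the answer notes, both source attributes must be populated on the user object for the joined claim to be emitted, so confirm the AD Connect sync rules carry department and employeeID before assigning the policy to the application's service principal.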

2 additional answers

  1. Mahesh Aralelemath 386 Reputation points
    2021-02-26T17:19:01.16+00:00

    Hi Shashi, All

    Thanks for your support.
    Would like to share the update and the approach we decided to move forward with, as below.
    We understand that there is no feasible option in Azure AD to create a custom transform rule mapping to the name identifier.
    It is only possible to map the attributes in the user object to the name identifier.

    Hence we are working with the application team to map it to one of the existing attributes.

    Thanks to all who supported

    Regards
    Mahesh

    1 person found this answer helpful.

  2. Geoff 6 Reputation points
    2021-11-02T03:36:13.003+00:00

    Hi Shashi,

    I have a similar issue with creating a transform rule mapping to the name identifier. I used the "Join" function to add static text with the employee ID. However, how do I pass this attribute on as a NameID?

    Couldn't find this info anywhere.

    Any help would be appreciated.

    Thanks

    Geoff

    1 person found this answer helpful.
