Azure AD, SAML SSO and multi-valued attribute

South African Identity Federation 26 Reputation points
2021-05-31T12:25:30.74+00:00

The above title refers.

We've created a new Enterprise Application in Azure AD, and enabled SSO using SAML based auth.

We'd like for the SSO to assert a multi-valued attribute to the SP - we have got as far as setting up a transformation rule, that asserts a single value easily enough, but the definition of the destination attribute is that it can be multi-valued (eduPersonScopedAffiliation).

Is there perhaps some syntax for the transformation's output parameter to assert a multi-valued attribute?

Apologies if we have missed it in other Q&As or documentation - if someone can provide some info, or point me in a direction to documentation that helps solve this, it would be appreciated.


Accepted answer
  1. Siva-kumar-selvaraj 15,721 Reputation points
    2021-06-01T08:12:23.027+00:00

    Hello @South African Identity Federation ,

    Thanks for reaching out.

    Unfortunately, Azure AD can't issue a multi-valued claim (assertion) at this time (for example, proxy addresses is one of the multi-valued attributes).

    Alternatively, you could use the "Azure AD App Roles" feature. With that you are able to add roles to the application. Then you can use them to assign the roles to users and/or groups. If the user is part of multiple groups and these groups have different roles assigned, then Azure AD can provide those multiple roles in the claims. So it can be a multi-valued attribute.

    We have a detailed article published on this here https://learn.microsoft.com/en-us/azure/active-directory/active-directory-enterprise-app-role-management

    Please let us know if this works or you need something different than this.

    ------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


2 additional answers

  1. Kartik Subbarao 11 Reputation points
    2022-02-22T17:25:50.613+00:00

    Azure SSO does support multi-valued attributes in claims, at least as of February 2022. I have tested this successfully with proxyAddresses as well as otherTelephone (a typically unpopulated multi-valued attribute suitable for testing):

    <Attribute Name="othertelephone_test">
    <AttributeValue>test-long-value-group-1234</AttributeValue>
    <AttributeValue>7890-long-value-group-5678</AttributeValue>
    </Attribute>

    1 person found this answer helpful.
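Added example, not code from this thread or from Microsoft: an SP-side parser that collects every AttributeValue of a SAML attribute into a list, run over a constructed statement that mirrors the fragment above and adds a hypothetical eduPersonScopedAffiliation attribute (its urn:oid name is the standard one); the trusted-scope check, scope and values are assumptions.

```python
# Added example (not code from the thread): SP-side parsing of a SAML
# AttributeStatement carrying multi-valued attributes. Sample is constructed.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Standard OID attribute name for eduPersonScopedAffiliation.
EPSA = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"

# Constructed sample statement: the first attribute mirrors the fragment in
# the answer above; the second attribute's values and scopes are hypothetical.
SAMPLE_STATEMENT = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="othertelephone_test">
    <saml:AttributeValue>test-long-value-group-1234</saml:AttributeValue>
    <saml:AttributeValue>7890-long-value-group-5678</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="{EPSA}">
    <saml:AttributeValue>member@example.ac.za</saml:AttributeValue>
    <saml:AttributeValue>staff@example.ac.za</saml:AttributeValue>
    <saml:AttributeValue>staff@other.example</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def parse_attributes(xml_text):
    """Return {Name: [values]}; every attribute becomes a list, whether the
    IdP sent one <AttributeValue> or several (a repeated Name is merged)."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [(v.text or "").strip()
                  for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def accepted_affiliations(attrs, trusted_scope):
    """Keep only affiliation@scope values whose scope this SP has registered
    for the asserting IdP; values for any other scope are dropped."""
    kept = []
    for value in attrs.get(EPSA, []):
        affiliation, sep, scope = value.rpartition("@")
        if sep and scope.lower() == trusted_scope.lower():
            kept.append(affiliation)
    return kept
```

The scope filter matters because a multi-valued attribute lets an IdP assert several scopes in one attribute, and only the scope registered for that IdP should be trusted.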

  2. Divya 1 Reputation point
    2022-01-18T15:30:50.67+00:00

    @sikumars-msft By any chance, do we have support for the multi valued attribute like proxy addresses in SAML claims now?

