Retrieving roles in SAML response

ricflair_wcw 1 Reputation point
2022-09-20T14:27:58.317+00:00

Good afternoon,

My plan is to use the roles assigned to a user in Azure AD for authorization. In my application there is a mapping that maps the http://schemas.microsoft.com/ws/2008/06/identity/claims/role attribute in the SAML response to the permission value that is used in my web application.
My problem is that the role attribute (http://schemas.microsoft.com/ws/2008/06/identity/claims/role) doesn't appear in the SAML response that comes from Azure AD.

    ...

As per the document https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-claims-mapping-policy-type (search for the text "These claims are restricted by default"), a custom signing key has to be used. I set a signing key (please see the image attached), but still no joy.

[attached image: 243004-azuread-saml-certs.jpeg]

I even tried setting acceptMappedClaims to true, just to check whether I could see more attributes in the SAML response, but with no success.

This question of mine relates to https://stackoverflow.com/questions/73709624/authorization-with-azure-ad-roles-in-django, but the real problem is that I cannot make Azure send the role attribute in the SAML response.

I'd appreciate any help please!
Thank you!

Microsoft Entra

1 answer

Sandeep G-MSFT 19,026 Reputation points Microsoft Employee
    2022-09-21T06:10:55.797+00:00

    @ricflair_wcw

    Thank you for posting your question in Microsoft Q&A.

    I have tested this in my lab and it is working as expected. To pass the user role as a claim you don't have to specifically create an additional claim. The roles that will be passed in SAML tokens are defined in the application. Azure AD roles cannot be passed in a SAML token. Only roles that are defined in the application, and which are assigned to users when you assign those users to the application, can be sent as a claim in the SAML token.

    [attached image: 243167-image.png]

    If you have these roles already defined in the application, and have already assigned these roles to users while assigning them to the application, only then will you see the roles claim in the SAML token.

    I tested this in my lab, and below are the claims that I can see in the SAML token (I have not configured any additional claims for roles under Single sign-on >> Attributes & claims).

    [attached image: 243198-image.png]

    If you do not have any application roles defined, then you can refer to the article below to create roles using Graph Explorer:
    https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-enterprise-app-role-management

    Do let us know if you have any further questions on this.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
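The asker's application maps the role claim to its own permission values, and the answer explains that the values in that claim are the app roles assigned to the user on the enterprise application. The following is an added example, not code from the question, the answer or any Microsoft library, of the consuming side of that flow: it pulls the `http://schemas.microsoft.com/ws/2008/06/identity/claims/role` attribute out of a SAML response, maps the app-role values to application permissions, and fails closed when the claim is absent (the symptom described in the question, which should be treated as "no roles", never as "all roles"). The SAML responses, the role names `Admin`/`Reader`, the permission names and the tenant ID are constructed placeholders, and the code assumes the response's XML signature has already been validated by the application's SAML library before these attributes are trusted.

```python
"""Extract Azure AD app-role claims from a SAML response and map them to
application permissions (illustrative example; names and data are constructed)."""
import xml.etree.ElementTree as ET  # assumption: signature already verified; use defusedxml in production to avoid XXE

# Claim name used by Azure AD for app roles (from the question).
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Hypothetical mapping from app-role *value* (as defined in the application's
# appRoles and assigned to users) to permissions understood by the web app.
ROLE_TO_PERMISSIONS = {
    "Admin": {"reports.read", "reports.write", "users.manage"},
    "Reader": {"reports.read"},
}

# Constructed sample: the shape of an Azure AD response once app roles are
# assigned (Signature element omitted; tenant ID is a placeholder).
SAML_WITH_ROLES = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject><saml:NameID>user@contoso.example</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
        <saml:AttributeValue>00000000-0000-0000-0000-000000000000</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
        <saml:AttributeValue>Admin</saml:AttributeValue>
        <saml:AttributeValue>Reader</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the asker's situation, no role attribute at all.
SAML_NO_ROLES = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject><saml:NameID>user@contoso.example</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
        <saml:AttributeValue>00000000-0000-0000-0000-000000000000</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_attributes(saml_response_xml: str) -> dict:
    """Return {attribute name: [values]} from every AttributeStatement."""
    root = ET.fromstring(saml_response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def roles_from_response(saml_response_xml: str) -> list:
    """App-role values carried in the role claim; [] when the claim is absent."""
    return extract_attributes(saml_response_xml).get(ROLE_CLAIM, [])


def permissions_for_roles(roles) -> set:
    """Union of permissions for known roles; unknown role values grant nothing."""
    perms = set()
    for role in roles:
        perms |= ROLE_TO_PERMISSIONS.get(role, set())
    return perms


def is_authorized(saml_response_xml: str, required_permission: str) -> bool:
    """Fail closed: a response without a role claim yields no permissions."""
    return required_permission in permissions_for_roles(roles_from_response(saml_response_xml))


if __name__ == "__main__":
    print("roles:", roles_from_response(SAML_WITH_ROLES))
    print("can write reports:", is_authorized(SAML_WITH_ROLES, "reports.write"))
    print("no-role response can read reports:", is_authorized(SAML_NO_ROLES, "reports.read"))
```

The `roles_from_response` result on the first sample is what the answer's screenshot shows once app roles exist and are assigned; on the second sample it is empty, which is the state the question describes, and the mapping then grants nothing rather than falling back to a default. Whichever SAML library the Django application uses, keep its signature and audience checks in front of this attribute parsing.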

