Join Two Attributes in Azure AD Custom Claims Mapping Policy

asked 2022-12-29T20:29:31.87+00:00
Ian H 1 Reputation point

I have an enterprise application set up with custom user attributes and a custom claims mapping policy. In the portal version of claims configuration, you're able to join two user attributes into a single claim, but because I'm using custom user attributes I have to use a custom claims policy. The documentation for creating policies says the join transformation is supported, but I get an error that my policy has an invalid value when I try to set it with PowerShell. Below is my policy; it's definitely something to do with the transformation, because I am able to set the policy when I remove that:

{
  "ClaimsMappingPolicy": {
    "Version": 1,
    "IncludeBasicClaimSet": "true",
    "ClaimsSchema": [
      {
        "Value": "string",
        "SamlClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/AttributeFormat"
      },
      {
        "Source": "user",
        "ExtensionID": "extension_db7875a6407b48c7b417020bc42727cf_UAT_LeafLogixRoles1",
        "SamlClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/LeafLogixRoles"
      },
      {
        "Source": "user",
        "ExtensionID": "extension_db7875a6407b48c7b417020bc42727cf_UAT_LeafLogixLocations1"
      },
      {
        "Source": "user",
        "ExtensionID": "extension_db7875a6407b48c7b417020bc42727cf_UAT_LeafLogixLocations2"
      },
      {
        "Source": "transformation",
        "ID": "DataJoin",
        "TransformationId": "JoinTheData",
        "SamlClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/LeafLogixLocations"
      },
      {
        "Source": "user",
        "ID": "userprincipalname",
        "SamlClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/userprincipalname"
      },
      {
        "Source": "user",
        "ID": "userprincipalname",
        "SamlClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
      },
      {
        "Source": "user",
        "ID": "userprincipalname",
        "SamlClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
      },
      {
        "Source": "user",
        "ID": "givenname",
        "SamlClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
      },
      {
        "Source": "user",
        "ID": "surname",
        "SamlClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
      },
      {
        "Source": "user",
        "ID": "userprincipalname",
        "SamlClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
      }
    ],
    "ClaimsTransformation": [
      {
        "ID": "JoinTheData",
        "TransformationMethod": "Join",
        "InputClaims": [
          {
            "ClaimTypeReferenceId": "extension_db7875a6407b48c7b417020bc42727cf_UAT_LeafLogixLocations1",
            "TransformationClaimType": "string1"
          },
          {
            "ClaimTypeReferenceId": "extension_db7875a6407b48c7b417020bc42727cf_UAT_LeafLogixLocations2",
            "TransformationClaimType": "string2"
          }
        ],
        "InputParameters": [
          {
            "ID": "separator",
            "Value": ","
          }
        ],
        "OutputClaims": [
          {
            "ClaimTypeReferenceId": "DataJoin",
            "TransformationClaimType": "outputClaim"
          }
        ]
      }
    ]
  }
}

Can someone please provide a working example of joining two string attributes or let me know what I'm doing wrong? Thank you for the help!
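The following is an added example, not code from the original post: a claims mapping policy whose Join transformation concatenates two user attributes into one SAML claim, built and attached with the Microsoft Graph PowerShell SDK. It follows the shape of the documented Join sample, which spells the transformation array `ClaimsTransformations` (plural) and gives each user attribute that feeds a transformation an `ID` that the transformation's `ClaimTypeReferenceId` points at; both are worth comparing against the policy in the post. The example uses the Exchange attributes `extensionattribute1`/`extensionattribute2` from the documented sample rather than directory extension attributes (`ExtensionID`), so it does not settle whether an `ExtensionID` entry can be referenced from a transformation. The service principal object id, display name and output claim URI are placeholders.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph PowerShell SDK
# and a caller with the two scopes below. $spObjectId is a placeholder.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ApplicationConfiguration', 'Application.ReadWrite.All'

$spObjectId = '00000000-0000-0000-0000-000000000000'   # service principal object id of the enterprise app

$policy = @{
    ClaimsMappingPolicy = @{
        Version              = 1
        IncludeBasicClaimSet = 'true'
        ClaimsSchema = @(
            # Inputs: each user attribute used by a transformation carries an ID that the
            # transformation references below. No SamlClaimType, so they are not emitted on their own.
            @{ Source = 'user'; ID = 'extensionattribute1' },
            @{ Source = 'user'; ID = 'extensionattribute2' },
            # Output: filled by the transformation and emitted as a SAML attribute.
            @{
                Source           = 'transformation'
                ID               = 'DataJoin'
                TransformationId = 'JoinTheData'
                SamlClaimType    = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/LeafLogixLocations'
            }
        )
        # Documented key name is the plural "ClaimsTransformations".
        ClaimsTransformations = @(
            @{
                ID                   = 'JoinTheData'
                TransformationMethod = 'Join'
                InputClaims = @(
                    @{ ClaimTypeReferenceId = 'extensionattribute1'; TransformationClaimType = 'string1' },
                    @{ ClaimTypeReferenceId = 'extensionattribute2'; TransformationClaimType = 'string2' }
                )
                InputParameters = @( @{ ID = 'separator'; Value = ',' } )
                OutputClaims    = @( @{ ClaimTypeReferenceId = 'DataJoin'; TransformationClaimType = 'outputClaim' } )
            }
        )
    }
}

# Definition is a single JSON string inside an array.
$definition = $policy | ConvertTo-Json -Depth 10 -Compress

# Local sanity check before calling Graph: parse the JSON and make sure every
# ClaimTypeReferenceId resolves to an ID declared in ClaimsSchema.
$parsed = $definition | ConvertFrom-Json
$cmp    = $parsed.ClaimsMappingPolicy
if (-not $cmp.ClaimsTransformations) { throw 'ClaimsTransformations array missing (check the key spelling)' }
$schemaIds = @($cmp.ClaimsSchema | ForEach-Object { $_.ID } | Where-Object { $_ })
foreach ($t in $cmp.ClaimsTransformations) {
    foreach ($ref in @($t.InputClaims) + @($t.OutputClaims)) {
        if ($schemaIds -notcontains $ref.ClaimTypeReferenceId) {
            throw "Transformation '$($t.ID)' references '$($ref.ClaimTypeReferenceId)', which has no ClaimsSchema ID"
        }
    }
}

# Create the policy (claims mapping policies are never the organization default).
$created = New-MgPolicyClaimMappingPolicy -DisplayName 'Join two attributes into LeafLogixLocations' `
    -Definition @($definition) -IsOrganizationDefault:$false

# Attach it to the enterprise application's service principal.
New-MgServicePrincipalClaimMappingPolicyByRef -ServicePrincipalId $spObjectId -BodyParameter @{
    '@odata.id' = "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/$($created.Id)"
}

# Confirm the assignment.
Get-MgServicePrincipalClaimMappingPolicy -ServicePrincipalId $spObjectId | Select-Object Id, DisplayName
```

With the legacy AzureAD module the same two steps are `New-AzureADPolicy -Type "ClaimsMappingPolicy" -Definition @($definition) -DisplayName ... -IsOrganizationDefault $false` followed by `Add-AzureADServicePrincipalPolicy -Id $spObjectId -RefObjectId $policy.Id`. A policy that saves successfully still only takes effect if the application either has `acceptMappedClaims` set to true or is configured with a custom signing key; otherwise sign-in fails with AADSTS50146. After assignment, sign in once and inspect the issued SAML assertion (for example with the browser's SAML tracer) to confirm the joined attribute is present with the expected separator before relying on it for authorization downstream.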

Azure Active Directory