25,081 questions
How to transform a multi-value attribute claims into a single string claim in AAD
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(131.20000000000002, 92%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZM%3C/text%3E%3C/svg%3E)
Zak M
15
Reputation points
Using the multi-values users.AssignedRoles attribute as a claim, creates a saml response like below
<Attribute>
<Attribute Name="AssignedRoles">
<AttributeValue>Sales</AttributeValue>
<AttributeValue>Orders</AttributeValue>
</Attribute>
Is it possible to transform this multi-valued attribute into a custom claim, where the values of the multi-valued attribute have been concatenated or joined into a single string, such as below.
<Attribute>
<Attribute Name="CustomAssignedRoles">
<AttributeValue>Sales:Orders</AttributeValue>
</Attribute>
This is something that is possible in ADFS using claim issuance transform rules. I'm hoping similar functionality is available in AAD.
e.g. of ADFS Claim issuance policy https://aws.amazon.com/blogs/big-data/federate-access-to-amazon-redshift-query-editor-v2-with-active-directory-federation-services-ad-fs-part-3/
- Follow the same steps as in the previous section to create the rule
Marketing, using the following code for the custom rule:
c:[Type == "http://temp/variable", Value =~ "(?i)^RSDB-marketing"]
=> add(Type = "http://temp/marketing", Value = RegExReplace(c.Value, "RSDB-", ""));
```
1. Create the rule `MarketingNotExists` using the following code:
NOT EXISTS([Type == "http://temp/variable", Value =~ "RSDB-marketing"]) => add(Type = "http://temp/marketing", Value = "");
```
- Create the rule
salesusing the following code:
c:[Type == "http://temp/variable", Value =~ "(?i)^RSDB-sales"]
=> add(Type = "http://temp/sales", Value = RegExReplace(c.Value, "RSDB-", ""));
```
1. Create the rule `SalesNotExists` using the following code:
NOT EXISTS([Type == "http://temp/variable", Value =~ "RSDB-sales"])
=> add(Type = "http://temp/sales", Value = ""); ```
- Create the rule
RedshiftDbGroupsusing the following code:
c:[Type == "http://temp/marketing"] && c2:[Type == "http://temp/sales"] => issue(Type = "https://aws.amazon.com/SAML/Attributes/customAssignedRoles", Value = c.Value + ":" + c2.Value);
```
Microsoft Security Microsoft Entra Microsoft Entra ID
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 78%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
Sandeep G-MSFT 20,906 Reputation points Microsoft Employee Moderator2023-04-18T15:07:01.29+00:00 @Zak M I am looking into this issue and will revert back to you post my research on this.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 96%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKS%3C/text%3E%3C/svg%3E)
Kirby Stuart 0 Reputation points2023-05-30T17:07:10.5333333+00:00 Any updates on this?
-
Sandeep G-MSFT 20,906 Reputation points Microsoft Employee Moderator
2023-06-07T04:14:12.2766667+00:00 Let's try to work on this issue offline.
Please send us an email on azcommunity [at] microsoft [dot] com with Sub - Attn: Sandeg and following details in the email body:
Link to this thread/post
We can connect offline and discuss further on this.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 25%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKH%3C/text%3E%3C/svg%3E)
Kyle Huston 0 Reputation points2023-06-14T12:50:58.0566667+00:00 We've run into the same limitation and are interested in the outcome.
There is a Join function in App Provisioning that transforms a multivalue attribute into a colon-delimited string as required.
However, the Join function for custom SAML claims is different and underpowered, only able to join two attributes.
My only thought was to somehow use the flexible Join function available for attribute mapping in App Provisioning, but instead use it simply for custom SAML claims. However, there isn't a way to do this as best I can tell.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 47%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMK%3C/text%3E%3C/svg%3E)
Martin Kreis 1 Reputation point2024-02-21T08:15:40.37+00:00 Has anyone here already found a solution for the, sorry, abnormal AWS requirements?
Sign in to comment
Sign in to answer