How to get saml2 token from MS Azure Active Directory and use it for third party SAML authentication?

Xu, Zaili 0 Reputation points
2023-09-06T19:00:07.87+00:00

We have created an app registration and configured it for SAML authentication with a third party vendor, that is, Cloudera CDP. We wonder how to retrieve a SAML token from this app registration and use it to programmatically authenticate with the vendor.


1 answer

  1. Sandeep G-MSFT 18,691 Reputation points Microsoft Employee
    2023-09-11T08:53:52.1333333+00:00

    @Xu, Zaili

    When you register your application in Azure under app registration, a service principal also gets created in the Azure AD tenant.

    You can configure claims on the service principal. When authentication gets triggered against the application, the claims get added to the token while it is being issued, and the token is sent back to the application.

    You can capture the token and use it.

    To configure claims on the service principal, follow the steps below:

    1. Create an AzureADPolicy. The -Definition value is a JSON document, so it must not contain trailing commas:

       # Requires the AzureAD PowerShell module and an existing Connect-AzureAD session
       New-AzureADPolicy -Definition @('{
         "ClaimsMappingPolicy": {
           "Version": 1,
           "IncludeBasicClaimSet": "true",
           "ClaimsSchema": [
             {
               "Source": "user",
               "ID": "employeeid",
               "SamlClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/employeeid",
               "JwtClaimType": "employeeid"
             },
             {
               "Source": "user",
               "ID": "mail",
               "SamlClaimType": "http://schemas.microsoft.com/identity/claims/emailaddress"
             },
             {
               "Source": "user",
               "ID": "onpremisessamaccountname",
               "SamlClaimType": "samaccountname"
             },
             {
               "Source": "user",
               "ID": "department",
               "SamlClaimType": "http://schemas.microsoft.com/identity/claims/department"
             }
           ]
         }
       }') -DisplayName "CustomClaimsPolicy1" -Type "ClaimsMappingPolicy"

    2. Attach the newly created AzureADPolicy to the service principal of the Azure AD app for which the token will be requested:

       # -Id is the service principal's object id; -RefObjectId is the policy's object id
       Add-AzureADServicePrincipalPolicy -Id {object id of service principal} -RefObjectId {object id of policy}

    3. To check whether the policy was successfully added to the ServicePrincipal:

       Get-AzureADServicePrincipalPolicy -Id "{object id of service principal}"

    This will send the additional claims in the token to the application.

    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

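The answer above configures which claims Entra ID adds to the SAML token but does not show how to confirm that they actually arrived at the relying party. The following Python script is an added example, not code from the thread or from Microsoft: it decodes a base64 SAMLResponse, pulls the AttributeStatement out of the assertion, and reports which of the claim names from the ClaimsMappingPolicy are missing. The SAML response, issuer and attribute values are constructed placeholders; the sample deliberately omits the department claim so the check has something to report. Claims are read without validating the XML signature, which is fine for verifying a policy during setup but must never stand in for signature validation in the real login flow.

```python
"""Check that the claims from a ClaimsMappingPolicy appear in a SAML 2.0 assertion.

Added example, not from the Microsoft Q&A thread. The response below is a
constructed sample with a placeholder issuer and no signature. For untrusted
input, parse with defusedxml and validate the XML signature before trusting
any attribute; this script only inspects the AttributeStatement.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# SamlClaimType values from the ClaimsMappingPolicy in the answer above.
EXPECTED_CLAIMS = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/employeeid",
    "http://schemas.microsoft.com/identity/claims/emailaddress",
    "samaccountname",
    "http://schemas.microsoft.com/identity/claims/department",
}

# Constructed sample of an IdP response after the policy adds mapped attributes.
# The issuer tenant id and user values are placeholders, not real data.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/employeeid">
        <saml:AttributeValue>E12345</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/emailaddress">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="samaccountname">
        <saml:AttributeValue>juser</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# The SAMLResponse form field carries the XML base64-encoded; mirror that here.
SAMPLE_SAML_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def extract_attributes(saml_response_b64: str) -> dict[str, list[str]]:
    """Decode a base64 SAMLResponse and return {attribute name: [values]}."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs: dict[str, list[str]] = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def missing_claims(saml_response_b64: str, expected=EXPECTED_CLAIMS) -> set[str]:
    """Return the expected claim names that the assertion does not carry."""
    return set(expected) - set(extract_attributes(saml_response_b64))


if __name__ == "__main__":
    for name, values in extract_attributes(SAMPLE_SAML_RESPONSE_B64).items():
        print(f"{name}: {values}")
    print("missing:", missing_claims(SAMPLE_SAML_RESPONSE_B64))
```

To use it against a real login, capture the SAMLResponse POST parameter from a test sign-in to the Cloudera CDP endpoint and pass it to `missing_claims`; an empty set means every SamlClaimType from the policy was emitted, and a non-empty set usually points at a user attribute that is unset in the directory or at a policy that is not attached to the right service principal.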
