25,081 questions
Set up a SAML-based sign-on using both default user.userprincipalname OR email aliases/domains
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 30%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERV%3C/text%3E%3C/svg%3E)
Ryan Voloch
0
Reputation points
Hi,
I have custom Enterprise Applications SAML SSO with apps working for users who previously set up accounts within the app using the email address that matches their user.userprincipalname. (see screenshot example below)
My challenge is that users have created accounts in apps using different domains/email aliases making SSO migration difficult. When we go to enable SAML SSO, it's a challenge to get users to change their email address/user account in the app to match their user.userprincipalname. Users have no idea how to find it, the app doesn't support changes, the app only supports one SAML connection, etc...
The good news is that all usernames in our environment are typical ******@domain.com standard with about 5 possible email domains that are all managed within via exchange online of the same tenant.
My question is, is it possible to configure SAML SSO to utilize one of a user's email aliases or a listing of domains?
I think the answer to my question lies within this article but I don't know how to best apply it:
https://learn.microsoft.com/en-us/entra/identity-platform/saml-claims-customization
Example of custom enterprise app SAML claim setup working with userprinciplename but does not allow login via other email aliases/domains:
Thank you in advance!
Microsoft Security Microsoft Entra Microsoft Entra ID
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator2023-11-28T00:35:39.3433333+00:00 Have you tried implementing a "Transform an Incoming Claim" rule to transform the user's email address to match the email address used in the application? For example, "Incoming claim type" as "user.mail" and "Outgoing claim type" as "email" set to the value first.lastname@yourdomain2.com
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 45%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAV%3C/text%3E%3C/svg%3E)
Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator2023-11-29T11:23:19.47+00:00 @Ryan Voloch
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help. -
Ryan Voloch 0 Reputation points
2023-11-30T19:44:59.0066667+00:00 Thank you so much for your response. Yes, we need the user in the app as ******@domain1.com allowed to authenticate as ******@domain2.com and vice versa for a few other domains. We are trying to interpret your statements and the referenced article. We think we need to update our primary claim under "Attributes and Claims". We have been testing with transformations attribute name, value, output parameter and attribute name. It seems like EndWith("domain1.com") and ExtractMailPrefix()+Join "@domain2.com" or using a RegExReplace might work but nothing we are testing seems to work. Since we have several domains used in our userprincipalname, how do we get this to work? Can you give us more direction on how this should be configured? Thank you, Ryan
Sign in to comment
Sign in to answer