Azure Enterprise applications - send multi-value claim in SAML

Kliment Andreev 30 Reputation points
2023-12-03T16:15:26.83+00:00

We have a vendor that expects us to send a string array in the SAML response. https://cloudinary.com/documentation/saml_sso (see the table at the bottom).

Basically, we can send a custom claim as Role, Subaccount and User Group in the claims, but the number of combinations that exist for what we can send is 50+. Looks like Azure can return only a single value from the "Additional claims".

How can I return multiple values based on group membership? In my case (screenshot) only one value gets returned, and if I have to create a multi-value combination such as "brand1-nora-read,brand2-emea-write" it will be a nightmare to manage.


Accepted answer
    Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator
    2023-12-04T11:13:32.8033333+00:00

    Hi @Kliment Andreev

    Thank you for posting your query on Q&A.
    I understand that you want to send multiple values in the SAML response based on group membership.
    Unfortunately, at the moment, Microsoft Entra ID can't provide a claim with multiple values, which means you can only send one piece of information for each claim and you're not able to use a string array as a value.
    Alternatively, you can use the "Azure AD App Roles" feature. This enables you to add specific roles to your application. Afterwards, you can assign these roles to individual users or groups. If a user is a member of multiple groups, each with different roles assigned, Azure AD can include all these roles in the claims. This makes it possible to have multiple values for this attribute.
    For more details, please refer to the article https://learn.microsoft.com/en-us/entra/identity-platform/enterprise-app-role-management
    I hope this answer helps! If you have any further questions, please feel free to ask.

    Thanks,
    Akhilesh

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

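To show what the app-role approach from the accepted answer produces on the wire, here is an added example (not from the question, the answer, or Microsoft) of a constructed SAML 2.0 assertion fragment in which one role Attribute carries several AttributeValue children, plus a small helper that the service-provider side could use to read them. The claim name `http://schemas.microsoft.com/ws/2008/06/identity/claims/role` is the one Entra ID uses for app roles in SAML tokens; the role strings and the `Subaccount` attribute are constructed sample values, and the helper assumes the assertion's signature has already been validated by your SAML library before any attribute is trusted.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace; needed for every XPath lookup below.
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim name under which Entra ID emits assigned app roles (assumption: taken
# from Entra's documented default role claim, not from this Q&A thread).
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed sample (not a real token): a multi-valued claim is one
# <saml:Attribute> with several <saml:AttributeValue> children, which is what
# you get when a user holds more than one app role via group assignments.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>brand1-nora-read</saml:AttributeValue>
      <saml:AttributeValue>brand2-emea-write</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Subaccount">
      <saml:AttributeValue>brand1</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion_xml, name):
    """Return every AttributeValue of the named attribute, in document order.

    Only call this on an assertion whose XML signature has already been
    verified; parsing alone proves nothing about who issued the values.
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == name:
            for value in attr.iterfind("saml:AttributeValue", SAML_NS):
                values.append((value.text or "").strip())
    return values


def split_packed_value(value):
    """Contrast case: the comma-packed single claim the question wanted to avoid.

    A relying party would have to split such a value itself, and a role name
    containing a comma would silently become two roles.
    """
    return [part.strip() for part in value.split(",") if part.strip()]


if __name__ == "__main__":
    print(attribute_values(SAMPLE_ASSERTION, ROLE_CLAIM))
    print(split_packed_value("brand1-nora-read,brand2-emea-write"))
```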
