Azure Enterprise applications - send multi-value claim in SAML

Question

We have a vendor that expects us to send a string array in the SAML response. https://cloudinary.com/documentation/saml_sso (see the table at the bottom).

Basically, we can send a custom claim as Role, Subaccount and User Group in the claims, but the number of combinations that exist for what we can send is 50+. Looks like Azure can return only a single value from the "Additional claims".

How can I return multiple values based on group membership? In my case (screenshot) only one value gets returned and if I have to create a value e.g. "brand1-nora-read,brand2-emea-write" multi-value combination it will be a nightmare to manage.

Answer 1

Hi @Kliment Andreev

Thank you for posting your query on Q&A.
I understand that you want to send multiple values in the SAML response based on group membership.
Unfortunately, at the moment, Microsoft Entra ID can't provide a claim with multiple values.
Which means you can only send one piece of information for each claim, and you're not able to use a string array as a value.
Alternatively, you can use the "Azure AD App Roles" feature. This enables you to add specific roles to your application. Afterwards, you can assign these roles to individual users or groups. If a user is a member of multiple groups, each with different roles assigned, Azure AD can include all these roles in the claims. This makes it possible to have multiple values for this attribute.
For more details, please refer the article https://learn.microsoft.com/en-us/entra/identity-platform/enterprise-app-role-management
I hope this answer helps! If you have any further questions, please feel free to ask.

Thanks,
Akhilesh,

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.