Wrong SAML Claims for AppRoles

Fraczek, Rafal SW/WRO-DCDZA 121 Reputation points
2024-04-17T06:43:27.99+00:00

Hello,

I am configuring the SAML claims for Enterprise Application in Azure.

For the moment I have configured them like that:

[screenshot of the claim configuration] I have tested the connection to the target app. Everything is fine and the app can read custom_roles.

Unfortunately, in addition to the 'custom_roles' claim we also have the same values in a claim called 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'.

I have tried to use that value as the 'custom_roles' namespace, but then instead of 'custom_roles' I get 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role/custom_roles'.

Any idea where 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' comes from, and how to remove it from the SAML claims?

Regards

Rafal Fraczek


Accepted answer
Sandeep G-MSFT, Microsoft Employee
2024-04-18T04:24:47.2333333+00:00

@Fraczek, Rafal SW/WRO-DCDZA

Thank you for your patience. I have reproduced this issue in my lab.

The behavior is: once you configure any custom roles for the application in Entra ID enterprise apps, by default an app role claim is added for the application. You don't need to add the custom claim separately for app roles.

I have reproduced this behaviour in my lab, and this is by design.

As per your query above, you wanted to know how you can remove the "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" claim from the application?

I have reached out to our PG team to get information on this, as we are not sure whether there is any way to remove some of the default claims.

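As an added example (not part of this thread, and not Microsoft's code), the following Python script parses the AttributeStatement of a SAML assertion and reports which attributes carry exactly the same role values as the default app role claim, which is the duplication described above. It also includes a helper that reproduces the naming the question observed when a namespace is set on the custom claim, and a reader that takes roles from one designated claim only, so an application does not end up trusting two claims with the same content. The assertion below is constructed for this example; the tenant id and user name are placeholders.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The default app role claim emitted by Entra ID once app roles are configured.
DEFAULT_ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed assertion (not a real token): the app role claim and the custom
# claim both carry the same two values, as reported in the question.
SAMPLE_ASSERTION = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-example" Version="2.0"
                IssueInstant="2024-04-17T06:43:27Z">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>Admin</saml:AttributeValue>
      <saml:AttributeValue>Reader</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="custom_roles">
      <saml:AttributeValue>Admin</saml:AttributeValue>
      <saml:AttributeValue>Reader</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_attributes(assertion_xml: str) -> Dict[str, List[str]]:
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def duplicate_role_claims(attrs: Dict[str, List[str]]) -> List[str]:
    """Names of attributes whose value set equals the default app role claim's."""
    base = attrs.get(DEFAULT_ROLE_CLAIM)
    if base is None:
        return []
    return sorted(name for name, vals in attrs.items()
                  if name != DEFAULT_ROLE_CLAIM and set(vals) == set(base))


def effective_claim_name(name: str, namespace: str = "") -> str:
    """Reproduce the naming observed in the question: a namespace set on a
    custom claim is prefixed to the claim name, separated by '/'.
    (Assumption based on the observed output, not an Entra ID API.)"""
    if not namespace:
        return name
    return namespace.rstrip("/") + "/" + name


def roles_from_assertion(assertion_xml: str,
                         claim_name: str = DEFAULT_ROLE_CLAIM) -> List[str]:
    """Read roles from exactly one designated claim; raise if it is absent.
    Reading from a single, explicitly chosen claim avoids ambiguity when two
    claims carry role values."""
    attrs = extract_attributes(assertion_xml)
    if claim_name not in attrs:
        raise ValueError(f"role claim {claim_name!r} missing from assertion")
    return attrs[claim_name]


if __name__ == "__main__":
    found = extract_attributes(SAMPLE_ASSERTION)
    for name, vals in found.items():
        print(f"{name}: {vals}")
    print("claims duplicating the default role claim:", duplicate_role_claims(found))
    print("custom_roles with role namespace set ->",
          effective_claim_name("custom_roles", DEFAULT_ROLE_CLAIM))
    print("roles used by the app:", roles_from_assertion(SAMPLE_ASSERTION))
```

Running it against a real assertion (for instance one captured from a browser SAML tracer during your own test login) shows at a glance whether the default role claim and a custom claim overlap; the application should then be configured to read one of them and ignore the other.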
