How to define custom claims and attributes in Azure AD SAML 2.0 for user's Cluster Region.

rb 0 Reputation points
2024-05-09T08:14:30.13+00:00

How to define custom claims and attributes in Azure AD SAML 2.0 for a user's Cluster Region. Our goal is to capture the user's login details during the SAML assertion. I would like to know how to configure the SAML attributes and claims so that I get the value of the user's Cluster Region. All I know is how to add a custom attribute for "ClusterRegion", but I do not know how to get the value of every user's Cluster Region.

Our expected result in the SAML Response should look like the details below.

<AttributeValue>Asia East</AttributeValue>



1 answer

  1. Sandeep G-MSFT 14,911 Reputation points Microsoft Employee
    2024-05-13T11:23:11.17+00:00

    @rb

    Thank you for posting this in Microsoft Q&A.

    As I understand it, you want to send the "Cluster Region" attribute as a custom claim in your SAML token.

    If you have already defined a custom attribute in Entra ID for your users, then you can follow the steps below to configure SAML claims so that the "Cluster Region" value is included in your SAML token.

    In the example below we are sending the custom attribute EmployeeID as part of a SAML claim while accessing an application.

    You can add custom attributes to the claims and send them within an access token.

    You can follow the steps mentioned below:

    1. Create an AzureADPolicy.

        New-AzureADPolicy -Definition @('{
            "ClaimsMappingPolicy": {
                "Version": 1,
                "IncludeBasicClaimSet": "true",
                "ClaimsSchema": [{
                    "Source": "user",
                    "ID": "employeeid",
                    "SamlClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/employeeid",
                    "JwtClaimType": "employeeid"
                }]
            }
        }') -DisplayName "CustomClaimsPolicy1" -Type "ClaimsMappingPolicy"

    2. Attach the newly created AzureADPolicy to the service principal of the specific AzureAD app for which the token will be requested.

        Add-AzureADServicePrincipalPolicy -Id {object id of service principal} -RefObjectId {object id of policy}

    3. Check whether the policy was successfully added to the service principal:

        Get-AzureADServicePrincipalPolicy -Id "{object id of service principal}"


    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
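The answer's policy emits EmployeeID; the following is an added example (not part of the answer above, and not Microsoft's own sample) that applies the same three steps to the asker's ClusterRegion case. It assumes an active AzureAD module session (Connect-AzureAD), that each user's region is stored in the user's extensionAttribute1 (assumption; substitute the attribute you actually populate), and that the enterprise app is found by the placeholder display name in $appDisplayName.

```powershell
# Added example: emit the per-user "Cluster Region" as a SAML attribute.
# Assumptions: Connect-AzureAD has been run; the value lives in
# extensionAttribute1; $appDisplayName is a placeholder for your app's name.
$appDisplayName = "Example SAML App"   # placeholder, replace with your app

# Step 1: claims mapping policy. "Source": "user" with "ID": "extensionattribute1"
# reads the user's own attribute, so every user gets their own region value.
$definition = @'
{
  "ClaimsMappingPolicy": {
    "Version": 1,
    "IncludeBasicClaimSet": "true",
    "ClaimsSchema": [
      {
        "Source": "user",
        "ID": "extensionattribute1",
        "SamlClaimType": "http://schemas.microsoft.com/identity/claims/ClusterRegion",
        "JwtClaimType": "cluster_region"
      }
    ]
  }
}
'@

$policy = New-AzureADPolicy -Definition @($definition) `
    -DisplayName "ClusterRegionClaimsPolicy" -Type "ClaimsMappingPolicy"

# Step 2: resolve the service principal by display name and attach the policy.
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$appDisplayName'"
if (-not $sp) { throw "Service principal '$appDisplayName' not found" }
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id

# Step 3: confirm the policy is linked; the new policy name should be listed.
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId | Select-Object DisplayName, Type
```

Entra ID only honours a claims mapping policy for an app that either uses a custom signing key or has acceptMappedClaims set to true in its manifest, so check that before testing; a user whose extensionAttribute1 is empty simply gets no ClusterRegion attribute in the assertion.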