Azure AD SAML - Claim Conditions on nameidentifier (required Name ID) claim

coaxke 21 Reputation points
2020-04-13T23:25:28.6+00:00

Hi Azure AD Team,

I just deployed an application in my tenant with some crazy claim transforms but ran into an issue when attempting to apply claim conditions on a required NameID claim:

In my application, for some users I want to emit a static value if the user is a member of a group. This works fine if the claim is of type "Additional"; for example, the following claim emits a static role if the user is a member of a specific group:

[screenshot: 7384-additionalclain.png]

The above works great!

If I attempt to do the same for the NameID claim, the value is not re-written (I know this is a strange scenario). The only workaround is to create a claim condition of type Transformation instead of Attribute. Consider the following examples:

This will not work:

[screenshot: 7364-wontwork.png]

This will work:

[screenshot: 7394-willwork.png]

Is this perhaps a known issue or am I doing something unsupported here?

Hopefully my description is understandable :)

Thanks,
Patrick


Accepted answer
  1. AmanpreetSingh-MSFT 56,441 Reputation points
    2020-04-14T08:27:03.897+00:00

    @coaxke Thanks for the clarification. When you select Attribute, the value has to be the name of an attribute. You cannot pass a static value in that case. To pass a static value, the Transformation option needs to be used.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept as answer" wherever the information provided helps you to help others in the community.


2 additional answers

  1. AmanpreetSingh-MSFT 56,441 Reputation points
    2020-04-14T07:26:48.29+00:00

    @coaxke I just tested the same settings for Name ID in my tenant and it worked perfectly fine for me.

    [screenshot: 7442-capture.jpg]

    Below is the snip from token with the same value being passed as name ID:

    [screenshot: 7324-capture2.jpg]

    If you are not getting the specified static value in the token, what do you get in the token as Name ID?

    With the information that you have shared, the only thing that I can think of which might be causing the issue in your case is, if the user account that you are testing with doesn't have an email address. In that case, the condition will not match and the rule will not apply.

    -----------------------------------------------------------------------------------------------------------

    Please Accept as answer wherever the information provided helps you to help others in the community.

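The answer above asks what the token actually contains as Name ID, which is the right first check before assuming the claim condition is broken. The script below is an added example (not part of this thread and not Microsoft's code): it decodes a base64 `SAMLResponse`, pulls out the issuer, the `NameID` with its format, and every attribute claim, and then compares them with the values the rule was expected to emit. The embedded response is constructed to mirror the scenario in the question (a static role claim plus a NameID); the tenant id, application URL and claim values are placeholders, and the role and email claim URIs are the standard Azure AD claim types.

```python
"""Inspect a SAML response to see which NameID and attribute claims were emitted.

Added example for this thread. The sample response is constructed and is
not a token from the poster's tenant; TENANT-ID-PLACEHOLDER and
app.example.com are placeholders.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Standard claim type URIs used by Azure AD for the role and email claims.
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample: a NameID rewritten to a static value plus a static role.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2020-04-14T08:00:00Z" Destination="https://app.example.com/acs">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-04-14T08:00:00Z">
    <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">StaticValue</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
        <saml:AttributeValue>AppAdmin</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode_response(xml_text):
    """Base64-encode an XML document the way a SAMLResponse form field carries it."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


SAMPLE_RESPONSE_B64 = encode_response(SAMPLE_RESPONSE_XML)


def parse_saml_response(saml_response_b64):
    """Return issuer, NameID (value and format) and all attribute claims.

    xml.etree keeps the example dependency-free; a real service provider
    should use a hardened XML parser and verify the assertion signature
    before trusting any of these values.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    issuer_el = root.find("saml:Issuer", NS)
    name_id_el = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    # An empty or absent NameID is reported as None so the caller can spot it.
    name_id = (name_id_el.text or "").strip() if name_id_el is not None else ""
    return {
        "issuer": issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None,
        "name_id": name_id or None,
        "name_id_format": name_id_el.get("Format") if name_id_el is not None else None,
        "attributes": attributes,
    }


def audit_claims(parsed, expected_name_id, expected_role):
    """Compare the emitted claims with what the claim rules were meant to produce."""
    problems = []
    if parsed["name_id"] is None:
        problems.append("NameID missing from assertion; the claim condition may not "
                        "have matched (for example, the test user has no email address)")
    elif parsed["name_id"] != expected_name_id:
        problems.append(f"NameID is {parsed['name_id']!r}, expected {expected_name_id!r}")
    roles = parsed["attributes"].get(ROLE_CLAIM, [])
    if expected_role not in roles:
        problems.append(f"role claim {roles!r} does not contain expected {expected_role!r}")
    return problems


if __name__ == "__main__":
    token = parse_saml_response(SAMPLE_RESPONSE_B64)
    print("issuer:", token["issuer"])
    print("NameID:", token["name_id"], "format:", token["name_id_format"])
    for name, values in token["attributes"].items():
        print("claim:", name, "=", values)
    print("problems:", audit_claims(token, "StaticValue", "AppAdmin") or "none")
```

To use it against a real login, capture the `SAMLResponse` form value from the browser's developer tools after signing in as the affected user and pass it to `parse_saml_response`; if `name_id` comes back as `None` or as the user's UPN rather than the static value, the Attribute-type condition did not rewrite the NameID and the Transformation approach from the accepted answer is the one to configure.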

  2. Mathieu Lavigne 1 Reputation point
    2022-10-27T21:31:13.663+00:00

    I consider this a bug from Microsoft. Overwriting attributes works with static values for the other claim attributes but not the NameID. For NameID we used Transformation as suggested here and it worked [enter faceplant emoji here].

    Thanks, guys, for saving the day. This article was useful for us.
