How to add custom user attribute to use in Azure SAML SSO?

mjunglw 26 Reputation points
2021-01-29T20:10:26.357+00:00

I have setup an Enterprise Application on Azure for SAML-based Sign-on.
On the user attributes and claims, I added an attribute called "Accounts" for a comma-separated string of accounts (as seen below).

My question is, how can I create a user attribute to have something like "Accounts" so that this field could be different per user?

Right now, I have it hard coded in the attribute (as seen below as "dev1"). Ideally, I would like to do something like user.accounts.

[screenshot: screen-shot-2021-01-29-at-114901-am.png]


Accepted answer
  1. Siva-kumar-selvaraj 15,571 Reputation points
    2021-02-02T07:16:44.723+00:00

    Hello @mjunglw, thanks for reaching out.

    I worked on your ask, and a couple of ways are what I could find suitable in your case. You can check the approved attribute values that can be pulled in for claims here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping#table-3-valid-id-values-per-source

    However, you could use the directory schema extension feature to extend custom attributes for users and send them in token claims (SAML SSO).

    May I know for which type of user you would like to extend user attributes? Cloud-only (created in the cloud itself) or hybrid accounts (created on-premises and synced to AAD)? Because directory schema extensions can be configured and administered through the Azure AD Connect interface and the Azure Portal UI (User Interface) in the case of hybrid accounts, which is straightforward, whereas for cloud-only accounts all configuration and administration are done through PowerShell, which requires additional steps as explained below:

    For Hybrid Accounts:
    You can use directory extensions to extend the schema in Azure Active Directory (Azure AD) with your own attributes from on-premises Active Directory (in our case “ACCOUNTS”). For more information, refer to this article.

    They can be used as a source for claims by configuring them as claims in the Enterprise Applications configuration in the Portal UI, for SAML applications registered using the Gallery or the non-Gallery application configuration experience under Enterprise Applications. Once a directory extension attribute created via AD Connect is in the directory, it will show in the SAML SSO claims configuration UI as shown below:

    [screenshot: saml-sso-claims-configuration-ui.png]

    For Cloud-Only accounts:

    In this case, you can only use the PowerShell way of creating a new directory extension, associating it with an existing user and setting its value, as explained in this article. This would create a custom attribute for cloud-only users in AAD and allow you to associate your own custom attribute (in our case “ACCOUNTS”), but these attributes will not show in the SAML SSO claims configuration UI; instead you have to use the Optional Claims configuration UI in the App Registrations configuration in the AAD Portal UI as shown below.

    Another difference that you see within the SAML token: these claims will be emitted with the following URI format: http://schemas.microsoft.com/identity/claims/**extn.<attributename>** instead of “user.account” (see the screenshot below for your reference).

    [screenshot: app-registrations-configuration-in-the-portal-ui.png]

    SAML token sample claims for extended attribute:

    [screenshot: sample-saml-token-for-extended-attribute.png]

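The cloud-only path from the accepted answer, written out as an added example (not code from the thread or from Microsoft's article) using the AzureAD PowerShell module. The application object ID and the user UPN are placeholders; the extension name Azure generates has the form extension_<applicationId-without-dashes>_Accounts, and the Accounts value is a constructed sample.

```powershell
# Added example: register an "Accounts" directory extension for cloud-only users
# and set a per-user value. Replace the placeholders before running.
Connect-AzureAD

# A directory extension is always owned by an application object; its generated
# name becomes extension_<appId>_Accounts and is what the optional claim refers to.
$app = Get-AzureADApplication -ObjectId "<app-object-id>"   # placeholder
$ext = New-AzureADApplicationExtensionProperty -ObjectId $app.ObjectId `
    -Name "Accounts" -DataType "String" -TargetObjects "User"
Write-Host "Extension registered as $($ext.Name)"

# Per-user value: the same comma-separated string the question hard-coded,
# now stored on the user instead of in the claim rule.
$user = Get-AzureADUser -ObjectId "alice@contoso.example"   # placeholder UPN
Set-AzureADUserExtension -ObjectId $user.ObjectId `
    -ExtensionName $ext.Name -ExtensionValue "dev1,dev2"      # constructed sample

# Read it back to confirm the value landed on the user object.
$stored = (Get-AzureADUserExtension -ObjectId $user.ObjectId)[$ext.Name]
Write-Host "Stored Accounts value: $stored"

# Listing the extension properties on the app shows what the Optional Claims
# UI (App Registrations > Token configuration) will offer for the SAML token.
Get-AzureADApplicationExtensionProperty -ObjectId $app.ObjectId |
    Select-Object Name, DataType, TargetObjects
```

Once the extension is selected as a SAML optional claim, the relying party should look for the claim under the extn.Accounts URI the answer describes, not under a user.accounts name.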

  1. mjunglw 26 Reputation points
    2021-02-11T01:19:04.583+00:00

    I figured out an alternative solution but I do believe that the solution @sikumars-msft proposed exactly answers my question.

    The alternative solution is to create groups and add users to the groups. Then, setting the claim conditions allows using the groups to determine the value.


  2. Chirannjevi Panala 1 Reputation point
    2021-07-21T17:28:25.607+00:00

    @sikumars-msft I could not find the claim in the SAML SSO app to select after making the extension attribute an optional claim as per the above steps. Did I miss any steps?


  3. Chirannjevi Panala 1 Reputation point
    2021-07-21T17:31:08.363+00:00

    @sikumars-msft That's for a cloud-only environment.


  4. Animesh Kashyap 21 Reputation points
    2022-01-11T10:22:26.087+00:00

    Hi @sikumars-msft, I am facing a similar problem.

    1. I have an extension/custom ADB2C attribute that we collect in the signup flow or update programmatically using MS Graph.
    2. The custom attribute extension_ApplicationClientID_AgentCode is added to the JWT token and is working fine as expected.
    3. Now we register an Enterprise App in Azure AD and want to map this attribute in SAML claims to achieve SSO. I can see a couple of extension attributes from 1-15, but I am not able to understand how I can add this extension attribute to the claims in SAML.

    Please advise.

    [screenshot: image.png]