AD FS to Azure AD app migration - Claim Rules

Pa_D 1,071 Reputation points
2021-03-12T20:37:00.57+00:00

There are 4 different claim rule templates that require attention:

  1. EmitGroupClaims template
  2. MapClaims template
  3. Custom template
  4. Pass through claim template

Attached screenshots for those 4 templates. Can someone provide guidance for equivalent mapping in Azure AD claim rules?

Microsoft Entra ID

Accepted answer
  1. James Hamil 21,776 Reputation points Microsoft Employee
    2021-04-01T18:41:22.883+00:00

    Hi @Pa_D ,

    We do not recommend use of Transient NameID.
    As per the doc: https://learn.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol#nameidpolicy

    • urn:oasis:names:tc:SAML:2.0:nameid-format:transient: Azure Active Directory issues the NameID claim as a randomly generated value that is unique to the current SSO operation. This means that the value is temporary and cannot be used to identify the authenticating user.

    Hence my suggestion: omit that claim for NameID being sent as Transient; in its place you can send the NameID as either Unspecified or as email address.

    • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress: Azure Active Directory issues the NameID claim in e-mail address format.
    • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified: This value permits Azure Active Directory to select the claim format. Azure Active Directory issues the NameID as a pairwise identifier.

    The only supported types for the NameID format are listed here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization#nameid-format

    I hope this helps! Please let me know if you have any further questions.

    Best,
    James


1 additional answer

  1. James Hamil 21,776 Reputation points Microsoft Employee
    2021-03-18T21:20:09.847+00:00

    Please find the details for the screenshots below:

    1. EmitGroupClaims template: Emit claim with value if user is member of the specific group ---> This is a supported scenario. For more information please check here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization#emitting-claims-based-on-conditions
    2. MapClaims template: Send Email as NameID ---> This scenario is also supported. More details around the same can be found here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization#editing-nameid
    3. Custom template: In Azure we don't recommend applications to check auth method. We don't do anything less secure than password.
    4. Pass through claim template: This is also a supported scenario. For more details you can refer to the following link: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization

    To test these claims, you can try using the Claims XRay SAML App in Azure.

    Please let me know if this helps! If so, please mark the answer as "Verified" so other users may reference it.

    Thank you,
    James
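Added example, not part of either answer above: a small offline checker for the migration test step both answers describe (capture the assertion from a test app such as Claims X-Ray, then verify it). It decodes a base64 SAMLResponse and checks the points raised in the thread: the NameID is not transient (per the accepted answer, only email address or unspecified are suggested), the group-conditional claim and the pass-through email claim from the AD FS templates are present with the expected values, and an authentication-method claim, if one is emitted, is only reported since the answer advises apps not to gate on it. The two SAMLResponse documents are constructed and unsigned for illustration, the group object ID is a placeholder, and the claim URIs for groups, email and authentication method are assumed to match what the tenant emits; signature validation is deliberately out of scope here.

```python
"""Check a captured SAML assertion against the claims an AD FS-era app expected."""
import base64
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML, "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ACCEPTED_NAMEID_FORMATS = {UNSPECIFIED, EMAIL_FORMAT}  # the two formats suggested in the thread

# Claim URIs (assumed: Azure AD group claim, WS-Fed email claim, AD FS / Azure AD authn-method claims)
GROUPS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
AUTHN_METHOD_CLAIMS = {
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
    "http://schemas.microsoft.com/claims/authnmethodsreferences",
}

SAMPLE_GROUP_ID = "11111111-2222-3333-4444-555555555555"  # constructed placeholder object ID
# What the app expects: group claim carrying a specific group, email passed through with any value
REQUIRED_CLAIMS = {GROUPS: SAMPLE_GROUP_ID, EMAIL: None}


def parse_assertion(saml_response_b64):
    """Return ((nameid_value, nameid_format), {claim_name: [values]}) from a base64 SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root if root.tag == f"{{{SAML}}}Assertion" else root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion element found")
    nid = assertion.find("saml:Subject/saml:NameID", NS)
    name_id = (nid.text, nid.get("Format")) if nid is not None else (None, None)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return name_id, attrs


def check_assertion(saml_response_b64, required_claims):
    """Return (ok, findings). ok is False if any finding is a FAIL."""
    (nid_value, nid_format), attrs = parse_assertion(saml_response_b64)
    findings = []
    fmt = nid_format or UNSPECIFIED  # SAML 2.0 treats a missing Format as unspecified
    if fmt == TRANSIENT:
        findings.append("FAIL: NameID format is transient; value is per-SSO-operation and cannot identify the user")
    elif fmt not in ACCEPTED_NAMEID_FORMATS:
        findings.append(f"WARN: NameID format {fmt} is not one of the formats suggested in the thread")
    if not nid_value:
        findings.append("FAIL: NameID is empty")
    for name, expected in required_claims.items():
        values = attrs.get(name)
        if not values:
            findings.append(f"FAIL: claim {name} missing")
        elif expected is not None and expected not in values:
            findings.append(f"FAIL: claim {name} has {values}, expected {expected!r}")
    for name in AUTHN_METHOD_CLAIMS & set(attrs):
        findings.append(f"INFO: {name} present ({attrs[name]}); the app should not gate on it")
    return not any(f.startswith("FAIL") for f in findings), findings


def _sample_response(nameid_format, nameid_value, attrs):
    """Build a constructed, unsigned SAMLResponse for offline testing (not real IdP output)."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{name}">'
        + "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
        + "</saml:Attribute>"
        for name, values in attrs.items()
    )
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{SAML}" ID="_r1" Version="2.0">'
        f'<saml:Assertion ID="_a1" Version="2.0">'
        "<saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>"
        f'<saml:Subject><saml:NameID Format="{nameid_format}">{nameid_value}</saml:NameID></saml:Subject>'
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


# Constructed samples: one matching the recommended configuration, one with the two problems from the thread
GOOD_RESPONSE = _sample_response(
    EMAIL_FORMAT, "alice@contoso.example",
    {GROUPS: [SAMPLE_GROUP_ID], EMAIL: ["alice@contoso.example"]},
)
BAD_RESPONSE = _sample_response(
    TRANSIENT, "_9f3c1e0a",
    {EMAIL: ["alice@contoso.example"]},  # group claim never emitted, NameID is transient
)

if __name__ == "__main__":
    for label, resp in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        ok, findings = check_assertion(resp, REQUIRED_CLAIMS)
        print(label, "OK" if ok else "NOT OK")
        for f in findings:
            print("  ", f)
```

To use it against a real test, paste the base64 SAMLResponse captured from the browser (or the assertion shown by the test app) in place of the constructed samples and adjust REQUIRED_CLAIMS to the claim names and values the application actually consumes.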