How can I access user flow custom attributes for a self-service sign-on in an Enterprise App's SAML user attributes/claims

Anthony Fitzgerald 26 Reputation points
2021-07-01T09:26:22.813+00:00

Novice Azure AD user here; I have been tasked to set up SSO for one of our 3rd-party apps.

I've created a user flow for self service sign up for this 3rd party app and added in a custom attribute to capture their user id on this app with the hope to use this to match them up in the 3rd party platform.

When I edit the SAML user attributes/claims for this Enterprise App, I can't see this custom user attribute in the drop down selection, so I can't pass it to the 3rd party app.

Is what I'm doing possible, or is there some other step I'm missing?

Thanks,
Anthony.

Microsoft Security Microsoft Entra Microsoft Entra ID

1 answer

  1. AmanpreetSingh-MSFT 56,871 Reputation points Moderator
    2021-07-06T09:38:48.097+00:00

    Hi @Anthony Fitzgerald, thank you for reaching out.

    The extension attributes populated via User Flow won't appear in the portal under SAML user attributes/claims for the Enterprise App. You can, however, use a Claims Mapping policy to pass the extension attribute as a SAML claim in the token.

    Keep in mind that the attributes without any value populated will not be returned in the token. So make sure the attribute is not empty.

    In the example below, I am using the ExtID extension attribute that I created via User Flow; such attributes are always in the extension_<App ID of aad-extensions-app>_attributeName format.

    # Create the claims-mapping policy (AzureAD PowerShell module).
    # The ExtensionID entry maps the user-flow extension attribute; the other
    # two entries map built-in user properties for comparison.
    New-AzureADPolicy -Definition @('{
        "ClaimsMappingPolicy": {
            "Version": 1,
            "IncludeBasicClaimSet": "true",
            "ClaimsSchema": [
                {
                    "Source": "user",
                    "ExtensionID": "extension_a90abxxxxxxxxxxxxxa5f1072c3810bc_ExtID",
                    "SamlClaimType": "http://schemas.microsoft.com/identity/claims/ExtID",
                    "JwtClaimType": "ExtID"
                },
                {
                    "Source": "user",
                    "ID": "onpremisessamaccountname",
                    "SamlClaimType": "samaccountname",
                    "JwtClaimType": "samAccountName"
                },
                {
                    "Source": "user",
                    "ID": "department",
                    "SamlClaimType": "http://schemas.microsoft.com/identity/claims/department",
                    "JwtClaimType": "department"
                }
            ]
        }
    }') -DisplayName "MyClaimsPolicy" -Type "ClaimsMappingPolicy"

    # Assign the policy to the Enterprise App's service principal.
    Add-AzureADServicePrincipalPolicy -Id <Object ID of Enterprise App> -RefObjectId <object ID of the Policy created above>
    

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
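Before a policy like the one in the answer is created in a tenant, it is worth checking the definition offline: that every ClaimsSchema entry names exactly one source property (ID or ExtensionID), that the ExtensionID follows the extension_<App ID>_attributeName form the answer describes, and which claims a given user would actually receive given the rule that empty attributes are not returned in the token. The following Python script is an added example, not code from the answer or from Microsoft; the policy text it validates is a constructed copy of the answer's shape with an all-zero placeholder app ID, and the 32-hex-character app ID check is an assumption drawn from the answer's example, not a documented Microsoft rule.

```python
import json
import re

# Constructed claims-mapping policy definition mirroring the answer's shape.
# The app ID is an all-zero placeholder, not a real tenant value.
POLICY_DEFINITION = """{
  "ClaimsMappingPolicy": {
    "Version": 1,
    "IncludeBasicClaimSet": "true",
    "ClaimsSchema": [
      {"Source": "user",
       "ExtensionID": "extension_00000000000000000000000000000000_ExtID",
       "SamlClaimType": "http://schemas.microsoft.com/identity/claims/ExtID",
       "JwtClaimType": "ExtID"},
      {"Source": "user",
       "ID": "department",
       "SamlClaimType": "http://schemas.microsoft.com/identity/claims/department",
       "JwtClaimType": "department"}
    ]
  }
}"""

# Assumed form: "extension_" + 32 hex chars (app ID without dashes) + "_" + name.
EXTENSION_ID_RE = re.compile(r"^extension_[0-9a-fA-F]{32}_[A-Za-z0-9]+$")


def validate_policy(definition: str) -> list:
    """Return a list of problems found in a claims-mapping policy definition.
    An empty list means every check passed."""
    problems = []
    try:
        doc = json.loads(definition)
    except json.JSONDecodeError as exc:
        return [f"definition is not valid JSON: {exc}"]
    policy = doc.get("ClaimsMappingPolicy")
    if not isinstance(policy, dict):
        return ["missing ClaimsMappingPolicy object"]
    if policy.get("Version") != 1:
        problems.append("Version must be 1")
    for i, entry in enumerate(policy.get("ClaimsSchema", [])):
        has_id = "ID" in entry
        has_ext = "ExtensionID" in entry
        if has_id == has_ext:  # exactly one source property is required
            problems.append(f"ClaimsSchema[{i}]: needs exactly one of ID or ExtensionID")
        if has_ext and not EXTENSION_ID_RE.match(entry["ExtensionID"]):
            problems.append(f"ClaimsSchema[{i}]: ExtensionID not in extension_<appId>_<name> form")
        if "SamlClaimType" not in entry and "JwtClaimType" not in entry:
            problems.append(f"ClaimsSchema[{i}]: no SamlClaimType or JwtClaimType")
    return problems


def predict_saml_claims(definition: str, user_attributes: dict) -> dict:
    """Given the policy and a user's attribute values, return the SAML claim
    type -> value pairs that would be emitted. Mirrors the rule in the answer:
    attributes with no value are left out of the token."""
    policy = json.loads(definition)["ClaimsMappingPolicy"]
    claims = {}
    for entry in policy["ClaimsSchema"]:
        source_attr = entry.get("ExtensionID") or entry.get("ID")
        value = user_attributes.get(source_attr)
        if value is None or value == "":
            continue  # empty attribute: the claim is not emitted
        claims[entry["SamlClaimType"]] = value
    return claims


if __name__ == "__main__":
    print("problems:", validate_policy(POLICY_DEFINITION))
    # Constructed user: ExtID is set, department is empty, so only ExtID is emitted.
    sample_user = {
        "extension_00000000000000000000000000000000_ExtID": "u-123",
        "department": "",
    }
    print("claims:", predict_saml_claims(POLICY_DEFINITION, sample_user))
```

Running the script with the constructed user shows only the ExtID claim, which is the behaviour the answer warns about: if the user-flow attribute was never populated for a user, the 3rd-party app will not receive it, so the matching on the app side silently fails for that user.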

