
Azure AD SSO SAML Claims Attribute - User.manager

james bennett 51 Reputation points
2021-12-06T18:37:45.307+00:00

Hi,

I'm trying to add a custom SAML Claims attribute to my Enterprise App but the attribute I need isn't showing up. It's the Manager attribute and it is there on the User account but just not visible as a claims attribute.

I've read that it currently isn't supported but can anyone else confirm?

https://learn.microsoft.com/en-us/answers/questions/332964/saml-claim-for-manager-value.html


4 answers

  1. Jackie Palm 20 Reputation points
    2023-11-10T21:52:17.96+00:00

    This is a combination of the answers from Siva-kumar-selvaraj and DavidMoreno-4043. They get all the credit. I just wanted to put it in one screen since I don't always read all the comments and it took me a while to figure this out.

    From Siva-kumar-selvaraj

    Alternatively, you would have to use one of the "user.extensionattribute(s)" to map it to the manager attribute by creating a new outbound sync custom rule.

    Steps to create Inbound custom Rule on Sync server:

    1. Sign in to the server that is running Azure AD Connect sync by using an account that is a member of the ADSyncAdmins security group.
    2. Start Synchronization Rules Editor from the Start menu.
    3. Make sure Inbound is selected, and click Add New Rule.
    4. Give the rule a descriptive name, such as "In from AD – Send users SAM account value to Azure AD for salesforce". Select "local ad forest", select User as the CS object type, and select Person as the MV object type. In Link Type, select Join. In Precedence, type a value that isn't currently used by another synchronization rule (for example 51 or 90), and then click Next.
    5. Leave the Scoping filter Join rules empty, and then click Next. (An empty filter indicates that the rule is to be applied to all objects.)

    Adjustment from DavidMoreno-4043 in bold for step 6.

    6. Click Add Transformation, select the FlowType as Expression, and select extensionattribute(1-15) as the Target Attribute. In the Source text box, enter DNComponent(CRef([manager]),1). Click Add to save the rule.

    More Details:

    https://learn.microsoft.com/en-us/azure/active-directory/cloud-sync/reference-expressions#dncomponent

    Safety precaution:
    You can also enable staging mode and disable the scheduler on the Azure AD Connect server while performing the above steps, and then execute the full sync cycle manually, except the "export cycle of AAD connector", so that you can make sure all changes are legitimate.

    7. After saving the sync rule, open PowerShell with Admin privileges and execute the following command on the Sync server: Start-ADSyncSyncCycle -PolicyType Initial, to trigger full synchronization. This step recalculates all attribute flows.

    More Details:
    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-change-the-configuration#create-your-first-custom-rule

    Hopefully putting their answers together will help someone else with this issue. I am thrilled to say this worked for me and I am very thankful for the info.


    3 people found this answer helpful.

  2. DavidMoreno-4043 35 Reputation points
    2023-02-08T13:14:33.4733333+00:00

    Hi guys,

    You can do it using the Dncomponent function from VBA:

    https://learn.microsoft.com/en-us/azure/active-directory/cloud-sync/reference-expressions#dncomponent

    But first you should change the flowType to "expression" and in the source column put as below:

    DNComponent(CRef([manager]),1)

    Manager in this case, or whatever you want. The number specifies which value you want, counting from the left.

    1 person found this answer helpful.
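The two answers above (Jackie Palm's combined steps and DavidMoreno-4043's expression) flow DNComponent(CRef([manager]),1) into an extensionAttribute. The following is an added illustration, not code from the thread or from Azure AD Connect: it emulates what that expression yields from a manager DN, so you can predict and later verify the value that lands in the claim. The sample DNs and the handling of an empty manager reference are constructed assumptions.

```python
import re

# Constructed sample data: in on-premises AD the 'manager' attribute is a DN.
# The sync rule from the thread takes DN component 1 (from the left), which
# for a user object is its CN. One CN contains an RFC 4514 escaped comma.
SAMPLE_MANAGERS = {
    "jdoe":   "CN=Alice Example,OU=Staff,DC=contoso,DC=com",
    "bsmith": "CN=Smith\\, Bob,OU=Staff,DC=contoso,DC=com",
    "cjones": None,  # no manager set on the account
}

_UNESCAPE = re.compile(r"\\(.)")


def split_dn(dn):
    """Split a DN into RDN strings, keeping backslash-escaped commas intact."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def dn_component(dn, index):
    """Emulate DNComponent(CRef(dn), index): the value of the index-th RDN from the left, 1-based."""
    if not dn:
        return None  # assumption: a null manager reference flows as null rather than erroring
    rdns = split_dn(dn)
    if index < 1 or index > len(rdns):
        return None
    _, _, value = rdns[index - 1].partition("=")
    return _UNESCAPE.sub(r"\1", value)


def manager_claims(users):
    """Per user: the value the extensionAttribute, and so the SAML claim, would carry.
    Note that a CN is a display value, not a unique or stable identifier."""
    return {user: dn_component(dn, 1) for user, dn in users.items()}
```

Comparing manager_claims() over a handful of real DNs with what the staging-mode preview shows is a quick way to confirm the rule before the export cycle runs.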

  3. C C 1 Reputation point
    2022-02-24T12:11:03.693+00:00

    Hi team,

    I have tried to set up this custom sync rule but got the error attached.

    Have you seen this error or know how it can be resolved?



  4. Siva-kumar-selvaraj 15,741 Reputation points Volunteer Moderator
    2021-12-08T16:21:21.587+00:00

    Hello @james bennett ,

    Thanks for reaching out.

    Yes, I confirmed this functionality once again with the product group and understand that the manager attribute is not available for direct selection in Enterprise applications as SAML claims as of today.

    Alternatively, you would have to use one of the "user.extensionattribute(s)" to map it to the manager attribute by creating a new outbound sync custom rule.

    Steps to create Inbound custom Rule on Sync server:

    1. Sign in to the server that is running Azure AD Connect sync by using an account that is a member of the ADSyncAdmins security group.
    2. Start Synchronization Rules Editor from the Start menu.
    3. Make sure Inbound is selected, and click Add New Rule.
    4. Give the rule a descriptive name, such as "In from AD – Send users SAM account value to Azure AD for salesforce". Select "local ad forest", select User as the CS object type, and select Person as the MV object type. In Link Type, select Join. In Precedence, type a value that isn't currently used by another synchronization rule (for example 51 or 90), and then click Next.
    5. Leave the Scoping filter Join rules empty, and then click Next. (An empty filter indicates that the rule is to be applied to all objects.)
    6. Click Add Transformation, select the FlowType as Direct, and select extensionattribute(1-15) as the Target Attribute. In the Source text box, select "manager". Click Add to save the rule.

    Safety precaution:
    You can also enable staging mode and disable the scheduler on the Azure AD Connect server while performing the above steps, and then execute the full sync cycle manually, except the "export cycle of AAD connector", so that you can make sure all changes are legitimate.

    7. After saving the sync rule, open PowerShell with Admin privileges and execute the following command on the Sync server: Start-ADSyncSyncCycle -PolicyType Initial, to trigger full synchronization. This step recalculates all attribute flows.

    More Details:
    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-change-the-configuration#create-your-first-custom-rule


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
