Update SAML NameID Format using MS Graph

Daniel Milnes 21 Reputation points
2022-05-27T10:31:56.683+00:00

I'm using Terraform to create a claims mapping policy, but I can't see a way to set the NameID value or format. There's nothing in the Microsoft or Terraform documentation which says how to change the NameID format or value using Microsoft Graph. Is this possible, and if so, how?

Thanks.


Accepted answer
  1. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,491 Reputation points
    2022-06-09T22:15:06.473+00:00

    Hello @Daniel Milnes, in order to update a SAML enterprise application NameID attribute value and format using Terraform and MS Graph you need to:

    1. Update the Terraform AzureAD Provider to v1.5.0.
    2. Understand Claims Mapping Policies.
    3. Define an azuread_claims_mapping_policy resource to create the policy.
    4. Define an azuread_service_principal_claims_mapping_policy_assignment to assign the policy to your application service principal.

    Valid SamlNameIdFormat values are:

    • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
    • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    • urn:oasis:names:tc:SAML:2.0:nameid-format:transient

    Sample:

       # Claims mapping policy that emits the user's UPN as the SAML NameID in
       # emailAddress format. `definition` is a list of JSON strings, which is
       # why the policy object is wrapped in jsonencode().
       resource "azuread_claims_mapping_policy" "my_policy" {
         definition = [
           jsonencode(
             {
               ClaimsMappingPolicy = {
                 ClaimsSchema = [
                   {
                     ID               = "userprincipalname"
                     SamlClaimType    = "https://aws.amazon.com/SAML/Attributes/nameidentifier"
                     SamlNameIdFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                     Source           = "user"
                   },
                 ]
                 IncludeBasicClaimSet = "true"
                 Version              = 1
               }
             }
           ),
         ]
         display_name = "My Policy"
       }

       # Attach the policy to the enterprise application's service principal.
       resource "azuread_service_principal_claims_mapping_policy_assignment" "app" {
         claims_mapping_policy_id = azuread_claims_mapping_policy.my_policy.id
         service_principal_id     = azuread_service_principal.my_principal.id
       }
    

    Let us know if this answer was helpful to you or if you need additional assistance. If it was helpful, please remember to accept it so that others in the community with similar questions can more easily find a solution.

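
The same two operations the Terraform resources in the accepted answer perform, issued directly against Microsoft Graph, as an added example (not code from the question or the answer). It builds the claimsMappingPolicy body (Graph's `definition` is an array of JSON strings, which is why Terraform wraps the object in jsonencode()), validates SamlNameIdFormat against the four accepted values, creates the policy with POST /v1.0/policies/claimsMappingPolicies and links it with POST /v1.0/servicePrincipals/{id}/claimsMappingPolicies/$ref. The FakeGraph transport, the service principal id and the returned policy id are constructed placeholders; in production inject a function that sends the request with a bearer token carrying Policy.ReadWrite.ApplicationConfiguration (plus Application.ReadWrite.All for the $ref assignment).

```python
"""Create a claims mapping policy and link it to a service principal via Microsoft Graph.

Added example (not code from the question or the accepted answer). It performs the
same two operations as the azuread_claims_mapping_policy and
azuread_service_principal_claims_mapping_policy_assignment resources.
"""
import json
from typing import Any, Callable, Dict, List, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"

# The four NameID formats Azure AD accepts in SamlNameIdFormat.
VALID_NAMEID_FORMATS = frozenset({
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
})

# Claim type Azure AD interprets as "this claim is the SAML NameID".
NAMEID_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"


def build_policy_body(display_name: str, source_attr: str, name_id_format: str) -> Dict[str, Any]:
    """Body for POST /policies/claimsMappingPolicies.

    Graph stores `definition` as an array of strings, each string being a serialised
    JSON document. Terraform's jsonencode() produces exactly that string.
    """
    if name_id_format not in VALID_NAMEID_FORMATS:
        raise ValueError(f"unsupported SamlNameIdFormat: {name_id_format}")
    policy = {
        "ClaimsMappingPolicy": {
            "Version": 1,
            "IncludeBasicClaimSet": "true",
            "ClaimsSchema": [{
                "Source": "user",
                "ID": source_attr,
                "SamlClaimType": NAMEID_CLAIM,
                "SamlNameIdFormat": name_id_format,
            }],
        }
    }
    return {
        "displayName": display_name,
        "isOrganizationDefault": False,
        "definition": [json.dumps(policy, separators=(",", ":"))],
    }


def decode_definition(body: Dict[str, Any]) -> Dict[str, Any]:
    """Undo the string-in-array encoding so a caller can inspect the policy."""
    return json.loads(body["definition"][0])["ClaimsMappingPolicy"]


def build_assignment_body(policy_id: str) -> Dict[str, str]:
    """Body for POST /servicePrincipals/{spId}/claimsMappingPolicies/$ref."""
    return {"@odata.id": f"{GRAPH}/policies/claimsMappingPolicies/{policy_id}"}


Post = Callable[[str, Dict[str, Any]], Dict[str, Any]]


def apply_nameid_policy(post: Post, sp_id: str, display_name: str,
                        source_attr: str, name_id_format: str) -> str:
    """Create the policy, then link it to the service principal; returns the policy id.

    `post(url, body)` is injected so the flow runs offline here. In production pass a
    function that sends the request with a bearer token carrying
    Policy.ReadWrite.ApplicationConfiguration (plus Application.ReadWrite.All for the $ref).
    """
    created = post(f"{GRAPH}/policies/claimsMappingPolicies",
                   build_policy_body(display_name, source_attr, name_id_format))
    policy_id = created["id"]
    post(f"{GRAPH}/servicePrincipals/{sp_id}/claimsMappingPolicies/$ref",
         build_assignment_body(policy_id))
    return policy_id


FAKE_POLICY_ID = "00000000-0000-0000-0000-000000000001"  # constructed placeholder


class FakeGraph:
    """Constructed stand-in for an authenticated Graph session: records requests."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, Dict[str, Any]]] = []

    def post(self, url: str, body: Dict[str, Any]) -> Dict[str, Any]:
        self.calls.append((url, body))
        if url.endswith("/policies/claimsMappingPolicies"):
            return {"id": FAKE_POLICY_ID, **body}   # Graph echoes the object plus its id
        return {}                                   # the $ref link returns 204 No Content


if __name__ == "__main__":
    fake = FakeGraph()
    pid = apply_nameid_policy(fake.post, "sp-example-id", "NameID as email",
                              "userprincipalname",
                              "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")
    print(pid, [url for url, _ in fake.calls])
```

One caveat worth checking before rolling this out: Azure AD refuses to issue tokens for an application that has a claims mapping policy attached unless the application either sets acceptMappedClaims to true in its manifest or is configured with a custom signing key; without one of those, sign-in fails after the policy is assigned.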

1 additional answer

  1. Daniel Milnes 21 Reputation points
    2022-06-10T15:04:15.21+00:00

    I've managed to figure this out, but it seems to be a really weird implementation detail on the backend. If you add an attribute to your claim mapping policy for http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier, it will realise what you mean and change the NameID format from urn:oasis:names:tc:SAML:2.0:nameid-format:persistent to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

    For anyone who finds this in the future, you can copy the following to get an email address in your NameID.

       # Mapping the UPN onto the nameidentifier claim type makes Azure AD use it
       # as the SAML NameID and switch the format to emailAddress.
       resource "azuread_claims_mapping_policy" "this" {
         definition = [
           jsonencode(
             {
               ClaimsMappingPolicy = {
                 ClaimsSchema = [
                   {
                     ID            = "userprincipalname"
                     SamlClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
                     Source        = "user"
                   },
                 ]
                 IncludeBasicClaimSet = "true"
                 Version              = 1
               }
             }
           ),
         ]
         display_name = "example"
       }
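
A way to confirm that the answer above actually took effect, as an added example that is not part of the original post: decode a SAMLResponse form field captured from the application's ACS endpoint and read the Format and value of the assertion's Subject/NameID, then compare it with the format you expect (emailAddress after the nameidentifier mapping, persistent before it). The sample response embedded below is constructed and unsigned; real Azure AD responses are signed, and the signature must be verified before anything read out of them is trusted. On untrusted input use defusedxml rather than the standard library parser.

```python
"""Check which NameID format and value a SAML assertion actually carries.

Added example, not code from the original post. Pass the base64 SAMLResponse
form value posted to your application's ACS endpoint.
"""
import base64
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input
from typing import Tuple

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def extract_name_id(xml_text: str) -> Tuple[str, str]:
    """Return (Format, value) of the first Assertion's Subject/NameID.

    SAML 2.0 Core section 2.2.2: a NameID without a Format attribute is
    treated as the 1.1 'unspecified' format.
    """
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        raise ValueError("no Subject/NameID in assertion")
    fmt = name_id.get("Format", UNSPECIFIED_FORMAT)
    return fmt, (name_id.text or "").strip()


def check_name_id(saml_response_b64: str, expected_format: str) -> Tuple[bool, str, str]:
    """Decode a base64 SAMLResponse and report whether its NameID has the expected format."""
    xml_text = base64.b64decode(saml_response_b64).decode("utf-8")
    fmt, value = extract_name_id(xml_text)
    return fmt == expected_format, fmt, value


# Constructed sample: a minimal, unsigned Azure AD-style response. Real responses
# are signed; verify the signature before trusting anything you read out of them.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@contoso.example</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()

if __name__ == "__main__":
    ok, fmt, value = check_name_id(SAMPLE_RESPONSE_B64, EMAIL_FORMAT)
    print(ok, fmt, value)
```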
    
