Chain Together AAD Claims Transformations
Daniel Milnes
Hi there,
We're trying to use Azure AD claims transformations to work around legacy requirements from a previous IDP. We'd like to replace the domain on all UPNs with a different domain, but we don't appear to be able to chain together claims transformations to achieve this.
We're deploying the below policy with Terraform
resource "azuread_claims_mapping_policy" "this" {
  definition = [
    jsonencode({
      ClaimsMappingPolicy = {
        Version              = 1,
        IncludeBasicClaimSet = "true",
        # Claims emitted in the token: the raw UPN plus two transformation outputs
        ClaimsSchema = [
          {
            Source = "user"
            ID     = "userprincipalname"
          },
          {
            Source           = "transformation"
            ID               = "Compat1"
            TransformationId = "Transform1"
          },
          {
            Source           = "transformation"
            ID               = "Compat2"
            TransformationId = "Transform2"
            SamlClaimType    = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
          }
        ],
        ClaimsTransformations = [
          {
            # Step 1: strip the domain from the UPN, leaving the mail prefix
            ID                   = "Transform1"
            TransformationMethod = "ExtractMailPrefix"
            InputClaims = [
              {
                ClaimTypeReferenceId    = "userprincipalname"
                TransformationClaimType = "mail"
              }
            ],
            OutputClaims = [
              {
                ClaimTypeReferenceId    = "Compat1"
                TransformationClaimType = "outputClaim"
              }
            ]
          },
          {
            # Step 2: append "@example.com" to the output of step 1
            ID                   = "Transform2"
            TransformationMethod = "Join"
            InputClaims = [
              {
                ClaimTypeReferenceId    = "Compat1"
                TransformationClaimType = "string"
              }
            ],
            InputParameters = [
              {
                ID    = "string2"
                Value = "example.com"
              },
              {
                ID    = "separator"
                Value = "@"
              }
            ],
            OutputClaims = [
              {
                ClaimTypeReferenceId    = "Compat2"
                TransformationClaimType = "outputClaim"
              }
            ]
          }
        ]
      }
    })
  ]
  display_name = var.name
}
However, when we try to log in through Azure AD, we get the below error:
AADSTS501242: ClaimsTransformations with ID 'Transform2' contains an unsupported InputClaim.Source 'transformation'.
What would be the way forward here? We're happy to use a regular expression instead, but wouldn't see a way to do this from the docs.
Thanks!
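The policy above can be checked offline before it is deployed. The following is an added example, not code from the post or from Microsoft: it reproduces the poster's ClaimsMappingPolicy as a constructed Python dict, flags the shape that AADSTS501242 rejects (a transformation whose InputClaim references a claim whose Source is "transformation"), and runs a local approximation of ExtractMailPrefix and Join on a constructed UPN so the intended end result can be seen. The sample UPN `alice@legacy.example`, the function names, and the string semantics of the two methods are assumptions for illustration, not Azure AD's evaluator.

```python
"""Offline lint and dry-run for the poster's Azure AD ClaimsMappingPolicy (added example)."""
import re

# Constructed copy of the policy from the post (same IDs, methods and parameters).
POLICY = {
    "ClaimsMappingPolicy": {
        "Version": 1,
        "IncludeBasicClaimSet": "true",
        "ClaimsSchema": [
            {"Source": "user", "ID": "userprincipalname"},
            {"Source": "transformation", "ID": "Compat1", "TransformationId": "Transform1"},
            {"Source": "transformation", "ID": "Compat2", "TransformationId": "Transform2",
             "SamlClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"},
        ],
        "ClaimsTransformations": [
            {"ID": "Transform1", "TransformationMethod": "ExtractMailPrefix",
             "InputClaims": [{"ClaimTypeReferenceId": "userprincipalname",
                              "TransformationClaimType": "mail"}],
             "OutputClaims": [{"ClaimTypeReferenceId": "Compat1",
                               "TransformationClaimType": "outputClaim"}]},
            {"ID": "Transform2", "TransformationMethod": "Join",
             "InputClaims": [{"ClaimTypeReferenceId": "Compat1",
                              "TransformationClaimType": "string"}],
             "InputParameters": [{"ID": "string2", "Value": "example.com"},
                                 {"ID": "separator", "Value": "@"}],
             "OutputClaims": [{"ClaimTypeReferenceId": "Compat2",
                               "TransformationClaimType": "outputClaim"}]},
        ],
    }
}


def find_chained_transformations(policy):
    """Return (transformation ID, input claim ID) pairs where a transformation
    consumes a claim whose Source is 'transformation'. That is the chaining the
    tenant rejected with AADSTS501242 in the post."""
    body = policy["ClaimsMappingPolicy"]
    source_of = {c["ID"]: c["Source"] for c in body["ClaimsSchema"]}
    chained = []
    for t in body.get("ClaimsTransformations", []):
        for inp in t.get("InputClaims", []):
            ref = inp["ClaimTypeReferenceId"]
            if source_of.get(ref) == "transformation":
                chained.append((t["ID"], ref))
    return chained


def simulate(policy, user_claims):
    """Evaluate the transformations locally, in policy order, to preview the
    intended outcome. Local approximation of ExtractMailPrefix and Join (assumed
    semantics), not the Azure AD evaluator."""
    body = policy["ClaimsMappingPolicy"]
    claims = dict(user_claims)
    for t in body.get("ClaimsTransformations", []):
        params = {p["ID"]: p["Value"] for p in t.get("InputParameters", [])}
        value = claims[t["InputClaims"][0]["ClaimTypeReferenceId"]]
        method = t["TransformationMethod"]
        if method == "ExtractMailPrefix":
            result = value.split("@", 1)[0]          # drop everything after '@'
        elif method == "Join":
            result = value + params["separator"] + params["string2"]
        else:
            raise ValueError(f"unsupported method {method}")
        claims[t["OutputClaims"][0]["ClaimTypeReferenceId"]] = result
    return claims


def single_step_domain_swap(upn, new_domain):
    """The same end result expressed as one regular-expression replacement over
    the UPN, i.e. what a single, non-chained step has to achieve."""
    return re.sub(r"@[^@]+$", "@" + new_domain, upn)


if __name__ == "__main__":
    print("chained inputs:", find_chained_transformations(POLICY))
    out = simulate(POLICY, {"userprincipalname": "alice@legacy.example"})  # constructed UPN
    print("Compat2 would be:", out["Compat2"])
    print("single step:", single_step_domain_swap("alice@legacy.example", "example.com"))
```

Running this prints the chained pair `('Transform2', 'Compat1')`, which is the condition to lint for in CI before `terraform apply`; the two preview functions show that the intended result is simply the UPN with its domain swapped, which is why a single regex-based step is the natural replacement for the two-step chain.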