Matching against other than just ImmutableID on Azure during a Windows WS-Trust/federated login

Seth Call 0 Reputation points
2024-07-12T23:37:41.0066667+00:00

Hi all,

In a federated login, Windows will make a WS-Trust SOAP call to the federated endpoint matching the login type (username, certificate, etc).

I can only find evidence that Azure only uses the ImmutableID SAML attribute to match a user in the Azure directory when a certificate login attempt is made.

But my question is: is there anything else one can pass along, as a SAML attribute, that Azure also supports matching against? UPN is a good example of something that would be great to have Azure match on at login time:

This is the SAML assertion that certainly works:


The problem with this (and why I'm asking for alternatives) is that there is no guarantee that every user in the Azure directory has an ImmutableID set. Sure, they should. But there is no guarantee. So I ask: can I pass along any other attributes to have Azure match against those other user directory values as well?
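The ImmutableID-only matching the question describes, simulated as an added example (not code from the original post or from Microsoft): it parses a constructed SAML assertion, pulls out the ImmutableID and UPN claims, and looks the subject up in a constructed directory where one account has no ImmutableID. The directory entries, the claim values, the issuer URL and the helper names are assumptions; the two claim-type URIs are the ones AD FS-style federation commonly issues to Entra ID, and the token version (SAML 1.1 vs 2.0) your IdP issues may differ, so verify both against your own federation configuration.

```python
"""Simulate ImmutableID-only user matching for a federated sign-in.

Added example. The assertion, directory and claim values are constructed for
illustration; the claim type URIs are assumed to be the ones your IdP issues
(check your federation trust before relying on them).
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
IMMUTABLE_ID_CLAIM = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"
UPN_CLAIM = "http://schemas.xmlsoap.org/claims/UPN"

# Constructed assertion fragment: not a real token, no signature, example-only values.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:Issuer>https://idp.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID">
      <saml:AttributeValue>uD3Vf0z4kUqN9uP4zG6gDg==</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/UPN">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed directory. "bob" exists but has no ImmutableID: the gap the question raises.
DIRECTORY = [
    {"upn": "alice@example.test", "immutable_id": "uD3Vf0z4kUqN9uP4zG6gDg=="},
    {"upn": "bob@example.test", "immutable_id": None},
]


def extract_claims(assertion_xml):
    """Return {claim_type: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        claims[attr.get("Name")] = values
    return claims


def match_user(claims, directory):
    """Match on ImmutableID only, as the question says Entra does for certificate sign-in.

    Returns the directory entry or None. Empty or multi-valued ImmutableID claims are
    rejected, and directory entries without an ImmutableID can never match, so an
    empty claim can't accidentally pair up with an unset attribute.
    """
    ids = claims.get(IMMUTABLE_ID_CLAIM, [])
    if len(ids) != 1 or not ids[0]:
        return None
    for user in directory:
        if user["immutable_id"] is not None and user["immutable_id"] == ids[0]:
            return user
    return None


def audit_missing_immutable_id(directory):
    """Defender-side check: accounts that federated sign-in could never match."""
    return sorted(u["upn"] for u in directory if not u["immutable_id"])


if __name__ == "__main__":
    claims = extract_claims(SAMPLE_ASSERTION)
    print("claims:", claims)
    print("alice matches:", match_user(claims, DIRECTORY))
    # A UPN-only assertion finds nobody under ImmutableID-only matching.
    print("bob by UPN only:", match_user({UPN_CLAIM: ["bob@example.test"]}, DIRECTORY))
    print("accounts lacking ImmutableID:", audit_missing_immutable_id(DIRECTORY))
```

The `audit_missing_immutable_id` check is the practical takeaway: rather than hoping every account carries an ImmutableID, enumerate the ones that do not before rolling out certificate sign-in, since those users will fail to match regardless of what other attributes the assertion carries.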

Microsoft Entra ID

1 answer

  1. Akhilesh 7,230 Reputation points Microsoft Vendor
    2024-07-16T12:41:33.1633333+00:00

    Hi @Seth Call

    Thank you for reaching us!

    To answer your question yes, you can pass along other attributes in the SAML assertion to have Azure match against other user directory values.
    Entra ID supports matching users based on a variety of attributes, including the user's email address, employee ID, object ID and custom attributes.
    To configure these attributes, you can use the Entra portal to edit the claims issued in the SAML token for your application.
    For more information on how to customize SAML token claims in Entra ID please refer to the following documentation: Customize SAML token claims
    https://learn.microsoft.com/en-us/answers/questions/251487/how-to-add-custom-user-attribute-to-use-in-azure-s

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Akhilesh.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.