Also read – Migrating from ADFS to AAD

Correct User Access URLs (IdP Initiated versus SP Initiated)

The correct end user access URL can be obtained from the Properties tab on the Enterprise App’s configuration.

  • IdP Initiated SSO URL – The correct (IdP, i.e. AAD initiated) URL should look like myapps.microsoft.com/…
  • SP Initiated SSO URL – The partially correct (SP initiated) SAML endpoint looks like yourAADtenant.com/saml2/signin/. This is SP initiated, going directly to the SaaS portal, and it will most likely trigger a second-factor authentication prompt for the user.

Email Addresses versus UPNs

One of the first transformations you will need on your AAD attributes (incoming from the SaaS service) will be around email addresses. Most AAD groups and users are keyed on user principal names (UPNs), so you will need to map the email address to a UPN.

Guest Users and One Time Passwords

See this post to understand why One Time Passwords are a great option for external B2B (vendors etc.) and external guest (B2C) users.

Dynamic versus Static Attributes

The SaaS or custom ADFS application may have some attributes that are dynamically added to the SAML request. These can include ad-hoc attributes (often labeled clientid_1, clientid_2, etc.): the SaaS provider is handling multiple vendors with the same variable name, extended by a numeric suffix.

To avoid this pattern, use static attributes, which are easier to manage.

Passing a List of Attribute Values to AAD

This isn’t supported. However, your attribute’s values can be rolled up into a single comma-delimited string and passed to AAD as one value.
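Both ends of that roll-up, as an added example that is not part of the original post: the IdP side joins the values into one delimited string (and refuses a value that itself contains the delimiter, since the consumer could not split it back unambiguously), and the SP side pulls the attribute out of the assertion's AttributeStatement and splits it. The assertion fragment, the attribute name groups and the delimiter are constructed for the example; the parser assumes the assertion's signature has already been validated by the SAML library in front of it.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
DELIM = ","  # constructed choice; the post uses a comma-delimited list


def rollup(values):
    """IdP side: collapse a list of attribute values into one delimited string.

    A value that contains the delimiter, or is empty, is rejected: once joined,
    the SP would have no way to recover the original boundaries.
    """
    cleaned = []
    for v in values:
        v = v.strip()
        if not v:
            raise ValueError("empty attribute value cannot be rolled up")
        if DELIM in v:
            raise ValueError(f"value {v!r} contains the delimiter {DELIM!r}")
        cleaned.append(v)
    return DELIM.join(cleaned)


def get_attribute_values(assertion_xml, attr_name):
    """SP side: return the values of one SAML attribute as a list.

    Each AttributeValue is split on the delimiter, whitespace is trimmed and
    empty fragments (e.g. from a trailing comma) are dropped. A genuinely
    multi-valued attribute (several AttributeValue elements) is handled too.
    """
    root = ET.fromstring(assertion_xml)
    out = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != attr_name:
            continue
        for val in attr.iterfind("saml:AttributeValue", SAML_NS):
            text = val.text or ""
            out.extend(p.strip() for p in text.split(DELIM) if p.strip())
    return out


# Constructed assertion fragment (not a real tenant's output): the "groups"
# attribute carries a rolled-up list, "role" a single plain value.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>vendor-a, vendor-b,reporting,</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="role">
      <saml:AttributeValue>reader</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


if __name__ == "__main__":
    print(rollup(["vendor-a", "vendor-b", "reporting"]))
    print(get_attribute_values(SAMPLE_ASSERTION, "groups"))
    print(get_attribute_values(SAMPLE_ASSERTION, "role"))
```

The SP-side function returns a list for every attribute, single-valued or not, so the application code that checks group membership does not need to know whether the IdP sent one AttributeValue or a rolled-up string.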

Custom Claims and Transformations – From Azure AD Docs

Adding Custom Claims for your Application

To add application-specific claims:

  1. In User Attributes & Claims, select Add new claim to open the Manage user claims page.
  2. Enter the name of the claim. The value doesn’t strictly need to follow a URI pattern, per the SAML spec. If you need a URI pattern, you can put that in the Namespace field.
  3. Select the Source where the claim is going to retrieve its value. You can select a user attribute from the source attribute dropdown or apply a transformation to the user attribute before emitting it as a claim.

Claim transformations

To apply a transformation to a user attribute:

  1. In Manage claim, select Transformation as the claim source to open the Manage transformation page.
  2. Select the function from the transformation dropdown. Depending on the function selected, you will have to provide parameters and a constant value to evaluate in the transformation. Refer to the table below for more information about the available functions.
  3. To apply multiple transformations, click Add transformation. You can apply a maximum of two transformations to a claim. For example, you could first extract the email prefix of user.mail, then make the string upper case.
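A small model of that two-step pipeline, added here as an example and not taken from the post or from Azure AD's own engine: the functions carry the names Azure AD uses for its claim transformations (ExtractMailPrefix, ToUppercase, ToLowercase, Join), but their bodies are my approximation of the semantics. It runs the post's own example (email prefix, then upper case), the email-to-UPN mapping described in the "Email Addresses versus UPNs" section above (prefix, then Join with the tenant's UPN domain), and enforces the two-transformation limit. The user record and the UPN domain contoso.example are constructed.

```python
MAX_TRANSFORMATIONS = 2            # the limit the portal enforces per claim
UPN_DOMAIN = "contoso.example"     # constructed tenant domain


def extract_mail_prefix(value):
    """ExtractMailPrefix(): the part before the first '@' (unchanged if none)."""
    return value.split("@", 1)[0]


def to_uppercase(value):
    """ToUppercase()"""
    return value.upper()


def to_lowercase(value):
    """ToLowercase()"""
    return value.lower()


def join(value, separator, second):
    """Join(): first input, a separator and a second input concatenated."""
    return f"{value}{separator}{second}"


def apply_transformations(source_value, steps):
    """Apply an ordered list of (function, *extra_args) steps to a source value.

    Mirrors the portal rule that at most two transformations chain on one claim;
    a longer pipeline is rejected before anything runs.
    """
    if len(steps) > MAX_TRANSFORMATIONS:
        raise ValueError(
            f"{len(steps)} transformations requested, maximum is {MAX_TRANSFORMATIONS}"
        )
    value = source_value
    for func, *args in steps:
        value = func(value, *args)
    return value


def email_prefix_upper(mail):
    """The post's example: ExtractMailPrefix(user.mail) then ToUppercase()."""
    return apply_transformations(mail, [(extract_mail_prefix,), (to_uppercase,)])


def email_to_upn(mail):
    """Map an email address to a UPN in the tenant's domain: prefix, then Join."""
    return apply_transformations(mail, [(extract_mail_prefix,), (join, "@", UPN_DOMAIN)])


# Constructed user attributes, as the SaaS side might present them.
USER = {"mail": "Alice.Liddell@partner.example"}

if __name__ == "__main__":
    print(email_prefix_upper(USER["mail"]))
    print(email_to_upn(USER["mail"]))
```

Note that lower-casing the UPN as well would be a third step, which the model rejects just as the portal does; in that case the lower-casing belongs on the consuming side or the source attribute must already be normalised.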

Need an experienced AWS/GCP/Azure Professional to help out with your Public Cloud Strategy? Set up a time with Anuj Varma.