YardenTo

Reputation: 21

Azure AD user role claims with SAML

I have an app that I want to connect to Azure AD with SAML, so I can get the users' roles when they are logged in. I've created an app in my Azure account and connected it to my SSO. When I'm testing the connection I can see the default claims and everything works fine. I've added the claim user.assignedroles through Azure portal -> Enterprise applications -> myApp -> SSO -> User Attributes & Claims, and I didn't see the claim. Then I changed the claim to user.city and I could see the city that is defined for the user I tested it with. Then I changed it back to user.assignedroles and the claim is not being updated (it still shows the user's city).

How do I add the user's roles as they are defined in Azure AD to the SAML claims?

Upvotes: 1

Views: 2665

Answers (1)

Marilee Turscak - MSFT

Reputation: 7728

After you have assigned the roles to a user, you need to add the SAML token attribute in the User Claims section of the User Attributes dialog:

Attribute name  Attribute value 
Role name   user.assignedroles

If the role claim value is null, then Azure AD will not send this value in the token. https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-enterprise-app-role-management

You can check it in Microsoft Graph Explorer:

https://graph.microsoft.com/beta/servicePrincipals/{Object ID of your Enterprise App}

If the value of "value" is null, then Azure AD will not send this value in the token.

Upvotes: 1
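Two checks that follow from this answer, as an added example (not code from the question or answer): reading the role attribute out of a SAML assertion, where an unassigned role simply does not appear, and scanning the Graph servicePrincipal JSON for appRoles whose "value" is null. The sample assertion and JSON are constructed, and the role claim URI is an assumption to be checked against your own SAML response.

```python
import json
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace used by Azure AD-issued tokens.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed claim name for the "Role name" attribute; confirm it in your app's actual SAML response.
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed sample assertion with a display name and two assigned app roles.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
      <saml:AttributeValue>Test User</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>Admin</saml:AttributeValue>
      <saml:AttributeValue>Reader</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample of the appRoles part of GET /beta/servicePrincipals/{id}.
SAMPLE_SP = json.dumps({"appRoles": [
    {"displayName": "Admin", "value": "Admin", "isEnabled": True},
    {"displayName": "Reader", "value": None, "isEnabled": True},
]})


def saml_attribute_values(assertion_xml, name):
    """Return all AttributeValue texts for the attribute called `name`.

    An empty list means the claim was not sent at all, which is what Azure AD
    does when the user has no assigned role (or the role's value is null).
    Only parse assertions whose signature has already been verified.
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == name:
            values.extend((v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS))
    return values


def app_roles_missing_value(service_principal_json):
    """displayNames of appRoles whose 'value' is null/empty: these never reach the token."""
    sp = json.loads(service_principal_json)
    return [r.get("displayName") for r in sp.get("appRoles", []) if not r.get("value")]
```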
