Arek Dygas

Reputation: 105

Custom SAML claim configured in multitenant Azure AD app is not copied to this app in another tenant

We are authenticating users of our application using WS-Federation. Up to now, we used a single-tenant app, created in Azure AD via App registration. Our application expects to get the user.employeeid attribute as a SAML claim, and it is configured in the corresponding app in the Enterprise applications blade (Single sign-on > Attributes & claims). In the app manifest (in the app registration), acceptMappedClaims is set to true to make this work.

The above configuration works perfectly. Now we want to switch to multi-tenant, and in the application code we set the valid issuers to tenants AAA and BBB, where AAA is the original one.

When I sign in as a user from BBB, after I consent to the app, the employeeid claim is not returned. When checking the enterprise app, which was created in BBB after consent, I see that the custom claim is missing, and I have to add it manually. After that, it works perfectly.

Adding the claim manually is not a big problem for me, but I'm curious whether it works that way by design. Do I have to add such claims by hand to each tenant I want to grant access to, or am I missing something and there is a way to copy such custom claims automatically?

Upvotes: 0

Views: 538

Answers (1)

Rukmini

Reputation: 16064

I created an Azure AD Multitenant Application:


Configured SAML claims:


When I signed in with the home tenant user, the claim is displayed like below:

https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=ClientID&response_type=token&redirect_uri=https://jwt.ms&scope=api://xxxx/access_as_user&state=12345&nonce=12345


When I signed in with the other tenant user, the access token did not contain the SAML claim:


Note that, by default, custom claims are tenant-specific. If the claims are configured in the tenant A application, then the claims will be added only for tenant A users, not for users of other tenants.

  • The custom claims that you have configured in one tenant might not be available in another tenant, since each tenant has its own set of claims and attribute mappings.

Hence you had to manually add the claims in the Enterprise application created in the other tenant, and it cannot be automated.

I added the custom claim in the Enterprise application created in another tenant:


Now, when I tried to sign in with a user from the other tenant, the access token contained the SAML claim:


Upvotes: 1
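The situation described in the question and reproduced in the answer has a relying-party side as well: a token from tenant BBB is genuine and comes from an allow-listed issuer, yet it carries no employeeid claim because that tenant's enterprise application has no mapping for it. An application that keys authorization on that claim should fail closed rather than sign the user in with an empty value. The block below is an added example written for this page; it is not code from the question, the answer, or any Microsoft library. It assumes placeholder tenant IDs for AAA and BBB, an assumed application audience URI, and that the claim is named employeeid; the three assertions it checks are constructed, unsigned test data. Azure AD's per-tenant issuer format https://sts.windows.net/{tenant-id}/ is real; XML signature and validity-window checks are out of scope here and must run before these checks.

```python
"""Added example (not from the question, the answer or any Microsoft code):
fail-closed checks on a SAML 2.0 assertion for a multi-tenant relying party.
Tenant IDs, audience URI and the claim name are assumptions; the sample
assertions are constructed test data."""
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed placeholder tenant IDs for AAA and BBB (the page gives no real IDs).
TENANT_AAA = "aaaaaaaa-0000-4000-8000-000000000001"
TENANT_BBB = "bbbbbbbb-0000-4000-8000-000000000002"
# Azure AD issues SAML assertions with a per-tenant Issuer of this shape.
ALLOWED_ISSUERS = {f"https://sts.windows.net/{t}/" for t in (TENANT_AAA, TENANT_BBB)}

# Assumed identifier URI of the application and assumed claim name.
EXPECTED_AUDIENCE = "urn:example:wsfed-app"
REQUIRED_CLAIM = "employeeid"


class AssertionRejected(Exception):
    """Raised when the assertion must not be used to sign the user in."""


def check_assertion(assertion_xml: str) -> dict:
    """Return issuer, NameID and the required claim values, or raise."""
    # Parse only after the XML signature has been verified; for untrusted
    # input prefer a hardened parser such as defusedxml.
    root = ET.fromstring(assertion_xml)

    issuer_el = root.find("saml:Issuer", SAML_NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    if issuer not in ALLOWED_ISSUERS:
        raise AssertionRejected(f"issuer not allow-listed: {issuer!r}")

    audiences = {
        (a.text or "").strip()
        for a in root.iterfind(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", SAML_NS
        )
    }
    if EXPECTED_AUDIENCE not in audiences:
        raise AssertionRejected(f"audience mismatch: {sorted(audiences)}")

    name_id_el = root.find("saml:Subject/saml:NameID", SAML_NS)
    name_id = (name_id_el.text or "").strip() if name_id_el is not None else ""

    claims = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        claims[attr.get("Name", "")] = [v for v in values if v]

    # The case from the question: a genuine token from an allowed tenant whose
    # enterprise application has no employeeid mapping. Fail closed.
    if not claims.get(REQUIRED_CLAIM):
        raise AssertionRejected(
            f"required claim {REQUIRED_CLAIM!r} missing for issuer {issuer}; "
            "check Attributes & claims in that tenant's enterprise application"
        )
    return {"issuer": issuer, "name_id": name_id, REQUIRED_CLAIM: claims[REQUIRED_CLAIM]}


def sample_assertion(tenant_id: str, name_id: str, attributes: dict) -> str:
    """Constructed, unsigned sample assertion (test data only)."""
    attrs = "".join(
        f'<Attribute Name="{escape(n)}"><AttributeValue>{escape(v)}</AttributeValue></Attribute>'
        for n, v in attributes.items()
    )
    return (
        '<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0" '
        'IssueInstant="2023-01-01T00:00:00Z">'
        f"<Issuer>https://sts.windows.net/{tenant_id}/</Issuer>"
        f"<Subject><NameID>{escape(name_id)}</NameID></Subject>"
        f"<Conditions><AudienceRestriction><Audience>{EXPECTED_AUDIENCE}</Audience>"
        "</AudienceRestriction></Conditions>"
        f"<AttributeStatement>{attrs}</AttributeStatement>"
        "</Assertion>"
    )


# Home tenant AAA: claim configured, sign-in proceeds.
SAMPLE_AAA = sample_assertion(TENANT_AAA, "alice@aaa.example", {"employeeid": "E12345"})
# Tenant BBB after consent: the claim mapping was not copied, so it is absent.
SAMPLE_BBB_MISSING = sample_assertion(TENANT_BBB, "bob@bbb.example", {})
# A tenant the application never allow-listed, even though it sends the claim.
SAMPLE_UNKNOWN = sample_assertion(
    "cccccccc-0000-4000-8000-000000000003", "eve@ccc.example", {"employeeid": "E1"}
)

if __name__ == "__main__":
    for label, xml_text in (("AAA", SAMPLE_AAA), ("BBB", SAMPLE_BBB_MISSING), ("CCC", SAMPLE_UNKNOWN)):
        try:
            print(label, "accepted:", check_assertion(xml_text))
        except AssertionRejected as exc:
            print(label, "rejected:", exc)
```

The rejection message for the BBB case names the tenant issuer on purpose: when a newly onboarded tenant starts failing with it, the fix is the manual Attributes & claims step the answer describes, in that tenant's enterprise application, not a change in the relying party.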

Related Questions