You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/active-directory/app-provisioning/customize-application-attributes.md
+7-7Lines changed: 7 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -8,7 +8,7 @@ ms.service: active-directory
8
8
ms.subservice: app-provisioning
9
9
ms.workload: identity
10
10
ms.topic: tutorial
11
-
ms.date: 03/24/2023
11
+
ms.date: 03/27/2023
12
12
ms.author: kenwith
13
13
ms.reviewer: arvinh
14
14
---
@@ -81,7 +81,7 @@ Along with this property, attribute-mappings also supports the attributes:
81
81
The Azure AD provisioning service can be deployed in both "green field" scenarios (where users don't exist in the target system) and "brownfield" scenarios (where users already exist in the target system). To support both scenarios, the provisioning service uses the concept of matching attributes. Matching attributes allow you to determine how to uniquely identify a user in the source and match the user in the target. As part of planning your deployment, identify the attribute that can be used to uniquely identify a user in the source and target systems. Things to note:
82
82
83
83
-**Matching attributes should be unique:** Customers often use attributes such as userPrincipalName, mail, or object ID as the matching attribute.
84
-
-**Multiple attributes can be used as matching attributes:** You can define multiple attributes to be evaluated when matching users and the order in which they're evaluated (defined as matching precedence in the UI). If for example, you define three attributes as matching attributes, and a user is uniquely matched after evaluating the first two attributes, the service won't evaluate the third attribute. The service will evaluate matching attributes in the order specified and stop evaluating when a match is found.
84
+
-**Multiple attributes can be used as matching attributes:** You can define multiple attributes to be evaluated when matching users and the order in which they're evaluated (defined as matching precedence in the UI). If for example, you define three attributes as matching attributes, and a user is uniquely matched after evaluating the first two attributes, the service won't evaluate the third attribute. The service evaluates matching attributes in the order specified and stops evaluating when a match is found.
85
85
-**The value in the source and the target don't have to match exactly:** The value in the target can be a function of the value in the source. So, one could have an emailAddress attribute in the source and the userPrincipalName in the target, and match by a function of the emailAddress attribute that replaces some characters with some constant value.
86
86
-**Matching based on a combination of attributes isn't supported:** Most applications don't support querying based on two properties. Therefore, it's not possible to match based on a combination of attributes. It's possible to evaluate single properties on after another.
87
87
-**All users must have a value for at least one matching attribute:** If you define one matching attribute, all users must have a value for that attribute in the source system. If for example, you define userPrincipalName as the matching attribute, all users must have a userPrincipalName. If you define multiple matching attributes (for example, both extensionAttribute1 and mail), not all users have to have the same matching attribute. One user could have a extensionAttribute1 but not mail while another user could have mail but no extensionAttribute1.
@@ -114,7 +114,7 @@ Applications and systems that support customization of the attribute list includ
114
114
- SuccessFactors to Active Directory / SuccessFactors to Azure Active Directory
115
115
- Azure Active Directory ([Azure AD Graph API default attributes](/previous-versions/azure/ad/graph/api/entity-and-complex-type-reference#user-entity) and custom directory extensions are supported). For more information about creating extensions, see [Syncing extension attributes for Azure Active Directory Application Provisioning](./user-provisioning-sync-attributes-for-mapping.md) and [Known issues for provisioning in Azure Active Directory](./known-issues.md).
116
116
- Apps that support [SCIM 2.0](https://tools.ietf.org/html/rfc7643)
117
-
-For Azure Active Directory writeback to Workday or SuccessFactors, it's supported to update relevant metadata for supported attributes (XPATH and JSONPath), but isn't supported to add new Workday or SuccessFactors attributes beyond those included in the default schema
117
+
- Azure Active Directory supports writeback to Workday or SuccessFactorsfor XPATH and JSONPath metadata. Azure Active Directory doesn't support new Workday or SuccessFactors attributes not included in the default schema.
118
118
119
119
120
120
> [!NOTE]
@@ -148,7 +148,7 @@ The SCIM RFC defines a core user and group schema, while also allowing for exten
148
148
4. Select **Edit attribute list for AppName**.
149
149
5. At the bottom of the attribute list, enter information about the custom attribute in the fields provided. Then select **Add Attribute**.
150
150
151
-
For SCIM applications, the attribute name must follow the pattern shown in the example below. The "CustomExtensionName" and "CustomAttribute" can be customized per your application's requirements, for example: urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User:CustomAttribute
151
+
For SCIM applications, the attribute name must follow the pattern shown in the example. The "CustomExtensionName" and "CustomAttribute" can be customized per your application's requirements, for example: urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User:CustomAttribute
152
152
153
153
These instructions are only applicable to SCIM-enabled applications. Applications such as ServiceNow and Salesforce aren't integrated with Azure AD using SCIM, and therefore they don't require this specific namespace when adding a custom attribute.
154
154
@@ -196,7 +196,7 @@ Custom attributes can't be referential attributes, multi-value or complex-typed
196
196
197
197
198
198
## Provisioning a role to a SCIM app
199
-
Use the steps below to provision roles for a user to your application. Note that the description below is specific to custom SCIM applications. For gallery applications such as Salesforce and ServiceNow, use the predefined role mappings. The bullets below describe how to transform the AppRoleAssignments attribute to the format your application expects.
199
+
Use the steps in the example to provision roles for a user to your application. Note that the description is specific to custom SCIM applications. For gallery applications such as Salesforce and ServiceNow, use the predefined role mappings. The bullets describe how to transform the AppRoleAssignments attribute to the format your application expects.
200
200
201
201
- Mapping an appRoleAssignment in Azure AD to a role in your application requires that you transform the attribute using an [expression](../app-provisioning/functions-for-customizing-application-data.md). The appRoleAssignment attribute **shouldn't be mapped directly** to a role attribute without using an expression to parse the role details.
202
202
@@ -253,7 +253,7 @@ The request formats in the PATCH and POST differ. To ensure that POST and PATCH
@@ -296,7 +296,7 @@ The request formats in the PATCH and POST differ. To ensure that POST and PATCH
296
296
297
297
298
298
## Provisioning a multi-value attribute
299
-
Certain attributes such as phoneNumbers and emails are multi-value attributes where you may need to specify different types of phone numbers or emails. Use the expression below for multi-value attributes. It allows you to specify the attribute type and map that to the corresponding Azure AD user attribute for the value.
299
+
Certain attributes such as phoneNumbers and emails are multi-value attributes where you may need to specify different types of phone numbers or emails. Use the expression for multi-value attributes. It allows you to specify the attribute type and map that to the corresponding Azure AD user attribute for the value.
Copy file name to clipboardExpand all lines: articles/active-directory/develop/single-sign-out-saml-protocol.md
+6-1Lines changed: 6 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -48,7 +48,12 @@ Per section 3.7 of the [SAML 2.0 core specification](http://docs.oasis-open.org/
48
48
The `Issuer` element in a `LogoutRequest` must exactly match one of the **ServicePrincipalNames** in the cloud service in Azure AD. Typically, this is set to the **App ID URI** that is specified during application registration.
49
49
50
50
### NameID
51
-
The value of the `NameID` element must exactly match the `NameID` of the user that is being signed out.
51
+
The value of the `NameID` element must exactly match the `NameID` of the user that is being signed out.
52
+
53
+
> [!NOTE]
54
+
> During SAML logout request, the `NameID` value is not considered by Azure Active Directory.
55
+
> If a single user session is active, Azure Active Directory will automatically select that session and the SAML logout will proceed.
56
+
> If multiple user sessions are active, Azure Active Directory will enumerate the active sessions for user selection. After user selection, the SAML logout will proceed.
52
57
53
58
## LogoutResponse
54
59
Azure AD sends a `LogoutResponse` in response to a `LogoutRequest` element. The following excerpt shows a sample `LogoutResponse`.
0 commit comments