articles/active-directory/develop/active-directory-saml-claims-customization.md
Lines changed: 17 additions & 19 deletions
@@ -13,7 +13,7 @@ ms.author: davidmu
13
13
ms.custom: aaddev
14
14
---
15
15
16
-
# Customize SAML token claims
16
+
# Customize claims issued in the SAML token for enterprise applications
17
17
18
18
The Microsoft identity platform supports single sign-on (SSO) with most enterprise applications, including both applications pre-integrated in the Azure Active Directory (Azure AD) application gallery and custom applications. When a user authenticates to an application through the Microsoft identity platform using the SAML 2.0 protocol, the Microsoft identity platform sends a token to the application. And then, the application validates and uses the token to log the user in instead of prompting for a username and password.
19
19
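Review bot: The H1 is renamed from "Customize SAML token claims" to the longer "Customize claims issued in the SAML token for enterprise applications", but the hunk shows no matching change to the frontmatter (`ms.author`, `ms.custom` and the closing `---` are visible; the `title:` key is not), so confirm the page `title:` metadata and any TOC entry still agree with the new heading, otherwise search results and the nav show a different name than the page body.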
@@ -88,22 +88,6 @@ Any constant (static) value can be assigned to any claim that is defined in Azur
88
88
89
89
:::image type="content" source="./media/active-directory-saml-claims-customization/edit-attributes-claims.png" alt-text="Screenshot of editing in the Attributes & Claims section in the Azure portal.":::
90
90
91
-
## Add the UPN claim to SAML tokens
92
-
93
-
The `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn` claim is part of the [SAML restricted claim set](reference-claims-mapping-policy-type.md#table-2-saml-restricted-claim-set), so you can't add it in the **Attributes & Claims** section. As a workaround, you can add it as an [optional claim](active-directory-optional-claims.md) through **App registrations** in the Azure portal.
94
-
95
-
Open the application in **App registrations**, select **Token configuration**, and then select **Add optional claim**. Select the **SAML** token type, choose **upn** from the list, and then click **Add** to add the claim to the token.
96
-
97
-
## Advanced SAML claims options
98
-
99
-
The following table lists advanced options that can be configured for an application.
100
-
101
-
| Option | Description |
102
-
|--------|-------------|
103
-
| Append application ID to issuer | Automatically adds the application ID to the issuer claim. This option ensures a unique claim value for each instance when there are multiple instances of the same application. This setting is ignored if a custom signing key isn't configured for the application. |
104
-
| Override audience claim | Allows for the overriding of the audience claim sent to the application. The value provided must be a valid absolute URI. This setting is ignored if a custom signing key isn't configured for the application. |
105
-
| Include attribute name format | If selected, Azure Active Directory adds an attribute called `NameFormat` that describes the format of the name to restricted, core, and optional claims for the application. For more information, see, [Claims mapping policy type](reference-claims-mapping-policy-type.md#claim-sets)|
106
-
107
91
## Special claims transformations
108
92
109
93
You can use the following special claims transformations functions.
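Review bot: This hunk removes two whole sections ("Add the UPN claim to SAML tokens" and "Advanced SAML claims options", including the options table) with nothing added in their place, so as written here it reads as a content deletion; it is only safe because the later hunks re-add both blocks verbatim. State in the commit message that this is a relocation, not a removal, and confirm that the two restricted-claim caveats being moved ("part of the SAML restricted claim set, so you can't add it in the Attributes & Claims section" and "This setting is ignored if a custom signing key isn't configured") survive the move unchanged.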
@@ -159,7 +143,7 @@ You can use the following functions to transform claims.
159
143
160
144
If you need other transformations, submit your idea in the [feedback forum in Azure AD](https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789) under the *SaaS application* category.
161
145
162
-
## RegexReplace() transformations
146
+
## How to use the RegexReplace() Transformation
163
147
164
148
:::image type="content" source="./media/active-directory-saml-claims-customization/regexreplace-trasform.png" alt-text="Screenshot of multiple claims transformation.":::
165
149
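Review bot: The new heading "## How to use the RegexReplace() Transformation" breaks the sentence-case convention of the surrounding headings ("## Special claims transformations", "## Emit claims based on conditions") and changes the generated anchor from `#regexreplace-transformations` to `#how-to-use-the-regexreplace-transformation`, so any existing links to the old anchor will break; suggest "## How to use the RegexReplace() transformation" and a check for inbound links before merging.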
@@ -202,6 +186,12 @@ When the following conditions occur after **Add** or **Run test** is selected, a
202
186
* The provided test regex input doesn't match with the provided regular expression.
203
187
* The source for the groups into the replacement pattern aren't found.
204
188
189
+
## Add the UPN claim to SAML tokens
190
+
191
+
The `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn` claim is part of the [SAML restricted claim set](reference-claims-mapping-policy-type.md#table-2-saml-restricted-claim-set), so you can't add it in the **Attributes & Claims** section. As a workaround, you can add it as an [optional claim](active-directory-optional-claims.md) through **App registrations** in the Azure portal.
192
+
193
+
Open the application in **App registrations**, select **Token configuration**, and then select **Add optional claim**. Select the **SAML** token type, choose **upn** from the list, and then click **Add** to add the claim to the token.
194
+
205
195
## Emit claims based on conditions
206
196
207
197
You can specify the source of a claim based on user type and the group to which the user belongs.
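Review bot: In the re-added UPN paragraph, "and then click **Add** to add the claim to the token" mixes "click" with the "select" used three times earlier in the same sentence; use "select **Add**" for consistency with the rest of the page. Otherwise the relocated section is the same text as the removed one, and placing it right after the RegexReplace error conditions (the `*` list ending at "The source for the groups into the replacement pattern aren't found.") works, since a blank `+` line separates it from that list.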
@@ -237,12 +227,20 @@ As another example, consider when Britta Simon tries to sign in and the followin
237
227
238
228
As a final example, consider what happens if Britta has no `user.othermail` configured or it's empty. In both cases the condition entry is ignored, and the claim falls back to `user.extensionattribute1` instead.
239
229
240
-
## Advanced claims options
230
+
## Advanced SAML claims options
241
231
242
232
Advanced claims options can be configured for SAML2.0 applications to expose the same claim to OIDC tokens and vice versa for applications that intend to use the same claim for both SAML2.0 and OIDC response tokens.
243
233
244
234
Advanced claim options can be configured by checking the box under **Advanced SAML Claims Options** in the **Manage claims** blade.
245
235
236
+
The following table lists other advanced options that can be configured for an application.
237
+
238
+
| Option | Description |
239
+
|--------|-------------|
240
+
| Append application ID to issuer | Automatically adds the application ID to the issuer claim. This option ensures a unique claim value for each instance when there are multiple instances of the same application. This setting is ignored if a custom signing key isn't configured for the application. |
241
+
| Override audience claim | Allows for the overriding of the audience claim sent to the application. The value provided must be a valid absolute URI. This setting is ignored if a custom signing key isn't configured for the application. |
242
+
| Include attribute name format | If selected, Azure Active Directory adds an attribute called `NameFormat` that describes the format of the name to restricted, core, and optional claims for the application. For more information, see, [Claims mapping policy type](reference-claims-mapping-policy-type.md#claim-sets)|
243
+
246
244
## Next steps
247
245
248
246
*[Configure single sign-on for applications that aren't in the Azure AD application gallery](../manage-apps/configure-saml-single-sign-on.md)
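Review bot: Renaming "## Advanced claims options" to "## Advanced SAML claims options" removes the `#advanced-claims-options` anchor from the page, and because the identically named heading that used to exist earlier was deleted in a previous hunk, the page now has exactly one "Advanced SAML claims options" heading; check inbound links for the old anchor. In the re-added table, the last row still carries the stray comma and missing terminator in "For more information, see, [Claims mapping policy type](...)|"; suggest "For more information, see [Claims mapping policy type](reference-claims-mapping-policy-type.md#claim-sets). |". Also "SAML2.0" in the intro sentence should read "SAML 2.0" to match "the SAML 2.0 protocol" used at the top of the file.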