Question
In Azure AD I have a multi-tenant Enterprise Application and App registration that are accessed through SAML2. I receive a limited set of user attributes, including tenant-id, email, first name, last name. But the organisation that the user belongs to has defined extension attributes in their on-premise AD that I want to consume in my application. Also I would like to receive the jobTitle and Department in the application. The organisation says they have set up synchronisation of the attributes from their on-premise AD to Azure.
I have added the attributes I want under the Enterprise Application -> Single sign-on -> User Attributes and Claims -> Additional claims. But I am obviously still missing some configuration somewhere because they do not appear in the SAML2 token.
Which API permissions do I need to grant my application to pass these attributes through to the SAML2 token? Do I need to add something else to map these attributes?
Answer 1:
When you set up a multi-tenant app, when your client's users / tenant sign in, it actually creates an "enterprise application" (service principal) in their tenant for your app. https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant#understand-user-and-admin-consent
As per that, your client would have to go into the SSO (SAML) setup screens for your app in their own tenant and customize the claims that they will emit to your application. It doesn't matter if you add the attribute claims to your own SSO setup. That's for your tenant, not theirs.
Answer 2:
It turns out that the Single Sign On properties are not visible in the Service Principal, because the proper tags are not set in the Application registration.
After using Microsoft Graph Explorer to see the properties of a working Service Principal with SSO properties, I noticed that it had a tag set that was absent in the Service Principal without SSO properties in the portal.
In the Application Registration manifest I set:
    "signInAudience": "AzureADMultipleOrgs",
    "tags": [
        "WindowsAzureActiveDirectoryCustomSingleSignOnApplication",
        "webApp",
        "notApiConsumer"
    ],
Then, after recreating the service principal in a guest tenant using an adminconsent link (https://login.microsoftonline.com/[guest tenant domain]/v2.0/adminconsent?client_id=[app registration id]...), the portal displayed the Single Sign On settings in the guest tenant.
The Azure portal seems to display SSO properties for Service Principals associated with Application registrations that have the WindowsAzureActiveDirectoryCustomSingleSignOnApplication tag.
To summarise:
- Set the WindowsAzureActiveDirectoryCustomSingleSignOnApplication tag in the Application registration manifest.
- Create a Service Principal in the Owning Tenant if you haven't done that already.
- Use an adminconsent url to create a Service Principal in the Guest tenant.
- Have the Guest Tenant Administrator fill in the single sign on properties to add the required attributes.
The attributes are returned to the application in the SAML2 token.
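The following is an added example (not code from the Stack Overflow post or from Microsoft) that turns the steps in Answer 2 into checks an application owner can run: it verifies that the app-registration manifest carries the multi-tenant audience and the WindowsAzureActiveDirectoryCustomSingleSignOnApplication tag, builds the v2.0 adminconsent URL for a guest tenant with proper encoding, and parses a SAML assertion to report which expected attribute claims the guest tenant actually emitted. The manifest fragment, tenant domain, client id, redirect URI and the SAML assertion are all constructed placeholders; the expected attribute names (jobTitle, department, extensionAttribute1) are assumptions standing in for whatever claim names the guest tenant administrator configures.

```python
"""Checks for a multi-tenant SAML app: manifest tags, admin consent URL, emitted claims.
All sample data here is constructed for illustration."""
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

REQUIRED_TAG = "WindowsAzureActiveDirectoryCustomSingleSignOnApplication"
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed manifest fragment mirroring the tags set in the answer.
MANIFEST_JSON = """{
  "signInAudience": "AzureADMultipleOrgs",
  "tags": ["WindowsAzureActiveDirectoryCustomSingleSignOnApplication", "webApp", "notApiConsumer"]
}"""

# Constructed SAML assertion: the guest tenant emitted tenantid, email and jobTitle only.
SAML_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
      <saml:AttributeValue>00000000-0000-0000-0000-000000000000</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@contoso.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="jobTitle">
      <saml:AttributeValue>Engineer</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def manifest_problems(manifest_json: str) -> list:
    """Return findings for an app-registration manifest; an empty list means it looks right."""
    manifest = json.loads(manifest_json)
    problems = []
    if manifest.get("signInAudience") != "AzureADMultipleOrgs":
        problems.append("signInAudience is not AzureADMultipleOrgs: guest tenants cannot consent")
    if REQUIRED_TAG not in manifest.get("tags", []):
        problems.append(f"missing tag {REQUIRED_TAG}: SSO settings stay hidden in the guest tenant")
    return problems


def admin_consent_url(guest_tenant: str, client_id: str, redirect_uri: str, state: str) -> str:
    """Build the v2.0 adminconsent URL a guest tenant admin opens to create the service principal.
    urlencode percent-encodes the redirect URI and state so they survive the round trip."""
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri, "state": state})
    return f"https://login.microsoftonline.com/{guest_tenant}/v2.0/adminconsent?{query}"


def saml_attributes(assertion_xml: str) -> dict:
    """Map each Attribute Name in the AttributeStatement to its list of values."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def missing_attributes(assertion_xml: str, expected: list) -> list:
    """Names from `expected` that the tenant did not emit; non-empty means the guest admin
    still has to add them under the enterprise application's SSO claims."""
    present = saml_attributes(assertion_xml)
    return [name for name in expected if name not in present]


if __name__ == "__main__":
    for finding in manifest_problems(MANIFEST_JSON) or ["manifest OK"]:
        print(finding)
    print(admin_consent_url("contoso.example", "placeholder-client-id",
                            "https://app.example/consent", "csrf-token-123"))
    wanted = ["jobTitle", "department", "extensionAttribute1"]  # assumed claim names
    print("emitted:", sorted(saml_attributes(SAML_ASSERTION)))
    print("missing:", missing_attributes(SAML_ASSERTION, wanted))
```

Run the checks against the real manifest (downloaded from the App registration's Manifest blade) and against an assertion captured from a test sign-in from the guest tenant; any name listed under "missing" has to be added by the guest tenant administrator, since claims configured in the owning tenant's SSO page never reach the guest tenant's service principal.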
Source: https://stackoverflow.com/questions/63054989/azure-ad-how-to-pass-userextension-attributes-to-multitenant-app