I am attempting to define an attribute that will be returned by a SAML 2.0 Identity Provider to AAD B2C and handled in a custom policy.
The goal is that the SAML attribute defines a boolean value and that AAD B2C is able to perform logic based on the value of the claim.
The SAML Attribute represents True or False as per the below:
<saml:Attribute Name="http://schemas.custom/claim/booleanexample" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue>True</saml:AttributeValue>
</saml:Attribute>
When attempting to map this SAML Attribute to a claim defined within the Custom Policy ClaimsSchema with a data type of boolean, an error is thrown.
Message in App Insights:
The data type 'String' of claim with id 'http://schemas.custom/claim/booleanexample' does not match the Data Type 'Boolean' of claimType with id 'BooleanExample' specified in the policy.
<ClaimType Id="BooleanExample">
  <DataType>boolean</DataType>
</ClaimType>
I cannot see any mechanism to explicitly define a type for the attribute within SAML (it appears that AttributeValue should be of type xs:any).
I have attempted passing the usual values including 0/1, True/False, true/false with no luck.
Is it really required to handle this with a String claim, and then populate a Boolean claim using a Claims Transformation?
It appears that the claim must be mapped as a string, inspected using a CompareClaimToValue claims transformation that sets a boolean claim with the result of the comparison.
<ClaimsTransformation Id="CreateBooleanClaimFromString" TransformationMethod="CompareClaimToValue">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="samlBooleanClaimAsString" TransformationClaimType="inputClaim1" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="compareTo" DataType="string" Value="true" />
    <InputParameter Id="operator" DataType="string" Value="equal" />
    <InputParameter Id="ignoreCase" DataType="string" Value="false" />
  </InputParameters>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="samlBooleanClaimAsBoolean" TransformationClaimType="outputClaim" />
  </OutputClaims>
</ClaimsTransformation>
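The policy fragments that wire the transformation above to the SAML attribute and then branch on the result, as an added example that is not part of the original question or answer. The technical profile Id, the orchestration step, the claims exchange and the display names are hypothetical; the claim ids, the attribute name and the transformation id are the ones used on this page.

```xml
<!-- Added example: fragments to merge into an existing custom policy. -->
<ClaimsSchema>
  <!-- Receives the raw SAML attribute value, which B2C reads as a string -->
  <ClaimType Id="samlBooleanClaimAsString">
    <DisplayName>SAML boolean attribute (raw string)</DisplayName>
    <DataType>string</DataType>
  </ClaimType>
  <!-- Filled by CreateBooleanClaimFromString; use this one for policy logic -->
  <ClaimType Id="samlBooleanClaimAsBoolean">
    <DisplayName>SAML boolean attribute (boolean)</DisplayName>
    <DataType>boolean</DataType>
  </ClaimType>
</ClaimsSchema>

<!-- Hypothetical Id; Metadata and CryptographicKeys of the real profile omitted -->
<TechnicalProfile Id="Example-SAML2-IdP">
  <DisplayName>Example SAML IdP</DisplayName>
  <Protocol Name="SAML2" />
  <OutputClaims>
    <!-- Map the attribute by its SAML Name onto the string claim -->
    <OutputClaim ClaimTypeReferenceId="samlBooleanClaimAsString"
                 PartnerClaimType="http://schemas.custom/claim/booleanexample" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <!-- Case-sensitive as posted (ignoreCase = false): only the exact
         string "true" yields True; "True" or "1" yield False -->
    <OutputClaimsTransformation ReferenceId="CreateBooleanClaimFromString" />
  </OutputClaimsTransformations>
</TechnicalProfile>

<!-- Hypothetical orchestration step, skipped when the boolean claim is True -->
<OrchestrationStep Order="3" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
      <Value>samlBooleanClaimAsBoolean</Value>
      <Value>True</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="ExampleExchange" TechnicalProfileReferenceId="Example-NextStep" />
  </ClaimsExchanges>
</OrchestrationStep>
```

If the claim gates access, check which casing the IdP actually emits: with the parameters as posted, any value other than the exact string in compareTo evaluates to False.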