We are authenticating users of our application using WS-Federation. Up to now, we used a single-tenant app, created in Azure AD via App registration. Our application expects to get the user.employeeid attribute as a SAML claim, and it is configured in the corresponding app in the Enterprise applications blade (Single sign-on > Attributes & claims). In the app manifest (in the app registration), acceptMappedClaims is set to true to make this work.
The above configuration works perfectly, and now we want to switch to multi-tenant. In the application code we set the valid issuers to tenants AAA and BBB, where AAA is the original one.
When I sign in as a user from BBB, after I consent to the app, the employeeid claim is not returned. When checking the enterprise app, which was created in BBB after consent, I see that the custom claim is missing and I have to add it manually. After that, it works perfectly.
Adding the claim manually is not a big problem for me, but I'm curious whether it works that way by design. Do I have to add such claims by hand in each tenant I want to grant access to, or am I missing something and there is a way to copy such custom claims automatically?
I created an Azure AD multi-tenant application:
Configured SAML claims:
When I signed in with the home tenant user, the claim is displayed like below:
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=ClientID&response_type=token&redirect_uri=https://jwt.ms&scope=api://xxxx/access_as_user&state=12345&nonce=12345
When I signed in with the other tenant user, the access token did not contain the SAML claim:
Note that by default, custom claims are tenant-specific. If the claims are configured in the tenant A application, then they will only be added for tenant A users, not for users of other tenants.
Hence you had to manually add the claims in the Enterprise application created in the other tenant, and it cannot be automated.
I added the custom claim in the Enterprise application created in another tenant:
Now when I tried to sign in with another tenant user, the access token contains the SAML claim:
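As an added example (not from the question or the answer): a fail-closed check an application could apply to an incoming token, rejecting tokens from issuers outside the AAA/BBB allow-list and tokens from a consenting tenant whose enterprise app does not yet map the employeeid claim, instead of admitting the user with an empty employee id. The tenant ids, the claim name employeeid and the unsigned test assertion are constructed; signature validation is assumed to be done by the WS-Federation middleware.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Azure AD issues SAML tokens with Issuer = https://sts.windows.net/<tenant id>/.
# The tenant ids here are constructed placeholders for tenants AAA and BBB.
ISSUER_AAA = "https://sts.windows.net/aaaaaaaa-1111-1111-1111-111111111111/"
ISSUER_BBB = "https://sts.windows.net/bbbbbbbb-2222-2222-2222-222222222222/"
ALLOWED_ISSUERS = {ISSUER_AAA, ISSUER_BBB}
# Assumed to match the claim name configured under Attributes & claims.
EMPLOYEE_ID_CLAIM = "employeeid"


def make_assertion(issuer, attributes):
    """Build a minimal unsigned SAML 2.0 assertion (constructed test input)."""
    attrs = "".join(
        f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}'
        "</saml:AttributeValue></saml:Attribute>"
        for name, value in attributes.items()
    )
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


def check_assertion(xml_text, required_claims=(EMPLOYEE_ID_CLAIM,)):
    """Return {"ok", "issuer", "reason"} for a token from a consenting tenant.

    Signature validation is assumed to be done by the WS-Fed middleware; this
    enforces the issuer allow-list and the presence of required claims so a
    tenant whose enterprise app lacks the mapping is rejected rather than
    admitted with an empty employeeid.
    """
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", default="", namespaces=SAML_NS)
    if issuer not in ALLOWED_ISSUERS:
        return {"ok": False, "issuer": issuer, "reason": "issuer not allowed"}
    present = {a.get("Name") for a in root.iterfind(".//saml:Attribute", SAML_NS)}
    missing = [c for c in required_claims if c not in present]
    if missing:
        # Operator hint: the claim mapping must be added in this tenant's app.
        return {"ok": False, "issuer": issuer,
                "reason": "missing claims " + ", ".join(missing)}
    return {"ok": True, "issuer": issuer, "reason": ""}
```

The "missing claims" reason names the tenant (via the issuer) whose enterprise app still needs the claim added, which is the manual step the answer describes.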