Tags: azure-active-directory, multi-tenant, ws-federation, azure-app-registration

Custom SAML claim configured in multitenant Azure AD app is not copied to this app in another tenant


We are authenticating users of our application using WS-Federation. Up to now, we used a single-tenant app, created in Azure AD via App registration. Our application expects to get the user.employeeid attribute as a SAML claim, and it is configured in the corresponding app in the Enterprise applications blade (Single sign-on > Attributes & claims). In the app manifest (in the app registration), acceptMappedClaims is set to true to make this work.

The above configuration works perfectly, and now we want to switch to multi-tenant; in the application code we set the valid issuers to tenants AAA and BBB, where AAA is the original one.

When I sign in as a user from BBB, after I consent to the app, the employeeid claim is not returned. When checking the enterprise app, which was created in BBB after consent, I see that the custom claim is missing, and I have to add it manually. After that, it works perfectly.

Adding the claim manually is not a big problem for me, but I'm curious whether it works that way by design. Do I have to add such claims by hand to each tenant to which I want to grant access, or am I missing something, and there is a way to copy such custom claims automatically?


Solution

  • I created an Azure AD multitenant application:

    [screenshot]

    Configured SAML claims:

    [screenshot]

    When I signed in with the home tenant user, the claim is displayed like below:

    https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=ClientID&response_type=token&redirect_uri=https://jwt.ms&scope=api://xxxx/access_as_user&state=12345&nonce=12345

    [screenshot]

    When I signed in with the other tenant user, the access token did not contain the SAML claim:

    [screenshot]

    Note that, by default, custom claims are tenant specific. If the claims are configured in the tenant A application, then the claims will only be added for tenant A users, not for other tenant users.

    Hence you had to manually add the claims in the Enterprise application created in the other tenant, and it cannot be automated.

    I added the custom claim in the Enterprise application created in the other tenant:

    [screenshot]

    Now when I tried to sign in with the other tenant user, the access token contains the SAML claim:

    [screenshot]
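As an added example (not code from the question or the answer), this is the check an application in this situation should make on each token: verify the signature, accept only the configured tenant issuers, and fail closed when a required custom claim such as employeeid is absent, so a user from the other tenant is not silently authorised without it. It assumes a constructed HS256 token with a shared secret standing in for Azure AD's RS256 signature and key discovery, and constructed tenant IDs standing in for AAA and BBB.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed tenant IDs standing in for the question's AAA (home) and BBB (other) tenants.
HOME_TENANT = "aaaaaaaa-0000-0000-0000-000000000001"
OTHER_TENANT = "bbbbbbbb-0000-0000-0000-000000000002"
# v1 issuer format; v2 tokens use https://login.microsoftonline.com/{tid}/v2.0 instead.
VALID_ISSUERS = {f"https://sts.windows.net/{t}/" for t in (HOME_TENANT, OTHER_TENANT)}
# Custom claims the application relies on; absent in a freshly consented tenant.
REQUIRED_CLAIMS = ("employeeid",)
# Assumption: a shared HMAC secret replaces Azure AD's RS256 signing keys for this demo.
SECRET = b"demo-shared-secret-not-a-real-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict) -> str:
    """Build a constructed HS256 JWT carrying the given claims (test input only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def check_token(token: str, now=None):
    """Return (accepted, reason, claims); reject on bad signature, unknown issuer, expiry, or missing claim."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token", {}
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "bad signature", {}
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") not in VALID_ISSUERS:
        return False, f"issuer not allowed: {claims.get('iss')}", {}
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "token expired", {}
    missing = [c for c in REQUIRED_CLAIMS if not claims.get(c)]
    if missing:
        # Fail closed: the other tenant's Enterprise application may not carry the custom claim yet.
        return False, f"required claim(s) missing for {claims['iss']}: {missing}", {}
    return True, "ok", claims
```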