Why do Entra ID SAML claim transformations work differently for different claims?

Jens Bilgrav 0 Reputation points
2024-07-05T11:07:09.6133333+00:00

Scenario: In an Entra ID SAML-mediated SSO solution, I have to configure the identity provider to deliver a set of claims that all correspond to an email address. Depending on whether or not a specific extensionattribute contains a value (a set of initials), the email address must be constructed differently.

For this purpose, I have configured a claim transformation with the following pseudocode:

If 'user.extensionattributeXX' is not empty, then output 'user.extensionattributeXX'. Then join this output with @ followed by domain name Y.Z. Else (if 'user.extensionattributeXX' is empty), output 'user.userprincipalname'.

Now, for the default 'Unique User Identifier (Name ID)' claim, this works perfectly.

For my user, who does not have a value in extensionattributeXX, the claim output is simply my 'user.userprincipalname' as expected.

For a user that does have a value in extensionattributeXX, the claim output is XXXX@Y.Z, where 'XXXX' is the value in extensionattributeXX.

But here comes the odd part. I have to configure a claim specifically for the email address with the exact same claim transformation - but this does not work.

For my user, the claim output is always @Y.Z (corresponding to the "Else" statement in the pseudocode above), while the other user still gets XXXX@Y.Z.

Why is there a difference between the results of these two identical claim transformations? How do I achieve my goal?

Microsoft Entra ID
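An added example to reason about the outputs described in the question (it is editorial illustration, not the poster's configuration or Microsoft's implementation, and it does not diagnose the poster's tenant). It models the two building blocks used in the pseudocode, IfEmpty and Join, as plain functions and composes them in both possible orders. Ordering A (conditional first, Join only on the populated branch) yields exactly the Name ID results the post reports; ordering B (Join first, then the emptiness check) yields exactly the email-claim results, because "@Y.Z" is never empty and so the fallback never fires. The domain "Y.Z", the attribute name and the sample users are constructed placeholders taken from the post. The last function is the sanity check a relying party should run on an email claim before trusting it, since a value with an empty local part is exactly what ordering B produces.

```python
"""Constructed model of two orderings of an Entra ID claim-transformation pipeline.

Not Microsoft's code: IfEmpty and Join are modelled here as simple string
functions so the effect of their ordering can be seen on sample users.
"""
from dataclasses import dataclass

DOMAIN = "Y.Z"  # placeholder domain from the post (assumption)


@dataclass(frozen=True)
class User:
    userprincipalname: str
    # Stand-in for 'user.extensionattributeXX' in the post; "" means not set.
    extensionattribute: str = ""


def if_empty(value: str, fallback: str) -> str:
    """IfEmpty: pass the value through when it has content, else emit the fallback."""
    return value if value else fallback


def join(left: str, separator: str, right: str) -> str:
    """Join: plain concatenation; it performs no emptiness check of its own."""
    return f"{left}{separator}{right}"


def ordering_a_conditional_then_join(user: User) -> str:
    """Ordering A: decide on emptiness first, and Join only the populated branch.

    Empty attribute  -> user.userprincipalname
    'XXXX'           -> 'XXXX@Y.Z'
    """
    if user.extensionattribute == "":
        return user.userprincipalname
    return join(user.extensionattribute, "@", DOMAIN)


def ordering_b_join_then_conditional(user: User) -> str:
    """Ordering B: Join unconditionally, then apply IfEmpty to the joined value.

    The joined value is '@Y.Z' even for an empty attribute, which is not empty,
    so the UPN fallback can never be selected.
    Empty attribute  -> '@Y.Z'
    'XXXX'           -> 'XXXX@Y.Z'
    """
    joined = join(user.extensionattribute, "@", DOMAIN)
    return if_empty(joined, user.userprincipalname)


def valid_email_claim(value: str) -> bool:
    """Relying-party sanity check: both local part and domain must be non-empty."""
    local, sep, domain = value.partition("@")
    return sep == "@" and bool(local) and bool(domain)


def compare_orderings(users: list[User]) -> dict[str, dict[str, str]]:
    """Return each user's claim under both orderings, keyed by UPN."""
    return {
        u.userprincipalname: {
            "A": ordering_a_conditional_then_join(u),
            "B": ordering_b_join_then_conditional(u),
        }
        for u in users
    }


# Constructed sample users mirroring the two accounts described in the post.
SAMPLE_USERS = [
    User("jens@contoso.example"),             # no extensionattribute value
    User("other@contoso.example", "XXXX"),    # extensionattribute set to XXXX
]

if __name__ == "__main__":
    for upn, claims in compare_orderings(SAMPLE_USERS).items():
        for ordering, claim in claims.items():
            ok = "ok" if valid_email_claim(claim) else "REJECT"
            print(f"{upn:24} ordering {ordering}: {claim!r:28} {ok}")
```

When testing a claim rule, include one account with the attribute populated and one without, as the post already does; only the empty case distinguishes the two orderings, because both produce "XXXX@Y.Z" for a populated attribute.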