How to change outgoing claims for SAML based SSO in Azure AD?

My application has authentication backed by SAML based Single sign on. The identity provider for the application is Azure AD. The application has different claim/attribute names compared to what is present in Azure AD. What is the process to map those AD outgoing claims to the fields present in the application?

Assume attribute name in Azure AD is phonenumber and application is expecting mobilenumber in the SAML response during authentication process.



Solution 1:[1]

I'm not sure what the docs say there, but I assume it would be similar to what I'm going to say: you go into the enterprise applications -> choose your app -> go to single sign on -> click edit on claims -> then click add new claim -> name would be mobilenumber -> namespace, you can leave it blank or put something random like http://schemas.xmlsoap.org/ws/2005/05/identity/claims -> source attribute -> user.telephonenumber probably.

Solution 2:[2]

If I understood correctly, generally the application requests the claim attribute and may expect a different claim attribute from Azure AD. For example, the application requests that the phone number be sent, and Azure will transform the claim attribute and send it to the application.

In this case, you can use claim transformation in Azure AD.

Refer to the document for the transformation rule.

Still, if it is not working after following the above scenario, check whether the application is sending the correct request and what Azure AD is responding to the application. Capture the HTTPS traffic by using Fiddler or any other trace tool to check the communication between your application and Azure AD.
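A quick check for the last step of Solution 2, added here as an example and not taken from either answer: decode the SAMLResponse form field captured from the browser (with Fiddler or any other trace tool) and list which claim names Azure AD actually sent, so a mismatch such as phonenumber versus mobilenumber is visible without reading the raw XML. The sample response below is constructed and unsigned, and the function names are my own; the script only reads claim names and does no signature validation, so it is a troubleshooting aid, not a validator.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces used in SAML 2.0 responses and assertions.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: a minimal, unsigned response shaped like one Azure AD
# issues, with one standard claim and the custom "mobilenumber" claim from
# Solution 1 (with the namespace left blank, the Name is just "mobilenumber").
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Assertion ID="_assertion" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="mobilenumber">
        <saml:AttributeValue>+1 555 0100</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode_response(xml_text: str) -> str:
    """Base64-encode XML the way it appears in the SAMLResponse form field."""
    return base64.b64encode(xml_text.encode()).decode()


def extract_claims(saml_response_b64: str) -> dict:
    """Decode a base64 SAMLResponse and return {claim name: [values]}."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        claims[attr.get("Name")] = values
    return claims


def missing_claims(claims: dict, expected: list) -> list:
    """Return the claim names the application expects but the IdP did not send."""
    return [name for name in expected if name not in claims]


if __name__ == "__main__":
    found = extract_claims(encode_response(SAMPLE_RESPONSE))
    print("claims sent:", sorted(found))
    print("missing:", missing_claims(found, ["mobilenumber", "phonenumber"]))
```

Paste the real SAMLResponse value from the captured POST in place of the constructed sample; if the name you configured in the claims editor is not in the printed list, the mapping (or its namespace prefix) is wrong on the Azure AD side.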

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1: alphaz18
Solution 2: Thirgiftthub - MSFT Identity