Forum Discussion
AzureAD SharePoint SAML integration
Hi Peter,
Happy new year and apologies for the delay in responding.
Thanks for your email. Below is what I have found in the trace.
SAMLtrace for working user which is a microsoft online account
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">maverick1@hotmail.com</NameID>
You can see that Azure is passing the email address, which is used as the federated ID between Azure and Salesforce.
SAMLtrace for non-working user which is a user account in the directory
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">F8xKa2JIpxTCFjO66gjj-9TrfpXfOnyxOHogR8s1PA4</NameID>
As you can see from the above, the email address is not being passed as the FederationID for the user in the directory. So it only seems to work with the MS online account.
Your help would be appreciated.
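The two traces above differ only in the NameID element, so the quickest check on a captured assertion is to pull out the NameID Format and value and compare the value to the FederationID the service provider expects. The script below is an added example, not code from the thread or from Microsoft or Salesforce; the two assertions and the email addresses in it are constructed, and the verdict strings are my own wording.

```python
import xml.etree.ElementTree as ET

SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed assertions shaped like the two traces in the post (addresses are made up).
WORKING_ASSERTION = f"""
<saml:Assertion xmlns:saml="{SAML2_ASSERTION_NS}">
  <saml:Subject>
    <saml:NameID Format="{EMAIL_FORMAT}">alice@example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

BROKEN_ASSERTION = f"""
<saml:Assertion xmlns:saml="{SAML2_ASSERTION_NS}">
  <saml:Subject>
    <saml:NameID Format="{PERSISTENT_FORMAT}">CONSTRUCTED-OPAQUE-ID-0001</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def extract_nameid(assertion_xml):
    """Return (Format, value) of the Subject NameID, or (None, None) if absent.

    Works whether the root is the Response or the Assertion, because the
    search is relative (.//) and namespace-qualified.
    """
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML2_ASSERTION_NS}
    el = root.find(".//saml:Subject/saml:NameID", ns)
    if el is None:
        return None, None
    return el.get("Format"), (el.text or "").strip()


def diagnose_nameid(assertion_xml, expected_federation_id):
    """Compare the NameID against the FederationID the SP has on record.

    Email comparison is case-insensitive; a persistent NameID is an opaque
    identifier and can never equal an email-style FederationID, which is
    exactly the symptom described in the post.
    """
    fmt, value = extract_nameid(assertion_xml)
    if fmt is None:
        return {"format": None, "value": None, "ok": False,
                "reason": "no NameID found in Subject"}
    if fmt == EMAIL_FORMAT and value.lower() == expected_federation_id.lower():
        return {"format": fmt, "value": value, "ok": True,
                "reason": "emailAddress NameID matches FederationID"}
    if fmt == PERSISTENT_FORMAT:
        return {"format": fmt, "value": value, "ok": False,
                "reason": "persistent (opaque) NameID cannot match an email FederationID; "
                          "check the nameidentifier claim mapping (user.mail or "
                          "user.userprincipalname) for this account"}
    return {"format": fmt, "value": value, "ok": False,
            "reason": f"NameID {value!r} does not match FederationID {expected_federation_id!r}"}


if __name__ == "__main__":
    for label, xml_text, fed_id in (("working", WORKING_ASSERTION, "alice@example.com"),
                                    ("non-working", BROKEN_ASSERTION, "bob@example.com")):
        result = diagnose_nameid(xml_text, fed_id)
        print(f"{label}: ok={result['ok']} format={result['format']} reason={result['reason']}")
```

Run it against the decoded assertion from a SAML tracer rather than the raw base64 Response; the function only needs the XML. A persistent-format result points at the identity provider's claim configuration for that account (which attribute feeds the nameidentifier claim, and whether that attribute is populated), not at the service provider.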
Hello,
Please check your Salesforce claim mappings; nameidentifier should map to user.mail or user.userprincipalname. These values should be identical to the Salesforce account FederationID.
If you’re using user.mail, please check the accounts have the mail attribute using the Azure AD PowerShell cmdlets for cloud accounts or sync'd, Active Directory Users and Computers.
If you’ve found this post helpful, please click the Like button.
AzureRanger, Jan 07, 2019, Copper Contributor
Hi ThinkSync,
They are correctly set to user.mail. The thing I am stuck on is that it works for the Microsoft account, i.e. the account I log in to the Azure tenant with. However, it doesn't work with users that are in the AAD.
Thanks
AR
AzureRanger, Jan 08, 2019, Copper Contributor
Hi ThinkSync,
any ideas?
Regards
AR
ThinkSync, Jan 10, 2019, Brass Contributor
Hello,
Sorry for the delay.
Firstly, I recommend making sure the following attributes match. This reduces administrative overhead and provides the best user experience.
Setting                                    | Azure AD Attribute Name
SIP                                        | ProxyAddresses – denoted with a prefix 'SIP'
Primary SMTP (default send from address)   | ProxyAddresses – denoted with a prefix of uppercase 'SMTP'
Mail                                       | WindowsEmailAddress (Exchange), Mail (Graph API)
User Principal Name (AzureAD login name)   | UserPrincipalName
Alternative ID (**avoid if possible)       |
** I hear you On-prem Active Directory admins, yes, it’s a lot of work but these changes will save you a world of pain 😊
With reference to your problem, the mail attribute, "user.mail", isn't used by Exchange or for sending email, and is often out of date or not set at all. Now, in saying that, Azure AD has some interesting rules which in some cases populate the mail attribute:
https://support.microsoft.com/en-gb/help/3190357/how-the-proxyaddresses-attribute-is-populated-in-azure-ad
Personally, I wouldn’t rely on Azure AD updating synchronised accounts. Please manage the mail attribute using On-Prem AD to avoid ambiguity.
So how does this help me? 😊
Check one of your problematic users using the Graph API explorer; unless you connect to Exchange Online, the mail attribute isn't exposed:
- Log in to the Graph API explorer - https://developer.microsoft.com/en-us/graph/graph-explorer#
- Paste the following query into the query window and add your user's UPN
- https://graph.microsoft.com/v1.0/users/[UPNHere]
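When more than a handful of accounts are affected, it is faster to pull the user list once and audit every account's mail, primary SMTP and UPN against the FederationID the service provider holds. The script below is an added example, not code from the thread or from Microsoft; the Graph-shaped response and the FederationID table are constructed inline so it runs offline, and the rule that a mail value must equal the uppercase "SMTP:" proxy address follows the table in the reply above. Fetching the real response requires an access token and is left to the reader.

```python
import json

# Constructed sample shaped like the "value" array returned by
# GET https://graph.microsoft.com/v1.0/users?$select=userPrincipalName,mail,proxyAddresses
SAMPLE_GRAPH_RESPONSE = json.dumps({"value": [
    {"userPrincipalName": "alice@example.com", "mail": "alice@example.com",
     "proxyAddresses": ["SMTP:alice@example.com", "smtp:alice.old@example.com"]},
    {"userPrincipalName": "bob@example.com", "mail": None,           # mail never populated
     "proxyAddresses": ["SMTP:bob@example.com"]},
    {"userPrincipalName": "carol@example.com", "mail": "carol.smith@example.com",
     "proxyAddresses": ["SMTP:carol@example.com"]},                  # mail drifted from primary SMTP
]})

# Constructed: FederationID per account as configured on the service-provider side (hypothetical).
SAMPLE_FEDERATION_IDS = {
    "alice@example.com": "alice@example.com",
    "bob@example.com": "bob@example.com",
    "carol@example.com": "carol@example.com",
}


def primary_smtp(proxy_addresses):
    """Return the primary SMTP address: the proxyAddresses entry with the uppercase 'SMTP:' prefix."""
    for addr in proxy_addresses or []:
        if addr.startswith("SMTP:"):
            return addr[len("SMTP:"):]
    return None


def audit_user(user, federation_id):
    """Return a list of findings explaining why SSO for this account may fail.

    An empty list means mail, primary SMTP and UPN all agree with the FederationID,
    so either user.mail or user.userprincipalname would produce a matching NameID.
    """
    upn = user.get("userPrincipalName")
    mail = user.get("mail")
    smtp = primary_smtp(user.get("proxyAddresses"))
    findings = []
    if not mail:
        findings.append("mail attribute not set; a nameidentifier mapped to user.mail "
                        "will not carry the FederationID")
    elif federation_id and mail.lower() != federation_id.lower():
        findings.append(f"mail {mail} differs from FederationID {federation_id}")
    if mail and smtp and mail.lower() != smtp.lower():
        findings.append(f"mail {mail} differs from primary SMTP {smtp}")
    if upn and federation_id and upn.lower() != federation_id.lower():
        findings.append(f"UPN {upn} differs from FederationID {federation_id}; "
                        "matters if the mapping uses user.userprincipalname")
    if federation_id is None:
        findings.append("no FederationID on record for this account")
    return findings


def audit_federation_ids(graph_response_json, federation_ids):
    """Map each UPN in a Graph users response to its list of findings."""
    users = json.loads(graph_response_json)["value"]
    return {u["userPrincipalName"]: audit_user(u, federation_ids.get(u["userPrincipalName"]))
            for u in users}


if __name__ == "__main__":
    for upn, findings in audit_federation_ids(SAMPLE_GRAPH_RESPONSE, SAMPLE_FEDERATION_IDS).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{upn}: {status}")
```

Accounts with an empty mail attribute are the ones most likely to show the persistent-format NameID from the first post; the fix is on the directory side (populate mail, or map nameidentifier to user.userprincipalname), and re-running the audit confirms the attributes agree before testing SSO again.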