Azure B2B External Identity Provider Claims Mapping

I'm setting up federation to multiple external identity providers for my Azure ASP.NET Core App (App Service with Enterprise App/App Registration setup) in my Azure Tenant. I have external clients; some will have Microsoft Entra and some have custom IdPs where I'll set up SAML/WS-Fed External IdP on my tenant. This documentation is pretty clear on how to federate/trust.

I'm having trouble understanding or finding documentation that clearly shows how I can have the external IdP send custom attribute values from their side (via SAML token) and map/transform them into my own access token claims with a different name so I can parse out the claim value and use it in my code (i.e. front-end or backend code).

I do not want to call an external API (i.e. Custom Authentication Extension/Claims Provider) during the authentication flow. This would require my external clients to build a custom API for me to call. I simply want the ability (in real time) during the built-in user flow to transform the attribute values from the IdP SAML token into my access token so my application code can use them by reading the token values. I'm okay calling/building my own code hosted on my tenant to do that if needed. I also don't want these values stored in my tenant. Meaning if the user logs in a few days later and their attribute value changes, my application will see the new values.

Scenario: My application code reads the claims from the access token (issued by my tenant for my app) after the user authenticates with the external IdP and is redirected back to my application, and I need to find a claim value called "AccountNumber" and use this to query our database. Because I'm federating with multiple IdPs, they may call their attribute value something different (i.e. AcctNum or CustomNum), but my application must use our attribute name so we are not adding custom logic per IdP federated.

Is this supported in B2B?

If supported in B2B, where is the mapping done? Do I tell the external IdP to add the attribute with my required attribute name to their SAML token (they map it)? If so, does Azure automatically handle putting that claim attribute in my access token because the name matches? I do understand I'll have custom/optional claims attributes set up on my Enterprise App so my app has access to this claim attribute in my access token. But how is it mapped during federation? If not automatically mapped to my custom claim, where in the Enterprise App do I map this? Single Sign-On section?

Or is this something I do in my Azure tenant? If so, where/how? I keep seeing documentation about using the Single Sign-On section on the Enterprise App -> Edit Claims -> Add new claim. But I can only select built-in claims from Azure AD/Entra. I was expecting the ability to specify the external IdP's attribute name (free-form type). For example, "AcctNumber" as source (the attribute name from the external IdP) and map to my name called "AccountNumber".

Any help would be appreciated. Thanks

I've read through all the documentation, watched videos, and I can't seem to find an example of anyone doing this. Videos and articles keep talking about Enterprise App -> Single Sign-On -> SAML, but that is for adding an app from the Gallery and telling that App to use my Tenant as the IdP instead of the app developer's built-in IdP. For example, letting my tenant users use their own AD/Entra account to get access to the external App. That documentation shows claims mapping in the Enterprise App - Single Sign-On, which is fine because I have an internal App using OIDC instead of SAML. But how do I map the claims attributes from the external IdP into my OIDC access token when the user authenticates?

0 Replies