Learn how to retrieve username from SAML attributes and claims in Entra ID, a cloud-based identity and access management platform.
SAML (Security Assertion Markup Language) is a standard protocol for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). SAML attributes and claims are pieces of information about a user that the IdP sends to the SP in a SAML response. In this article, we will show you how to retrieve the username from SAML attributes and claims in Entra ID, a cloud-based identity and access management platform that supports SAML integration.
Problem Description
One of the common use cases for SAML integration is to enable single sign-on (SSO) for users across multiple applications. SSO allows users to log in once with their credentials and access multiple applications without having to re-enter their credentials. To achieve this, the IdP needs to send the user’s identity information to the SP in a SAML response. The SP then uses this information to authenticate and authorize the user.
One piece of identity information that the SP often requires is the user’s username. The username is a unique identifier for the user that is used to access the application. However, depending on the IdP configuration, the username may not be sent as a separate attribute or claim in the SAML response. Instead, it may be embedded in another attribute or claim, such as the user’s email address or full name. For example, if the user’s email address is [email protected], then the username is firstname.lastname.
In Entra ID, a cloud-based identity and access management platform, you can configure SAML attributes and claims to send user information to the SP. Entra ID supports both standard and custom attributes and claims, and allows you to map them to the user’s attributes in Entra ID. However, if you want to send the username as a separate attribute or claim, you need to use a custom claim and specify the expression to extract the username from another attribute or claim.
Solution Explanation
In this section, we will show you how to retrieve the username from SAML attributes and claims in Entra ID. We will assume that you have already configured Entra ID as the IdP and the SP as the relying party. We will also assume that you have already mapped the user’s email address to the standard Name ID attribute in Entra ID. If you need help with these steps, you can refer to the Entra ID documentation.
To retrieve the username from SAML attributes and claims in Entra ID, you need to do the following:
- Log in to Entra ID as an administrator and go to the Single Sign On page.
- Click on the Edit button next to the SP that you want to configure.
- Go to the Attributes & Claims tab and click on the Add Claim button.
- In the Add Claim dialog, enter a name for the custom claim, such as Username.
- In the Source attribute dropdown, select Name ID.
- In the Value field, enter the expression to extract the username from the Name ID attribute. The expression should use the string functions supported by Entra ID. For example, if the Name ID attribute contains the user’s email address in the format [email protected], then the expression to extract the username is:
substring-before(NameID, "@")
- Click on the Save button to add the custom claim.
- Click on the Save button again to save the changes to the SP configuration.
Now, when a user logs in to the SP via SSO, Entra ID will send the username as a separate attribute or claim in the SAML response. The SP can then use this attribute or claim to authenticate and authorize the user.
Frequently Asked Questions (FAQs)
Question: What are the benefits of retrieving the username from SAML attributes and claims in Entra ID?
Answer: Retrieving the username from SAML attributes and claims in Entra ID can provide the following benefits:
- It can simplify the user management process for the SP, as the username can be used as a unique identifier for the user across multiple applications.
- It can improve the user experience, as the user does not have to remember different usernames for different applications.
- It can enhance the security, as the username can be used to enforce password policies and prevent unauthorized access.
Question: What are the limitations of retrieving the username from SAML attributes and claims in Entra ID?
Answer: Retrieving the username from SAML attributes and claims in Entra ID can have the following limitations:
- It depends on the format of the source attribute or claim that contains the username. If the source attribute or claim changes or is not consistent, the expression to extract the username may not work correctly.
- It may not be compatible with some SPs that require a specific attribute or claim name for the username. In this case, you may need to use a custom mapping or transformation to match the SP’s requirements.
Question: How can I test the SAML integration and verify that the username is sent correctly?
Answer: You can test the SAML integration and verify that the username is sent correctly by using the following steps:
- Log in to Entra ID as an administrator and go to the Single Sign On page.
- Click on the Test button next to the SP that you want to test.
- In the Test SSO dialog, select a user from the dropdown and click on the Launch button.
- A new browser tab will open and redirect you to the SP’s login page.
- If the SSO is successful, you should be logged in to the SP as the selected user.
- To verify that the username is sent correctly, you can inspect the SAML response using the browser’s developer tools or a third-party tool such as SAML Tracer.
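The following Python script is an added example, not part of the original article and not Entra ID or Microsoft code. It shows what the verification step above actually checks once you have the decoded SAML response in hand (SAML Tracer shows it base64-decoded; the browser network tab shows the base64 form): it parses the response, reads the Name ID, recomputes the value the "substring-before" style expression should have produced, and compares it with the custom Username claim. It also handles the failure mode from the limitations FAQ, a Name ID that no longer contains an "@". The sample response, the claim name "Username" and the address firstname.lastname@example.com are constructed for the example; the XML layout follows the SAML 2.0 assertion schema.

```python
import base64
import xml.etree.ElementTree as ET
from typing import Optional

# SAML 2.0 namespaces used when querying the response.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample response (not captured from a real tenant). The Name ID
# carries the e-mail address and a custom "Username" claim carries the part
# before the "@", which is what the procedure in the article configures.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">firstname.lastname@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="Username">
        <saml:AttributeValue>firstname.lastname</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def decode_saml_response(b64_text: str) -> str:
    """Turn the base64 SAMLResponse form parameter into XML text."""
    return base64.b64decode(b64_text).decode("utf-8")


def username_from_name_id(name_id: str) -> Optional[str]:
    """Local equivalent of extracting the text before the first '@'.
    Returns None when there is no '@' (the case the limitations FAQ warns about)."""
    head, sep, _ = name_id.partition("@")
    return head if sep else None


def parse_response(xml_text: str) -> dict:
    """Pull status, Name ID and all attribute values out of a decoded response.
    Production code should parse with a hardened parser such as defusedxml."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "status": status.get("Value") if status is not None else None,
        "name_id": name_id.text if name_id is not None else None,
        "attributes": attributes,
    }


def check_username_claim(xml_text: str, claim_name: str = "Username") -> dict:
    """Verify that the custom username claim matches what the Name ID implies."""
    info = parse_response(xml_text)
    problems = []
    if info["status"] != SUCCESS:
        problems.append(f"response status is {info['status']!r}, not Success")
    expected = username_from_name_id(info["name_id"]) if info["name_id"] else None
    if expected is None:
        problems.append("NameID is missing or contains no '@'; the extraction expression yields nothing")
    values = info["attributes"].get(claim_name, [])
    actual = values[0] if len(values) == 1 else None
    if not values:
        problems.append(f"claim {claim_name!r} is not present in the response")
    elif len(values) != 1:
        problems.append(f"claim {claim_name!r} has {len(values)} values, expected exactly one")
    elif expected is not None and actual != expected:
        problems.append(f"claim {claim_name!r} is {actual!r} but NameID implies {expected!r}")
    return {"expected": expected, "actual": actual, "ok": not problems, "problems": problems}


if __name__ == "__main__":
    # Round-trip through base64 the way the browser would post it.
    posted = base64.b64encode(SAMPLE_RESPONSE.encode("utf-8")).decode("ascii")
    print(check_username_claim(decode_saml_response(posted)))
```

Run it against a response you captured during the test login by replacing the constructed sample with the decoded XML; a non-empty "problems" list points at the exact mismatch (missing claim, wrong value, or a Name ID that no longer has the expected e-mail shape) rather than leaving you to eyeball the assertion.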
Summary
In this article, we have shown you how to retrieve the username from SAML attributes and claims in Entra ID, a cloud-based identity and access management platform that supports SAML integration. We have described the problem, explained the solution, and provided some FAQs related to the topic. We hope that this article has helped you to understand and implement this use case for your SAML integration.
Disclaimer: This article is for informational purposes only and does not constitute professional advice. We are not affiliated with or endorsed by Entra ID or any other third-party products or services mentioned in this article. We do not guarantee the accuracy, completeness, or suitability of the information in this article for your specific needs. You should consult your own IT technical expert before making any decisions based on this article. We are not liable for any damages or losses arising from the use of or reliance on this article.