Terraform (and AzureAD Provider) Version

Terraform v1.2.5
on windows_386

Affected Resource(s)

azuread_application
azuread_service_principal

Terraform Configuration Files

Expected Behavior

When creating an azuread_application resource and configuring it for SAML, I'm expecting the NameID attribute to be mapped properly and to return something like the following during the auth flow:

<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">my.obfuscated.email@address.com</NameID>

And then in the Service Provider (an OpenSearch domain in this case) I expect to see the user's user id as my.obfuscated.email@address.com.

Actual Behavior

After authenticating, each user's user id is not set correctly. From the SAML response I can see:

<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">KoIbJEiimY6YA-xyPZ02iBpQX2h3gug5VX7F-HP5Dus</NameID>

And in the Service Provider I see the user's user id as KoIbJEiimY6YA-xyPZ02iBpQX2h3gug5VX7F-HP5Dus.

Steps to Reproduce

terraform apply

Important Factoids

If I look at the "Attributes & Claims" under SAML Single Sign-on in the Azure console everything looks correct, and the Unique User Identifier (Name ID) claim is set to user.userprincipalname [nameid-format:emailAddress] as I'd expect, but that behaviour doesn't actually appear to be applied.

What's even more strange is that if I change the Unique User Identifier (Name ID) to something else at random and then back to user.userprincipalname [nameid-format:emailAddress], all via the Azure console, things start working! So it almost looks like this isn't being initialised when creating the resource via Terraform, but it is when done via the Azure console.
Hi @dcopestake, thanks for reporting and for the detailed repro information. At this time we do not have any control over these SAML related settings, as the API does not expose them. Unfortunately this means that only the portal (and potentially other first-party applications like Azure CLI or Az pwsh module) are able to configure these SAML settings. Additionally, whatever defaults are set as a result of this disparity, are also out of our control.
As soon as we have API support for these settings, we will be happy to support them.
Note that the Azure console currently also adds an http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress claim from the user.mail attribute, which doesn't seem to be included in IncludeBasicClaimSet but can be added to this claims mapping policy as well.
We had the same problem as OP, except we created the resources manually through the Azure web user interface. The field Name identifier format was "Email address" as it should be, but the SAML Assertion returned <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">[...]</NameID>. We managed to fix it the same way as OP too: we changed the provider to something else, and then back to "Email address", and we started getting the correct NameID in the Assertion.
I'm adding a comment about our experience here, as I could not find this issue reported anywhere else.
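Both reports above describe the same service-provider-side failure mode: the IdP was configured for an email-format NameID but the assertion carried an opaque value with the `unspecified` (OP) or `persistent` (the second commenter) format, and the SP keyed the user on that string without complaint. The check below is an added example written for this thread, not code from the azuread provider, from OpenSearch or from either commenter. It assumes the SAML response signature has already been verified upstream (the constructed fragments omit `Signature` entirely), and the function names `build_response`, `extract_name_id`, `user_id_from_response` and `describe` are the example's own. The sample responses are constructed here to mirror the two `NameID` elements quoted in the issue.

```python
"""Service-provider-side check of the SAML NameID an IdP actually sent.

Added example for this thread; not code from the azuread provider or from
OpenSearch. The <Response> fragments are constructed to match the NameID
elements quoted in the issue. Signatures and encryption are omitted, so this
check is meant to run only after the response signature has been verified.
"""
import re
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree in production

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_response(name_id_format: str, value: str) -> str:
    """Constructed, unsigned SAML Response carrying a single NameID (test data only)."""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
        "<saml:Assertion><saml:Subject>"
        f'<saml:NameID Format="{name_id_format}">{value}</saml:NameID>'
        "</saml:Subject></saml:Assertion></samlp:Response>"
    )


# Constructed samples: what the reporter expected, and what actually came back.
EXPECTED_RESPONSE = build_response(NAMEID_EMAIL, "my.obfuscated.email@address.com")
ACTUAL_RESPONSE = build_response(NAMEID_UNSPECIFIED, "KoIbJEiimY6YA-xyPZ02iBpQX2h3gug5VX7F-HP5Dus")


class NameIdMismatch(Exception):
    """The NameID is not usable as the identifier this SP was configured for."""


def extract_name_id(response_xml: str) -> tuple[str, str]:
    """Return (format, value) of the assertion's NameID.

    SAML 2.0 Core treats a missing Format attribute as 'unspecified', so the
    same default is applied here instead of raising.
    """
    root = ET.fromstring(response_xml)
    node = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise NameIdMismatch("assertion carries no NameID")
    return node.get("Format", NAMEID_UNSPECIFIED), node.text.strip()


def user_id_from_response(response_xml: str, expected_format: str = NAMEID_EMAIL) -> str:
    """Map the assertion to a local user id, failing closed on format drift.

    Accepting an opaque 'unspecified' or 'persistent' value where an email
    was configured would key every account on a string nobody can reconcile
    with a person, which is exactly what the thread observed.
    """
    fmt, value = extract_name_id(response_xml)
    if fmt != expected_format:
        raise NameIdMismatch(
            f"NameID format {fmt!r} differs from configured {expected_format!r}; value {value!r}"
        )
    if expected_format == NAMEID_EMAIL and not _EMAIL_RE.match(value):
        raise NameIdMismatch(f"NameID {value!r} claims email format but is not an address")
    # Normalise case so one principal does not become two local accounts.
    return value.lower()


def describe(response_xml: str) -> str:
    """One-line verdict, suitable for the SP's authentication log."""
    try:
        return f"ok: {user_id_from_response(response_xml)}"
    except NameIdMismatch as exc:
        return f"reject: {exc}"


if __name__ == "__main__":
    print(describe(EXPECTED_RESPONSE))
    print(describe(ACTUAL_RESPONSE))
    print(describe(build_response(NAMEID_PERSISTENT, "opaque-persistent-id")))
```

The check is deliberately strict about the format attribute rather than about the value alone: an `unspecified` NameID that happens to look like an address is still not the identifier the SP agreed with the IdP, and logging the rejected format makes the misconfiguration described above visible at the first login instead of after accounts have been created under opaque ids.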