Access to Azure-AD attribute onPremisesSamAccountName during login

emil.enemaerke · September 24, 2021, 11:14am

Hi

We have a need to access the Azure-AD attribute onPremisesSamAccountName from auth0, but the value is not available from auth0. Is there a way to get this information included in the user profile when they login? I cannot se it in the RAW Json for the users?

Our configuration for the enterprise connection against Azure-AD look like:

nicolas_sabena · September 24, 2021, 2:52pm

Hi Emil.
I’m afraid the Enterprise Azure AD connection type is designed to work with a specific set of claims, and everything that is not recognized (including onPremisesSamAccountName) is discarded.
As of this writing, these are the values that Auth0 will take and store (on the left is the Auth0 user profile property name, on the right is the claim name returned by Azure AD):

  user_id: sub
  tenantid: tid
  nickname: unique_name
  roles: [roles, role]
  email: [email, mail]
  upn: [upn, userPrincipalName]
  given_name: givenName
  family_name: surname
  oid: oid
  name: name
  account_enabled: accountEnabled
  assigned_licenses: assignedLicenses
  assigned_plans: assignedPlans
  city: city
  country: country
  department: department
  fax: faxNumber
  job_title: jobTitle
  dir_sync_enabled: onPremisesSyncEnabled
  last_sync: onPremisesLastSyncDateTime
  mobile: mobilePhone
  group_ids: groups
  phone: businessPhones
  postal_code: postalCode
  preferred_language: preferredLanguage
  provisioned_plans: provisionedPlans
  provisioning_errors: onPremisesProvisioningErrors
  proxy_addresses: proxyAddresses
  state: state
  street: streetAddress
  usage_location: usageLocation

There are two alternatives that you might want to consider:

Connecting to an Azure AD domain using a SAML connection
Connecting to an Azure AD domain using a generic OIDC connection

Both the SAML connection and the Enterprise OIDC connection will accept and store any claim/attribute sent by Azure AD. These connections don’t have any Azure AD-specific knowledge, however, so they can’t use Azure AD’s API endpoints to get the “extended profile” or user groups. Only information sent by Azure AD in the response will be used (you can always configure Azure AD to include additional claims in the ID token). Not sure these alternatives would be able to provide all the information you need, but it might be worth a try.
I’d also suggest leaving a note at https://auth0.com/feedback requesting getting the onPremisesSamAccountName claim from the Azure AD response if available.

konrad.sopala · September 30, 2021, 9:45am

Thanks Nico for helping on this one!

emil.enemaerke · October 6, 2021, 10:17am

For future user that might stumble upon this.
My solution was to create a custom action the did a query against Azure Graph api and then add the information to the users meta data.

konrad.sopala · October 6, 2021, 10:32am

Perfect! Thanks for sharing it with the rest of community!

system · October 21, 2021, 10:33am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.