We have a need to access the Azure AD attribute onPremisesSamAccountName from Auth0, but the value is not available from Auth0. Is there a way to get this information included in the user profile when they log in? I cannot see it in the raw JSON for the users.
Our configuration for the enterprise connection against Azure AD looks like:
Hi Emil.
I’m afraid the Enterprise Azure AD connection type is designed to work with a specific set of claims, and everything that is not recognized (including onPremisesSamAccountName) is discarded.
As of this writing, these are the values that Auth0 will take and store (on the left is the Auth0 user profile property name, on the right is the claim name returned by Azure AD):
user_id: sub
tenantid: tid
nickname: unique_name
roles: [roles, role]
email: [email, mail]
upn: [upn, userPrincipalName]
given_name: givenName
family_name: surname
oid: oid
name: name
account_enabled: accountEnabled
assigned_licenses: assignedLicenses
assigned_plans: assignedPlans
city: city
country: country
department: department
fax: faxNumber
job_title: jobTitle
dir_sync_enabled: onPremisesSyncEnabled
last_sync: onPremisesLastSyncDateTime
mobile: mobilePhone
group_ids: groups
phone: businessPhones
postal_code: postalCode
preferred_language: preferredLanguage
provisioned_plans: provisionedPlans
provisioning_errors: onPremisesProvisioningErrors
proxy_addresses: proxyAddresses
state: state
street: streetAddress
usage_location: usageLocation
There are two alternatives that you might want to consider:
Connecting to an Azure AD domain using a SAML connection
Connecting to an Azure AD domain using a generic OIDC connection
Both the SAML connection and the Enterprise OIDC connection will accept and store any claim/attribute sent by Azure AD. These connections don’t have any Azure AD-specific knowledge, however, so they can’t use Azure AD’s API endpoints to get the “extended profile” or user groups. Only information sent by Azure AD in the response will be used (you can always configure Azure AD to include additional claims in the ID token). Not sure these alternatives would be able to provide all the information you need, but it might be worth a try.
I’d also suggest leaving a note at https://auth0.com/feedback requesting getting the onPremisesSamAccountName claim from the Azure AD response if available.
For future users who might stumble upon this.
My solution was to create a custom Action that did a query against the Azure Graph API and then added the information to the user's metadata.
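An added example of the approach described in the reply above (this is not the poster's own Action): an Auth0 post-login Action that looks the user up in Microsoft Graph with an app-only (client-credentials) token, requests only onPremisesSamAccountName, and stores it in app_metadata. The secret names (AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET), the use of event.user.upn (falling back to email) as the Graph lookup key, the app_metadata key sam_account_name, the Node 18+ runtime with a global fetch, and the stub fetch used for offline testing are all assumptions made for the example.

```javascript
// Added example: Auth0 post-login Action that enriches an Azure AD user with
// onPremisesSamAccountName from Microsoft Graph and stores it in app_metadata.
// Not the original poster's Action; secret names, the use of event.user.upn as
// the lookup key and the injectable fetch are assumptions for this example.

const GRAPH_BASE = 'https://graph.microsoft.com/v1.0';
const LOGIN_BASE = 'https://login.microsoftonline.com';

// Builds the Graph URL for one user, requesting only the attribute we need.
// The lookup key (UPN or object id) is URL-encoded so a crafted value cannot
// change the path or inject extra query parameters.
function buildGraphUserUrl(lookupKey) {
  return `${GRAPH_BASE}/users/${encodeURIComponent(lookupKey)}?$select=onPremisesSamAccountName`;
}

// Acquires an app-only token with the client-credentials grant. The app
// registration needs only the User.Read.All application permission.
async function getGraphToken(secrets, fetchImpl) {
  const body = new URLSearchParams({
    client_id: secrets.AZURE_CLIENT_ID,
    client_secret: secrets.AZURE_CLIENT_SECRET,
    scope: 'https://graph.microsoft.com/.default',
    grant_type: 'client_credentials',
  });
  const res = await fetchImpl(`${LOGIN_BASE}/${secrets.AZURE_TENANT_ID}/oauth2/v2.0/token`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  });
  if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
  const json = await res.json();
  if (typeof json.access_token !== 'string') throw new Error('token response lacks access_token');
  return json.access_token;
}

// Reads the attribute out of a Graph user object; null when the account is
// cloud-only or not synced, in which case Graph returns null for the property.
function extractSamAccountName(graphUser) {
  const v = graphUser && graphUser.onPremisesSamAccountName;
  return typeof v === 'string' && v.length > 0 ? v : null;
}

async function fetchSamAccountName(lookupKey, secrets, fetchImpl) {
  const token = await getGraphToken(secrets, fetchImpl);
  const res = await fetchImpl(buildGraphUserUrl(lookupKey), {
    headers: { Authorization: `Bearer ${token}` },
  });
  if (!res.ok) throw new Error(`graph lookup failed: HTTP ${res.status}`);
  return extractSamAccountName(await res.json());
}

// Auth0 post-login Action entry point. fetchImpl defaults to the global fetch
// of a Node 18+ Actions runtime (assumption); tests inject a stub instead.
// Returns a short status string so the outcome can be checked without network.
async function onExecutePostLogin(event, api, fetchImpl = globalThis.fetch) {
  // Only Azure AD ("waad") enterprise connections carry this attribute.
  if (!event.connection || event.connection.strategy !== 'waad') return 'skipped:connection';
  // Cache: no Graph round trip on every login once the value is stored.
  if (event.user.app_metadata && event.user.app_metadata.sam_account_name) return 'skipped:cached';
  const lookupKey = event.user.upn || event.user.email; // assumption: UPN is on the profile
  if (!lookupKey) return 'skipped:no-key';
  try {
    const sam = await fetchSamAccountName(lookupKey, event.secrets, fetchImpl);
    if (sam === null) return 'not-synced';
    // app_metadata, not user_metadata: the user must not be able to edit it.
    api.user.setAppMetadata('sam_account_name', sam);
    return 'stored';
  } catch (err) {
    // Fail open: a Graph outage should not block login; the next login retries.
    return `error:${err.message}`;
  }
}

if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Constructed stub of the token and Graph endpoints for offline testing.
function makeStubFetch(graphUser) {
  return async (url, opts = {}) => {
    if (url.includes('/oauth2/v2.0/token')) {
      return { ok: true, status: 200, json: async () => ({ access_token: 'stub-token' }) };
    }
    if (url.startsWith(GRAPH_BASE + '/users/')) {
      if ((opts.headers || {}).Authorization !== 'Bearer stub-token') {
        return { ok: false, status: 401, json: async () => ({}) };
      }
      return { ok: true, status: 200, json: async () => graphUser };
    }
    return { ok: false, status: 404, json: async () => ({}) };
  };
}
```

Two things worth keeping in mind when deploying something like this: store the client secret in the Action's secrets rather than in the code, and give the app registration only the User.Read.All application permission, since the Action never needs to write to the directory. Writing to app_metadata rather than user_metadata matters because user_metadata can be edited by the user through the Management API with a user-scoped token, while app_metadata cannot.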