0

I am new to SAML and Azure but I need to integrate my PHP web application with Azure and I do not understand how the Azure name attributes (claims?) are working with simpleSAMLphp.

Problem 1 - attributes from Azure are hard to read

This is a returned dataset from Azure - the attributes are named as HTTP URLs:

Data returned from Azure

I can somehow view the purpose of each attribute in the URL but is there a way to show a shorter and more friendly name? Is the friendly names something that should be provided by our Azure team or is there a standard translation that can be done?

Problem 2 - I cannot read all Azure provided attributes/claims

I have been told by our Azure team that they have provided me with more attributes than what is visible in the above picture - e.g. our organization, title and more and they have sent this picture as a proof to me:

Azure attributes that should be available to me

This seems to be a weird mix of URLs and friendly names/descriptions but I seem not able to read all Azure attributes from simpleSAMLphp!? Do I need to read the (extra?) attributes in another way than $azure->getAttributes();?

What I have tried

I have (among others) used this guide for setting up simpleSAMLphp, https://www.lewisroberts.com/2015/09/05/single-sign-on-to-azure-ad-using-simplesamlphp/ and that guide refers to the below setup, which I have included in \config\authsources.php:

'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
'simplesaml.nameidattribute' => 'eduPersonTargetedID',

But to be honest then it confuses me, if this is relevant or not.

I have also viewed How do I map attributes returned by an IDP to friendly names inSimpleSAMLphp? which gets close to my problem but I did not get any closer to a solution.

Any hints or help would really be appreciated :-) My guess is that it is not possible to get friendly names/claims and that our Azure team will need to fix the missing attributes/claims but I do not have any solid evidence for proving this.

Beauvais
  • 2,149
  • 4
  • 28
  • 63

1 Answers1

0

After more time spent on this and some trial-and-error from our IT department then everything has now been fixed.

It WAS in fact a faulty Azure configuration that did not send the attributes and the weird names/claims could also easily be "translated" by Azure in to short meaningful and friendly names.

This is what I wanted from the beginning:

Now it works

It still show the weird names for tenantid etc. but I don't care for that as I do not use that. I assume this is some standard attributes being sent from Azure.

The Azure "claims" now looks like this:

Azure configuration

Also it was not mentioned by our IT guys but even if they state that it has been fixed then please await for some time before testing as it will take some time from applying the change until it is effective in Azure. At least I noticed it could take 15-30 minutes for adding new attributes though the change of attribute names was done almost instantly.

Beauvais
  • 2,149
  • 4
  • 28
  • 63
  • Did you have to change something in your simplesamlphp authsources to accommodate these attribute claims? Or this was all configuration on the Azure side? – aaronbauman Jul 26 '22 at 19:27
  • 1
    @aaronbauman - it was changed in Azure, as far as I recall. Do note that I changed to "Shibboleth, Service Provider" soon fast after this, as it authenticates on folder level instead on file-basis as "simpleSAMLphp" does. You can view more about it here, https://www.shibboleth.net/products/ and download it here, https://shibboleth.net/downloads/service-provider/ – Beauvais Jul 27 '22 at 05:39