Question

Azure SAML SSO and First/Last Names in attributes/claims not working



Hi there. I have been successful in configuring SAML SSO with our Azure Entra ID tenant and our Lucid Enterprise tenant. Lucid's auto-provisioning of accounts from SSO does indeed create the Lucid account, but there is one issue I am hoping someone can help fix.

When the auto-provisioning happens upon first SSO login, the First Name and Last Name do not get filled in properly from their Azure Entra ID account. The First name gets the part of their email address before the @ sign and the Last name is blank. 

I searched for and read Lucid documents/tips on configuring SAML SSO as well as ones which indicate the SAML attribute statement mappings. However, Azure Entra ID does not have the same attribute names. For First name Azure has user.givenname; for Last name Azure has user.surname.

Is this something that can be corrected by modifying the standard attributes/claims for the Lucid (All products) SAML app? Here is what comes standard in Azure Enterprise Applications for Lucid (All products):
SAML Attribute statement mappings:

Value Name    Accepted naming convention    OID naming convention
email         user.email                    urn:oid:0.9.2342.19200300.100.1.3
first name    user.firstname                urn:oid:2.5.4.42
last name     user.lastname                 urn:oid:2.5.4.4


Comments


Hi Dean,

You can modify the attribute claim by clicking on the claim you wish to edit in Entra. I added an example where I updated the claim to user.firstname as the outgoing name and targeted user.givenname as the Entra source attribute to fill that outgoing claim. Hope this helps!


Thanks for the reply Karsten. Did that change work for you in your (test) Azure tenant?

It did not work for me. I have tried all sorts of combinations of modifying SSO attributes in our Enterprise Application config for Lucid but to date none have worked, including using OID attributes as documented by Lucid. 

I expect our company is not the only one with this issue and I am hopeful engineering at Lucid has developed a proven solution. Worst case, we have to get every Lucid Azure Entra ID guest to manually edit their Lucid profile to set the correct First and Last name fields. It does not interfere with operations but it would be nice to get it working if indeed Lucid has a proven solution.

I do not want to spend more hours experimenting and so am hopeful you/Lucid can provide a proven solution. Appreciate your help in this.


Hi Dean,

I sure did test and can confirm the SAML mappings work without issue in my implementation; perhaps we need a note in our documentation for how to work with SAML attributes in Entra. In the meantime, can you post a screenshot of the mappings for FirstName and LastName, so I can help you get this configured the right way?


Hi Karsten. I didn’t mention it originally but the main issue for us is B2B Guest accounts in our Entra ID that get autoprovisioned in our Lucid tenant. As you likely know, Guests have a User Principal Name (UPN) very different from Member UPNs. For example, the Azure Entra ID Guest bill_smith@gmail.com has a UPN of bill_smith_gmail.com#EXT#@magnussen0.onmicrosoft.com. Because of the requirement for Guests to also use SSO in our Lucid tenant, we could not use user.UserPrincipalName as the Unique User Identifier (Name ID) in our SAML configuration. We had to use user.mail. By doing that, the autoprovisioned user via SSO into our Lucid tenant has a username of their email address – just like Member user accounts from our Entra ID. And their email address in their Lucid account is also their correct email address.

Perhaps that is where the problem lies? Have you tried your solution with B2B (external) Guest users in your Entra ID?

I tried your screenshot example for the claim and it still did not get the correct field value from the Entra ID user account. I will private message you as I have a detailed document I can send you showing our full config.

In the meantime, please test your solution against B2B Guest users that get autoprovisioned in Lucid.

While on the topic, is there any way to disable the autoprovisioning of users from our Entra ID SAML SSO config into our Lucid tenant? I realize that is a separate topic.
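A check an admin can run on a SAML response captured from the browser (the base64 SAMLResponse form field) to see which of the Lucid-expected claims Entra actually emitted for a guest and whether the NameID is the mail address or the #EXT# guest UPN. This is an added example, not Lucid's or Microsoft's code; the sample assertion, the tenant name example.onmicrosoft.com and the Entra UPN claim URI are constructed/assumed.

```python
# Added example: inspect a captured SAML assertion for the claims Lucid provisioning needs.
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Lucid's documented attribute names (from the table in the question) and OID equivalents.
EXPECTED = {
    "email": ("user.email", "urn:oid:0.9.2342.19200300.100.1.3"),
    "first name": ("user.firstname", "urn:oid:2.5.4.42"),
    "last name": ("user.lastname", "urn:oid:2.5.4.4"),
}

# Constructed sample: a stripped-down assertion for a B2B guest whose NameID is user.mail.
# The "last name" claim is deliberately absent to reproduce the symptom in the question.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">bill_smith@gmail.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="user.email"><saml:AttributeValue>bill_smith@gmail.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="user.firstname"><saml:AttributeValue>Bill</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/userprincipalname"><saml:AttributeValue>bill_smith_gmail.com#EXT#@example.onmicrosoft.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def decode_response(saml_response_b64):
    """Decode the base64 SAMLResponse value captured from the browser's POST."""
    return base64.b64decode(saml_response_b64).decode("utf-8")

def parse_assertion(xml_text):
    """Return (NameID, {attribute name: [values]}) from an Assertion or a Response wrapping one."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("Assertion") else root.find(".//saml:Assertion", NS)
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    attrs = {}
    for attr in assertion.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return name_id, attrs

def check_lucid_claims(name_id, attrs):
    """Report each Lucid field as its value (found under either naming convention) or None."""
    report = {}
    for field, names in EXPECTED.items():
        present = [n for n in names if n in attrs and any(attrs[n])]
        report[field] = attrs[present[0]][0] if present else None
    # A guest's UPN carries "#EXT#"; if that is the NameID, provisioning keys on it, not the mail.
    report["nameid_is_guest_upn"] = "#EXT#" in name_id
    return report
```

A field reported as None means the IdP never sent that claim under either name, so the fix is on the Entra claim configuration rather than in Lucid.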


And interestingly enough, when an Entra ID Member (not Guest) uses our current default SSO config and accesses our Lucid tenant, their First Name and Last Name are properly retrieved from their Entra ID account details. So, it seems the issue is tied to Guest users who use SSO. Again, Guest users do get an autoprovisioned account through our SSO - it is just that their First Name and Last Name are not properly populated from their Entra ID account.

And - it is just one SAML SSO config - for both Members and Guests. Yes, we can afterwards as an Admin correct their First Name and Last Name in our Lucid tenant but it would be great if it just worked as it should and get it from Entra ID, saving us that extra work/task.
