SOLVED - Help with Azure SAML please

I am being authenticated. But then there is a value mismatch for the properties, so everyone is being logged in as the same user.

I am using the following values now (have tried many mixes):

ID Property: id

First Name Property: givenname

Last Name Property: surname

email address property: emailaddress


Here is the SAML payload back (with GUIDs blah'd out)

<samlp:Response
Destination="https://us-api.someplace.net/v1/applications/BLAH/auth/Azure/return"
ID="_c7b55105-9121-46ec-a01e-BLAH" InResponseTo="_e1d3347c8734242cee52"
IssueInstant="2020-12-01T22:09:34.913Z" Version="2.0"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/98a530c8BLAH/</Issuer>
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<Assertion ID="_652287a7-ae18-BLAH" IssueInstant="2020-12-01T22:09:34.908Z"
Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>https://sts.windows.net/98a530c8-5cb7-BLAH/</Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_652287a7-ae18-BLAH">
<Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>OxxzYasY4vQlCbWTclBFfQbCs3cRuxbTShz6mhQSEm0=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>PoYC1F8g0tRNkqlfoMwRi73k0Hh7afU8+TbApBLAHWfzsKEAe5pG0/gwjgroHrGr5oCEou/pNMCoa6iKmtYfUdNetfhvvLNVZm4YY37Qbzp1bvfneJu6PMQjj+hal8VcVSwYbKUAmk+3SnDYCMqanKtFsA==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIIDBTCCAe2gAwIBAgIQQiR8gZNKuYpH6BLAH/+dXihcHzLEfKbCPw4/Mf2ikq4gqigt5t6hcTOSxL8wpe8OKkbNCMcU0cGpX5NJoqhJBt9SjoD3VPq7qRmDHX4h4nniKUMI7awI94iGtX/vlHnAMU4+8y6sfRQDGiCIWPSyypIWfEA6/O+SsEQ7vZ/b4mXlghUmxL+o2emsCI1e9PORvm5yc9Y/htN3Ju0x6ElHnih7MJT6/YUMISuyob9/mbw8Vf49M7H2t3AE5QIYcjqTwWJcwMlq5i9XfW2QLGH7K5i8</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">UxWm4yq0nyl5aSgGb6eeUU219sCJvBXVpy2qYx6JfDQ</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="_e1d3347BLAH"
NotOnOrAfter="2020-12-01T23:09:34.803Z"
Recipient="https://us-api.someplace.net/v1/applications/BLAH/auth/Azure/return"/></SubjectConfirmation>
</Subject>
<Conditions NotBefore="2020-12-01T22:04:34.803Z" NotOnOrAfter="2020-12-01T23:09:34.803Z">
<AudienceRestriction>
<Audience>spn:870d0f1f-9a38BLAH</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
<AttributeValue>98a530c8-5cb7-BLAH</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
<AttributeValue>1b0d1322-ae04-4c0dBLAH</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
<AttributeValue>ken@sompleace.net</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
<AttributeValue>curtis</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
<AttributeValue>ken</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
<AttributeValue>ken curtis</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<AttributeValue>kencurtis@someplace.com</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
<AttributeValue>https://sts.windows.net/98a530c8BLAH/</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
<AttributeValue>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2020-12-01T22:09:32.817Z"
SessionIndex="_652287a7-ae18-4c36-9a19-140d44265e00">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</samlp:Response>

I think I have it resolved.

While other SSO solutions provide attributes like "surname" and "id", Microsoft provides a URL that links to the definition they use for the object. Sort of counter-intuitively, use the entire URL!

Also, you need to add the Email attribute manually in the Azure app as an additional claim.

So...

ID Property = http://schemas.microsoft.com/identity/claims/objectidentifier

First Name = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

Last = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

Email = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Note that it is important to use the objectidentifier for ID (it is the user's GUID) because that is sent back to the MS SAML for logging the user out. If that is wrong, the user stays signed into SSO & SAML even if they click logout in Knack.
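As an added illustration of the mapping described above (this is example code, not Knack's or Azure's), the following parses the AttributeStatement of a constructed, unsigned sample response and resolves the application's user fields through a claim map. With the short names the ID lookup comes back empty, which is the condition that lets every login collapse onto one user record; with the full claim URIs the fields resolve. The claim map keys (id, first_name, last_name, email) and the sample GUID are assumptions.

```python
import xml.etree.ElementTree as ET

# Namespaces used in an Azure AD SAML 2.0 response.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Azure AD emits claim names as full URIs; the mapping must use them verbatim.
CLAIM_MAP_FULL_URI = {
    "id": "http://schemas.microsoft.com/identity/claims/objectidentifier",
    "first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
}

# The short names tried first; none of them equals an Azure claim Name.
CLAIM_MAP_SHORT = {"id": "id", "first_name": "givenname", "last_name": "surname", "email": "emailaddress"}

# Constructed sample (no Signature, placeholder GUID); not the thread's real payload.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" ID="_r1">
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
    <AttributeStatement>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier"><AttributeValue>00000000-0000-4000-8000-000000000001</AttributeValue></Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><AttributeValue>ken</AttributeValue></Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><AttributeValue>curtis</AttributeValue></Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><AttributeValue>ken@example.com</AttributeValue></Attribute>
    </AttributeStatement>
  </Assertion>
</samlp:Response>"""


def extract_attributes(response_xml):
    """Return {claim Name: first AttributeValue} from the assertion's AttributeStatement.

    Signature verification is assumed to have happened upstream; this only reads claims.
    """
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = value.text if value is not None else None
    return attrs


def map_user(attrs, claim_map):
    """Resolve the application's user fields through claim_map.

    Raises ValueError when the ID claim is absent: silently accepting an empty id
    is exactly how every login ends up as the same user.
    """
    user = {field: attrs.get(claim_name) for field, claim_name in claim_map.items()}
    if not user["id"]:
        raise ValueError("ID claim %r not present in assertion" % claim_map["id"])
    return user
```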

I tried to get SSO working with Auth0 a while back and was getting similar messages. Tried everything and nothing seemed to work and support really couldn't help.