
Cisco - Defect ID: CSCwi67638

FMC configured DAP rule with Azure IDP SAML attributes does not match

Last updated on 3/24/2025

Overall
6.1
Severity
6.4
Lifecycle
9.1
Popularity
4.6

Vendor details

  • No defect details.

Symptom

A DAP rule that matches on Azure IDP SAML attributes never matches, so the DAP record is not applied to the session.

Conditions

DAP policy on FTD. Azure AD is used as the IDP with its default claim names, which are URIs containing special characters (':', '/', '.'); the rule does not match when the attribute name contains these characters (see Workaround 1). Example claim as received from Azure AD:

'http://schemas.microsoft.com/identity/claims/tenantid' => 'e81ecb8783ec44f2ad77f368d2ad081d'

DAP record [ not-working-rule ]:

(EVAL(aaa.saml.http://schemas.microsoft.com/identity/claims/objectidentifier,"EQ","e489e895-bb70-4411-bc01-cce8ef673533","string"))

Workaround

1. Recommended: rename the claim in the Azure IDP to a name without special characters (no ':', '/' or '.') and reference that name in the DAP rule.

2. Use a Lua script and define the attribute name and the values to match in the script.

Note: writing Lua scripts is out of the TAC support scope. It is easy to make a mistake and hard to debug. The script below is provided only as an example, as is, with no warranty that it works.

```lua
assert(function()
  -- To see the debugs, "debug dap trace 255" is required
  DEBUG_DAP_TRACE("===== Start!!!! =======\n")

  -- Name of the SAML attribute to check.
  -- Anchor with ^ and $ so string.find behaves like EQ, not CONTAINS.
  -- Lua pattern magic characters (here '.') are escaped with % so the
  -- name is compared literally.
  saml_attribute = "^" .. "http://schemas%.microsoft%.com/identity/claims/objectidentifier" .. "$"

  -- Values that should be matched. Lua pattern magic characters
  -- ('-' in a GUID, also '.', '%', '(', ')', '[', ']', '*', '+', '?', '^', '$')
  -- must be escaped with %, otherwise the value will not match itself.
  match_patterns = {
    "e489e895%-bb70%-4411%-bc01%-cce8ef673533",
    "test2"
  }
  -- Anchor each value pattern so string.find behaves like EQ
  for i, pat in ipairs(match_patterns) do
    match_patterns[i] = "^" .. pat .. "$"
  end

  -- aaa.saml is provided by the DAP runtime: attribute name -> value
  for k, v in pairs(aaa.saml) do
    if string.find(k, saml_attribute) ~= nil then
      DEBUG_DAP_TRACE("====== Matched attribute name " .. k .. " ======\n")
      for _, pat in ipairs(match_patterns) do
        DEBUG_DAP_TRACE("=== v: " .. v .. "\n=== ")
        if string.find(v, pat) ~= nil then
          DEBUG_DAP_TRACE("LUA script matched!: " .. v .. " ===\n")
          return true
        else
          DEBUG_DAP_TRACE("LUA script not matched! v: " .. v .. "\n")
        end
      end
    end
  end
  DEBUG_DAP_TRACE("====== DONE, no match found ======\n")
  return false
end)()
```
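Because the DAP Lua environment is hard to debug on the firewall, it helps to test the matching logic offline first. The following is an added, stand-alone harness (not Cisco's code and not part of the bug report) that factors the matching into a `dap_match` function, escapes Lua pattern magic characters automatically instead of by hand, and runs it against a constructed `aaa.saml` table with the claim names from this defect. `aaa.saml` and `DEBUG_DAP_TRACE` are stubbed here; on the appliance they are supplied by the DAP runtime. The handling of a table-valued attribute is an assumption (the DAP runtime may present multi-valued attributes that way) and is not described on this page.

```lua
-- Escape every Lua pattern magic character so a literal string can be
-- used with string.find as an exact (EQ) comparison.
local function lua_escape(s)
  return (s:gsub("[%^%$%(%)%%%.%[%]%*%+%-%?]", "%%%0"))
end

-- Return true if attribute `attr_name` exists in `saml` and one of its
-- values equals one of the strings in `wanted` (string comparison, like EQ).
-- `trace` is an optional logger; on the firewall pass DEBUG_DAP_TRACE.
-- Assumption: a value may be a string or a table of strings.
local function dap_match(saml, attr_name, wanted, trace)
  trace = trace or function() end
  local name_pat = "^" .. lua_escape(attr_name) .. "$"
  local value_pats = {}
  for i, w in ipairs(wanted) do
    value_pats[i] = "^" .. lua_escape(w) .. "$"
  end
  for k, v in pairs(saml) do
    if string.find(k, name_pat) then
      trace("matched attribute name " .. k)
      local vals = (type(v) == "table") and v or { v }
      for _, val in ipairs(vals) do
        for _, pat in ipairs(value_pats) do
          if string.find(val, pat) then
            trace("matched value " .. val)
            return true
          end
        end
      end
    end
  end
  trace("no match")
  return false
end

-- Constructed sample of aaa.saml for an Azure AD user with default claim names
local saml = {
  ["http://schemas.microsoft.com/identity/claims/tenantid"] = "e81ecb8783ec44f2ad77f368d2ad081d",
  ["http://schemas.microsoft.com/identity/claims/objectidentifier"] = "e489e895-bb70-4411-bc01-cce8ef673533",
}
local oid = "http://schemas.microsoft.com/identity/claims/objectidentifier"

-- Expected behaviour of the rule from the Conditions section
assert(dap_match(saml, oid, { "e489e895-bb70-4411-bc01-cce8ef673533" }) == true)
assert(dap_match(saml, oid, { "test2" }) == false)
-- Anchors make this an EQ, not a CONTAINS: a prefix must not match
assert(dap_match(saml, oid, { "e489e895" }) == false)
-- Why escaping matters: used unescaped as a pattern, "5-" means
-- "zero or more 5s", so the GUID does not even match itself.
assert(string.find("e489e895-bb70", "^e489e895-bb70$") == nil)
assert(string.find("e489e895-bb70", "^" .. lua_escape("e489e895-bb70") .. "$") == 1)

-- Wrapped the way the DAP runtime expects a script (aaa.saml supplied there):
-- assert(function()
--   return dap_match(aaa.saml, oid, { "e489e895-bb70-4411-bc01-cce8ef673533" }, DEBUG_DAP_TRACE)
-- end)()
print("all checks passed")
```

Run it with a plain `lua` interpreter before pasting the wrapped form into the DAP record; any mistake in the attribute name or in escaping shows up here rather than as a silently non-matching rule on the FTD.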

Further Problem Description


