Azure Entra External ID (CIAM) : Custom IdP

Krishna Gundam 0 Reputation points
2025-08-12T15:49:24.9133333+00:00

Hello !

In our CIAM tenant we have an external custom Identity Provider using the SAML 2.0 protocol. I've created a sign-in flow to use this external IdP, anticipating that user creation happens upon successful authentication by the external IdP.

Problem is: the CIAM tenant is creating the user object, but the assertions from the SAML response are not mapped. I have tried mapping in Enterprise Single Sign-On but with no success. Only email is mapped; everything else, for example givenName and surname, which I have already configured, is not getting mapped during user creation.

Any help is much appreciated. Thank you.

Microsoft Security | Microsoft Entra | Microsoft Entra External ID

1 answer

  1. Sreetheja Adusumilli 325 Reputation points Microsoft External Staff Moderator
    2025-08-26T16:36:36.23+00:00

    Hello Krishna Gundam,

    Thanks for posting your question in Microsoft Q&A!

    When a user signs in through your custom SAML IdP, the SAML response contains a bunch of user details (called "attributes" or "claims") like email, first name, last name, and so on. Azure Entra External ID needs to know exactly how to take these attributes and put them into the right place in the user account profile it creates.

    By default, Azure Entra will only automatically map the email address from the SAML response. All other details like first name (givenName) and last name (surname) need to be explicitly told to Azure by configuring claim or attribute mappings.

    This usually happens because:

    • The names of the attributes sent by your IdP are either different or not exactly matching what Azure Entra expects.
    • The Azure Entra configuration for mapping those attributes is missing or incomplete.
    • Sometimes, Azure Entra creates the user account first and may only update additional user details like names after further syncing or provisioning steps.

    Check the SAML attributes from your IdP

    • Use a tool like SAML-tracer or a browser’s developer tools to capture the actual SAML response when a user signs in.
    • Look inside the response and find the exact names of the attributes for first name, last name, email, etc.
    • Be sure the attribute names are exactly what you intend to map. For example, it might say FirstName or givenName or something else; note the exact spelling and capitalization.

    Configure attribute mappings in Azure Entra External ID

    • Log in to the Azure portal and go to your Azure Entra tenant.
    • Find External Identities > Identity providers and select your custom SAML provider.
    • Look for Claim mapping or Attribute mapping settings.
    • Here, add mappings so Azure knows to take the SAML attribute names you found and map them to Azure user properties. For example:
      • Map SAML attribute givenName to the user property givenname
      • Map surname to surname
      • Confirm the email mapping is correct as it usually is set by default.

    Check the Enterprise Single Sign-On (SSO) settings

    • Go to Entra ID > Enterprise applications and select your application.
    • Under Single sign-on > Attributes & claims, ensure that all required claims like givenName and surname are listed and correctly mapped to the expected attribute names sent by your IdP.
    • If they're missing, add new claims with the exact names from the SAML assertion.

    Use advanced custom claims mapping if needed

    • If the portal settings are not enough and attributes still don’t map correctly, you can use Microsoft Graph API to create detailed and customizable claims mapping policies.
    • This allows more control on how claims from SAML are transformed and matched to user properties during sign-in and provisioning.

    Testing

    • After making these changes, test by signing in with a user from your external IdP.
    • Check that the user record in Azure Entra External ID has the email, given name, and surname correctly populated.
    • If it still does not work, review the sign-in logs in Azure to see if there are warnings or errors related to claims mapping.

    Please Note:

    Mapping these attributes correctly ensures that your users have complete and accurate profiles after signing in. Without mapping, users might get created only with basic information, causing issues in your applications or services relying on user names.

    Microsoft documentation:

    Kindly let us know if the above helps or you need further assistance on this issue.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
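
As an added illustration of the "Check the SAML attributes from your IdP" step above (example code, not part of the answer or of any Microsoft tool): a small Python script that pulls every attribute name out of a captured SAML response and reports, for each name the tenant mapping expects, whether it matches exactly, differs only in capitalization, or is absent. The SAML response and the expected names are constructed for the example and stand in for your own capture and your own mapping configuration.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response (placeholder values, not a real capture).
# It deliberately sends "FirstName" and "Surname" to show both failure modes.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Alex</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Surname"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Attribute names the tenant-side mapping was configured with (assumed for the example).
EXPECTED = ("email", "givenName", "surname")


def extract_attributes(xml_text):
    """Return {attribute Name: [values]} for every Attribute in every AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_mappings(attrs, expected=EXPECTED):
    """Classify each expected name as 'ok', a case-only mismatch, or 'missing'.

    Matching is case-sensitive on purpose: a mapping configured as "surname"
    will not pick up an attribute the IdP sends as "Surname".
    """
    lowered = {name.lower(): name for name in attrs}
    report = {}
    for name in expected:
        if name in attrs:
            report[name] = "ok"
        elif name.lower() in lowered:
            report[name] = "case mismatch: IdP sends " + repr(lowered[name.lower()])
        else:
            report[name] = "missing"
    return report


if __name__ == "__main__":
    for name, status in check_mappings(extract_attributes(SAMPLE_RESPONSE)).items():
        print(f"{name}: {status}")
```

Replace SAMPLE_RESPONSE with the decoded response body from SAML-tracer and EXPECTED with the names used in your mapping configuration; any line that is not "ok" points at the attribute to rename on the IdP side or in the tenant mapping.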

