SAML Transformation Fallback Workaround (Microsoft Entra ID)
Overview
This document describes a targeted workaround implemented within Microsoft Entra ID to address a SAML single sign-on (SSO) integration limitation with Enroly (CAS Shield), where the service provider requires the givenName (first name) attribute to be present during authentication.
The workaround enables successful authentication for users who have a single name recorded in Entra ID (i.e. the givenName attribute is not populated), without modifying directory data.
Background
During investigation of a user login issue raised by the Enroly support team, it was identified that:
- The affected user has only the Surname attribute populated in Entra ID; givenName is empty.
- Microsoft Entra ID completes SAML authentication and issues the assertion even when givenName is empty.
- Enroly enforces givenName as a mandatory SAML attribute and rejects the authentication if it is missing.
This behaviour is on the Service Provider side and outside Entra ID's control. However, a controlled, application-scoped workaround is possible using SAML claim transformations.
Design Principles
The workaround was designed with the following principles in mind:
- Application-scoped only – no tenant-wide or directory-wide impact
- Non-destructive – no changes to user objects or identity source data
- Least privilege / minimal impact – only activates when givenName is empty
- Reversible – easy to remove if Service Provider configuration changes
Technical Summary
The SAML givenName claim for the Enroly Enterprise Application is configured using a conditional transformation:
- If user.givenName is populated > send user.givenName
- If user.givenName is empty > fall back to user.displayName
This ensures that Enroly always receives a non-null givenName value, allowing authentication to complete successfully.
No other SAML claims are affected.
Implementation Details
Microsoft Entra ID > Enterprise Applications > Enroly > Single sign-on > Attributes & Claims
Claim:
- Name: givenname
- Namespace: Default (http://schemas.xmlsoap.org/ws/2005/05/identity/claims)
Transformation Logic (the order of the two steps matters: the givenName test must come first, otherwise the fallback value would overwrite a populated givenName and the "only activates when givenName is empty" principle would not hold):
- IfNotEmpty(user.givenname) > output user.givenname
- IfEmpty(previous output) > output user.displayname
displayName is used as the fallback rather than surname because displayName is a required attribute on every Entra ID user object, whereas surname can itself be empty; this is what guarantees a non-empty givenName claim.
Verification:
- Test with one user whose givenName is populated and one whose givenName is empty, capture the issued SAML assertion (for example with a browser SAML tracing extension), and confirm that the givenname attribute carries user.givenName for the first user and user.displayName for the second, and that no other attribute has changed.
This transformation is evaluated at authentication time and does not write back to Entra ID.
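The conditional logic from the Technical Summary and the two-step transformation above, as an added example that is not part of this document or of Entra ID itself: a small Python model of the claim evaluation that contrasts the correct ordering with a surname-first ordering, plus a check that parses a captured SAML assertion and confirms what the givenname attribute carries. The user records, the assertion and the tenant ID in its Issuer element are constructed sample data.

```python
"""Model of the conditional givenname claim and a check over a captured SAML assertion.

Added example for this document; not Entra ID code. The transformation is
re-implemented here so the two step orderings can be compared offline.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Standard claim URIs used by Entra ID's default SAML claims.
GIVENNAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
SURNAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def first_non_empty(*values: Optional[str]) -> Optional[str]:
    """Return the first non-empty value, or None if all are empty (IfNotEmpty/IfEmpty chain)."""
    for value in values:
        if value:
            return value
    return None


def givenname_claim(user: Dict[str, str]) -> Optional[str]:
    """Documented ordering: IfNotEmpty(givenname) -> givenname; IfEmpty(previous) -> displayName."""
    return first_non_empty(user.get("givenName"), user.get("displayName"))


def givenname_claim_surname_first(user: Dict[str, str]) -> Optional[str]:
    """Inverted ordering (surname tested first). Included only to show that it sends the
    surname as givenName for every user who has one, and None when both are empty."""
    return first_non_empty(user.get("surname"), user.get("givenName"))


# Constructed sample users (hypothetical directory data).
USERS = {
    "two_names": {"givenName": "Alice", "surname": "Smith", "displayName": "Alice Smith"},
    "single_name": {"givenName": "", "surname": "Madonna", "displayName": "Madonna"},
    "no_names": {"givenName": "", "surname": "", "displayName": "svc-enroly-test"},
}

# Constructed assertion fragment as Entra ID would issue it for the single-name user
# after the workaround (signature and other elements omitted; tenant ID is a placeholder).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Madonna</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Madonna</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_attributes(assertion_xml: str) -> Dict[str, List[str]]:
    """Collect Attribute Name -> [AttributeValue, ...] from an Assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    result: Dict[str, List[str]] = {}
    for attr in root.findall("./saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        result[attr.get("Name", "")] = values
    return result


def check_givenname(assertion_xml: str, user: Dict[str, str]) -> Dict[str, bool]:
    """Verify the givenname claim in a captured assertion against the directory record:
    present and non-empty, equal to the documented transformation's output, and flag
    whether the fallback (displayName) was applied rather than a real givenName."""
    sent_values = saml_attributes(assertion_xml).get(GIVENNAME_CLAIM, [])
    sent = sent_values[0] if sent_values else ""
    return {
        "present": bool(sent),
        "matches_expected": sent == givenname_claim(user),
        "fallback_applied": bool(sent) and not user.get("givenName"),
    }


if __name__ == "__main__":
    for name, user in USERS.items():
        print(name, "documented:", givenname_claim(user),
              "surname-first:", givenname_claim_surname_first(user))
    print(check_givenname(SAMPLE_ASSERTION, USERS["single_name"]))
```

Running the model shows the practical difference between the orderings: with the documented ordering the two-name user keeps "Alice" and the user with neither name still gets a non-empty claim from displayName, whereas the surname-first ordering sends "Smith" as the two-name user's givenName and produces no value at all for the user with neither name.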
Impact Assessment
Who is affected:
- Only users authenticating to Enroly via SAML
- Only users whose givenName attribute is empty
What changes:
- Enroly receives a substituted givenName value (the user's displayName) for single-name users
What does NOT change:
- Entra ID user attributes
- Other enterprise applications
- Authentication behaviour for users with a populated givenName
Risks and Considerations
- The givenName value provided to Enroly may not represent a true first name.
- If Enroly stores or reuses the attribute internally, the fallback value may persist within their system even after a real givenName is later populated in Entra ID.
- This workaround compensates for a mandatory SAML attribute requirement on the Service Provider side and should be reviewed if Enroly updates its SAML requirements.
This implementation should not be used as a general pattern unless explicitly required.
