
Changing claim rules to re-write UPN in AzureAD SSO


The SSO login process matches the UPN passed from AzureAD against the UPN in on-prem Active Directory (AD).
When the two do not match, a warning is shown that your login name does not match, and login is not granted.


If your users' UPNs in AzureAD do not match AD, for example because the accounts were created manually and are not synced, or because the UPNs are changed on sync, you will need to change the default claim rule on the MyWorkDrive Enterprise App in AzureAD to re-write them to match the UPN in AD, in order for SSO logins to succeed.

The easiest way to re-write the UPN on the App is to use a RegEx: extract the UPN prefix (the name portion before the @domain) and append a custom domain.

https://learn.microsoft.com/en-us/azure/active-directory/develop/saml-claims-customization#regex-based-claims-transformation

In this case, our users' UPNs in AD use the domain "@corp.company.com",
while their UPNs in AzureAD use the domain "@company.com", which has been re-written to match their email address.


So when they log in to AzureAD as user@company.com, SSO rejects the login because it does not match user@corp.company.com in Active Directory.

Log in to Azure and edit the AzureAD (Entra) Enterprise App for your MyWorkDrive SSO.

From the Single Sign-On panel, click to edit box 2, Attributes & Claims.

Click on the first entry, the Required Claim.

Change the Source from Attributes to Transformation.

In the new window that opens, select the Transformation "RegExReplace()".

For Attribute Name, select "user.userprincipalname" at the bottom of the list.


In the RegEx Pattern, specify the domain name you are changing from, i.e., the domain in AzureAD. Retain the formatting and characters as shown in the example.

(?'domain'^.*?)(?i)(\@company\.com)$

In the Replacement pattern, specify the variable {domain} followed by the domain name you are changing to, i.e., the domain in AD:

{domain}@corp.company.com

You can then use the test tool to validate that the regex correctly re-writes your login.

Enter the user's email (the UPN from AzureAD) and it will show the transformation to the UPN that matches AD. We enter user@company.com and expect it to output user@corp.company.com, and it does.


If you make a mistake in the transformation, a warning is shown at the top of the page
(in this case, we misspelled the domain name for the test user).
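The RegExReplace() transformation above, reproduced in Python as an added example (not MyWorkDrive's or Microsoft's code) so the pattern can be checked offline before it is saved in Entra. The .NET named group `(?'domain'...)` becomes Python's `(?P<domain>...)`, the sample UPNs are constructed, and the case-insensitive comparison in `sso_name_matches` is an assumption about how the SSO match behaves.

```python
import re
from typing import Optional

# Entra RegExReplace() pattern from the article, in Python syntax.
# .NET's (?'domain'...) named group becomes (?P<domain>...), and the
# mid-pattern (?i) flag becomes a scoped (?i:...) group so that only the
# domain part is matched case-insensitively (Python rejects a global
# flag placed mid-pattern).
AZURE_DOMAIN = "company.com"        # domain on the Entra UPN (changing from)
AD_DOMAIN = "corp.company.com"      # domain on the on-prem AD UPN (changing to)

PATTERN = re.compile(r"(?P<domain>^.*?)(?i:\@" + re.escape(AZURE_DOMAIN) + r")$")
REPLACEMENT = "{domain}@" + AD_DOMAIN   # the article's Replacement pattern


def rewrite_upn(entra_upn: str) -> Optional[str]:
    """Apply the claim transformation to one UPN.

    Returns None when the pattern does not match: Entra's test tool reports
    that as an error, and at login the untransformed UPN would still fail
    the AD match.
    """
    m = PATTERN.match(entra_upn)
    if m is None:
        return None
    # Entra substitutes {groupname} in the Replacement pattern; do the same.
    return REPLACEMENT.format(domain=m.group("domain"))


def sso_name_matches(entra_upn: str, ad_upn: str) -> bool:
    """Mirror the SSO check described in the article: the rewritten claim
    must equal the user's AD UPN. Comparison is case-insensitive here,
    which is an assumption, not something the article states."""
    rewritten = rewrite_upn(entra_upn)
    return rewritten is not None and rewritten.lower() == ad_upn.lower()


if __name__ == "__main__":
    # Constructed sample logins (not real accounts); the third one has a
    # misspelled domain like the failed test in the article.
    for upn in ["user@company.com", "User@COMPANY.COM", "user@comapny.com"]:
        print(f"{upn:20} -> {rewrite_upn(upn)}")
```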

To finish saving your changes, scroll down and click Add. The window should close.

Click Save on the Manage Claim page.


You should now be able to go to the login URL for your MyWorkDrive server, enter your email (user@company.com), and log in successfully.


You can also test that the AD UPN (user@corp.company.com) has access using the Share Test Tool option on the Shares page of MyWorkDrive Admin.

Select Test, select SSO, and use the UPN as entered in AD (in this case, user@corp.company.com). If the test tool validates access and the re-write is correct, user logins will succeed.

If there are errors, troubleshoot them in your environment (share permissions, delegation not set, user not a member of a group that has permission to the share, etc.).