I have some "Additional claims" in Azure AD that are not being mapped in Cognito, while others are mapped. All the "Additional claims" come as part of the SAML response, so they are present, but for some reason Cognito is not mapping them.
Example:
I've created this attribute in Azure SSO:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/username
with this transformation: ExtractMailPrefix(user.userprincipalname)
Then I have a mapping in my SAML config in Cognito that should map that attribute from the Azure SAML response.
This is the AttributeStatement section of the SAML response that the Azure IdP is sending to Cognito:
<AttributeStatement>
<Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
<AttributeValue>value</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
<AttributeValue>value</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
<AttributeValue>value</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
<AttributeValue>value</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
<AttributeValue>value</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
<AttributeValue>value</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
<AttributeValue>value</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<AttributeValue>value</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
<AttributeValue>value</AttributeValue>
</Attribute>
<Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
<AttributeValue>value</AttributeValue>
</Attribute>
<Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
<AttributeValue>value</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/username">
<AttributeValue>value</AttributeValue>
</Attribute>
</AttributeStatement>
Note: The attributes that Cognito is not mapping are present in the SAML response from Azure, but when the user is created in the pool, those attributes are not there.
The attribute is never saved in the Cognito user pool after the user is signed up.
What am I missing here?
Thank you
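An added diagnostic, not part of the question and not Cognito's own code: it parses an AttributeStatement like the one above and compares each entry of a Cognito attribute mapping against the attribute Names actually present, flagging exact matches, near-misses (only case or whitespace differs) and absent claims. The MAPPING dictionary and the sample values are assumptions; the parser matches on local element names so it accepts both the unprefixed paste above and a real namespaced Azure assertion.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the AttributeStatement in the question.
# The username Name deliberately carries a trailing space to show a near-miss.
SAMPLE_STATEMENT = """<AttributeStatement>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <AttributeValue>user@example.com</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/username ">
    <AttributeValue>user</AttributeValue>
  </Attribute>
</AttributeStatement>"""

# Hypothetical Cognito mapping: pool attribute -> expected SAML attribute Name.
MAPPING = {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "custom:username": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/username",
    "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
}

def _local(tag):
    """Strip an XML namespace ({uri}name -> name) so saml:-prefixed input also matches."""
    return tag.rsplit("}", 1)[-1]

def saml_attributes(xml_text):
    """Return {Name: [values]} for every Attribute element in the statement."""
    root = ET.fromstring(xml_text)
    found = {}
    for elem in root.iter():
        if _local(elem.tag) != "Attribute" or elem.get("Name") is None:
            continue
        values = [v.text or "" for v in elem if _local(v.tag) == "AttributeValue"]
        found[elem.get("Name")] = values
    return found

def check_mapping(mapping, attributes):
    """Classify each mapped pool attribute as ok, near-miss (Name differs only in
    case or surrounding whitespace, which a literal string match rejects) or missing."""
    loose = {name.strip().lower(): name for name in attributes}
    report = {}
    for pool_attr, expected in mapping.items():
        if expected in attributes:
            report[pool_attr] = ("ok", expected)
        elif expected.strip().lower() in loose:
            report[pool_attr] = ("near-miss", loose[expected.strip().lower()])
        else:
            report[pool_attr] = ("missing", expected)
    return report

if __name__ == "__main__":
    for pool_attr, (status, name) in check_mapping(MAPPING, saml_attributes(SAMPLE_STATEMENT)).items():
        print(f"{status:9} {pool_attr} <- {name!r}")
```

Run it against the decoded SAMLResponse of a real sign-in and the pool's actual mapping: an "ok" claim that still does not land on the user points away from the Name string and towards the target attribute's definition in the pool.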