Overview
In some migration scenarios, administrators may need Microsoft Entra ID to return usernames without the domain portion in the SAML assertion.
This is commonly used when migrating from LDAP or RADIUS authentication while continuing to authenticate against Active Directory. Matching the SAML username to the existing Access Server username allows Access Server to reuse existing accounts rather than create new user records.
For example:
- user@example.com → creates a new user record.
- user → matches an existing local Access Server user.
Solution
- Sign in to the Azure portal.
- Go to Identity → Applications → Enterprise applications.
- Select your SAML application.
- Once the application loads, select Single sign-on from the navigation menu.
- Under Attributes & Claims, select Edit.
- Next to the Unique User Identifier (Name ID) claim, select the three-dot menu, and select Manage claim.
- Under Source attribute, select user.mailnickname.
- Save.
After saving the change, Entra ID returns usernames in the format user instead of user@example.com.
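The following added example (not Access Server's or Entra ID's own code) shows the matching rule from the overview in practice: it pulls the NameID out of a constructed SAML assertion, applies the page's exact-match rule against a constructed set of pre-existing accounts, and audits a batch of NameIDs for UPN-form values that would silently create a second record beside an existing local user. The assertion, tenant ID and user names are all placeholders.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not real Entra ID output); only the Subject
# matters here, so signature and conditions are omitted. The Issuer tenant ID
# is a zeroed placeholder.
ASSERTION_TEMPLATE = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">{nameid}</saml:NameID>
  </saml:Subject>
</saml:Assertion>
"""

# Constructed set of accounts that already exist in Access Server from the
# LDAP/RADIUS days; the SAML username is compared against these.
EXISTING_USERS = {"user", "jdoe"}


def extract_nameid(assertion_xml: str) -> str:
    """Return the NameID value from a SAML 2.0 assertion, namespace-aware."""
    root = ET.fromstring(assertion_xml)
    node = root.find("./saml:Subject/saml:NameID", SAML_NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion carries no usable NameID")
    return node.text.strip()


def classify_login(nameid: str, existing_users: set) -> str:
    """Exact match reuses the account; anything else, including
    user@example.com when only 'user' exists, creates a new record."""
    return "matches existing user" if nameid in existing_users else "creates new user record"


def find_shadow_duplicates(nameids, existing_users: set) -> list:
    """Pre-cutover audit: NameIDs still in UPN form whose local part is an
    existing account. Each of these would create a second, empty user record
    instead of reusing the migrated one."""
    hits = []
    for nameid in nameids:
        local, sep, _domain = nameid.partition("@")
        if sep and nameid not in existing_users and local in existing_users:
            hits.append((nameid, local))
    return hits
```

Run `find_shadow_duplicates` over the NameIDs seen in a test sign-in batch before switching the claim source; an empty result means the mailnickname change has taken effect for every migrated account in the sample.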
Note: For users migrated from LDAP or RADIUS authentication, we recommend downloading a new connection profile after enabling SAML authentication.
Existing connection profiles created for Local, PAM, LDAP, or RADIUS authentication contain the auth-user-pass directive. When using those profiles after SAML authentication is enabled, users may be prompted for a password before being redirected to the SSO portal.
If you have additional questions, please submit a support ticket.