Legacy Knowledge Base
Published Jul. 2, 2025

SAML with Azure AD Fails to Authenticate and Throws Email Validation Error when URL format attribute names are used

Written By

Eric Yan

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

Issue

  • Liferay SAML integration with Azure AD may not be properly configured, specifically with regard to the Attribute Mapping. This results in an Email Validation error being thrown in the logs when a user attempts to log in for the first time.
  • Sample error message:
    2021-03-19 22:23:26.841 ERROR [http-nio-8081-exec-3][WebSsoProfileImpl:219] Email name address must validate with com.liferay.portal.kernel.security.auth.DefaultEmailAddressValidator

Environment

  • Liferay DXP as Service Provider
  • Azure AD as Identity Provider

Resolution

  • When using Azure AD as the Identity Provider, it is common for the Attribute Statement names to be formatted as URLs, such as:
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  • Liferay SAML's Attribute Mapping requires special handling when an attribute name includes any of the following special characters: # ! : =. Each of these characters must be escaped with a backslash: \
  • In the case of Azure AD, it is common for the Attribute Statement names to include a : within the name.
  • To resolve this, simply escape the special characters mentioned above.

    Example - Attribute Mapping with Escaped Characters:
    http\://schemas.xmlsoap.org/ws/2005/05/identity/claims/name=emailAddress
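
Why the unescaped mapping fails, shown as an added example that is not part of the original article or Liferay's own code. It assumes the Attribute Mapping field is read with Java `.properties` key rules (`java.util.Properties`), where `:` and `=` end a key; the class name and the `escapeKey` helper are hypothetical.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;

public class SamlAttributeMappingCheck {

    // Hypothetical helper: prefix the characters the article lists (# ! : =),
    // and the backslash itself, with a backslash.
    static String escapeKey(String attributeName) {
        StringBuilder sb = new StringBuilder();
        for (char c : attributeName.toCharArray()) {
            if (c == '\\' || c == '#' || c == '!' || c == ':' || c == '=') {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }

    // Assumption: the mapping text is parsed the way java.util.Properties parses it.
    static Properties parse(String mappingText) throws IOException {
        Properties props = new Properties();
        props.load(new StringReader(mappingText));
        return props;
    }

    public static void main(String[] args) throws IOException {
        // Claim name taken from the article.
        String claim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name";

        // Unescaped: the key stops at the first ':' so the claim URI is never
        // registered as a key and nothing is mapped to emailAddress.
        Properties unescaped = parse(claim + "=emailAddress");
        System.out.println("unescaped keys   : " + unescaped.stringPropertyNames());
        System.out.println("unescaped lookup : " + unescaped.getProperty(claim));

        // Escaped: the full claim URI survives as the key.
        String line = escapeKey(claim) + "=emailAddress";
        Properties escaped = parse(line);
        System.out.println("escaped line     : " + line);
        System.out.println("escaped lookup   : " + escaped.getProperty(claim));
    }
}
```

Under that assumption, the SP finds no attribute mapped to `emailAddress` in the unescaped case, which is consistent with the email validation error in the log above.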
