I am using Single Sign On in Zendesk for my end-user authentication and assigning several attributes. My IDP is Entra/Azure AD. One of the attributes I am passing along is the user's "Organization" membership. For most users, they are a member of a single organization, so I have been using the Join() transformation from Entra to assign the value of "Organizations" as "user.department l user.companyname". The problem I've run into is that some of our users need to be in multiple organizations. When I assign those memberships manually in ZD, they disappear every time the user logs in because ZD treats the claim as the one and only truth, erasing any org memberships that weren't emitted in the claim. I've tried every approach I could think of, but I am still unable to make Entra either ignore this small group of users or emit an alternate value (using the extension attribute) for only these users. Has anyone used Entra to do this multi-layered logic approach for SAML claims?
The solution I came up with is to add the extra org names as values in an extension attribute, and pass that extension attribute in addition to the initial Join() claim. The problem is, if someone has no value for the extension attribute, the login request fails. The error says "Mandatory input 'String 2' missing from transformation". I'm trying to avoid adding custom extension attributes for every single user in my organization just to appease 4 people.
I have also tried creating custom claims policies in Microsoft Graph, but found myself similarly limited. It seems like I can only emit claims if a logic statement results in True, and nothing will happen if it is false.