Forum Discussion
Passing Additional Attributes during Authentication?
- May 18, 2017
After some more research, and digging through documentation, I think this is the process that needs to be followed for the 'category' = { Bronze, Silver, Gold } example above:
- Decide to use either Roles or Groups for this. (I think I can get the business to accept using groups)
- Go to each Application's entry in the AAD application registration list, and download the manifest.
- Edit the manifest, looking for: "groupMembershipClaims=null,"
- change this to: groupMembershipClaims="SecurityGroup"
- upload/save the application manifest
The application should now be receiving a claim called groups, that contains the user's groups.
This post describes this more:
https://blogs.technet.microsoft.com/enterprisemobility/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles/
For more complex data exchange, I also was able to get a hold of this page, describing a way to extend the directory schema to store additional attributes for an application. (https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/application_post_extensionproperties)
I believe attributes that are added this way can then be used during SAML2/OIDC claims mapping/transformation, and also in SCIM mapping.
Or, if I am using SCIM, how do I map a custom attribute (hypothetically speaking an open, or even schema extension attribute) to a SCIM attribute configuration entry?
https://github.com/Microsoft/azure-docs/blob/master/articles/active-directory/active-directory-saas-customizing-attribute-mappings.md
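As an added example (not code from the post above or from Microsoft), here is the consuming side of the groupMembershipClaims="SecurityGroup" setup: mapping the group object IDs in the token's groups claim to the Bronze/Silver/Gold category and making an authorization decision from it. The group IDs, tier names and sample token payloads are constructed placeholders. It assumes the token signature and issuer were already verified before the claims reach this code, and it fails closed both when the groups claim is missing and in Azure AD's group-overage case, where the token carries _claim_names/_claim_sources instead of groups and the caller is expected to resolve membership via Microsoft Graph.

```python
"""Map Azure AD group claims to an application tier (Bronze/Silver/Gold).

Added example, not part of the forum post. Assumes the app manifest has
groupMembershipClaims set to "SecurityGroup", so tokens carry a `groups`
claim listing group object IDs. The IDs below are constructed placeholders.
"""
from typing import Optional

# Constructed mapping: group object ID -> tier. Real IDs come from the tenant.
TIER_BY_GROUP_ID = {
    "00000000-0000-0000-0000-00000000b001": "Bronze",
    "00000000-0000-0000-0000-00000000c002": "Silver",
    "00000000-0000-0000-0000-00000000d003": "Gold",
}
TIER_RANK = {"Bronze": 1, "Silver": 2, "Gold": 3}


class GroupsUnavailable(Exception):
    """Raised when the token does not carry a usable groups claim."""


def extract_group_ids(claims: dict) -> list:
    """Return group object IDs from a decoded, already signature-verified token.

    Azure AD omits `groups` and emits `_claim_names`/`_claim_sources` instead
    when the user belongs to too many groups (the "group overage" case). The
    caller must then query Microsoft Graph; here we fail closed rather than
    silently treating the user as having no groups.
    """
    groups = claims.get("groups")
    if isinstance(groups, list):
        return [g for g in groups if isinstance(g, str)]
    claim_names = claims.get("_claim_names") or {}
    if "groups" in claim_names:
        raise GroupsUnavailable("group overage: resolve groups via Graph before authorizing")
    raise GroupsUnavailable("no groups claim; check groupMembershipClaims in the manifest")


def resolve_tier(claims: dict) -> Optional[str]:
    """Highest tier granted by the user's groups, or None if no mapped group is present."""
    best = None
    for gid in extract_group_ids(claims):
        tier = TIER_BY_GROUP_ID.get(gid)
        if tier and (best is None or TIER_RANK[tier] > TIER_RANK[best]):
            best = tier
    return best


def is_allowed(claims: dict, required_tier: str) -> bool:
    """Authorization check: fail closed on any problem with the groups claim."""
    try:
        tier = resolve_tier(claims)
    except GroupsUnavailable:
        return False
    return tier is not None and TIER_RANK[tier] >= TIER_RANK[required_tier]


# Constructed sample token payloads (claims only; signature checks happen earlier).
SILVER_USER = {"sub": "user1", "groups": ["00000000-0000-0000-0000-00000000c002"]}
OVERAGE_USER = {
    "sub": "user2",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.example.invalid/placeholder"}},
}
NO_GROUPS_USER = {"sub": "user3"}

if __name__ == "__main__":
    print("tier:", resolve_tier(SILVER_USER))
    print("silver user, Gold required:", is_allowed(SILVER_USER, "Gold"))
    print("overage user, Bronze required:", is_allowed(OVERAGE_USER, "Bronze"))
```

The point of raising rather than returning an empty list in extract_group_ids is that a missing or overflowed groups claim looks identical to "no groups" unless you distinguish it explicitly; treating it as an empty membership would quietly grant the lowest tier to whichever users the token could not describe.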