Forum Discussion

Chad Carlton
Copper Contributor
May 16, 2017
Solved

Passing Additional Attributes during Authentication?

SAML2 and OIDC both support transporting additional attributes during authentication. This is very useful to set up Just in Time (JIT) provisioning. What is the recommended way to store additio...
  • Chad Carlton
    May 18, 2017

    After some more research, and digging through documentation, I think this is the process that needs to be followed for the 'category' = {Bronze, Silver, Gold} example above.


    1. Decide to use either Roles or Groups for this. (I think I can get the business to accept using groups.)
    2. Go to each application's entry in the AAD application registration list, and download the manifest.
    3. Edit the manifest, looking for: "groupMembershipClaims=null,"
    4. Change this to: groupMembershipClaims="SecurityGroup"
    5. Upload/save the application manifest.

    The application should now be receiving a claim called groups, that contains the user's groups.


    This post describes this more:

    https://blogs.technet.microsoft.com/enterprisemobility/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles/


    For more complex data exchange, I also was able to get a hold of this page, describing a way to extend the directory schema to store additional attributes for an application. (https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/application_post_extensionproperties)


    I believe attributes that are added this way can then be used during SAML2/OIDC claims mapping/transformation, and also in SCIM mapping.
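As an added illustration of the procedure in the answer above (this is example code, not part of the original thread or of any Microsoft sample), the first function applies the manifest edit from steps 3 and 4, and the second maps the resulting `groups` claim to the Bronze/Silver/Gold category, failing closed when the claim is absent or matches no known group. The group object IDs and the manifest fragment are constructed placeholders.

```python
import json
from typing import Optional

# Constructed example: object IDs of the three AAD security groups (hypothetical
# GUIDs, not real tenant values) that stand for the 'category' values.
GROUP_TO_CATEGORY = {
    "11111111-1111-1111-1111-111111111111": "Bronze",
    "22222222-2222-2222-2222-222222222222": "Silver",
    "33333333-3333-3333-3333-333333333333": "Gold",
}
# If a user sits in more than one of these groups, the highest tier wins.
RANK = {"Bronze": 0, "Silver": 1, "Gold": 2}


def enable_group_claims(manifest_json: str) -> str:
    """Steps 3-4 of the answer: set groupMembershipClaims to "SecurityGroup"
    in a downloaded application manifest and return the edited JSON text."""
    manifest = json.loads(manifest_json)
    manifest["groupMembershipClaims"] = "SecurityGroup"
    return json.dumps(manifest, indent=2)


def category_from_claims(claims: dict) -> Optional[str]:
    """Map the 'groups' claim of an already-validated token (signature, issuer
    and audience checked before this point) to the application's category.

    Returns None (deny by default) when the claim is missing, is not a list,
    or contains no group the application knows about: a token without a
    usable groups claim must not silently be granted the lowest tier.
    """
    groups = claims.get("groups")
    if not isinstance(groups, list):
        return None
    matched = [GROUP_TO_CATEGORY[g] for g in groups if g in GROUP_TO_CATEGORY]
    if not matched:
        return None
    return max(matched, key=RANK.__getitem__)


if __name__ == "__main__":
    # Constructed manifest fragment mirroring the line the answer says to look for.
    manifest = '{"appId": "00000000-0000-0000-0000-000000000000", "groupMembershipClaims": null}'
    print(enable_group_claims(manifest))
    # Constructed token claims as the app would see them after the manifest change.
    claims = {"sub": "user1", "groups": ["22222222-2222-2222-2222-222222222222"]}
    print(category_from_claims(claims))  # Silver
```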

