cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Passing Additional Attributes during Authentication?

Chad Carlton
Copper Contributor

‎May 16 2017 05:06 AM - last edited on ‎Jan 14 2022 04:49 PM by

‎May 16 2017 05:06 AM - last edited on ‎Jan 14 2022 04:49 PM by

Passing Additional Attributes during Authentication?

SAML2, and OIDC both support transporting additional attributes during authentication. This is very useful to setup Just in Time (JIT) provisioning.  

 

What is the recommended way to store additional attributes in AAD, and how can I configure the AAD application authentication entry to send these additional attributes to the application during authentication?

 

Hypothetical example: my guest users fall into 3 categories; Bronze, Silver, and Gold.  Each of my 4 SaaS applications react differently for users depending on this category.  I would like to not have to setup a user 4 seperate times, specifying their category level for each application. (and when that category increases decreases, have to visit each application to change it).  

 

These 4 SaaS applications support SAML2 or OIDC, and understand how to read (even custom) attributes out of those authentications.  These applications are not Azure Gallery apps/do not understand Graph API, and are not setup to use remote user lookup capabilities like the Userinfo endpoint from OIDC.

 

I thought it would be possible to add a "category" to my guest users in my Azure Active Directory, and then configure the application entries in AAD to send/push 'category' along with the other basic profile attributes and authentication. 

 

How do I do this? 

 

Labels:
5,094 Views
1 Like
3 Replies
Reply
3 Replies
Chad Carlton

‎May 16 2017 06:07 AM - edited ‎May 18 2017 10:04 AM

‎May 16 2017 06:07 AM - edited ‎May 18 2017 10:04 AM

RE: Passing Additional Attributes during Authentication?

It seems like open extensions (https://developer.microsoft.com/en-us/graph/docs/concepts/extensibility_open_users) or schemaExtensions(https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/resources/schemaextension) are good ways to store this sort of information.

 

If I do store something like category as an openExtension attribute, how do I specify an openExtensionID.attribute as a value in an outbound SAML claim or an OIDC attribute?

0 Likes
Reply
Chad Carlton

‎May 16 2017 11:49 AM - edited ‎May 18 2017 10:11 AM

‎May 16 2017 11:49 AM - edited ‎May 18 2017 10:11 AM

Re: Passing Additional Attributes during Authentication?

Or If I am using SCIM, how do I map a custom attribute (hypothetically speaking a Open, or even schema extension attribute) to a SCIM attribute configuration entry?

 

https://github.com/Microsoft/azure-docs/blob/master/articles/active-directory/active-directory-saas-...

 

 

0 Likes
Reply
best response confirmed by Chad Carlton (Copper Contributor)
Chad Carlton

‎May 18 2017 10:38 AM - edited ‎May 18 2017 10:55 AM

‎May 18 2017 10:38 AM - edited ‎May 18 2017 10:55 AM

Solution

Re: Passing Additional Attributes during Authentication?

After some more research, and digging through documentation, I think this is the process that needs to be followed for the 'category' = { Bronze,Silver,Gold} example above

 

  1. Decide to use either Roles or Groups for this. (I think I can get the business to accept using groups)
  2. Goto each Applications entry in the AAD application Registration list, and download the Manifest.
  3. Edit the manifest, looking for: "groupMembershipClaims=null,"
  4. change this to: groupMembershipClaims="SecurityGroup"
  5. upload/save the application manifest

The application should now be recieving a claim called groups, that contains the users groups.

 

This post describes this more: 

https://blogs.technet.microsoft.com/enterprisemobility/2014/12/18/azure-active-directory-now-with-gr...

 

For more complex data exchange, I also was able to get a hold of this page, describing a way to extend the directory schema to store additional attributes for an application. (https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/application_post_extensionpr...)

 

I believe attributes that are added this way can then be used during SAML2/OIDC claims mapping/transformation, and also in SCIM mapping.

 

2 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Chad Carlton (Copper Contributor)
Chad Carlton

‎May 18 2017 10:38 AM - edited ‎May 18 2017 10:55 AM

‎May 18 2017 10:38 AM - edited ‎May 18 2017 10:55 AM

Solution

Re: Passing Additional Attributes during Authentication?

After some more research, and digging through documentation, I think this is the process that needs to be followed for the 'category' = { Bronze,Silver,Gold} example above

 

  1. Decide to use either Roles or Groups for this. (I think I can get the business to accept using groups)
  2. Goto each Applications entry in the AAD application Registration list, and download the Manifest.
  3. Edit the manifest, looking for: "groupMembershipClaims=null,"
  4. change this to: groupMembershipClaims="SecurityGroup"
  5. upload/save the application manifest

The application should now be recieving a claim called groups, that contains the users groups.

 

This post describes this more: 

https://blogs.technet.microsoft.com/enterprisemobility/2014/12/18/azure-active-directory-now-with-gr...

 

For more complex data exchange, I also was able to get a hold of this page, describing a way to extend the directory schema to store additional attributes for an application. (https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/application_post_extensionpr...)

 

I believe attributes that are added this way can then be used during SAML2/OIDC claims mapping/transformation, and also in SCIM mapping.

 

View solution in original post

2 Likes
Reply