SOLVED

Passing Additional Attributes during Authentication?

%3CLINGO-SUB%20id%3D%22lingo-sub-71142%22%20slang%3D%22en-US%22%3ERe%3A%20Passing%20Additional%20Attributes%20during%20Authentication%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-71142%22%20slang%3D%22en-US%22%3E%3CP%3EAfter%20some%20more%20research%2C%20and%20digging%20through%20documentation%2C%20I%20think%20this%20is%20the%20process%20that%20needs%20to%20be%20followed%20for%20the%20'category'%20%3D%20%7B%20Bronze%2CSilver%2CGold%7D%20example%20above%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3COL%3E%3CLI%3EDecide%20to%20use%20either%20Roles%20or%20Groups%20for%20this.%26nbsp%3B(I%20think%20I%20can%20get%20the%20business%20to%20accept%20using%20groups)%3C%2FLI%3E%3CLI%3EGoto%20each%20Applications%20entry%20in%20the%20AAD%20application%20Registration%20list%2C%20and%20download%20the%20Manifest.%3C%2FLI%3E%3CLI%3EEdit%20the%20manifest%2C%20looking%20for%3A%20%22groupMembershipClaims%3Dnull%2C%22%3C%2FLI%3E%3CLI%3Echange%20this%20to%3A%20groupMembershipClaims%3D%22SecurityGroup%22%3C%2FLI%3E%3CLI%3Eupload%2Fsave%20the%20application%20manifest%3C%2FLI%3E%3C%2FOL%3E%3CP%3EThe%20application%20should%20now%20be%20recieving%20a%20claim%20called%20groups%2C%20that%20contains%20the%20users%20groups.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20post%20describes%20this%20more%3A%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fblogs.technet.microsoft.com%2Fenterprisemobility%2F2014%2F12%2F18%2Fazure-active-directory-now-with-group-claims-and-application-roles%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fblogs.technet.microsoft.com%2Fenterprisemobility%2F2014%2F12%2F18%2Fazure-active-directory-now-with-group-claims-and-application-roles%2F%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20more%20complex%20data%20exchange%2C%20I%20also%20was%20able%20to%20get%20a%20hold%20of%20this%20page%2C%20describing%20a%20way%20to%20extend%20the%20directory%20schema%20to%20store%20additional%20attributes%20for%20an%20application.%26nbsp%3B(%3CA%20href%3D%22https%3A%2F%2Fdeveloper.microsoft.com%2Fen-us%2Fgraph%2Fdocs%2Fapi-reference%2Fbeta%2Fapi%2Fapplication_post_extensionproperties%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdeveloper.microsoft.com%2Fen-us%2Fgraph%2Fdocs%2Fapi-reference%2Fbeta%2Fapi%2Fapplication_post_extensionproperties%3C%2FA%3E)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20believe%20attributes%20that%20are%20added%20this%20way%20can%20then%20be%20used%20during%20SAML2%2FOIDC%20claims%20mapping%2Ftransformation%2C%20and%20also%20in%20SCIM%20mapping.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-70435%22%20slang%3D%22en-US%22%3ERe%3A%20Passing%20Additional%20Attributes%20during%20Authentication%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-70435%22%20slang%3D%22en-US%22%3E%3CP%3EOr%20If%20I%20am%20using%20SCIM%2C%20how%20do%20I%20map%20a%20custom%20attribute%20(hypothetically%20speaking%20a%20Open%2C%20or%20even%20schema%20extension%20attribute)%20to%20a%20SCIM%20attribute%20configuration%20entry%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FMicrosoft%2Fazure-docs%2Fblob%2Fmaster%2Farticles%2Factive-directory%2Factive-directory-saas-customizing-attribute-mappings.md%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2FMicrosoft%2Fazure-docs%2Fblob%2Fmaster%2Farticles%2Factive-directory%2Factive-directory-saas-customizing-attribute-mappings.md%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-70305%22%20slang%3D%22en-US%22%3ERE%3A%20Passing%20Additional%20Attributes%20during%20Authentication%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-70305%22%20slang%3D%22en-US%22%3E%3CP%3EIt%20seems%20like%20open%20extensions%20(%3CA%20href%3D%22https%3A%2F%2Fdeveloper.microsoft.com%2Fen-us%2Fgraph%2Fdocs%2Fconcepts%2Fextensibility_open_users%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdeveloper.microsoft.com%2Fen-us%2Fgraph%2Fdocs%2Fconcepts%2Fextensibility_open_users%3C%2FA%3E)%20or%20schemaExtensions(%3CA%20href%3D%22https%3A%2F%2Fdeveloper.microsoft.com%2Fen-us%2Fgraph%2Fdocs%2Fapi-reference%2Fv1.0%2Fresources%2Fschemaextension%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdeveloper.microsoft.com%2Fen-us%2Fgraph%2Fdocs%2Fapi-reference%2Fv1.0%2Fresources%2Fschemaextension%3C%2FA%3E)%20are%20good%20ways%20to%20store%20this%20sort%20of%20information.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20I%20do%20store%20something%20like%20category%20as%20an%20openExtension%20attribute%2C%20how%20do%20I%20specify%20an%20openExtensionID.attribute%20as%20a%20value%20in%20an%20outbound%20SAML%20claim%20or%20an%20OIDC%20attribute%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-70285%22%20slang%3D%22en-US%22%3EPassing%20Additional%20Attributes%20during%20Authentication%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-70285%22%20slang%3D%22en-US%22%3E%3CP%3ESAML2%2C%20and%20OIDC%20both%20support%20transporting%20additional%20attributes%20during%20authentication.%20This%20is%20very%20useful%20to%20setup%20Just%20in%20Time%20(JIT)%20provisioning.%20%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20is%20the%20recommended%20way%20to%20store%20additional%20attributes%20in%20AAD%2C%20and%20how%20can%20I%20configure%20the%20AAD%20application%20authentication%20entry%20to%20send%20these%20additional%20attributes%20to%20the%20application%20during%20authentication%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHypothetical%20example%3A%20my%20guest%20users%20fall%20into%203%20categories%3B%20Bronze%2C%20Silver%2C%20and%20Gold.%20%26nbsp%3BEach%20of%20my%204%20SaaS%20applications%20react%20differently%20for%20users%20depending%20on%20this%20category.%20%26nbsp%3BI%20would%20like%20to%20not%20have%20to%20setup%20a%20user%204%20seperate%20times%2C%20specifying%20their%20category%20level%20for%20each%20application.%20(and%20when%20that%20category%20increases%20decreases%2C%20have%20to%20visit%20each%20application%20to%20change%20it).%20%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThese%204%26nbsp%3BSaaS%20applications%20support%20SAML2%20or%20OIDC%2C%20and%20understand%20how%20to%20read%20(even%20custom)%20attributes%20out%20of%20those%20authentications.%20%26nbsp%3BThese%20applications%20are%20not%20Azure%20Gallery%20apps%2Fdo%20not%20understand%20Graph%20API%2C%20and%20are%20not%20setup%20to%20use%20remote%20user%20lookup%20capabilities%20like%20the%20Userinfo%20endpoint%20from%20OIDC.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20thought%20it%20would%20be%20possible%20to%20add%20a%20%22category%22%20to%20my%20guest%20users%20in%20my%20Azure%20Active%20Directory%2C%20and%20then%20configure%20the%20application%20entries%20in%20AAD%20to%20send%2Fpush%20'category'%20along%20with%20the%20other%20basic%20profile%20attributes%20and%20authentication.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHow%20do%20I%20do%20this%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-70285%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%20B2B%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EB2B%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Highlighted
Occasional Contributor

SAML2, and OIDC both support transporting additional attributes during authentication. This is very useful to setup Just in Time (JIT) provisioning.  

 

What is the recommended way to store additional attributes in AAD, and how can I configure the AAD application authentication entry to send these additional attributes to the application during authentication?

 

Hypothetical example: my guest users fall into 3 categories; Bronze, Silver, and Gold.  Each of my 4 SaaS applications react differently for users depending on this category.  I would like to not have to setup a user 4 seperate times, specifying their category level for each application. (and when that category increases decreases, have to visit each application to change it).  

 

These 4 SaaS applications support SAML2 or OIDC, and understand how to read (even custom) attributes out of those authentications.  These applications are not Azure Gallery apps/do not understand Graph API, and are not setup to use remote user lookup capabilities like the Userinfo endpoint from OIDC.

 

I thought it would be possible to add a "category" to my guest users in my Azure Active Directory, and then configure the application entries in AAD to send/push 'category' along with the other basic profile attributes and authentication. 

 

How do I do this? 

 

3 Replies
Highlighted

It seems like open extensions (https://developer.microsoft.com/en-us/graph/docs/concepts/extensibility_open_users) or schemaExtensions(https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/resources/schemaextension) are good ways to store this sort of information.

 

If I do store something like category as an openExtension attribute, how do I specify an openExtensionID.attribute as a value in an outbound SAML claim or an OIDC attribute?

Highlighted

Or If I am using SCIM, how do I map a custom attribute (hypothetically speaking a Open, or even schema extension attribute) to a SCIM attribute configuration entry?

 

https://github.com/Microsoft/azure-docs/blob/master/articles/active-directory/active-directory-saas-...

 

 

Highlighted
Best Response confirmed by Chad Carlton (Occasional Contributor)
Solution

After some more research, and digging through documentation, I think this is the process that needs to be followed for the 'category' = { Bronze,Silver,Gold} example above

 

  1. Decide to use either Roles or Groups for this. (I think I can get the business to accept using groups)
  2. Goto each Applications entry in the AAD application Registration list, and download the Manifest.
  3. Edit the manifest, looking for: "groupMembershipClaims=null,"
  4. change this to: groupMembershipClaims="SecurityGroup"
  5. upload/save the application manifest

The application should now be recieving a claim called groups, that contains the users groups.

 

This post describes this more: 

https://blogs.technet.microsoft.com/enterprisemobility/2014/12/18/azure-active-directory-now-with-gr...

 

For more complex data exchange, I also was able to get a hold of this page, describing a way to extend the directory schema to store additional attributes for an application. (https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/application_post_extensionpr...)

 

I believe attributes that are added this way can then be used during SAML2/OIDC claims mapping/transformation, and also in SCIM mapping.