App Registration query - OIDC connection

Question,

I am trying to establish whether there is a way, using an app registration/enterprise app, for a user to authenticate with a different ID (so authentication would use something other than their UPN for that specific app).

I know it's best practice to use the UPN when authenticating from the IdP (Entra ID) to the SP, rather than the email address for example, and the majority of apps I have configured already set the UPN to match the attribute at the SP.

Any ideas?

I was looking at custom SAML tokens but got a bit lost, and since this is an OIDC app (OpenID Connect and OAuth) I don't know if it applies.

1 Reply

@tt I believe you can accomplish that through Token Configuration > Optional Claims.
Reference: https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims

"Users signing in with an alternate login ID shouldn't be shown their User Principal Name (UPN). Instead, use the following ID token claims for displaying sign-in state to the user: preferred_username or unique_name for v1 tokens and preferred_username for v2 tokens."
Reference: https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims-reference#v10-and-v20-opti...
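The following is an added example, not code from the thread or from Microsoft. It shows the relying-party side of the advice quoted above: the app reads the sign-in identity from `preferred_username` (v2 tokens) or `preferred_username`/`unique_name` (v1 tokens) and never from `upn`, so a user who signed in with an alternate login ID is not shown a UPN they did not type. The tenant, app ID, object ID and identities are hypothetical, the ID-token payloads are constructed (no real token is issued or validated), and the `optionalClaims` dict reproduces the manifest shape that Token configuration writes when `preferred_username` is added to the ID token.

```python
import base64
import json

# Constructed sample (hypothetical tenant and user): the UPN is
# jdoe@contoso.onmicrosoft.com, but the user signs in with the alternate
# login ID john.doe@contoso.com.
UPN = "jdoe@contoso.onmicrosoft.com"
ALT_LOGIN_ID = "john.doe@contoso.com"
APP_ID = "11111111-2222-3333-4444-555555555555"          # hypothetical client ID
OID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"             # hypothetical object ID

# Constructed ID-token payloads standing in for what Entra ID would issue.
# 'upn' appears only because it was added as an optional claim.
V2_PAYLOAD = {"ver": "2.0", "aud": APP_ID, "oid": OID,
              "preferred_username": ALT_LOGIN_ID, "upn": UPN}
V1_PAYLOAD = {"ver": "1.0", "aud": APP_ID, "oid": OID,
              "unique_name": ALT_LOGIN_ID, "upn": UPN}

# Manifest fragment produced by Token configuration > Optional claims when
# preferred_username is added to the ID token (optionalClaims resource shape).
OPTIONAL_CLAIMS = {
    "idToken": [{"name": "preferred_username", "source": None,
                 "essential": False, "additionalProperties": []}],
    "accessToken": [],
    "saml2Token": [],
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(payload: dict) -> str:
    """Build a test fixture in compact JWT layout (header.payload.signature)
    with an empty signature. For constructing samples only; a real app must
    reject alg 'none' and verify the signature with the tenant's keys."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header}.{body}."


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT. This does NOT validate signature,
    issuer, audience or expiry; let your OIDC library do that before the
    claims are trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def display_identity(claims: dict) -> str:
    """Pick the identity to show the signed-in user, following the guidance
    quoted in the reply: preferred_username for v2 tokens, preferred_username
    or unique_name for v1 tokens. The upn claim is deliberately never used."""
    version = claims.get("ver")
    if version == "2.0":
        return claims["preferred_username"]
    if version == "1.0":
        return claims.get("preferred_username") or claims["unique_name"]
    raise ValueError(f"unknown token version: {version!r}")


SAMPLE_V2_TOKEN = make_unsigned_token(V2_PAYLOAD)
SAMPLE_V1_TOKEN = make_unsigned_token(V1_PAYLOAD)

if __name__ == "__main__":
    for tok in (SAMPLE_V2_TOKEN, SAMPLE_V1_TOKEN):
        claims = decode_jwt_payload(tok)
        print(f"v{claims['ver']}: show {display_identity(claims)!r}, "
              f"not the UPN {claims['upn']!r}")
```

Note that the optional claim changes what the token carries, not who can sign in: the user still authenticates as the same Entra ID account, and `oid` remains the stable identifier the app should key on, while `preferred_username` is what it displays.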