SanderKlaassen-4202 asked:

Azure AD OIDC - Claims Mapping Policy send claim convert datatype

Hi,
I want to send a specific user property as a claim using OpenID Connect (OIDC, not SAML) to be used by an application.
I configured an Azure AD ClaimsMappingPolicy to use the samAccountName and linked it to the service principal; it works correctly. The application does receive the claim.

However, instead of samAccountName I want to use a different property, one that is sourced from on-premises AD: the "UID" field (which is a multi-value string).
The property is successfully replicated to Azure AD. I see it when I use MS Graph:

 "extension_aa703c4e6def47f88d223d1141234567_uid@odata.type": "#Collection(String)",
 "extension_aa703c4e6def47f88d223d1141234567_uid": [
     "IAM872049"
 ],

The property is a collection; I need to send the first element as a string. I assume that is the issue. It is hard to troubleshoot when you're not a dev.
The collection always only has 1 value.
When I use this policy definition:

 @{
     'ClaimsMappingPolicy' = @{
         'Version' = 1
         'IncludeBasicClaimSet' = $true
         'ClaimsSchema' = @(
             @{
                 'Source' = 'user'
                 'ID' = 'extension_aa703c4e6def47f88d223d1141234567_uid'
                 'JwtClaimType' = 'uid'
             }
         )
     }
 }

The application doesn't receive the "uid" claim, and I can't find any documentation on how to do it.
I've looked into transformation rules, but they only combine strings; they don't convert the data type or select one element from a collection.

Could the data type indeed be the issue? If so, does anyone have a tip on how to send the UID property (or any collection property) as a string claim?

Thanks,
Sander


1 Answer

amanpreetsingh-msft answered:

Hi @SanderKlaassen-4202. Thank you for reaching out.

The problem is with the parameter ID, which needs to be replaced with ExtensionID. ID can only be used with built-in attributes; for extension attributes, you need to use ExtensionID. So, rather than using 'ID' = 'extension_aa703c4e6def47f88d223d1141234567_uid', you need to use 'ExtensionID' = 'extension_aa703c4e6def47f88d223d1141234567_uid'.

Below is an example of a PowerShell cmdlet to create a ClaimsMappingPolicy:

 # New-AzureADPolicy creates a policy; Set-AzureADPolicy modifies an existing one and requires -Id
 New-AzureADPolicy -Definition @('{
     "ClaimsMappingPolicy": {
         "Version": 1,
         "IncludeBasicClaimSet": "true",
         "ClaimsSchema": [{
             "Source": "user",
             "ExtensionID": "extension_aa703c4e6def47f88d223d1141234567_uid",
             "JwtClaimType": "uid"
         }]
     }
 }') -DisplayName "JWTClaimsPolicy" -Type "ClaimsMappingPolicy"

Read more: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-schema-extensions


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


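The full procedure the answer describes, as an added example that is not part of the original answer: create the policy with ExtensionID, link it to the application's service principal, confirm the link, and decode a token the application received to check that the uid claim is present. It assumes the AzureAD module is installed, Connect-AzureAD has already been run, and the application's display name is "MyApp" (a placeholder); the extension attribute name is the one from the question.

```powershell
# Added example, not the original poster's or answerer's code.
$extensionId    = 'extension_aa703c4e6def47f88d223d1141234567_uid'
$appDisplayName = 'MyApp'   # placeholder: the display name of your application

# Build the policy definition as a hashtable and serialise it, so that the
# quoting/brace problems of a hand-written JSON string cannot creep in.
$definition = @{
    ClaimsMappingPolicy = @{
        Version              = 1
        IncludeBasicClaimSet = 'true'
        ClaimsSchema         = @(
            @{
                Source       = 'user'
                # ExtensionID (not ID) is required for directory extension attributes
                ExtensionID  = $extensionId
                JwtClaimType = 'uid'
            }
        )
    }
} | ConvertTo-Json -Depth 10 -Compress

# 1. Create the policy. New-AzureADPolicy creates; Set-AzureADPolicy edits an existing policy by -Id.
$policy = New-AzureADPolicy -Definition @($definition) -DisplayName 'UidClaimsPolicy' -Type 'ClaimsMappingPolicy'

# 2. Link the policy to the service principal of the application that should receive the claim.
$sp = Get-AzureADServicePrincipal -Filter "DisplayName eq '$appDisplayName'"
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id

# 3. Confirm the link. Note: the application must also accept mapped claims
#    (acceptMappedClaims in its manifest, or a custom signing key); otherwise the
#    token service refuses to issue tokens with mapped claims for it.
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId | Select-Object DisplayName, Type

# 4. Decode the payload of a JWT the application received and read one claim.
function Get-JwtClaim {
    param([string]$Jwt, [string]$Claim)
    # JWT payload is base64url without padding; convert to standard base64
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    ($json | ConvertFrom-Json).$Claim
}
# Usage: Get-JwtClaim -Jwt $idToken -Claim 'uid'   (for the user in the question this should be "IAM872049")
```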

That was the issue indeed!
Thanks so much!

Have a great day!
Sander
