Azure AD OIDC - Claims Mapping Policy send claim convert datatype

Sander Klaassen 21 Reputation points
2021-08-23T14:03:13.877+00:00

Hi,
I want to send a specific user property as a claim using OpenID Connect (OIDC, not SAML) to be used by an application.
I configured an Azure AD ClaimsMappingPolicy to use the samaccountname and linked it to the Service Principal; it works correctly. The application does receive the claim.

However, instead of samaccountname I want to use a different property, one that is sourced from on-premises AD: the "UID" field (which is a multi-value string).
The property is successfully replicated to Azure AD. I see it when I use MS Graph:

"extension_aa703c4e6def47f88d223d1141234567_uid@odata.type": "#Collection(String)",
"extension_aa703c4e6def47f88d223d1141234567_uid": [
    "IAM872049"
],

The property is a collection; I need to send the first element as a string. I assume that is the issue. Hard to troubleshoot when you're not a dev.
The collection always only has 1 value.
When I use this policy definition:

@{
    'ClaimsMappingPolicy' = @{
        'Version' = 1
        'IncludeBasicClaimSet' = $true
        'ClaimsSchema' = @(
            @{
                'Source' = 'user'
                'ID' = 'extension_aa703c4e6def47f88d223d1141234567_uid'
                'JwtClaimType' = 'uid'
            }
        )
    }
}

The application doesn't receive the "uid" claim, and I can't find any documentation on how to do it.
I've looked into transformation rules, but they only combine strings; they don't convert data types or select one element from a collection.

Could the data type indeed be the issue? If so, does anyone have a tip on how to send the UID property (or any collection property) as a string claim?

Thanks,
Sander
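A way to see exactly what the application is receiving, added here as an example that is not part of the question: decode the payload of the ID token the app gets back and report whether a named claim is present and whether it arrived as a string or an array. The decode does not verify the signature, so it is an inspection aid only, not token validation. The token used below is constructed inside the script (placeholder audience and signature, payload containing the `uid` value from the question) so the functions can be tried without a real tenant.

```powershell
# Added example, not code from the question or the answer.
# Decodes a JWT payload for inspection only (no signature check) and reports the shape of one claim.

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    # Standard base64, then the URL-safe alphabet with padding stripped (RFC 7515 base64url).
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWS: expected three dot-separated parts.' }
    # base64url -> base64: restore the standard alphabet and the padding.
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return ($json | ConvertFrom-Json)
}

function Test-ClaimShape {
    param(
        [Parameter(Mandatory)]$Payload,
        [Parameter(Mandatory)][string]$ClaimName
    )
    $prop = $Payload.PSObject.Properties[$ClaimName]
    if (-not $prop) {
        return "claim '$ClaimName' is absent: check the ClaimsSchema entry (ID vs ExtensionID) and that the policy is linked to the service principal"
    }
    $kind = if ($prop.Value -is [array]) { 'array' } else { $prop.Value.GetType().Name }
    return "claim '$ClaimName' is present as $kind with value(s): $($prop.Value -join ', ')"
}

# Constructed sample token: placeholder header, a payload with the uid value from the question,
# and a placeholder signature. Replace $sampleToken with the id_token your application received.
$sampleToken = (ConvertTo-Base64Url '{"alg":"RS256","typ":"JWT"}') + '.' +
               (ConvertTo-Base64Url '{"aud":"placeholder-app-id","uid":["IAM872049"]}') + '.' +
               'placeholder-signature'

$payload = Get-JwtPayload -Token $sampleToken
Test-ClaimShape -Payload $payload -ClaimName 'uid'
Test-ClaimShape -Payload $payload -ClaimName 'samaccountname'
```

Run it against the real `id_token` (for example, the one a browser debugging tool shows in the redirect back to the app) and the first line tells you immediately whether the claim is missing altogether, which points at the policy or its link to the service principal, or present but with an unexpected type, which points at the source attribute.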

Microsoft Entra ID

Accepted answer
  1. AmanpreetSingh-MSFT 56,311 Reputation points
    2021-08-24T08:09:34.543+00:00

    Hi @Sander Klaassen • Thank you for reaching out.

    The problem is with the parameter ID, which needs to be replaced with ExtensionID. ID can only be used with built-in attributes. For extension attributes, you need to use Extension ID. So, rather than using 'ID' = 'extension_aa703c4e6def47f88d223d1141234567_uid', you need to use 'ExtensionID' = 'extension_aa703c4e6def47f88d223d1141234567_uid'

    Below is an example of PowerShell cmdlet to create ClaimsMappingPolicy:

    # New-AzureADPolicy creates the policy; Set-AzureADPolicy updates an existing policy and requires -Id.
    New-AzureADPolicy -Definition @('{
        "ClaimsMappingPolicy": {
            "Version": 1,
            "IncludeBasicClaimSet": "true",
            "ClaimsSchema": [{
                "Source": "user",
                "ExtensionID": "extension_aa703c4e6def47f88d223d1141234567_uid",
                "JwtClaimType": "uid"
            }]
        }
    }') -DisplayName "JWTClaimsPolicy" -Type "ClaimsMappingPolicy"


    Read more: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-schema-extensions

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    2 people found this answer helpful.
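The answer gives the corrected policy definition; the steps around it (creating the policy, linking it to the application's service principal, and confirming the link) are shown below as an added end-to-end example. This is not the answer's own script: it assumes the AzureAD PowerShell module is installed, that the caller can manage application policies, and that `$AppId` is replaced with the real application (client) ID. The extension attribute name is the one from the question.

```powershell
# Added example, not code from the question or the answer.
# Creates a claims mapping policy that emits a directory extension attribute as the "uid" claim,
# links it to the application's service principal, and verifies the assignment.

$AppId       = '00000000-0000-0000-0000-000000000000'              # placeholder: your application (client) ID
$ExtensionId = 'extension_aa703c4e6def47f88d223d1141234567_uid'    # extension attribute from the question

Connect-AzureAD | Out-Null

# Build the definition as an ordered hashtable and serialize it, so typos in the JSON are caught
# here rather than at policy creation time. For a directory extension attribute the key is
# ExtensionID; ID is only valid for built-in user attributes.
$definition = [ordered]@{
    ClaimsMappingPolicy = [ordered]@{
        Version              = 1
        IncludeBasicClaimSet = 'true'
        ClaimsSchema         = @(
            [ordered]@{
                Source       = 'user'
                ExtensionID  = $ExtensionId
                JwtClaimType = 'uid'
            }
        )
    }
} | ConvertTo-Json -Depth 5 -Compress

# New-AzureADPolicy creates a policy; Set-AzureADPolicy is for updating an existing one by -Id.
$policy = New-AzureADPolicy -Definition @($definition) -DisplayName 'UidClaimPolicy' -Type 'ClaimsMappingPolicy'

# Resolve the enterprise application's service principal and attach the policy to it.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal found for appId $AppId" }
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id

# Verify: the service principal should now list the policy we just created.
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId | Select-Object DisplayName, Type, Id
```

Two checks worth doing after this runs: request a fresh token (cached tokens will not reflect the new policy), and confirm the application is allowed to receive mapped claims, since an app registration that has a claims mapping policy must either set acceptMappedClaims in its manifest or use a custom signing key before Azure AD will issue the token.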

0 additional answers
