Unable to Return optionalClaims in SAML response

  • Question

  • What I am trying to do is return some additional information back to the client (via the SAML response).

    I need to know more about the authentication of the user...For example...

    - Were they a guest or a tenant user
    - Which tenant authenticated the user

    From looking at the following article...

    How to: Provide optional claims to your Azure AD app

    It appears that the following optionalClaims is what I'm after...

    - acct
    - upn (with externally authenticated upn)

    I have created an application and have updated the manifest to include the following...

    "optionalClaims": {
        "idToken": [
            {
                "name": "upn",
                "source": null,
                "essential": false,
                "additionalProperties": [
                    "include_externally_authenticated_upn"
                ]
            }
        ],
        "accessToken": [
            {
                "name": "ipaddr",
                "source": null,
                "essential": false,
                "additionalProperties": []
            },
            {
                "name": "acct",
                "essential": false,
                "additionalProperties": []
            }
        ],
        "saml2Token": [
            {
                "name": "upn",
                "source": null,
                "essential": false,
                "additionalProperties": [
                    "include_externally_authenticated_upn"
                ]
            }
        ]
    },

    ...but the data just doesn't come back in the SAML response. I added a couple of other optionalClaims just to see if I could get anything back...but I don't get the modified upn, IP address nor the guest/user information.

    I can't for the life of me figure this out!!

    Please help!

    Many thanks,

    Lee

    Friday, May 10, 2019 5:04 PM
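When a claim configured in the manifest does not show up, the two things worth checking mechanically are (a) which optional claims the manifest actually requests for the SAML token specifically (only the "saml2Token" section applies to SAML; "idToken" and "accessToken" entries are for OIDC/OAuth tokens), and (b) which Attribute names the returned assertion really carries. The script below is an added example, not code from the original post or from Microsoft. It embeds a constructed manifest fragment shaped like the one in the question (trailing comma removed so it parses) and a constructed, unsigned SAML assertion with made-up attribute names and values; the rule that matches a short claim name such as "upn" against the last path segment of an attribute Name URI is an assumption chosen for this example, not Azure AD's documented mapping.

```python
import json
import xml.etree.ElementTree as ET

# Constructed manifest fragment mirroring the shape of the optionalClaims block
# in the question (not the real manifest; trailing comma removed so it parses).
MANIFEST_JSON = """
{
  "optionalClaims": {
    "idToken": [
      {"name": "upn", "source": null, "essential": false,
       "additionalProperties": ["include_externally_authenticated_upn"]}
    ],
    "accessToken": [
      {"name": "ipaddr", "source": null, "essential": false, "additionalProperties": []},
      {"name": "acct", "essential": false, "additionalProperties": []}
    ],
    "saml2Token": [
      {"name": "upn", "source": null, "essential": false,
       "additionalProperties": ["include_externally_authenticated_upn"]}
    ]
  }
}
"""

# Constructed SAML response fragment: attribute names and values are made up for
# this example; a real assertion carries more elements and an XML signature.
SAML_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname">
        <saml:AttributeValue>Example User</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
        <saml:AttributeValue>user_example.com#EXT#@contoso.example</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def requested_saml_claims(manifest_text):
    """Claim names requested under optionalClaims.saml2Token (the only SAML section)."""
    manifest = json.loads(manifest_text)
    section = manifest.get("optionalClaims", {}).get("saml2Token", [])
    return [entry["name"] for entry in section]


def claims_not_requested_for_saml(manifest_text):
    """Claims listed only under idToken/accessToken, which SAML responses won't carry."""
    claims = json.loads(manifest_text).get("optionalClaims", {})
    saml_names = set(requested_saml_claims(manifest_text))
    seen, result = set(), []
    for section in ("idToken", "accessToken"):
        for entry in claims.get(section, []):
            name = entry["name"]
            if name not in saml_names and name not in seen:
                seen.add(name)
                result.append(name)
    return result


def attributes_in_response(saml_xml):
    """Map each Attribute Name in the assertion to its list of string values."""
    root = ET.fromstring(saml_xml)
    found = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [(v.text or "") for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        found[attr.get("Name", "")] = values
    return found


def check_claims(manifest_text, saml_xml):
    """Report which requested SAML claims are present (with values) or missing.

    Assumed matching rule: a short name like "upn" matches an attribute whose Name
    URI ends in "/upn"; an exact Name match is also accepted.
    """
    present = attributes_in_response(saml_xml)
    by_short = {name.rsplit("/", 1)[-1]: name for name in present}
    report = {"present": {}, "missing": []}
    for claim in requested_saml_claims(manifest_text):
        full = by_short.get(claim) or (claim if claim in present else None)
        if full is None:
            report["missing"].append(claim)
        else:
            report["present"][claim] = present[full]
    return report


if __name__ == "__main__":
    print(json.dumps(check_claims(MANIFEST_JSON, SAML_RESPONSE_XML), indent=2))
    print("requested for other token types only:", claims_not_requested_for_saml(MANIFEST_JSON))
```

Run against the constructed inputs, the checker reports "upn" as present and lists "ipaddr" and "acct" as requested only for non-SAML tokens, which is the first thing to verify in a configuration like the one posted: a claim that never appears in the "saml2Token" section is not being asked for in the SAML assertion, regardless of what the other sections contain.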

All replies

  • Have you updated the manifest of the client app? If you have added the claim in the manifest of the client app then you will get the claim in id_token and not in the access_token.
    Monday, May 13, 2019 8:31 PM
    Moderator
  • Hi SaurabhSharma...many thanks for your reply I really appreciate it.

    The only manifest I have updated is the application one found in "App registrations".  I have added the configuration above into that manifest.

    Do I have to apply this configuration anywhere else?

    I just cannot get this working.

    Many thanks,

    Lee

    Tuesday, May 14, 2019 8:31 AM