Providing directory extension optional claims and returning value within token

  • Question

  • I have a simple Web Forms app which uses standard Windows Integrated Authentication. I need to migrate this to the Azure App Service and have enabled OWIN support to authenticate against Azure AD. This is all working; however, when I inspect the claims I am not seeing the sAMAccountName. 

    I have looked at the following articles and found that I can extend AD Connect with Directory Extensions and sync the users' sAMAccountName to Azure AD. Again this is working OK, and if I query the Graph Explorer I can see my attribute...

    https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims

     "extension_3cb1857501cc42a79dfc94edbee4c244_sAMAccountName": "valuemasked",

    I have added the following optional claims section within my manifest of my Azure AD App however when I launch my app in Visual Studio and inspect the claims returned I am not seeing the claim which shows me the attribute value.

    // Dump every claim the OWIN middleware put on the current principal
    foreach (System.Security.Claims.Claim claim in ClaimsPrincipal.Current.Claims)
    {
        System.Diagnostics.Debug.WriteLine(claim.Type + " = " + claim.Value);
    }

    Can anyone advise what I am missing here?

    Thanks

    Manifest below

    "optionalClaims": {
        "idToken": [
          {
            "name": "extension_3cb1857501cc42a79dfc94edbee4c244_sAMAccountName",
            "source": null,
            "essential": false,
            "additionalProperties": []
          }
        ],
        "accessToken": [
          {
            "name": "extension_3cb1857501cc42a79dfc94edbee4c244_sAMAccountName",
            "source": null,
            "essential": false,
            "additionalProperties": []
          }
        ],
        "saml2Token": [
          {
            "name": "extension_3cb1857501cc42a79dfc94edbee4c244_sAMAccountName",
            "source": "user",
            "essential": false,
            "additionalProperties": []
          }
        ]
      }

    Monday, June 17, 2019 8:03 PM

Answers

All replies

  • Are you trying to check the claim in the access token claims set? If yes, then you need to modify the manifest of the resource app. For example:

    If you have an Application A which needs access to a Web API B and you want the claims in the access_token then you need to modify the manifest of B.
    Monday, June 17, 2019 10:32 PM
    Moderator
  • Hi, I only have 1 application in Azure AD. No Web API is involved here. I have one simple application which is using OWIN to authenticate against Azure AD and return claims back to the application. Currently the claims returned to me include the email address / UPN; however, I specifically need to get hold of the SAM account name. 
    Wednesday, June 19, 2019 7:47 AM
  • Hello,

    It looks like you're trying to add scopes/claims to your access token. There are two options for this: there is custom claims mapping and optional claims mapping. Please refer to the docs here:

    Optional Claims:

    https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims

    Custom Claims:

    https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping

    These are the only options available to add claims to access tokens. sAMAccountNames are an available custom claim; please refer to the docs.

    In addition to that please remember to mark a reply as answer if we've resolved the issue within the scope of this thread.

    Thursday, June 27, 2019 9:30 PM
    Moderator
  • Hi, thanks for the response. My app A is trying to access Web API B. I have modified the manifest of App B to include the following. AD Connect has been updated to push up Employee ID to Azure AD.

    However when I launch my app locally and inspect the claims in the ClaimsPrincipal I still see the same set of claims. Am I missing something here?

    Although we have Azure AD our authentication is through ADFS 3 to enable single sign on. Does that make any difference here in trying to return specific additional claims?

    "optionalClaims": {
        "idToken": [
          {
            "name": "extension_3cb1857501cc42a79dfc94edbee4c244_employeeID",
            "source": null,
            "essential": false,
            "additionalProperties": []
          }
        ],
        "accessToken": [
          {
            "name": "extension_3cb1857501cc42a79dfc94edbee4c244_employeeID",
            "source": null,
            "essential": false,
            "additionalProperties": []
          }
        ],
        "saml2Token": [
          {
            "name": "extension_3cb1857501cc42a79dfc94edbee4c244_employeeID",
            "source": "user",
            "essential": false,
            "additionalProperties": []
          }
        ]
      },

    [ClaimsPrincipal screenshot]

    Friday, June 28, 2019 3:29 PM
  • Thanks. I did create my custom claims policy and I assigned that to both my Azure AD app A and Azure AD Web API; however, when I launched the app locally and inspected the claims it made no difference. See previous reply above. Any further help would be much appreciated. I basically need to return the user's employee ID (stored in AD and in Azure AD) as part of the claims so I can cache that (Redis cache) and use it within my application.
    Friday, June 28, 2019 3:31 PM
  • So you were able to apply the policies properly in Azure Powershell to the SPs? This article goes into that further : http://www.redbaronofazure.com/?p=7566
    • Marked as answer by Jason Sargood Thursday, July 4, 2019 5:07 PM
    Friday, June 28, 2019 5:32 PM
    Moderator
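    The step the linked article covers, written out here as an added example (not the original poster's script, and not Microsoft's): create a claims mapping policy that emits the synced directory-extension attribute and attach it to the service principal of the token's audience. It assumes the AzureADPreview module (New-AzureADPolicy is not in the GA AzureAD module), an admin account, a resource app displayed as 'Web API B', the extension attribute name from the thread, and a short claim name 'employeeId'; all of those are placeholders. The policy goes on the service principal of whichever app the token is for, which is why a policy on the client alone does nothing for the Web API's access token.

```powershell
# Added example for this thread (not the original poster's code or Microsoft's).
# Emits a directory-extension attribute (synced by AD Connect) as a JWT claim
# for tokens issued to one resource app. Requires AzureADPreview and admin rights.

Import-Module AzureADPreview
Connect-AzureAD

$extensionId  = 'extension_3cb1857501cc42a79dfc94edbee4c244_employeeID'  # attribute name as seen in Graph Explorer (from the thread)
$jwtClaimType = 'employeeId'                                             # assumed short claim name the app will read
$apiSpName    = 'Web API B'                                              # assumed display name of the resource app

# ClaimsSchema entry for a directory extension attribute uses ExtensionID
# rather than ID (ID is for built-in user attributes such as employeeid).
$definition = @{
    ClaimsMappingPolicy = @{
        Version              = 1
        IncludeBasicClaimSet = 'true'
        ClaimsSchema         = @(
            @{ Source = 'user'; ExtensionID = $extensionId; JwtClaimType = $jwtClaimType }
        )
    }
} | ConvertTo-Json -Depth 5 -Compress

$policy = New-AzureADPolicy -Definition @($definition) `
                            -DisplayName 'EmitEmployeeIdClaim' `
                            -Type 'ClaimsMappingPolicy' `
                            -IsOrganizationDefault $false

# Attach to the service principal of the token's AUDIENCE: the Web API for its
# access_token, the client app itself for the id_token it receives.
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$apiSpName'"
if (-not $sp) { throw "Service principal '$apiSpName' not found" }
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id

# Verify. A service principal carries at most one ClaimsMappingPolicy; an
# existing one has to be removed first (Remove-AzureADServicePrincipalPolicy).
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId | Select-Object DisplayName, Type, Id

# Remaining step, done in that app's manifest in the portal (as the thread found):
#   "acceptMappedClaims": true
# Without it (or a custom signing key) Azure AD will not issue tokens carrying
# the mapped claims. It is a deliberate per-resource opt-in: mapping changes
# what the token asserts, so the resource must say it accepts that.
```

    Rerun the Get-AzureADServicePrincipalPolicy line after any change; if it shows no policy on the Web API's service principal, the access token cannot contain the claim regardless of the manifest.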
  • Thanks. The additional link worked for me. I was missing the acceptMappedClaims: true in the manifest. If I inspect my accessToken in jwt.io I can now see the additional attributes. I now need to work out how to extract those attributes to map to my own user details class in my app. Any info you could provide on how best to achieve this would be appreciated.

    • Marked as answer by Jason Sargood Thursday, July 4, 2019 5:07 PM
    • Unmarked as answer by Jason Sargood Thursday, July 4, 2019 5:07 PM
    Tuesday, July 2, 2019 9:04 AM
  • I now need to work out how to extract those attributes to map to my own user details class in my app. Any info you could provide on how best to achieve this would be appreciated.

    If you mean extract the attributes from the JWT token and parse them accordingly, you can utilize the System.IdentityModel.Tokens class per the Stack Overflow post here: https://stackoverflow.com/questions/31150223/parsing-jwt-to-get-claims-in-c-sharp

    If you have any more questions within the scope of this thread please let us know; otherwise please mark a response as answered. 

    • Marked as answer by Jason Sargood Thursday, July 4, 2019 5:07 PM
    Tuesday, July 2, 2019 8:28 PM
    Moderator
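    Two of the posts above call for the same check: confirming the mapped claim is in the token (the poster did this by pasting the access token into jwt.io) and pulling the claim out into a user-details object. The script below is an added example for this thread, not code from any of the posters or from Microsoft, and does both locally so that a live bearer token never has to be pasted into a third-party site. It assumes the mapping policy emitted the claim as 'employeeId' (with optional claims instead, the claim keeps its full extension_<appId>_employeeID name), an App ID URI of 'api://web-api-b' for the Web API, and a constructed, unsigned sample token. Decoding is not validation: nothing here checks the signature, so in the application itself the claims should be read from ClaimsPrincipal.Current, which the OWIN middleware has already validated, or from JwtSecurityTokenHandler.ValidateToken, never from a token that was merely parsed.

```powershell
# Added example for this thread (not the original poster's code or Microsoft's):
# decode a JWT locally, confirm it is the token you think it is (audience),
# and map the claims onto a user-details object. Signature is NOT checked.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        1 { throw 'Invalid base64url input length' }
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Value)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-JwtClaims {
    # Header and payload of a compact JWS as objects; the signature segment is ignored.
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Expected 3 dot-separated parts, got $($parts.Count)" }
    [pscustomobject]@{
        Header = ConvertFrom-Base64Url $parts[0] | ConvertFrom-Json
        Claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    }
}

function Get-UserDetailsFromToken {
    param(
        [Parameter(Mandatory)][string]$Token,
        # The client app's own ID for an id_token; the Web API's App ID URI or client ID
        # for its access_token. A token for another audience is not yours to interpret.
        [Parameter(Mandatory)][string]$ExpectedAudience,
        # Assumed JwtClaimType from the mapping policy; with optional claims use the
        # full extension_<appId>_employeeID name instead.
        [string]$EmployeeIdClaim = 'employeeId'
    )
    $jwt = Get-JwtClaims -Token $Token
    if ($jwt.Claims.aud -ne $ExpectedAudience) {
        throw "Audience '$($jwt.Claims.aud)' is not '$ExpectedAudience'; this token was issued for a different resource"
    }
    $prop = $jwt.Claims.PSObject.Properties[$EmployeeIdClaim]
    if (-not $prop -or [string]::IsNullOrEmpty($prop.Value)) {
        $present = $jwt.Claims.PSObject.Properties.Name -join ', '
        throw "Claim '$EmployeeIdClaim' missing. Check: policy on this audience's service principal, acceptMappedClaims true, attribute synced for this user. Present: $present"
    }
    [pscustomobject]@{
        Upn        = $jwt.Claims.upn
        Name       = $jwt.Claims.name
        EmployeeId = $prop.Value
        ExpiresUtc = [DateTimeOffset]::FromUnixTimeSeconds([int64]$jwt.Claims.exp).UtcDateTime
    }
}

function New-ConstructedTestJwt {
    # Builds an UNSIGNED token from constructed claims so the functions above can
    # be exercised offline; the signature segment is a placeholder.
    param([Parameter(Mandatory)][hashtable]$Claims)
    $header  = ConvertTo-Base64Url '{"typ":"JWT","alg":"RS256"}'
    $payload = ConvertTo-Base64Url ($Claims | ConvertTo-Json -Compress)
    "$header.$payload.signature-not-checked-here"
}

# Constructed sample shaped like the thread's access token with the mapped claim.
$sample = New-ConstructedTestJwt -Claims @{
    aud        = 'api://web-api-b'                                          # assumed App ID URI of Web API B
    iss        = 'https://sts.windows.net/00000000-0000-0000-0000-000000000000/'  # placeholder tenant
    upn        = 'jsmith@contoso.example'
    name       = 'Jane Smith'
    employeeId = 'E12345'
    exp        = 1562284800
}

Get-UserDetailsFromToken -Token $sample -ExpectedAudience 'api://web-api-b'

# The same token read as if by client app A fails the audience check, by design:
# the client should take identity from its own id_token, not from B's access token.
try { Get-UserDetailsFromToken -Token $sample -ExpectedAudience 'client-app-a-id' } catch { Write-Warning $_ }
```

    To check a real token, replace $sample with the access token captured from the app; if Get-UserDetailsFromToken throws the "missing" error, the list of present claims it prints tells you whether the policy applied at all (no mapped claim) or only the extension attribute is empty for that user.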