
Unable to add additional claims in Token configuration Azure Authentication - Stack Overflow


I want to add "On-premises SAM Account Name" as a token claim, but I am not getting this option in the "Token Configuration" tab. This is for an Angular application with a .NET Core 8 API.

We have tried the following, but none of it helped:

  1. Added an optional claim to the "Manifest":
"optionalClaims": {
...
    "accessToken": [
        {
            "name": "onPremisesSAMAccountName",
            "source": "",
            "additionalProperties": []
        }
    ]
...
}
  2. We changed "acceptMappedClaims" to true in the Manifest.

  3. We tried with an extension attribute like extension_xxxxxxxxx_AttributeName in the Manifest.

I do not have full access to the Azure portal (as I am not the admin). The admin has confirmed that "on-premises SAM Account Name" is synced to Azure from the local Active Directory.

Questions

  1. What are the correct steps to get the claim in the token?
  2. Is the property name/syntax incorrect?

References

  1. Adding custom claims to access token issued by Azure ad
  2. Trouble with extension attributes when pulling AAD user data in powershell

asked Mar 7 at 6:57 by Sampath
  • And stackoverflow/questions/78296857/… – Rukmini Commented Mar 7 at 7:14
  • Posted the answer please check the below:) – Rukmini Commented Mar 7 at 13:05
  • Sorry for the late response. As I am dependent on the admin, I will take some more time to confirm. – Sampath Commented Mar 15 at 8:57
  • Any update on the issue? – Rukmini Commented Apr 7 at 3:59

1 Answer


You can display onpremisessamaccountname in the access token.

To do it, you need to configure an Azure AD claims mapping policy:

# Uninstall-Module AzureAD 
# Install-Module AzureADPreview 
# Import-Module AzureADPreview 
# Get-Module -Name AzureADPreview

Connect-AzureAD
 
# Claims mapping policy: emit the synced directory attribute
# onpremisessamaccountname as a JWT claim of the same name.
$Definition = [ordered]@{
    "ClaimsMappingPolicy" = [ordered]@{
        "Version" = 1
        "IncludeBasicClaimSet" = $true
        "ClaimsSchema" = @(
            [ordered]@{
                "Source" = "user"
                "ID" = "onpremisessamaccountname"
                "JwtClaimType" = "onpremisessamaccountname"
            }
        )
    }
}
$pol = New-AzureADPolicy -Definition ($Definition | ConvertTo-Json -Depth 3) -DisplayName ("Policy_" + ([System.Guid]::NewGuid().guid) + "_" + $Definition.Values.ClaimsSchema.JwtClaimType) -Type "ClaimsMappingPolicy"

Now assign this policy to the Service Principal:

$entApp = New-AzureADApplication -DisplayName ("RukClaimsDemoApp_" + $Definition.Values.ClaimsSchema.JwtClaimType)
$spnob = New-AzureADServicePrincipal -DisplayName $entApp.DisplayName -AppId $entApp.AppId 

# Link the policy to the service principal (enterprise application)
Add-AzureADServicePrincipalPolicy -Id $spnob.ObjectId -RefObjectId $pol.Id 

# Confirm the assignment
Get-AzureADServicePrincipalPolicy -Id $spnob.ObjectId

In the Manifest, update the below:

"acceptMappedClaims": true,

"requestedAccessTokenVersion": 2

  • Make sure to generate the access token by passing the API scope as api://ClientID/.default to display the custom claim in the access token.
  • After generating the access token, you will see onpremisessamaccountname as a claim.

Otherwise, if still the issue persists, you can go to Enterprise application -> Search your application -> Single Sign on -> Under Attributes & Claims, select Edit -> Add new claim -> Under Source, select Attribute and choose user.onpremisessamaccountname -> Save:

This will directly add the claim in the access token without any policy.

All these actions require admin access.

Reference:

inlcude onpemise samaccount in azure ad claims - Microsoft Q&A by soumi-MSFT
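The answer above creates a fresh demo application; what the asker actually needs is to attach the policy to the service principal of the API registration they already have, and then check that the claim really arrived in a token. The following PowerShell script is an added example, not part of the original question or answer, and uses the same AzureADPreview cmdlets the answer uses. The parameter names, the policy display name and the idea of pasting a token in for inspection are my assumptions; the script needs the same admin rights the answer mentions.

```powershell
# Added example (not from the original post): attach a ClaimsMappingPolicy emitting
# onpremisessamaccountname to an EXISTING API app registration's service principal,
# then inspect an access token to confirm the claim is present.
# Assumes: AzureADPreview module installed, an admin account, and that
# acceptMappedClaims = true and requestedAccessTokenVersion = 2 are already set in
# the API's manifest (the AzureAD module cannot set those; the portal manifest can).
param(
    [Parameter(Mandatory = $true)][string]$ApiAppId,      # appId of the .NET API registration
    [Parameter(Mandatory = $false)][string]$AccessToken   # optional: a token obtained with scope api://<ApiAppId>/.default
)

Import-Module AzureADPreview -ErrorAction Stop
Connect-AzureAD | Out-Null

# 1. Policy definition: Source "user" + ID "onpremisessamaccountname" is the attribute
#    synced from on-premises AD; JwtClaimType is the claim name that appears in the JWT.
$definition = [ordered]@{
    ClaimsMappingPolicy = [ordered]@{
        Version              = 1
        IncludeBasicClaimSet = $true
        ClaimsSchema         = @(
            [ordered]@{ Source = 'user'; ID = 'onpremisessamaccountname'; JwtClaimType = 'onpremisessamaccountname' }
        )
    }
}
$json = $definition | ConvertTo-Json -Depth 10 -Compress

# 2. Reuse a policy with an identical definition instead of creating a duplicate each run.
$policy = Get-AzureADPolicy |
    Where-Object { $_.Type -eq 'ClaimsMappingPolicy' -and (($_.Definition -join '') -eq $json) } |
    Select-Object -First 1
if (-not $policy) {
    $policy = New-AzureADPolicy -Definition @($json) -DisplayName 'Emit-onPremisesSamAccountName' -Type 'ClaimsMappingPolicy'
}

# 3. Resolve the service principal (Enterprise application) of the existing API registration.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$ApiAppId'"
if (-not $sp) { throw "No service principal found for appId $ApiAppId" }

# A service principal carries at most one ClaimsMappingPolicy; do not silently replace a
# policy someone else assigned, because that could remove claims another consumer relies on.
$assigned = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId | Where-Object { $_.Type -eq 'ClaimsMappingPolicy' }
if ($assigned -and $assigned.Id -ne $policy.Id) {
    throw "Service principal already has ClaimsMappingPolicy '$($assigned.DisplayName)' ($($assigned.Id)); review it before replacing."
}
if (-not $assigned) {
    Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
    Write-Host "Assigned policy $($policy.Id) to service principal $($sp.ObjectId)"
}

# 4. Decode (NOT validate) a JWT payload so we can look at the claims that were issued.
function Get-JwtPayload {
    param([Parameter(Mandatory = $true)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWT (expected header.payload.signature)' }
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')      # base64url -> base64
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

if ($AccessToken) {
    $claims = Get-JwtPayload -Token $AccessToken
    # The claim only shows up in a v2 token whose audience is this API, so check those first.
    if ($claims.ver -ne '2.0')     { Write-Warning "Token is ver=$($claims.ver); set requestedAccessTokenVersion to 2 in the manifest." }
    if ($claims.aud -ne $ApiAppId) { Write-Warning "Token audience $($claims.aud) is not the API ($ApiAppId); request scope api://$ApiAppId/.default." }
    if ($claims.onpremisessamaccountname) {
        Write-Host "onpremisessamaccountname = $($claims.onpremisessamaccountname)"
    } else {
        Write-Warning 'Claim missing: check acceptMappedClaims=true in the manifest and that the user is synced from on-premises AD.'
    }
}
```

Two points worth keeping in mind when consuming the claim in the .NET API: decoding the payload as above proves nothing about the token's origin, so the API must still validate the signature, issuer and audience before reading any claim; and onpremisessamaccountname is a human-readable attribute that can change or be reused, so use it for display or legacy lookups and keep authorization decisions keyed on the immutable oid claim.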
