Solved

Add optional claim to Identity provider and IAM

  • May 7, 2024
  • 1 reply
  • 42 views

Dennis van Leeuwen
Hero

I added an optional claim (ipaddr) in the Azure - Token configuration. How does this relate to the IAM claims?

I actually expected that when performing the task “Reload scopes and claims” this claim would be added to IAM, but this does not appear to be the case. In fact, after manually adding this claim in IAM, it is deleted again after running the task. So there seems to be no link (yet) between IAM and Microsoft Azure; what am I missing?

Optional claim ipaddr added in Azure

New claim ipaddr added in IAM

Best answer by Vincent Doppenberg

Hello @Dennis van Leeuwen

The ‘Reload scopes and claims’ task simply reads the scopes and claims from the metadata document that is published by the Identity Provider, in this case Azure (Microsoft Entra ID). So the task can only work as well as the accuracy of the metadata document.

The fact that your newly added scope isn't added when running the task simply means that the Identity Provider hasn't published it in the metadata (yet). This could have some kind of time-related reason; maybe the metadata document lags behind a little bit. It's also possible that it won't be added to the metadata at all; that would seem like an issue on Microsoft's end to me.

You can actually verify that the metadata is incomplete yourself by opening the metadata URL in a browser (i.e. the /well-known/openid-configuration URL). If you do see the claim in the metadata document, but the task still doesn't add it, then it could be an issue with the task as well.

Either way, adding the claim yourself should work just fine if it actually exists on the provider's end.
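One way to carry out the check described in the answer above, added here as an example and not part of the original thread: load the provider's OpenID Connect discovery document (served at the `/.well-known/openid-configuration` path under the issuer) and compare its `claims_supported` and `scopes_supported` arrays with the claims and scopes you expect IAM to pick up. The discovery document below is constructed for the example and is not real Entra ID output; `fetch_metadata` is a hypothetical helper for running the same comparison against a live tenant.

```python
import json
import urllib.request
from typing import Any, Dict, List

# Constructed sample discovery document (not real Entra ID output). It lists a
# few standard claims and scopes but does NOT list the optional 'ipaddr' claim,
# which mirrors the situation described in the thread.
SAMPLE_METADATA: Dict[str, Any] = json.loads("""
{
  "issuer": "https://login.example.test/tenant-id/v2.0",
  "scopes_supported": ["openid", "profile", "email", "offline_access"],
  "claims_supported": ["sub", "iss", "aud", "exp", "iat",
                       "name", "preferred_username", "email"]
}
""")


def fetch_metadata(issuer: str, timeout: float = 10.0) -> Dict[str, Any]:
    """Download the OIDC discovery document published under the issuer URL.

    Hypothetical helper for a live check; the offline example below uses
    SAMPLE_METADATA instead.
    """
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def missing_entries(metadata: Dict[str, Any],
                    claims: List[str],
                    scopes: List[str]) -> Dict[str, List[str]]:
    """Return the wanted claims and scopes the provider has NOT published.

    A claim that is absent from 'claims_supported' cannot be imported by a
    task that only reads the metadata document, so it must be added by hand.
    """
    published_claims = set(metadata.get("claims_supported", []))
    published_scopes = set(metadata.get("scopes_supported", []))
    return {
        "claims": [c for c in claims if c not in published_claims],
        "scopes": [s for s in scopes if s not in published_scopes],
    }


if __name__ == "__main__":
    # Checks the claim from the thread against the constructed document.
    report = missing_entries(SAMPLE_METADATA, ["ipaddr", "email"], ["openid"])
    print(json.dumps(report, indent=2))
```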
