Add optional claim to Identity provider and IAM

  • 7 May 2024
  • 1 reply

Userlevel 4
Badge +11

I added an optional claim (ipaddr) in the Azure - Token configuration. How does this relate to the IAM claims?

I actually expected that when performing the task “Reload scopes and claims” this claim would be added to IAM, this does not appear to be the case. In fact after manually adding this claim in IAM it is deleted again after running the task. So there seems to be no link (yet) between IAM and Microsoft Azure, what am I missing?


Optional claim ipaddr added in Azure


New claim ipaddr added in IAM



1 reply

Userlevel 6
Badge +4

Hello @Dennis van Leeuwen

The ‘Reload scopes and claims’ task simply reads the scopes and claims from the metadata document that is published by the Identity Provider, in this case Azure (Microsoft Entra ID). So the task can only work as well as the accuracy of the metadata document.

The fact that your newly added scope isn't added when running the task simply means that the Identity Provider hasn't published it in the metadata (yet). This could have some kind of time related reason, maybe the metadata document lags behind a little bit. It's also possible that it won't be added to the metadata at all, that would seem like an issue on Microsoft's end to me.

You can actually verify that the metadata is incomplete yourself by opening the metadata URL in a browser (i.e. the /well-known/openid-configuration URL). If you do see the claim in the metadata document, but the task still doesn't add it, then it could be an issue with the task as well.

Either way, adding the claim yourself should work just fine if it actually exists on the provider's end.