Solved

OpenID Provisioning multi-tenant claim

  • December 12, 2022
  • 9 replies
  • 169 views

rbiram
Hero

Hi,

We're setting up OpenID Provisioning for our application and we have a question about mapping the ‘Tenant’ claim to multiple tenants. It's a single Azure AD OpenID connection that has all the users from both tenants in it on their side. 

We have two tenants set up in IAM and we're wondering what the best way is to map the Tenant claim (which is to be filled with ‘iss’) to each of the tenants. Currently it's like this:
 

We're curious to hear a possible solution!

Thanks.


9 replies

Anne Buit
Community Manager
  • Community Manager
  • 639 replies
  • Answer
  • December 12, 2022

Hi,

You can set the tenant to the ‘iss’ claim and set up a tenant value mapping in the tabpage that will appear subsequently.

The issuer claim mapped for the tenant

Here, you can map certain issuer URLs to tenants in IAM.

Issuer mapping to tenants in IAM

 


rbiram
Hero
  • Author
  • Hero
  • 75 replies
  • December 12, 2022

Thanks for the quick response.

 

What if the iss is the same url for both tenants? The client has one active directory in which all the users are saved from both tenants. Is there another possible claim we could use for the tenant identification?


Anne Buit
Community Manager
  • Community Manager
  • 639 replies
  • December 12, 2022

Well, that is a question that you should ask the client. Is there any way to distinguish the tenants using the information available in Azure AD?

It is likely that this determination can be done based on AD user group membership. You can configure Azure AD to include information about the user groups in the token. More info here.


rbiram
Hero
  • Author
  • Hero
  • 75 replies
  • December 14, 2022

Thanks for pointing us in the right direction. We're going to look into it and I'll update the topic when I know more!


rbiram
Hero
  • Author
  • Hero
  • 75 replies
  • December 29, 2022

Good morning,

We've almost got it working. The external users are being provisioned (created and updated) in IAM, but for some reason the user groups aren't being assigned. 

Considering that the iss claim isn't unique enough in our case (two tenants in one Azure AD on their side), we've added the upn claim to map to. The upn claim ends with ‘@tenant1.nl’ or ‘@tenant2.nl’, depending on the tenant the user belongs to.

Tenant 1

 

Tenant 2

So what we thought we could do is the following:

User template:
 

The upn claim for the tenant, with one of the tenants as the default value; it seems this field cannot be empty.

User group template:

We fill the ‘Gelijk aan of bevat element’ column with the names of the tenants, as they are included in the upn value, as you can see in the two screenshots above.


Tenant mapping:
 

We do the same for the Tenant mapping. 

This all looks good in our eyes, but it seems the upn claim isn't being recognized? Are we missing something here?

 

Thanks!


Arie V
Community Manager
  • Community Manager
  • 999 replies
  • December 29, 2022

@rbiram, there have been multiple issues with OpenID User Group provisioning lately. Are you up to date with all the latest hotfixes for IAM?


rbiram
Hero
  • Author
  • Hero
  • 75 replies
  • December 29, 2022

Hi @Arie V,

 

I'm up to date with the latest hotfixes!

 


Anne Buit
Community Manager
  • Community Manager
  • 639 replies
  • December 29, 2022

The tenant value claim mapping must be equal to the value of the claim or equal to an element value of the claim when the claim value is an array.

In your example, neither the value Rony.test@arbonet.nl nor the value geurt.test@humancapitalcare.nl matches arbonet or humancapitalcare. So they both fall back to the default value for the tenant, ArboNed.

Can you somehow make your identity provider provide a claim with only the domain name of the upn claim? Then you can do matching on arbonet.nl and humancapitalcare.nl.
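The matching rule in the reply above, together with the group-membership route suggested earlier in the thread, as an added example that is not Thinkwise IAM's own code: a small Python model of tenant value mapping with exact or array-element matching. The issuer URL, group names, the token dictionaries and the domain_of_upn helper are constructed for illustration; only the two upn values come from the thread.

```python
# Added example, not Thinkwise IAM's own code: it models the tenant value
# mapping rule stated above (a mapping value must equal the claim value, or
# equal one element when the claim is an array) and shows why the partial
# upn values from the thread fall back to the default tenant.
from typing import Any, Dict

def resolve_tenant(claims: Dict[str, Any], claim_name: str,
                   mapping: Dict[str, str], default: str) -> str:
    """Return the IAM tenant for a token using exact or array-element matching."""
    value = claims.get(claim_name)
    if value is None:
        return default                       # claim absent: default tenant
    elements = value if isinstance(value, list) else [value]
    for mapped_value, tenant in mapping.items():
        # Equality only, no substring or wildcard semantics: a value that merely
        # contains 'arbonet' must not be routed to that tenant.
        if mapped_value in elements:
            return tenant
    return default

def domain_of_upn(upn: str) -> str:
    """Stand-in (hypothetical) for the domain-only claim the IdP was asked to add."""
    return upn.rsplit("@", 1)[-1].lower()

# Constructed tokens: upn values come from the thread; issuer and groups are made up.
TOKENS = {
    "rony": {"iss": "https://idp.example/common", "upn": "Rony.test@arbonet.nl",
             "groups": ["arbonet-users"]},
    "geurt": {"iss": "https://idp.example/common", "upn": "geurt.test@humancapitalcare.nl",
              "groups": ["humancapitalcare-users"]},
}
ISS = {"https://idp.example/common": "ArboNed"}          # one issuer, two tenants
PARTIAL = {"arbonet": "ArboNed", "humancapitalcare": "HumanCapitalCare"}  # as tried
DOMAINS = {"arbonet.nl": "ArboNed", "humancapitalcare.nl": "HumanCapitalCare"}
GROUPS = {"arbonet-users": "ArboNed", "humancapitalcare-users": "HumanCapitalCare"}

def compare_strategies() -> Dict[str, Dict[str, str]]:
    """Resolved tenant per user under each mapping strategy."""
    out: Dict[str, Dict[str, str]] = {}
    for user, claims in TOKENS.items():
        enriched = dict(claims, upn_domain=domain_of_upn(claims["upn"]))
        out[user] = {
            "iss_claim": resolve_tenant(enriched, "iss", ISS, "ArboNed"),
            "partial_upn": resolve_tenant(enriched, "upn", PARTIAL, "ArboNed"),
            "domain_claim": resolve_tenant(enriched, "upn_domain", DOMAINS, "ArboNed"),
            "group_claim": resolve_tenant(enriched, "groups", GROUPS, "ArboNed"),
        }
    return out

if __name__ == "__main__":
    print(compare_strategies())
```

Only the domain-claim and group-claim strategies separate the two users; the shared issuer and the partial upn values both resolve every user to the default tenant.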


rbiram
Hero
  • Author
  • Hero
  • 75 replies
  • December 29, 2022

You're right. It works when I enter ‘Rony.test@arboned.nl’ as a value. I was under the impression that ‘arboned’ was enough because of the ‘of bevat element’ option, thinking it would work as a ‘like %arboned%’ operator.

 

I'll see what they can provide us! Thanks

