Solved

OpenID Provisioning multi-tenant claim

  • 12 December 2022
  • 9 replies
  • 154 views

Userlevel 6
Badge +3

Hi,

We're setting up OpenID Provisioning for our application and we have a question about mapping the ‘Tenant’ claim to multiple tenants. It's a single Azure AD OpenID connection that has all the users from both tenants in it on their side. 

We have two tenants set up in IAM and we're wondering what the best way is to map the Tenant (which is to be filled with ‘iss’) claim to each of the tenants. Currently it's like this:
 

We're curious to hear a possible solution!

Thanks.


Best answer by Anne Buit 12 December 2022, 10:47


This topic has been closed for comments

9 replies

Userlevel 7
Badge +5

Hi,

You can set the tenant to the ‘iss’ claim and set up a tenant value mapping in the tabpage that will appear subsequently.

The issuer claim mapped for the tenant

Here, you can map certain issuer URLs to tenants in IAM.

Issuer mapping to tenants in IAM

 

Userlevel 6
Badge +3

Thanks for the quick response.

 

What if the iss is the same URL for both tenants? The client has one Active Directory in which all the users from both tenants are saved. Is there another possible claim we could use for the tenant identification?

Userlevel 7
Badge +5

Well, that is a question that you should ask the client. Is there any way to distinguish the tenants using the information available in Azure AD?

It is likely that this determination can be done based on AD user group membership. You can configure Azure AD to include information about the user groups in the token. More info here.

Userlevel 6
Badge +3

Thanks for pointing us in the right direction. We're going to look into it and I'll update the topic when I know more!

Userlevel 6
Badge +3

Good morning,

We've almost got it working. The external users are being provisioned (created and updated) in IAM, but for some reason the user groups aren't being assigned. 

Considering that the iss claim isn't unique enough in our case (two tenants in one Azure AD on their side) we've added the upn claim to map to. The upn claim ends with ‘@tenant1.nl’ or ‘@tenant2.nl’ depending on the tenant the user belongs to.

Tenant 1

 

Tenant 2

So what we thought we could do is the following:

User template:
 

upn claim for the tenant, with one of the tenants as the default value; it seems this field cannot be empty.

User group template:

We fill the ‘Gelijk aan of bevat element’ column with the names of the tenants, as they are included in the upn value, as you can see in the two screenshots above.


Tenant mapping:
 

We do the same for the Tenant mapping. 

This all looks good in our eyes, but it seems the upn claim isn't being recognized? Are we missing something here?

 

Thanks!

Userlevel 6
Badge +10

@rbiram, there have been multiple issues with OpenID User Group provisioning lately. Are you up to date with all the latest hotfixes for IAM?

Userlevel 6
Badge +3

Hi @Arie V,

 

I'm up to date with the latest hotfixes!

 

Userlevel 7
Badge +5

The tenant value claim mapping must be equal to the value of the claim or equal to an element value of the claim when the claim value is an array.

In your example, neither the value Rony.test@arbonet.nl nor the value geurt.test@humancapitalcare.nl matches arbonet or humancapitalcare. So they both fall back to the default value for the tenant, ArboNed.

Can you somehow make your identity provider provide a claim with only the domain name of the upn claim? Then you can do matching on arbonet.nl and humancapitalcare.nl.

Userlevel 6
Badge +3

You're right. It works when I enter ‘Rony.test@arboned.nl’ as a value. I was under the impression that ‘arboned’ was enough because of the ‘of bevat element’ thing, thinking it would work as a ‘like '%arboned%'’ operator.

 

I'll see what they can provide us! Thanks
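The matching rule explained in the accepted answer (a mapping entry must be equal to the claim value, or equal to one element when the claim is an array, otherwise the default tenant applies) and the "like '%arboned%'" misunderstanding from the last reply, as an added illustration written for this thread. It is not Thinkwise IAM code: the function names, the mapping tables and the sample UPN values are constructed assumptions, and the domain-only claim is the workaround the answer suggests asking the identity provider for.

```python
# Illustrative re-implementation of the tenant value mapping rule described in
# the thread. Added example, not IAM's own code; names and data are assumptions.

DEFAULT_TENANT = "ArboNed"  # fallback named in the thread when nothing matches

# Mapping as first configured in the thread: bare tenant names (constructed).
NAME_MAPPING = {"arboned": "ArboNed", "humancapitalcare": "HumanCapitalCare"}

# Mapping on the domain part only, which needs a domain-only claim (constructed).
DOMAIN_MAPPING = {"arboned.nl": "ArboNed", "humancapitalcare.nl": "HumanCapitalCare"}


def resolve_tenant(claim_value, mapping, default=DEFAULT_TENANT):
    """Return the IAM tenant for a claim value using equality-only matching.

    'Equal to or contains element' means: the entry equals the whole claim
    value, or equals one element when the claim value is an array. There is
    no substring ('like %x%') matching, which is why a bare 'arboned' never
    matches 'Rony.test@arboned.nl' and the default tenant is used instead.
    """
    values = claim_value if isinstance(claim_value, list) else [claim_value]
    for entry, tenant in mapping.items():
        if entry in values:  # exact element equality
            return tenant
    return default


def upn_domain(upn):
    """Derive the domain part of a UPN: 'user@arboned.nl' -> 'arboned.nl'.

    Lower-casing is an assumption about how the provider would normalise the
    value; an input without '@' yields '' so the default tenant applies.
    """
    _local, sep, domain = upn.rpartition("@")
    return domain.lower() if sep else ""


def tenant_from_upn(upn, mapping=DOMAIN_MAPPING):
    """Tenant resolution as it would work once a domain-only claim exists."""
    return resolve_tenant(upn_domain(upn), mapping)
```

Exact matching also means a mapping entry can only ever pick up the precise value the provider issues, so a tenant cannot be selected by a value that merely happens to contain the expected name.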