Skip to main content

Hi,

We're setting up OpenID Provisioning for our application and we have a question about mapping the ‘Tenant’ claim to multiple tenants. It's a single Azure AD OpenID connection that has all the users from both tenants in it on their side. 

We have two tenants set up in IAM and we're wondering what the best way is to map the Tenant (which is to be filled with ‘iss’) claim to each of the tenants. Currently its like this:
 

We're curious to hear a possible solution!

Thanks.

Hi,

You can set the tenant to the ‘iss’ claim and set up a tenant value mapping in the tabpage that will appear subsequently.

The issuer claim mapped for the tenant

Here, you can map certain issuer URLs to tenants in IAM.

Issuer mapping to tenants in IAM

 


Thanks for the quick response.

 

What if the iss is the same url for both tenants? The client has one active directory in which all the users are saved from both tenants. Is there another possible claim we could use for the tenant identification?


Well, that is a question that you should ask the client. Is there any way to distinguish the tenants using the information available in Azure AD?

It is likely that this determination can be done based on AD user group membership. You can configure Azure AD to include information about the user groups in the token. More info here.


Thanks for pointing us in the right direction. We're going to look into it and I'll update the topic when I know more!


Good morning,

We've almost got it working. The external users are being provisioned (created and updated) in IAM, but for some reason the user groups aren't being assigned. 

Considering that the iss claim isn't unique enough in our case (two tenants in one Azure AD on their side) we've added the upn claim to map to. The upn claim ends with ‘@tenant1.nl’ or ‘@tenant2.nl’ depending on the tenant the user belongs to.

Tenant 1

 

Tenant 2

So what we thought we could do is the following:

User template:
 

upn claim for the tenant with one of the tenants as the default value, it seems this field cannot be empty

User group template:

We fill the ‘Gelijk aan of bevat element’ column with the name of the tenants, as they are included in the upn value, as you can see two screenshots above


Tenant mapping:
 

We do the same for the Tenant mapping. 

This all looks good in our eyes, but it seems the upn claim isn't being recognized? Are we missing something here?

 

Thanks!


@rbiram there have been multiple issues with OpenID User Group provisioning lately, are you up to date with all latest Hotfixes for IAM?


Hi @Arie V,

 

I'm up to date with the latest hotfixes!

 


The tenant value claim mapping must be equal to the value of the claim or equal to an element value of the claim when the claim value is an array.

In your example, the values Rony.test@arbonet.nl or the value geurt.test@humancapitalcare.nl neither match abonet or humancapitalcare. So they both fall back to the default value for the tenant - ArboNed.

Can you somehow make your identity provider provide a claim with only the domain name of the upn claim? Then you can do matching on arbonet.nl and humancapitalcare.nl.


You're right. It works when I enter the ‘Rony.test@arboned.nl’ as a value. I was under the impression that ‘arboned’ was enough because of the ‘of bevat element’ thing, thinking it would work as a ‘like ‘%arboned%’’ operator.

 

I'll see what they can provide us! Thanks