Add Custom Claim IClaimsTransformation to Azure ID Token and Share between two application

Tejendra Prasad Patel 111 Reputation points
2022-11-17T14:22:36.587+00:00

Hi Team,

I wanted some guidance on the scenario below.

I have an application URL, https://example.com, that end users access.

But internally, IIS has two separate .NET Core MVC applications, which will be accessed as below.

I have registered the application in Azure AD and provided the reply URL as below.

End users will access https://example.com/mainlanding, and mainlanding will create custom claims using IClaimsTransformation. This is working.

But when the user accesses subapp from the menu of the mainlanding application, I am not able to access the custom claims that were created by the mainlanding application.

Questions:

  1. Is it possible to persist a custom claim created by mainlanding so that it can be accessed by subapp?
  2. Do I need to create the custom claims in both applications separately?
  3. Or do I need to register the applications separately?

Please guide me on this; it would be helpful.

Thank you!
Tej


Accepted answer
  2022-11-22T22:51:45.673+00:00

    Hello @Tejendra Prasad Patel and thanks for reaching out. You will find my answers below your questions:

    1. Is this possible to persist custom claim created by mainlanding and can be access by subapp?
       As stated by @Bruce (SqlWork.com), the Azure ID token is usually serialized in the web app cookie and can be shared provided both web apps share the same Azure AD app registration; otherwise claim validation may fail. For more information take a look at Share authentication cookies among ASP.NET apps.
    2. Do I need to create custom claims in both applications separately?
       You can create a common lib that handles such a task and can be used by both web apps.
    3. Or do I need to register the applications separately?
       Since claims processing is done in the web apps, your best bet is to add the claims in each web app. Alternatively, you may add custom claims before token issuance. For more information take a look at Provide optional claims to your app and Customize claims emitted in tokens for a specific app in a tenant. In the latter scenario, many apps can share a single policy.

    Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  Bruce (SqlWork.com) 60,866 Reputation points
    2022-11-17T19:15:47.857+00:00

    With your setup there are three cookies.

    Azure AD: has a login cookie. When the website redirects to Azure AD, if a login cookie exists, then it just redirects back to the website with a token.

    Website 1: when Azure AD redirects to its reply URL, it creates a new cookie (with the additional claims added).
    Website 2: when Azure AD redirects to its reply URL, it creates a new cookie (with the additional claims added).

    Note that both websites have their own cookies. You can configure the cookie authentication to share the cookie between the sites. This will require setting a common path, and configuring DataProtection services to use a common encryption key.

    1 person found this answer helpful.
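Both answers above come down to the same two pieces of configuration: a shared class library that registers the IClaimsTransformation in each app, and cookie authentication plus Data Protection configured identically in both apps so the cookie written by /mainlanding can be read by /subapp. The snippet below is an added example written for this thread, not code from either answerer or from Microsoft; the library name, claim type, key-ring path and the "Reader" value are placeholders, and it assumes both apps use the same Azure AD app registration and run under IIS on Windows.

```csharp
// SharedAuth/SharedAuth.cs (hypothetical class library referenced by both MVC apps)
using System.IO;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public sealed class AppRoleClaimsTransformation : IClaimsTransformation
{
    private const string ClaimType = "urn:example:app-role"; // placeholder claim type
    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // Runs on every request and its result is NOT written back to the cookie,
        // which is why each app must register it; guard against adding the claim twice.
        if (principal.Identity is not ClaimsIdentity identity || !identity.IsAuthenticated
            || identity.HasClaim(c => c.Type == ClaimType))
            return Task.FromResult(principal);
        // Clone so the incoming principal is not mutated in place.
        var clone = principal.Clone();
        var cloneIdentity = (ClaimsIdentity)clone.Identity!;
        // Placeholder lookup: a real app resolves the role from its own store.
        cloneIdentity.AddClaim(new Claim(ClaimType, "Reader"));
        return Task.FromResult(clone);
    }
}

public static class SharedAuthExtensions
{
    // Call from the Program.cs of BOTH apps so cookie name, path and key ring match.
    public static IServiceCollection AddSharedCookieAuth(this IServiceCollection services, string keyRingPath)
    {
        services.AddDataProtection()
            .PersistKeysToFileSystem(new DirectoryInfo(keyRingPath)) // folder ACL'd to the two app-pool identities only
            .ProtectKeysWithDpapi(protectToLocalMachine: true)      // keys encrypted at rest; machine scope so both pools can read
            .SetApplicationName("SharedCookieApp");                   // purpose string must be identical in every app
        services.Configure<CookieAuthenticationOptions>(CookieAuthenticationDefaults.AuthenticationScheme, o =>
        {
            o.Cookie.Name = ".AspNet.SharedCookie"; // same name in both apps
            o.Cookie.Path = "/";                    // common path covering /mainlanding and /subapp
            o.Cookie.SameSite = SameSiteMode.Lax;
            o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        });
        services.AddTransient<IClaimsTransformation, AppRoleClaimsTransformation>();
        return services;
    }
}
```

In each app, call `builder.Services.AddSharedCookieAuth(@"D:\keys\shared")` (placeholder path) after the Azure AD authentication registration; a mismatch in application name, key ring or cookie path shows up as the second app silently treating the user as anonymous, which is the first thing to check if sharing does not work.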