How to make sure the "sub" field in idToken during SSO is equal to any field in POST /Users SCIM provisioning call

Connected Identity 40 Reputation points
2023-05-25T16:50:53.3533333+00:00

I am using Azure AD's SCIM provisioning to sync users from AD's enterprise application into my application. I have also enabled SSO by creating client credentials for the same application.

I see that in the idToken during OIDC flow, I receive an identifier in "sub" claim which I will be using as a unique identifier for a user in my application. For me to do this, I should have stored the same value in my database during SCIM provisioning of the user.

So, I wanted to know how to send the unique value which is sent in "sub" of idToken during scim provisioning of the user.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
24,959 questions
0 comments No comments
{count} votes

Accepted answer
  1. Danny Zollner 10,801 Reputation points Microsoft Employee Moderator
    2023-05-26T02:55:00.7733333+00:00

    This isn't necessary. From the OIDC token, you should instead use the "oid" claim, which is mapped to the Azure AD user object's ObjectID, which is an immutable unique identifier. The "sub" claim is a pairwise hash of the Azure AD user object's ObjectID + the ApplicationId of the application, meaning it is an identifier that is unique per Azure AD application, but is not guaranteed to be unique across all of Azure AD.

    Reference: https://learn.microsoft.com/en-us/azure/active-directory/develop/id-tokens#payload-claims

    From the SCIM provisioning side, you can then map for users: objectId -> externalId


0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.