How to make sure the "sub" field in idToken during SSO is equal to any field in POST /Users SCIM provisioning call

Question

How to make sure the "sub" field in idToken during SSO is equal to any field in POST /Users SCIM provisioning call

Connected Identity 40

I am using Azure AD's SCIM provisioning to sync users from AD's enterprise application into my application. I have also enabled SSO by creating client credentials for the same application.

I see that in the idToken during OIDC flow, I receive an identifier in "sub" claim which I will be using as a unique identifier for a user in my application. For me to do this, I should have stored the same value in my database during SCIM provisioning of the user.

So, I wanted to know how to send the unique value which is sent in "sub" of idToken during scim provisioning of the user.

Accepted answer

0 additional answers

Your answer

Answer 1

Danny Zollner 10,801 Microsoft Employee Moderator

This isn't necessary. From the OIDC token, you should instead use the "oid" claim, which is mapped to the Azure AD user object's ObjectID, which is an immutable unique identifier. The "sub" claim is a pairwise hash of the Azure AD user object's ObjectID + the ApplicationId of the application, meaning it is an identifier that is unique per Azure AD application, but is not guaranteed to be unique across all of Azure AD.

Reference: https://learn.microsoft.com/en-us/azure/active-directory/develop/id-tokens#payload-claims

From the SCIM provisioning side, you can then map for users: objectId -> externalId

Connected Identity 40 Reputation points

2023-05-26T03:18:49.84+00:00

Thanks for the answer @Anonymous

We actually have an internal logic to just pick the "sub" field and mark it as an external user id. Is there no way to configure this to be sent during SCIM flow (I tried almost all values including immutableId during SCIM provisioning)?

Having said that, I tried adding "profile" scope to my OAuth calls so that I get back OID in the idToken. But, it just contains an extra "name" field and no "oid" being returned.

Auth endpoint: https://login.microsoftonline.com/51e4b304-065b-4833-8f1c-5c804592bf15/oauth2/v2.0/authorize
Token endpoint: https://login.microsoftonline.com/51e4b304-065b-4833-8f1c-5c804592bf15/oauth2/v2.0/token
Userinfo endpoint: https://graph.microsoft.com/oidc/userinfo
Danny Zollner 10,801 Reputation points Microsoft Employee Moderator

2023-05-26T16:59:21.9333333+00:00

For context - I'm a provisioning/SCIM expert, and only know enough about the OIDC stuff to be dangerous. To the first question on flowing sub as a value via AAD Provisioning, that's impossible and also ill-advised. AAD Provisioning can only access the attributes on the user object itself. "sub" as I mentioned above is a pairwise hash of two values, and therefore changes per application in AAD. While a customer can only add a single instance of any given OIDC app, it is possible to delete -> recreate the app, which some people do (usually unnecessarily) in troubleshooting. This would change the "sub" values irrecoverably and is one reason why using that as a unique identifier over "oid" isn't a good choice.

To the issue with getting the "oid" value in the token even after expanding your scope, I unfortunately cannot help there. It may be worth creating another post with that question if you don't figure it out.

Share via

How to make sure the "sub" field in idToken during SSO is equal to any field in POST /Users SCIM provisioning call

0 additional answers

Your answer