Custom static claim in JWT token

Giacomo Collini 96 Reputation points
2021-02-05T15:19:53.377+00:00

Hi,

We have a web application configured with JWT SSO against Azure.
We need to deploy multiple instances of this application, and we would like to configure an optionalc laim to be added to the id token. The claim will be statically defined and will be unique for each application instance.
Is there a way to achieve this? All the examples I found expects value to come from an Azure object, as defined by the 'source' attribute.

What I'm looking for is something like:

"optionalClaims": {
"idToken": [
{
"name": "custom_instance_identifier",
"essential": false,
"value":"instanceid"
}
]
}

Thanks,

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,859 questions
0 comments No comments
{count} votes

1 additional answer

Sort by: Most helpful
  1. Siva-kumar-selvaraj 15,566 Reputation points
    2021-02-10T10:37:09.407+00:00

    Hello Hello @Giacomo Collini ,

    Thanks for your reaching out.

    Custom static claim can be configured by using "Claims mapping policies". Please find below detailed steps for creating AzureAD policy and then assigning them to service principal objects.

    • You must have AzureAD module installed because this can be only done through PowerShell way. If not installed already refer this article to install AzureAD Module.

    • Use this cmdlet to create New Azure AD Policy, this would define static claim with the name of custom_instance_identifier and value as 555

       New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":true,"ClaimsSchema":[{"Value":"555","JwtClaimType":"custom_instance_identifier"}]}}') -DisplayName "StaticClaim" -Type "ClaimsMappingPolicy"  
    

    • To see your new policy, and to get the policy ObjectId, run the following command:

       Get-AzureADPolicy  
    

    • Assign the policy to your service principal. You can get the ObjectId of your service principal from Enterprise applications blade as shown below screenshot.

       Add-AzureADServicePrincipalPolicy -Id <ObjectId of the ServicePrincipal> -RefObjectId <ObjectId of the Policy>  
    

    66393-image.png

    • Once policy has successfully assigned, then enable the AcceptMappedClaims to true in the App Registration Manifest as we can see in the following image:
    66404-image.png

    Now you should see defined static claim appears in ID_Token (JWT token). Please find below screenshot from my lab for your reference:

    id_token (JWT):

    66278-image.png

    ------------------------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
    0 comments No comments