question

JonathanHolmes-9138 asked amanpreetsingh-msft commented

Need to create a "Required Claim" (I think)

Hello. I am new to Azure AD and SSO.

I am trying to copy an existing app and modify it for another purpose. Meanwhile the new app is working using UPN for authentication with SSO.

The problem is, not all email aliases are the same in our ORG and it appears when authenticating with Azure AD, even though we have an additional claim called username set to userPrincipalName, the request fails unless the default SMTP matches the UPN.

In our working app, the claim is "Required", but in the problematic app, the claim is not required, but "Additional". Am I on the right track? Is there a way to make this claim required rather than additional?

azure-ad-saml-sso

1 Answer

amanpreetsingh-msft answered amanpreetsingh-msft commented

Hi @JonathanHolmes-9138 • Thank you for reaching out.

Please refer to the ASP.NET Core code snippet below to make a claim required. In the example below, the attribute name is EmployeeNumber.

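 // Startup.cs: register an authorization policy that requires a claim.
 public void ConfigureServices(IServiceCollection services)
 {
     services.AddControllersWithViews();
     services.AddRazorPages();

     services.AddAuthorization(options =>
     {
         // "EmployeeOnly" succeeds only when the signed-in user carries an EmployeeNumber claim.
         options.AddPolicy("EmployeeOnly", policy => policy.RequireClaim("EmployeeNumber"));
     });
 }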

Read more: https://docs.microsoft.com/en-us/aspnet/core/security/authorization/claims?view=aspnetcore-5.0


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
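An added example, not part of the original answer or Microsoft's documentation: a console program that evaluates a `RequireClaim` policy against constructed users, showing that the check runs in the application against whatever claims the sign-in produced. It assumes the `Microsoft.AspNetCore.Authorization` and `Microsoft.Extensions.Logging` packages are referenced, and that the sign-in handler surfaces the question's `username` claim under exactly that type name; the policy name and sample users are hypothetical.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

var services = new ServiceCollection();
services.AddLogging();   // the default authorization service takes an ILogger
services.AddOptions();
services.AddAuthorizationCore(options =>
{
    // Same shape as the policy in the answer, with the claim name from the question.
    // "UsernameRequired" is a hypothetical policy name.
    options.AddPolicy("UsernameRequired", p => p.RequireClaim("username"));
});

var authz = services.BuildServiceProvider()
                    .GetRequiredService<IAuthorizationService>();

// Constructed principals standing in for what a sign-in handler would build
// from the SAML assertion or token. All values are sample data.
static ClaimsPrincipal User(params Claim[] claims) =>
    new(new ClaimsIdentity(claims, authenticationType: "constructed-sample"));

var cases = new[]
{
    // The claim is present under the expected type: the policy succeeds.
    ("username present", User(new Claim("username", "alice@contoso.example"))),
    // Only an e-mail claim was issued: the policy fails.
    ("username missing", User(new Claim(ClaimTypes.Email, "alice.smith@contoso.example"))),
    // Same value, but issued under the long UPN claim type instead of "username":
    // the policy fails, because RequireClaim looks for the claim type it was given.
    ("value under UPN type", User(new Claim(ClaimTypes.Upn, "alice@contoso.example"))),
};

foreach (var (label, user) in cases)
{
    AuthorizationResult result = await authz.AuthorizeAsync(user, "UsernameRequired");
    var failed = result.Failure?.FailedRequirements
                       .Select(r => r.GetType().Name) ?? Enumerable.Empty<string>();
    Console.WriteLine($"{label,-22} allowed={result.Succeeded} failed=[{string.Join(", ", failed)}]");
}
```

In a web app the policy takes effect once it is attached to a controller, page or endpoint, for example with `[Authorize(Policy = "UsernameRequired")]`.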


@AmanpreetSingh-MSFT thanks for your reply.

Can this be done from Azure Active Directory admin center? Sorry if it is a silly question. I've been thrown in the deep end with this one.

Cheers.


@JonathanHolmes-9138 · No, this has to be done from the application side.
