Hi @Florian Wachs, I was working on a different issue with a similar ask, so I thought of sharing the solution with you as well. :)
- Define the claims schema.

```xml
<ClaimType Id="extension_CustomRoles">
  <DisplayName>Custom roles</DisplayName>
  <DataType>string</DataType>
</ClaimType>
<ClaimType Id="extension_MyCustomRoles">
  <DisplayName>My custom roles</DisplayName>
  <DataType>stringCollection</DataType>
</ClaimType>
```
- Add the claims transformation rule.

```xml
<ClaimsTransformation Id="customRoles_ClaimsTransformation" TransformationMethod="StringSplit">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="extension_CustomRoles" TransformationClaimType="inputClaim" />
  </InputClaims>
  <InputParameters>
    <InputParameter DataType="string" Id="delimiter" Value="," />
  </InputParameters>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="extension_MyCustomRoles" TransformationClaimType="outputClaim" />
  </OutputClaims>
</ClaimsTransformation>
```
- To the required Technical Profile, add the string claim as the output claim and the claims transformation rule to transform it to a stringCollection claim.

```xml
<TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
  <DisplayName>Local Account Signin</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    ...
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="signInName" />
  </InputClaims>
  <OutputClaims>
    ...
    <OutputClaim ClaimTypeReferenceId="extension_CustomRoles" AlwaysUseDefaultValue="true" DefaultValue="SecAdmin,UserAdmin,AppAdmin" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="customRoles_ClaimsTransformation" />
  </OutputClaimsTransformations>
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="login-NonInteractive" />
  </ValidationTechnicalProfiles>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>
```
- Finally, add the claim as an output claim to the RP (signup/signin) file.

Once the custom policy is updated with the above information, you will get the string collection claim in the token as mentioned below:

```xml
<OutputClaim ClaimTypeReferenceId="extension_MyCustomRoles" PartnerClaimType="my_custom_roles" />
```
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
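As an added example that is not part of the answer above: the relying party that consumes the token can check that the role claim arrives as a collection and gate access on it. It assumes the token's signature, issuer and audience have already been verified by the app's JWT library, that `my_custom_roles` is the PartnerClaimType from the policy, and that the application keeps its own allowlist of role names (the `KNOWN_ROLES` set is constructed here).

```python
import json
from typing import Iterable

# Constructed sample payload (signature already verified elsewhere) with the
# claim emitted as a stringCollection under the PartnerClaimType from the policy.
SAMPLE_CLAIMS = json.loads(
    '{"sub": "user-1", "my_custom_roles": ["SecAdmin", "UserAdmin", "AppAdmin"]}'
)

# Roles the application actually understands; anything else in the token is ignored.
KNOWN_ROLES = frozenset({"SecAdmin", "UserAdmin", "AppAdmin", "Reader"})


def extract_roles(claims: dict, claim_name: str = "my_custom_roles") -> frozenset:
    """Return the set of known roles carried by the token.

    Accepts the stringCollection form (a JSON array) produced by the StringSplit
    transformation, and also the raw comma-separated string a policy emits before
    the transformation is wired in, so a policy rollout does not break authorization.
    Unknown or malformed entries are dropped rather than trusted.
    """
    raw = claims.get(claim_name)
    if raw is None:
        return frozenset()
    if isinstance(raw, str):
        values: Iterable = raw.split(",")
    elif isinstance(raw, list):
        values = (v for v in raw if isinstance(v, str))
    else:
        return frozenset()
    cleaned = {v.strip() for v in values}
    return frozenset(cleaned & KNOWN_ROLES)


def is_authorized(claims: dict, required: Iterable[str]) -> bool:
    """True only if every required role is present in the token's known roles."""
    return set(required) <= extract_roles(claims)


if __name__ == "__main__":
    print(sorted(extract_roles(SAMPLE_CLAIMS)))
    print(is_authorized(SAMPLE_CLAIMS, ["SecAdmin"]))
    print(is_authorized(SAMPLE_CLAIMS, ["Reader"]))
```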