Create a static stringCollection claim

Florian Wachs 96 Reputation points
2022-02-03T16:00:50.907+00:00

Hi,
I use custom policies.
For testing purposes I want to add a new stringCollection claim to my ID token.

I created a new claim:

    <ClaimType Id="customerIds">
        <DisplayName>Sample of a customerIds collection for evaluation purposes only</DisplayName>
        <DataType>stringCollection</DataType>
        <UserInputType>Readonly</UserInputType>
    </ClaimType>

I added a transformation to add values:

    <ClaimsTransformation Id="AddDummyCustomerIds" TransformationMethod="AddParameterToStringCollection">
        <InputClaims>
            <InputClaim ClaimTypeReferenceId="customerIds" TransformationClaimType="collection" />
        </InputClaims>
        <InputParameters>
            <InputParameter Id="i1" DataType="string" Value="C10080" />
            <InputParameter Id="i2" DataType="string" Value="C10240" />
            <InputParameter Id="i3" DataType="string" Value="C10000" />
        </InputParameters>
        <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="customerIds" TransformationClaimType="collection" />
        </OutputClaims>
    </ClaimsTransformation>

I added this to signUpOrSignIn.xml:

    <TechnicalProfile Id="PolicyProfile">
        <DisplayName>PolicyProfile</DisplayName>
        <Protocol Name="OpenIdConnect" />
        <OutputClaimsTransformations>
            <OutputClaimsTransformation ReferenceId="AddDummyCustomerIds" />
        </OutputClaimsTransformations>
        <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="name" />
            <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
            <OutputClaim ClaimTypeReferenceId="identityProvider" />
            <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
            <OutputClaim ClaimTypeReferenceId="customerIds" />
        </OutputClaims>

        <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>

My problem is that the claim is not added to the token. No errors are thrown. So my question is: is it possible to create a dummy stringCollection claim with values and add it to the token?

Azure Active Directory External Identities

Accepted answer
AmanpreetSingh-MSFT 55,991 Reputation points
2022-04-04T13:38:01.56+00:00

Hi @Florian Wachs, I was working on a different issue with a similar ask, so I thought of sharing the solution with you as well. :)

1. Define the claims schema.

    <ClaimType Id="extension_CustomRoles">
        <DisplayName>Custom roles</DisplayName>
        <DataType>string</DataType>
    </ClaimType>

    <ClaimType Id="extension_MyCustomRoles">
        <DisplayName>My custom roles</DisplayName>
        <DataType>stringCollection</DataType>
    </ClaimType>

2. Add the claims transformation rule.

    <ClaimsTransformation Id="customRoles_ClaimsTransformation" TransformationMethod="StringSplit">
        <InputClaims>
            <InputClaim ClaimTypeReferenceId="extension_CustomRoles" TransformationClaimType="inputClaim" />
        </InputClaims>
        <InputParameters>
            <InputParameter DataType="string" Id="delimiter" Value="," />
        </InputParameters>
        <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="extension_MyCustomRoles" TransformationClaimType="outputClaim" />
        </OutputClaims>
    </ClaimsTransformation>

3. To the required technical profile, add the string claim as the output claim and the claims transformation rule to transform it into a stringCollection claim.

    <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
        <DisplayName>Local Account Signin</DisplayName>
        <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        <Metadata>
            ...
        </Metadata>
        <IncludeInSso>false</IncludeInSso>
        <InputClaims>
            <InputClaim ClaimTypeReferenceId="signInName" />
        </InputClaims>
        <OutputClaims>
            ...
            <OutputClaim ClaimTypeReferenceId="extension_CustomRoles" AlwaysUseDefaultValue="true" DefaultValue="SecAdmin,UserAdmin,AppAdmin" />
        </OutputClaims>
        <OutputClaimsTransformations>
            <OutputClaimsTransformation ReferenceId="customRoles_ClaimsTransformation" />
        </OutputClaimsTransformations>
        <ValidationTechnicalProfiles>
            <ValidationTechnicalProfile ReferenceId="login-NonInteractive" />
        </ValidationTechnicalProfiles>
        <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
    </TechnicalProfile>

4. Finally, add the claim as an output claim to the RP (signup/signin) file.

    <OutputClaim ClaimTypeReferenceId="extension_MyCustomRoles" PartnerClaimType="my_custom_roles" />

Once the custom policy is updated with the above information, you will get the string collection claim in the token as shown below:

[image: 189782-image.png, the issued token containing the string collection claim]

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
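The accepted answer relies on three pieces of wiring being consistent: the ClaimType is declared with the right DataType, the transformation's input and output claims have the types StringSplit expects (string in, stringCollection out), and every ReferenceId in the technical profiles resolves. B2C reports none of these mistakes at token time (the claim simply goes missing, as in the question), so an offline check is useful. The following linter is an added example, not code from the question, the answer or Microsoft; it uses only the Python standard library. The embedded TrustFrameworkPolicy is constructed for this example and mirrors the answer's snippets; the tenant and policy names, and the expected-DataType table for the two transformation methods, are this example's assumptions.

```python
"""Lint the claim/transformation wiring of an Azure AD B2C custom policy.

Added example (not from the original page). Checks that:
  1. every ClaimTypeReferenceId resolves to a declared ClaimType,
  2. every OutputClaimsTransformation points at a declared ClaimsTransformation,
  3. StringSplit / AddParameterToStringCollection are wired to claims of the
     DataType they expect (the table below is this example's assumption).
"""
import xml.etree.ElementTree as ET

# Namespace used by B2C TrustFrameworkPolicy files.
NS = {"b2c": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}

# (input DataType, output DataType) per TransformationMethod; assumption for
# this example, limited to the two methods discussed on the page.
METHOD_TYPES = {
    "StringSplit": ("string", "stringCollection"),
    "AddParameterToStringCollection": ("stringCollection", "stringCollection"),
}


def lint_policy(xml_text: str) -> list[str]:
    """Return human-readable problems; an empty list means the wiring is clean."""
    root = ET.fromstring(xml_text)
    claim_types = {
        ct.get("Id"): ct.findtext("b2c:DataType", default="", namespaces=NS)
        for ct in root.iterfind(".//b2c:ClaimType", NS)
    }
    transforms = {t.get("Id"): t for t in root.iterfind(".//b2c:ClaimsTransformation", NS)}
    problems: list[str] = []

    # 1. Every claim referenced anywhere must be declared in the ClaimsSchema.
    for el in root.iter():
        ref = el.get("ClaimTypeReferenceId")
        if ref is not None and ref not in claim_types:
            problems.append(f"undeclared claim type '{ref}'")

    # 2. Every OutputClaimsTransformation must reference a declared transformation.
    for el in root.iterfind(".//b2c:OutputClaimsTransformation", NS):
        ref = el.get("ReferenceId")
        if ref not in transforms:
            problems.append(f"undeclared claims transformation '{ref}'")

    # 3. Input/output claims must carry the DataType the method expects.
    for tid, t in transforms.items():
        expected = METHOD_TYPES.get(t.get("TransformationMethod", ""))
        if expected is None:
            continue
        for path, want in (("b2c:InputClaims/b2c:InputClaim", expected[0]),
                           ("b2c:OutputClaims/b2c:OutputClaim", expected[1])):
            for c in t.iterfind(path, NS):
                name = c.get("ClaimTypeReferenceId")
                got = claim_types.get(name)
                if got is not None and got != want:
                    problems.append(f"{tid}: claim '{name}' is {got}, expected {want}")
    return problems


# Constructed minimal policy mirroring the accepted answer's four steps.
GOOD_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
    PolicySchemaVersion="0.3.0.0" TenantId="contoso.onmicrosoft.com" PolicyId="B2C_1A_Example"
    PublicPolicyUri="http://contoso.onmicrosoft.com/B2C_1A_Example">
  <BuildingBlocks>
    <ClaimsSchema>
      <ClaimType Id="extension_CustomRoles"><DataType>string</DataType></ClaimType>
      <ClaimType Id="extension_MyCustomRoles"><DataType>stringCollection</DataType></ClaimType>
    </ClaimsSchema>
    <ClaimsTransformations>
      <ClaimsTransformation Id="customRoles_ClaimsTransformation" TransformationMethod="StringSplit">
        <InputClaims><InputClaim ClaimTypeReferenceId="extension_CustomRoles" TransformationClaimType="inputClaim"/></InputClaims>
        <InputParameters><InputParameter Id="delimiter" DataType="string" Value=","/></InputParameters>
        <OutputClaims><OutputClaim ClaimTypeReferenceId="extension_MyCustomRoles" TransformationClaimType="outputClaim"/></OutputClaims>
      </ClaimsTransformation>
    </ClaimsTransformations>
  </BuildingBlocks>
  <ClaimsProviders><ClaimsProvider><TechnicalProfiles>
    <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
      <OutputClaims><OutputClaim ClaimTypeReferenceId="extension_CustomRoles" AlwaysUseDefaultValue="true" DefaultValue="SecAdmin,UserAdmin,AppAdmin"/></OutputClaims>
      <OutputClaimsTransformations><OutputClaimsTransformation ReferenceId="customRoles_ClaimsTransformation"/></OutputClaimsTransformations>
    </TechnicalProfile>
  </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
  <RelyingParty><TechnicalProfile Id="PolicyProfile">
    <OutputClaims><OutputClaim ClaimTypeReferenceId="extension_MyCustomRoles" PartnerClaimType="my_custom_roles"/></OutputClaims>
  </TechnicalProfile></RelyingParty>
</TrustFrameworkPolicy>"""

# Two deliberately broken variants: a typo in a ReferenceId, and the collection
# claim declared as a plain string so StringSplit's output type no longer matches.
BAD_REF_POLICY = GOOD_POLICY.replace('ReferenceId="customRoles_ClaimsTransformation"/>',
                                     'ReferenceId="customRoles_ClaimsTransformatoin"/>')
BAD_TYPE_POLICY = GOOD_POLICY.replace('Id="extension_MyCustomRoles"><DataType>stringCollection',
                                      'Id="extension_MyCustomRoles"><DataType>string')

if __name__ == "__main__":
    for label, policy in (("good", GOOD_POLICY), ("bad-ref", BAD_REF_POLICY), ("bad-type", BAD_TYPE_POLICY)):
        print(label, lint_policy(policy) or "clean")
```

Run it against the file that declares the ClaimsSchema (normally TrustFrameworkBase.xml) or against a merged copy of the base, extensions and relying-party files: the linter only sees one document, so references to claims or transformations declared in a parent file of the inheritance chain will be reported as undeclared.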

0 additional answers
