Create a static stringCollection claim

Florian Wachs 91 Reputation points
2022-02-03T16:00:50.907+00:00

Hi,
I use custom polices.
For testing purposes I want to add a new stringCollection claim to my Id Token.

I created a new claim 

  <ClaimType Id="customerIds">
        <DisplayName>Sample of a customerIds collection for evaluation purposes only</DisplayName>
        <DataType>stringCollection</DataType>
        <UserInputType>Readonly</UserInputType>
      </ClaimType>

I added a transformation to add values: 

<ClaimsTransformation Id="AddDummyCustomerIds" TransformationMethod="AddParameterToStringCollection">
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="customerIds" TransformationClaimType="collection" />
        </InputClaims>
        <InputParameters>
          <InputParameter Id="i1" DataType="string" Value="C10080" />
          <InputParameter Id="i2" DataType="string" Value="C10240" />
          <InputParameter Id="i3" DataType="string" Value="C10000" />
        </InputParameters>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="customerIds" TransformationClaimType="collection" />
        </OutputClaims>
      </ClaimsTransformation>

I Added this in the signUpOrSignIn.xml 

 <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="AddDummyCustomerIds" />
      </OutputClaimsTransformations>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="name" />
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
        <OutputClaim ClaimTypeReferenceId="identityProvider" />
        <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
        <OutputClaim ClaimTypeReferenceId="customerIds"/>
      </OutputClaims>

      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>

My Problem is, the claim is not added to the token. No errors a thrown. So my question is, is it possible to create a dummy stringCollectionClaim with values and add it to the token?

Azure Active Directory External Identities
Accepted answer
  1. AmanpreetSingh-MSFT 55,366 Reputation points
    2022-04-04T13:38:01.56+00:00

    Hi @Florian Wachs • I was working on a different issue with a similar ask, so I thought of sharing the solution with you as well. :)

    1. Define the claims schema. 
      <ClaimType Id="extension_CustomRoles">  
    <DisplayName>Custom roles</DisplayName>  
    <DataType>string</DataType>  
</ClaimType>  

<ClaimType Id="extension_MyCustomRoles">  
    <DisplayName>My custom roles</DisplayName>  
    <DataType>stringCollection</DataType>  
</ClaimType>
    2. Add the claims transformation rule. 
      <ClaimsTransformation Id="customRoles_ClaimsTransformation" TransformationMethod="StringSplit">  
     <InputClaims>  
          <InputClaim ClaimTypeReferenceId="extension_CustomRoles" TransformationClaimType="inputClaim" />  
     </InputClaims>  
     <InputParameters>  
          <InputParameter DataType="string" Id="delimiter" Value="," />  
     </InputParameters>  
     <OutputClaims>  
          <OutputClaim ClaimTypeReferenceId="extension_MyCustomRoles" TransformationClaimType="outputClaim" />  
     </OutputClaims>  
</ClaimsTransformation>
    3. To the required Technical Profile, add the string claim as the output claim and the claims transformation rule to transform it to a stringCollection claim. 
      <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">  
     <DisplayName>Local Account Signin</DisplayName>  
     <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />  
     <Metadata>  
         ...  
     </Metadata>  
     <IncludeInSso>false</IncludeInSso>  
     <InputClaims>  
            <InputClaim ClaimTypeReferenceId="signInName" />  
     </InputClaims>  
     <OutputClaims>  
            ...  
            <OutputClaim ClaimTypeReferenceId="extension_CustomRoles" AlwaysUseDefaultValue="true" DefaultValue="SecAdmin,UserAdmin,AppAdmin" />  
     </OutputClaims>  
     <OutputClaimsTransformations>  
            <OutputClaimsTransformation ReferenceId="customRoles_ClaimsTransformation" />  
     </OutputClaimsTransformations>  
     <ValidationTechnicalProfiles>  
            <ValidationTechnicalProfile ReferenceId="login-NonInteractive" />  
     </ValidationTechnicalProfiles>  
     <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />  
</TechnicalProfile>
    4. Finally add the claim as output claim to the RP (signup/signin) file. 
      <OutputClaim ClaimTypeReferenceId="extension_MyCustomRoles" PartnerClaimType="my_custom_roles" />
      Once the custom policy is updated with above information, you will get the string collection claim in the token as mentioned below:
      189782-image.png

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest