Customize your authentication flows with custom claims providers for Azure AD

Customize your authentication flows with custom claims providers for Azure AD

We are super excited to announce the public preview of custom claims providers for Azure Active Directory (Azure AD), now part of Microsoft Entra.  A custom claims provider lets you call an API and map custom claims into the token during the authentication flow. The API call is made after the user has completed all their authentication challenges, and a token is about to be issued to the app.  We heard from many of you that you need to return additional claims into the tokens sent to your apps so that they could function as intended. And these claims were being sourced from external systems, for a few reasons: 

 

  • You needed to keep sensitive attributes on premises and use Active Directory Federation Services, or other federation services to pass through claims to Azure AD. 
  • Regulatory requirements prevented you from being able to synchronize these attributes to Azure AD. 
  • You have complex RBAC models which are stored in external databases. 
  • You don’t own the app or cannot modify the app to fetch these attributes post authentication.

Now, with custom claims providers, you can source claims from external systems and issue them directly into the token. It allows interfacing with any data store, LDAP, SQL or anything else. A custom claims provider can be setup for your Open ID and SAML apps, and it works in scenarios to authenticate employees, and external identities.

Let’s show you how you can set this up for Contoso’s HR app. In this scenario, Contoso are looking to decouple their HR app from Active Directory Federation Services, and authenticate directly with Azure AD. The HR app expects the user’s employee number to be returned in the token, which is stored in an on-premises Active Directory.  

 

Contoso can configure a custom claims provider to fetch this data and insert it into the token during authentication. Let’s begin setting it up for Contoso’s Azure AD. 

In the Enterprise applications menu, the Contoso Admin selects Custom authentication extensions, and then selects Create a custom extension. 

 

 

thumbnail image 1 of blog post titled Customize your authentication flows with custom claims providers!

 

 

They then select TokenIssuanceEvent and select Next. 

 

 

thumbnail image 2 of blog post titled Customize your authentication flows with custom claims providers!

 

 

 

The admin enters a Name, the API endpoint, and Description for Contoso’s API, and selects Next. The API endpoint would communicate with Active Directory using an LDAP search to fetch the user’s employee number. 

 

 

thumbnail image 3 of blog post titled Customize your authentication flows with custom claims providers!

 

 

Next, the Contoso admin can configure how the custom extension will authenticate to their API. They will select Create new app registration, provide a Name, and select Next. We will use client credentials to authenticate to Contoso’s API.  Since Contoso hosts their API using an Azure Functions app, this app registration will be used to protect it automatically. 

 

 

thumbnail image 4 of blog post titled Customize your authentication flows with custom claims providers!

 

 

Then, they configure the attribute name returned by the API to the custom extension. Contoso’s API will return the attribute employeeName. The admin enters employeeName under Claim name, and selects Next. 

 

 

thumbnail image 5 of blog post titled Customize your authentication flows with custom claims providers!

 

 

Now let’s map in the claim for the HR App Registration using the custom claims provider. The Contoso admin navigates to the Enterprise Applications menu, selects their App, selects Single sign-on, and then selects Edit under Attributes and Claims. 

 

 

thumbnail image 6 of blog post titled Customize your authentication flows with custom claims providers!

 

 

The Contoso admin then needs to create a claims mapping to source the employee number from the custom extension by configuring a custom claims provider. 

 

They expand the Advanced menu, and select Configure 

 

 

thumbnail image 7 of blog post titled Customize your authentication flows with custom claims providers!

 

 

The admin selects Custom claims provider and selects the custom extension that was created earlier, then selects Save. 

 

 

thumbnail image 8 of blog post titled Customize your authentication flows with custom claims providers!

 

Finally, the admin selects Add new claim and enters a Name for the claim to be issued into the token. They will then select Attributes under Source, and select the Source Attribute, which will be in the format: customClaimsProvider.attributeName. Then select Save. 

 

 

thumbnail image 9 of blog post titled Customize your authentication flows with custom claims providers!

 

 

Now that’s all done, when a user completes their sign in into the Contoso HR app, the custom extension will be triggered, and the custom claims provider will use the custom extension to add the employee number into the token. 

 

Here’s a diagram showing the flow. 

 

 

thumbnail image 10 of blog post titled Customize your authentication flows with custom claims providers!

 

 

There is a more in-depth video tutorial you can find below: https://youtu.be/BYOMshjlwbc

 

Custom claims providers is just the first use of a custom extension. We’ll continue to release additional custom extension events, so you can customize your authentication flows even more.

You can read more about custom extensions here and about custom claims providers here.

_

Contact Us 

LinkedIn

No Comments

Sorry, the comment form is closed at this time.