Configuring and Using Custom Claims in Microsoft Entra ID

  • Published 29 Jan 2025

COMMENTS • 9

  • @nryttv3, 10 months ago

    After a lot of googling, found this video the most helpful! Thanks

  • @RamonDeKlein, 2 months ago

    It looks like MS decided to change the interface again and the OpenID Connect options seem to have disappeared from the "Single Sign On" page. I'm always getting frustrated when dealing with AAD.

  • @KeesJanLogemann, 2 months ago

    Hi Randy, did you publish this demo app (on GitHub maybe)?
    I would like to peek in your code for educational purposes.

  • @2god2me, 13 days ago

    Custom Claims Provider seems useless, what's stopping the user from deleting the provider and breaking your JWT contract? Or even replacing it with their own provider, you can't trust the value in externalDepartment, externalObjectId and externalUPN?

  • @Parawata, 10 months ago

    This video has been really helpful setting up Clients with custom claims through Entra. What I want to do next is automate this through bash scripts using the Azure CLI. I've managed to configure the majority of the client registration, i.e. app roles, consent, manifest changes etc. However, I've hit a bit of a wall trying to find a way to add custom claims through the Single Sign On available in the Enterprise Application section.
    Is it possible to do this from the command line, that is through Azure CLI from bash, not PowerShell? Tokens generated are for API to API using the client_cred flow, so optional claims to support this don't seem like an option.
    Any input much appreciated!

  • @MarioMontDEV, 2 months ago

    Thanks for the valuable information. I followed the tutorial and added the 2 custom claims like you suggested and got this error: "invalid_request', error_description: 'AADSTS50146: This application is required to be configured with an application-specific signing key. It is either not configured with one, or the key has expired or is not yet valid." I believe you've omitted the step where you configure an application-specific signing key to make it work, or edit the App manifest to include "acceptMappedClaims": true and the "requestedAccessTokenVersion": 2 in a single tenant environment. I used the latter approach and it worked as expected.

  • @saiwares, 7 months ago

    Sheesh... It was there all the while; I spent 2 days trying to make custom claims work by adding them as Optional Claims from App Registration instead. Those claim names would appear in the Manifest file but never appear in ID or Access tokens. Entra ID is really a bad implementation. Receiving Manager, Sponsor and custom non-predefined attributes in claims is still a headache.
