...
| Claim Type | Source System Value | OneList User |
|---|---|---|
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | Source system user id | UserName |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | First name | FirstName |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Surname | LastName |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | | |
ADFS configuration
Use the OneList root URL as the Relying Party URL, e.g. https://iqx.onelistapprovals.com. Follow this link for step-by-step instructions on the ADFS side: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-2.2
Use the Windows Event Log on the ADFS server to investigate errors.
Configure RoleManager using the following JSON:

```json
{
  "MetadataAddress": "https://adfs.cloud.weir/FederationMetadata/2007-06/FederationMetadata.xml",
  "Wtrealm": "https://onelist-dev.cloud.weir/"
}
```
Azure AD configuration
PowerShell steps to add the custom claim:
- https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping
- https://devblogs.microsoft.com/premier-developer/adding-user-optional-and-mapped-claims-in-the-azure-ad-authentication-token/
- Modify the App Registration Manifest: `"acceptMappedClaims": true,`
- Create the claims mapping policy: `New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema":[{"Source":"user","ID":"onpremisessamaccountname","JwtClaimType":"onpremisessamaccountname"}]}}') -DisplayName "ExtraClaimsSAMAccountName" -Type "ClaimsMappingPolicy"`
- Get the Service Principal for the app id: `Get-AzureADServicePrincipal -Filter "servicePrincipalNames/any(n: n eq 'the app id')"`
- Assign the policy to the Service Principal: `Add-AzureADServicePrincipalPolicy -Id <ObjectId of the ServicePrincipal> -RefObjectId <ObjectId of the Policy>`
DO NOT use the .NET MicrosoftAccount provider for Azure AD: it uses the OAuth flow and cannot retrieve custom claims. Only the OIDC flow can retrieve custom claims.
Steps to register OneList on AAD: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
The Redirect URI for OneList is: https://iqx.onelistapprovals.com/rolemanager/signin-azure
If OneList is registered as multi-tenant, then tenant_id = common.
Configure RoleManager using this JSON:

```json
{
  "clientid": "xxxxx",
  "clientsecret": "xxxx",
  "Authority": "https://login.microsoftonline.com/<tenant_id>/v2.0",
  "CallbackPath": "/signin-azure",
  "Prompt": "select_account",
  "SaveTokens": false,
  "UserNameClaim": "<custom user name claim>"
}
```
To avoid auto sign-in, add the following to the JSON: `"Prompt": "select_account"`
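The following is an added example, not OneList's own code, that ties the claim mapping table above to the `UserNameClaim` setting: it decodes the payload of an id_token (without signature verification, purely to see which claims the identity provider actually issued; the OIDC middleware is what validates the token), refuses to build a user when the configured user name claim is absent or empty (the symptom of a missing ClaimsMappingPolicy assignment or of the OAuth-based MicrosoftAccount provider), and maps the remaining claims to the OneList user fields. The OIDC short claim names `given_name`, `family_name` and `email`, the sample payload, the placeholder signature and the function names are all assumptions made for this example.

```python
"""Inspect id_token claims and map them to OneList user fields.

Added example (not OneList's own code). Assumes the standard OIDC claim
names given_name / family_name / email in Azure AD v2.0 id_tokens and the
custom claim "onpremisessamaccountname" from the ClaimsMappingPolicy above.
"""
import base64
import json

# WS-Federation claim URIs from the mapping table, keyed by OneList field.
WSFED_CLAIMS = {
    "UserName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "FirstName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "LastName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "Email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
}

# Short claim names used in OIDC id_tokens (assumed standard OIDC names).
OIDC_CLAIMS = {
    "FirstName": "given_name",
    "LastName": "family_name",
    "Email": "email",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode base64url (RFC 7515) after restoring the padding JWTs strip off."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT WITHOUT verifying its signature.

    Use only to check which claims the IdP issues; signature, issuer and
    audience validation is done by the OIDC middleware before a token is trusted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 segments")
    return json.loads(_b64url_decode(parts[1]))


def map_to_onelist_user(claims: dict, username_claim: str) -> dict:
    """Build the OneList user from token claims.

    username_claim is the configured "UserNameClaim". If the IdP did not issue
    it, refuse rather than fall back to another identifier, so a misconfigured
    policy surfaces as an error instead of a wrongly keyed user.
    """
    username = claims.get(username_claim)
    if not isinstance(username, str) or not username.strip():
        raise ValueError(f"required claim {username_claim!r} missing or empty")
    user = {"UserName": username}
    for field, name in OIDC_CLAIMS.items():
        # Accept the WS-Federation URI too, so the same mapper serves ADFS claim sets.
        user[field] = claims.get(name) or claims.get(WSFED_CLAIMS[field]) or ""
    return user


def make_unsigned_token(payload: dict) -> str:
    """Constructed test token: real header/payload segments, placeholder signature."""

    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.placeholder-signature"


# Constructed sample id_token payload (not a real token).
SAMPLE_PAYLOAD = {
    "aud": "xxxxx",
    "iss": "https://login.microsoftonline.com/common/v2.0",
    "given_name": "Ada",
    "family_name": "Lovelace",
    "email": "ada@example.com",
    "onpremisessamaccountname": "alovelace",
}


if __name__ == "__main__":
    token = make_unsigned_token(SAMPLE_PAYLOAD)
    claims = decode_jwt_payload(token)
    print(map_to_onelist_user(claims, "onpremisessamaccountname"))
```

Run it with the sample payload to see the mapped user; remove `onpremisessamaccountname` from the payload and the mapper raises, which is the check to run when a freshly registered tenant signs in but RoleManager cannot identify the user.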