Azure AD, How to add user claims for OIDC /userinfo request


Question


I'm implementing a new "registered" application in Azure AD for which I need to get the user's sAMAccountName value as the preferred claim during the user authentication process. The apps can work with OIDC requests, so I'm trying to find a way to add a new claim in the user's profile (GET https://graph.microsoft.com/oidc/userinfo) containing the sAMAccountName attribute "extension_cda8b3eafdfb4aa0b27ca9860634fd74_sAMAccountName" synchronized from the local Active Directory. Unfortunately, after much research and testing, I can't find a way to achieve this. I would appreciate any experience on this topic, thanks.


Before this I explored the claims mapping policy technique (https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping), creating and returning a custom claim in the identity token, as the apps can implement OAuth v2 as well. However, I don't have any flexibility in the apps to change the list of claims I can read from the token (hard coded). This flexibility is only given through the OIDC configuration, where I can select the preferred claim.

Answer


Per my understanding, you want to add a custom attribute sAMAccountName into Azure AD.


You should use the Azure AD Graph API to implement it:

POST https://graph.windows.net/contoso.onmicrosoft.com/applications/269fc2f7-6420-4ea4-be90-9e1f93a87a64/extensionProperties?api-version=1.5 HTTP/1.1
Authorization: Bearer eyJ0eXAiOiJKV1Qi...r6Xh5KVA

{
    "name": "Samaccountname",
    "dataType": "String",
    "targetObjects": [
        "User"
    ]
}

Use the Azure AD Graph Explorer for a quick test.


Please note that this API only supports v1.0 Azure AD apps (it doesn't support personal accounts).


Besides, Microsoft strongly recommends that you use Microsoft Graph instead of the Azure AD Graph API to access Azure Active Directory resources. For how to add a custom attribute to an Azure AD user with the Microsoft Graph API, please refer to: Add custom data to users using open extensions.

Update:


I'm sorry for the delay. Please never add an answer when it is not one. You can edit your question to update your post.


A custom attribute in the format "extension_cda8b3eafdfb4aa0b27ca9860634fd74_sAMAccountName" is hosted by Azure AD Graph rather than Microsoft Graph. It's impossible to see the custom attribute through Microsoft Graph.


You could call the AAD Graph API endpoint to get the expected custom attribute:

GET https://graph.windows.net/myorganization/users

Do a quick test in the AAD Graph Explorer.
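As an added example, not code from the original question or answer, the following Python script builds the two Azure AD Graph requests the answer describes (registering the extension property on the application, then listing users) without sending them, derives the `extension_<appId>_<name>` attribute name that Azure AD Graph assigns, and pulls that attribute out of a constructed users response. It runs offline; the tenant, object id, appId, token and user records are made up for illustration.

```python
# Added example, not code from the original question or answer. Builds the two
# Azure AD Graph requests the answer describes without sending them and parses a
# constructed users response, so it runs offline. Tenant, object id, appId,
# token and user records are made-up values.
import json
from typing import Any, Dict

AAD_GRAPH = "https://graph.windows.net"
API_VERSION = "1.6"  # last Azure AD Graph API version; the answer used 1.5


def extension_property_name(app_id: str, name: str) -> str:
    """Azure AD Graph exposes a registered extension property on directory
    objects as 'extension_<appId with dashes removed>_<name>', where appId is
    the application's client id (not its directory object id)."""
    return f"extension_{app_id.replace('-', '')}_{name}"


def build_create_extension_request(tenant: str, app_object_id: str,
                                   name: str, token: str) -> Dict[str, Any]:
    """POST .../applications/{objectId}/extensionProperties, as in the answer.
    The URL takes the application's object id; the property that gets created
    is named from its appId (see extension_property_name)."""
    body = {"name": name, "dataType": "String", "targetObjects": ["User"]}
    return {
        "method": "POST",
        "url": (f"{AAD_GRAPH}/{tenant}/applications/{app_object_id}"
                f"/extensionProperties?api-version={API_VERSION}"),
        "headers": {"Authorization": f"Bearer {token}",
                    "Content-Type": "application/json"},
        "body": json.dumps(body),
    }


def build_list_users_request(token: str) -> Dict[str, Any]:
    """GET https://graph.windows.net/myorganization/users, as in the update."""
    return {
        "method": "GET",
        "url": f"{AAD_GRAPH}/myorganization/users?api-version={API_VERSION}",
        "headers": {"Authorization": f"Bearer {token}"},
        "body": None,
    }


def loggable(request: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of a request that is safe to write to logs: the bearer token is
    masked, so a debug log never becomes a token leak."""
    safe = dict(request)
    safe["headers"] = {k: ("Bearer ***" if k.lower() == "authorization" else v)
                       for k, v in request["headers"].items()}
    return safe


def users_with_attribute(users_response: Dict[str, Any],
                         prop_name: str) -> Dict[str, str]:
    """Map userPrincipalName -> value for every user whose record carries
    prop_name. Users without the extension (not synced yet, or null) are
    skipped rather than raising."""
    result: Dict[str, str] = {}
    for user in users_response.get("value", []):
        value = user.get(prop_name)
        if value is not None:
            result[user["userPrincipalName"]] = value
    return result


# Constructed values (not from any real tenant). The appId is chosen so that
# the derived name matches the attribute quoted in the question.
SAMPLE_APP_ID = "cda8b3ea-fdfb-4aa0-b27c-a9860634fd74"  # hypothetical client id
SAMPLE_PROP = extension_property_name(SAMPLE_APP_ID, "sAMAccountName")
SAMPLE_USERS_RESPONSE = {
    "value": [
        {"objectId": "11111111-2222-3333-4444-555555555555",
         "userPrincipalName": "alice@contoso.onmicrosoft.com",
         SAMPLE_PROP: "alice"},
        {"objectId": "66666666-7777-8888-9999-000000000000",
         "userPrincipalName": "bob@contoso.onmicrosoft.com"},  # not synced yet
    ]
}


if __name__ == "__main__":
    req = build_create_extension_request(
        "contoso.onmicrosoft.com", "269fc2f7-6420-4ea4-be90-9e1f93a87a64",
        "sAMAccountName", "eyJ0eXAiOiJKV1Qi.placeholder")
    print(json.dumps(loggable(req), indent=2))
    print(SAMPLE_PROP)
    print(users_with_attribute(SAMPLE_USERS_RESPONSE, SAMPLE_PROP))
```

The point worth keeping in mind from the answer's update is in `extension_property_name`: the attribute the question quotes is not a Microsoft Graph property name but the Azure AD Graph naming scheme, so a client looking for it has to address the `graph.windows.net` endpoint and match on that derived name; `users_with_attribute` tolerates users that have not yet received the value from directory sync.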
