aturch

Reputation: 53

Custom claims for azure ad app

Is it possible to add a custom claim to the app manifest in the Azure AD application registry? I want to have one endpoint to manage SSO for different apps on different tenants. So, the app should have a claim with a redirect URL, and during user assignment the admin should change it to the corresponding app.

Upvotes: 0

Views: 394

Answers (1)

astaykov

Reputation: 30903

This is not how you handle redirecting to different URLs, also because you have to properly form the authorization request by indicating a redirect_uri. And how would you know the redirect URI if you do not know who is coming to your site?

Please first read the Application and service principal objects in Azure AD document. It will explain in detail what an application is, what a service principal is, how the two relate, and what it means to be a multi-tenant application.

After you read the document, you will understand that you can only have a single application object. It is also good to pay attention to Integrating Applications with Azure AD and Multi-tenant applications in Azure AD.

You cannot use custom claims to manage the redirect URI, because even if you were able to create a custom claim in the app manifest, its value is based on a user property.

The way you should handle this is to properly handle the admin consent. You could always require admin consent and, when you handle the admin consent response to your main redirect URI in the form of:

GET http://localhost/myapp/permissions?tenant=a8990e1f-ff32-408a-9f8e-78d3b9139b95&state=12345&admin_consent=True

you take a record of the tenant_id and ask the administrator for the real redirect_uri.

But, at the end of the day, you have to manage all redirect URIs in your single app registration in your tenant. Are you sure you want to take on that big expenditure? What really makes sense is to offer a redirect URI which is a subdomain of your application.

Thinking out a proper signup flow is a really important part of a multi-tenant application, especially if you want custom domains per tenant.

The easiest would be to only have one domain for all tenants and simply redirect to them.

The other one is to have your own custom signup flow where the user chooses a subdomain in your domain and provides admin consent to confirm that wish. After you receive the admin consent back (you have encoded the desired custom domain in the state parameter, for example), you make the mapping between the custom domain and the tenant.

Upvotes: 1
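The signup flow the answer describes (encode the desired subdomain in `state`, send the admin to the consent endpoint, map subdomain to tenant when the `tenant=...&state=...&admin_consent=True` callback arrives) as an added example. This is not code from the question or answer; it assumes a single multi-tenant app registration with one fixed redirect URI, placeholder values for `CLIENT_ID`, `REDIRECT_URI`, `BASE_DOMAIN` and `STATE_KEY`, and in-memory dictionaries standing in for a real store. The consent URL is the v1 `/common/adminconsent` endpoint, which is what produces the callback shape quoted in the answer. The point a practitioner should take from it is that Azure AD echoes `state` back unchanged, so a subdomain carried in it must be signed and bound to a one-time nonce, or anyone can forge a callback that claims another tenant's subdomain.

```python
import base64
import hashlib
import hmac
import json
import re
import secrets
import uuid
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values for this example: a single multi-tenant app registration,
# one fixed redirect URI, and a server-side secret used to authenticate state.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"           # placeholder, not a real app id
REDIRECT_URI = "https://login.example.com/myapp/permissions"  # assumed single redirect URI
STATE_KEY = b"replace-with-a-random-server-side-secret"       # assumed; keep out of source in practice
BASE_DOMAIN = "example.com"                                   # assumed; tenants get <sub>.example.com

# Stand-ins for persistent storage (a database in a real deployment).
TENANT_BY_SUBDOMAIN: dict = {}
SEEN_NONCES: set = set()

# Hostname label rules: lowercase alphanumerics and hyphens, 1-63 chars, no leading/trailing hyphen.
SUBDOMAIN_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def build_state(desired_subdomain: str, nonce: str = "") -> str:
    """Encode the requested subdomain and a one-time nonce into the OAuth state.

    The payload is HMAC-SHA256 signed so the callback can detect tampering:
    Azure AD returns state verbatim, so without a signature anyone could
    edit it and claim an arbitrary subdomain for their tenant.
    """
    nonce = nonce or secrets.token_urlsafe(16)
    payload = json.dumps({"sub": desired_subdomain, "n": nonce},
                         separators=(",", ":")).encode()
    mac = hmac.new(STATE_KEY, payload, hashlib.sha256).hexdigest()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{body}.{mac}"


def parse_state(state: str) -> dict:
    """Verify the state signature and return the decoded payload."""
    try:
        body, mac = state.rsplit(".", 1)
    except ValueError:
        raise ValueError("malformed state") from None
    payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    expected = hmac.new(STATE_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        raise ValueError("state signature mismatch")
    return json.loads(payload)


def admin_consent_url(desired_subdomain: str) -> str:
    """Build the v1 admin consent request against the /common endpoint.

    After granting consent the admin is redirected to REDIRECT_URI with
    tenant=<tenant id>&state=<our state>&admin_consent=True.
    """
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": build_state(desired_subdomain),
    }
    return "https://login.microsoftonline.com/common/adminconsent?" + urlencode(params)


def handle_consent_callback(callback_url: str) -> dict:
    """Process the redirect back from Azure AD and record subdomain -> tenant.

    Raises PermissionError if consent was refused and ValueError on any
    tampered, replayed or otherwise unacceptable input.
    """
    qs = parse_qs(urlparse(callback_url).query)

    def first(key: str) -> str:
        return qs.get(key, [""])[0]

    if first("admin_consent").lower() != "true":
        raise PermissionError(first("error_description") or "admin consent not granted")

    tenant = first("tenant")
    uuid.UUID(tenant)  # tenant ids are GUIDs; anything else raises ValueError here

    st = parse_state(first("state"))
    if st["n"] in SEEN_NONCES:
        raise ValueError("state replayed")
    sub = st["sub"]
    if not SUBDOMAIN_RE.match(sub):
        raise ValueError("invalid subdomain")
    if TENANT_BY_SUBDOMAIN.get(sub, tenant) != tenant:
        raise ValueError("subdomain already claimed by another tenant")

    SEEN_NONCES.add(st["n"])
    TENANT_BY_SUBDOMAIN[sub] = tenant
    return {"tenant": tenant, "subdomain": sub, "host": f"{sub}.{BASE_DOMAIN}"}
```

The signup page would call `admin_consent_url("contoso")` and send the tenant admin there; the handler behind `REDIRECT_URI` passes the full request URL to `handle_consent_callback`. Two things are deliberately absent: the nonce set and mapping table must live in durable storage shared by all instances, and the app never trusts the `tenant` value for anything beyond the mapping until a real sign-in from that tenant (with a validated `tid` claim) confirms it.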
