Configuring custom claims for the OpenID Connect client in AD FS - HxGN EAM - 12.0.1 - Feature Briefs - Hexagon

HxGN EAM OpenID Connect


By default, the OIDC client created in AD FS transmits only minimal claims (UPN, unique_name) in the ID token. These are sufficient to authenticate a user who already exists in the EAM application; creating a new EAM user, however, requires additional claims.

The following steps describe how to manually configure the custom claims that AD FS includes in the OpenID Connect ID token and that the EAM application uses to authenticate the user. AD FS transmits these custom claims only for confidential clients, not for public clients.

  1. After the successful creation of the application group, as described in Configuring OpenID Connect confidential client in AD FS, double-click the newly created application group from the list of Application groups, select the Web API application, and then click Edit.

  2. Navigate to the Issuance Transform Rules tab and add the following claims manually.

  3. For each of the following claim rules:

    1. Select Add Rule.

    2. Select Send Claims Using a Custom Rule (for every rule except UserDescriptionAttribute, which uses a different template as described below).

    3. The Claim Rule Name can be whatever makes sense; it will not have any effect on the functionality.

UserAttribute - Custom rule text:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(Type = "http://schemas.hexagon.com/claims/Identity", Value = c.Value, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer);

PrimaryRoleAttribute - Custom rule text:

=> issue(Type = "http://schemas.hexagon.com/claims/SecurityRole", Value = "EAM-Administrator");

Replace ‘EAM-Administrator’ with an appropriate EAM role name.

TenantAttribute - Custom rule text:

=> issue(Type = "http://schemas.hexagon.com/claims/Tenant", Value = "EAMTENANT");

Replace ‘EAMTENANT’ with an appropriate EAM tenant name.

InternalUserAttribute - Custom rule text:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

EmailAttribute - Custom rule text:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

UserDescriptionAttribute - Select Add Rule, then select Send LDAP Attributes as Claims and click Next. Set the Attribute Store to Active Directory, the LDAP Attribute to Display Name, and the Outgoing Attribute to Common Name.
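The following script is an added example, not Hexagon's or AD FS's code: it decodes the payload of an ID token and checks whether the claims issued by the rules above are present and sane before a new EAM user would be created from them (a token from a public client, which lacks the custom claims, is rejected). It assumes the token signature has already been verified against the AD FS signing key, that the custom claims appear in the JWT payload under the claim type URIs exactly as written in the rules, and that the tenant and role values are the constructed placeholders from this page.

```python
import base64
import json

# Claim types issued by the custom rules described on this page.
IDENTITY_CLAIM = "http://schemas.hexagon.com/claims/Identity"
ROLE_CLAIM = "http://schemas.hexagon.com/claims/SecurityRole"
TENANT_CLAIM = "http://schemas.hexagon.com/claims/Tenant"
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Everything EAM needs to provision a user that does not exist yet.
REQUIRED_FOR_PROVISIONING = (IDENTITY_CLAIM, ROLE_CLAIM, TENANT_CLAIM, UPN_CLAIM, EMAIL_CLAIM)


def decode_payload(id_token: str) -> dict:
    """Return the JSON payload of a compact JWT. No signature check is done
    here; verify the signature with the AD FS signing key before calling this."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def _as_list(value):
    # AD FS emits several claims of one type as a JSON array, one claim as a string.
    return value if isinstance(value, list) else [value]


def check_provisioning_claims(payload: dict, expected_tenant: str, allowed_roles: set) -> list:
    """Return a list of problems; an empty list means the token may be used to create a user."""
    problems = [f"missing claim {c}" for c in REQUIRED_FOR_PROVISIONING if not payload.get(c)]
    if payload.get(TENANT_CLAIM) and payload[TENANT_CLAIM] != expected_tenant:
        problems.append(f"tenant {payload[TENANT_CLAIM]!r} is not the expected {expected_tenant!r}")
    for role in _as_list(payload.get(ROLE_CLAIM, [])):
        if role not in allowed_roles:  # only roles the deployment knows are acceptable
            problems.append(f"role {role!r} is not an allowed EAM role")
    return problems


def make_sample_token(payload: dict) -> str:
    """Build a constructed, unsigned sample token for offline testing only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(payload) + ".placeholder-signature"


# Constructed sample: what a confidential client's ID token carries after the rules above.
CONFIDENTIAL_PAYLOAD = {
    "upn": "jdoe@corp.example", "unique_name": "CORP\\jdoe",
    IDENTITY_CLAIM: "CORP\\jdoe", ROLE_CLAIM: "EAM-Administrator", TENANT_CLAIM: "EAMTENANT",
    UPN_CLAIM: "jdoe@corp.example", EMAIL_CLAIM: "jdoe@corp.example",
}
# Constructed sample: a public client's token, which only has the default minimal claims.
PUBLIC_PAYLOAD = {"upn": "jdoe@corp.example", "unique_name": "CORP\\jdoe"}
```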