Configure an OIDC and OAuth claim

You can include Identity as a Service authenticators, groups, and organizations as part of the OIDC claim sent to an application during authentication. These are called User Related Attributes in Identity as a Service. For example, if a user authenticated using an OTP and Password authenticator, belonged to Group1, Group2, and Group3, and was associated with the organizations MyOrganization and Beta, then the token responses can be configured to include these claims, as shown in this example:

{
  . . .
  "authenticators": ["NONE:OTP", "PASSWORD:OTP", "PASSWORD:NONE"],
  "groups": ["Group1", "Group2", "SomeOtherGroup"],
  "organizations": ["MyOrganization", "Beta"]
}

Note: User groups, authenticators, and organizations are multi-valued fields and are sent as unsorted arrays; an application must not rely on the order of the values.
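Because these claims arrive as unsorted arrays, the relying application should treat them as sets and check membership rather than position. The following is an added example (not code from Identity as a Service or this page) of an application-side authorization check over a constructed token payload shaped like the one above; the reading of an authenticator entry as "FIRST:SECOND" with "NONE" marking an absent factor is an assumption, not something the page states.

```python
import json

# Constructed sample ID token payload shaped like the page's example (not a real token).
SAMPLE_CLAIMS_JSON = '''{
  "sub": "user-123",
  "authenticators": ["NONE:OTP", "PASSWORD:OTP", "PASSWORD:NONE"],
  "groups": ["Group3", "Group1", "Group2"],
  "organizations": ["Beta", "MyOrganization"]
}'''


def multi_valued(claims, name):
    """Return a multi-valued claim as a set: the arrays are unsorted, so order
    must never be relied on. A missing claim yields an empty set (deny by default)."""
    value = claims.get(name, [])
    if isinstance(value, str):  # tolerate a bare string where an array was expected
        value = [value]
    if not isinstance(value, list):
        raise ValueError(f"claim {name!r} is not an array")
    return set(value)


def used_two_factors(authenticators):
    """Assumption (not stated on the page): an entry 'FIRST:SECOND' lists the
    factors completed and 'NONE' marks an absent factor, so an entry with two
    non-NONE parts means the user completed two factors in this session."""
    for entry in authenticators:
        parts = entry.split(":")
        if len(parts) == 2 and all(p and p != "NONE" for p in parts):
            return True
    return False


def authorize(claims_json, required_group, allowed_orgs, require_mfa=True):
    """Decide access from the User Related Attribute claims only.
    Returns (allowed, reason) so the reason can be logged for detection."""
    claims = json.loads(claims_json)
    groups = multi_valued(claims, "groups")
    orgs = multi_valued(claims, "organizations")
    auths = multi_valued(claims, "authenticators")
    if required_group not in groups:
        return False, "missing group"
    if not orgs & set(allowed_orgs):  # set intersection: any allowed org suffices
        return False, "no allowed organization"
    if require_mfa and not used_two_factors(auths):
        return False, "single-factor authentication"
    return True, "ok"
```

The token's signature, issuer, audience and expiry must already have been validated by the OIDC client library before these claims are trusted; this check only covers the authorization decision that follows.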

Identity as a Service supports customizing OIDC claims to include User Related Attributes for the following applications:

  Integrate a generic OIDC and OAuth Web application

  Integrate a generic OIDC and OAuth SPA application

  Integrate a generic OIDC and OAuth Device application

  Integrate a generic OIDC and OAuth Native application

These attributes are not stored directly in a user's record but are associated with the user through other entities (groups and organizations) or through session information (the authenticators used).

Configure OIDC and OAuth claim to include user authenticators, groups, or organizations

1. Log in to your Identity as a Service account.

2. Click > Security > Applications. The Applications page appears.

3. Click the OIDC application that you want to configure with custom claims. The Edit Applications page appears.

4. Click Next. The General Settings and Authentication Settings page appears.

5. Go to the Supported Claims section.

6. Click . The Add Claim dialog box appears.

   a. In the Open ID Claim section, do one of the following:

      Scroll to select the claim name to use to create a custom claim (for example, groups).

   b. From the Association Type drop-down list, select User Related Value.

   c. Configure the Association Value, based on the information required:

      Select [Authenticators] to include the authenticators a user used every time they authenticate.

      Select [Groups] to include the user's Identity as a Service groups every time they authenticate.

      Select [Unique Group IDs] to include the user's Identity as a Service group IDs every time they authenticate.

      Select [Organizations] to include a list of the user's organizations every time they authenticate.

      Select [Unique Organization IDs] to include a list of the user's organization IDs every time they authenticate.

      Select [Selected Organization] to include the user's selected organization every time they authenticate.

      Select [Unique Selected Organization ID] to include the user's selected organization ID every time they authenticate.

7. Click Add. You are returned to the list of Supported Claims.

8. Click Submit.