Configuring custom claims for the OpenID Connect client - HxGN EAM - 11.07.01 - Feature Briefs - Hexagon

HxGN EAM OpenID Connect Guide

Language: English
Product: HxGN EAM
Category: Feature Briefs
HxGN EAM Version: 11.7.1

By default, the OIDC client created in AD FS transmits only minimal claims (UPN, unique_name) in the ID token, which are not sufficient to authenticate the user. The EAM application requires additional details to be passed in the OpenID Connect ID token for authenticating the user and, if required, creating a new user in the EAM application.

The following steps explain how to manually configure the custom claims that AD FS transmits in the OpenID Connect ID token and that the EAM application uses to authenticate the user.

  1. After the successful creation of the application group, as described in Configuring OpenID Connect Client in AD FS & HxGN EAM, double-click the newly created application group in the list of Application groups, select the Web API application, and click Edit.

  2. Navigate to the Issuance Transform Rules tab and add the following claims manually.

  3. For each of the following claim rules:

    1. Select Add Rule.

    2. Select Send Claims Using a Custom Rule, except for UserDescriptionAttribute, which uses Send LDAP Attributes as Claims (see the last rule below).

    3. The Claim Rule Name can be whatever makes sense; it has no effect on functionality.

UserAttribute - Custom rule text:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]

=> issue(Type = "http://schemas.infor.com/claims/Identity", Value = c.Value, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer);

PrimaryRoleAttribute - Custom rule text:

=> issue(Type = "http://schemas.infor.com/claims/SecurityRole", Value = "EAM-Administrator");

Replace ‘EAM-Administrator’ with the appropriate EAM role name.

TenantAttribute - Custom rule text:

=> issue(Type = "http://schemas.infor.com/claims/Tenant", Value = "EAMTENANT");

Replace ‘EAMTENANT’ with the appropriate EAM tenant name.

InternalUserAttribute - Custom rule text:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

EmailAttribute - Custom rule text:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]

=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

UserDescriptionAttribute - Select Add Rule, then select Send LDAP Attributes as Claims and click Next. Select Active Directory as the Attribute Store, Display Name as the LDAP Attribute, and Common Name as the Outgoing Attribute.
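Once the rules are in place, a practical check is to decode an ID token issued for a test user and confirm that every claim above is present and that the placeholder values were replaced. The script below is an added example, not Hexagon's or AD FS code; it assumes AD FS writes upn and emailaddress under the short JWT keys upn and email while the Infor claim types keep their full URI, and the sample token is constructed (unsigned).

```python
import base64
import json
# JWT keys accepted for each claim the page's AD FS rules issue, keyed by rule
# name. Assumption: AD FS emits upn and emailaddress under the short JWT names
# "upn" and "email"; the Infor custom types keep their full URI as the key.
REQUIRED = {
    "UserAttribute": ("http://schemas.infor.com/claims/Identity",),
    "PrimaryRoleAttribute": ("http://schemas.infor.com/claims/SecurityRole",),
    "TenantAttribute": ("http://schemas.infor.com/claims/Tenant",),
    "InternalUserAttribute": ("upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"),
    "EmailAttribute": ("email", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
    "UserDescriptionAttribute": ("http://schemas.xmlsoap.org/claims/CommonName",),
}
# Sample values the page says to replace before the rules go live.
PLACEHOLDERS = {
    "http://schemas.infor.com/claims/SecurityRole": "EAM-Administrator",
    "http://schemas.infor.com/claims/Tenant": "EAMTENANT",
}

def decode_payload(id_token: str) -> dict:
    """Decode a compact JWT payload. No signature check here: pass only tokens
    the OIDC client library has already verified (malformed input raises ValueError)."""
    _header, payload, _signature = id_token.split(".")
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_eam_claims(claims: dict) -> list:
    """Return the problems that would stop EAM from authenticating this user."""
    problems = []
    for rule, keys in REQUIRED.items():
        present = [k for k in keys if claims.get(k) not in (None, "", [])]
        if not present:
            problems.append(f"{rule}: claim {keys[-1]} is missing from the token")
            continue
        if PLACEHOLDERS.get(present[0]) == claims[present[0]]:
            problems.append(f"{rule}: still issues placeholder {claims[present[0]]!r}")
    return problems

def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
# Constructed sample: a token as the rules would issue it with the placeholders
# left in and the UserDescriptionAttribute rule not yet added (no CommonName).
SAMPLE_CLAIMS = {
    "upn": "jdoe@corp.example", "unique_name": "CORP\\jdoe", "email": "jdoe@corp.example",
    "http://schemas.infor.com/claims/Identity": "CORP\\jdoe",
    "http://schemas.infor.com/claims/SecurityRole": "EAM-Administrator",
    "http://schemas.infor.com/claims/Tenant": "EAMTENANT",
}
SAMPLE_ID_TOKEN = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                            _b64url(SAMPLE_CLAIMS), "signature-omitted"])
```

Note that PrimaryRoleAttribute as written issues one fixed role to every user AD FS authenticates, so the value chosen applies to all of them.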