
Adding Outgoing Token Claims

Cloudentity allows you to set up claims to be passed with tokens issued by your authorization server. You can define claims to be added either using IDP-mapped authentication context or OAuth client application attributes (including application metadata).

About Claims

On an abstract level, claims are statements made about a subject (such as a user). In practical terms, these claims are attributes representing certain data about the user, packaged in a token (either an ID token or an access token) issued to the client application. Because the authorization server signs the token, a recipient can rely on the claims it carries only after verifying that signature. You can control which claims are issued and group them into scopes.

You can also control how SAML Assertion Attributes Coming From IDP are sent to SAML Service Providers.

Prerequisites

Add Claim

The walkthrough that follows adds a custom claim based on authentication context data. The claim carries the user’s phone number as provided by the IDP in use (hence the AuthN Context source type). In the source path, we select Phone, which originates from the claim sent by the IDP and is mapped to Cloudentity’s authentication context.

  1. From the workspace sidebar, select OAuth » Tokens & Claims » Claims.

    Result

    Predefined claims are displayed.

  2. Select a list label (ID Tokens, Access Tokens or, only when SAML is enabled in your tenant, SAML Assertion attributes) to toggle which claims the list displays.

  3. To preview claim details, select a claim from the list.

    Result

    The Edit claim dialog box opens and displays claim details: Claim name, Source type, Source path and Scopes.

    Note

    In the Edit claim dialog box, you can also edit claim details. Source values are defined in the authentication context.

  4. To create a new claim:

    1. Select ADD CLAIM from the list header.

      Result

      The Add claim dialog box gets displayed.

    2. In the Add claim dialog box, set the claim details.

      Claim name: Name of the claim as shown in Cloudentity.
      Source type: How the source value for the claim is retrieved. Authentication context is the set of attributes mapped from the data the IDP sent about the authenticated user; Client means the OAuth client application registered in Cloudentity that requested the token, including its application metadata.
      Source path: The specific attribute to read from the selected source.
      Output source path: The exact attribute name under which this claim appears in the token.
      Scopes: A token carries this claim only when one of the scopes listed here is granted. If this field is empty, the claim is issued with every token, so it is effectively global; leave it empty only for attributes that every client of the server may receive.
      SAML Name: SAML attribute name issued in the assertion sent to your Service Provider, for example urn:oid:2.5.4.10. Only available with SAML enabled in your tenant.
      SAML Attribute Format: SAML attribute format, for example urn:oasis:names:tc:SAML:2.0:attrname-format:uri. Only available with SAML enabled in your tenant.
    3. Select Add to save your new claim. Your claim is now added to the list.
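To make the Source type, Source path, Output source path and Scopes rules concrete, the following Python model is added here as an illustration; it is not Cloudentity’s code. It evaluates a handful of claim definitions, including the phone-number claim from the walkthrough above, against a constructed authentication context and client record, and shows which claims end up in the token depending on the granted scopes. The data structures, attribute names, sample values, and the choice that a claim is issued when any one of its listed scopes is granted are assumptions made for the example.

```python
"""Model of how claim definitions turn source attributes into outgoing token claims.

Added illustration for this how-to, not Cloudentity's own code. The evaluation
rules follow the parameter table above; the data structures, attribute names,
sample values and the "any listed scope matches" rule are assumptions.
"""
from dataclasses import dataclass
from typing import Any, Dict, Iterable, Optional


@dataclass(frozen=True)
class ClaimDefinition:
    name: str                        # "Claim name" in the admin UI
    source_type: str                 # "authn_context" or "client" ("Source type")
    source_path: str                 # attribute to read from the source ("Source path")
    output_path: str                 # attribute name written into the token ("Output source path")
    scopes: frozenset = frozenset()  # "Scopes"; empty means the claim is global


def resolve_path(source: Dict[str, Any], path: str) -> Optional[Any]:
    """Walk a dotted path such as "metadata.tier" through nested dictionaries.

    Returns None when any segment is missing, so an absent attribute can be
    told apart from a present one and is not emitted as a null claim.
    """
    node: Any = source
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def build_claims(definitions: Iterable[ClaimDefinition], authn_context: Dict[str, Any],
                 client: Dict[str, Any], granted_scopes: Iterable[str]) -> Dict[str, Any]:
    """Assemble the outgoing claims for one token issuance.

    A claim with a non-empty scope set is emitted only when at least one of
    those scopes was granted (assumed "any of" semantics). A claim with an
    empty scope set is emitted on every token. Claims whose source attribute
    is missing are left out instead of being written as null.
    """
    granted = set(granted_scopes)
    claims: Dict[str, Any] = {}
    for d in definitions:
        if d.scopes and not (d.scopes & granted):
            continue  # scope-gated claim, none of its scopes granted
        source = authn_context if d.source_type == "authn_context" else client
        value = resolve_path(source, d.source_path)
        if value is None:
            continue  # attribute absent from the source
        claims[d.output_path] = value
    return claims


# Constructed sample data, not taken from any real tenant.
AUTHN_CONTEXT = {"phone": "+1-555-0100", "email": "alice@example.com", "name": "Alice"}
CLIENT = {"client_id": "mobile-app", "metadata": {"tier": "gold"}}

DEFINITIONS = [
    # the phone-number claim from the walkthrough, gated by the "phone" scope
    ClaimDefinition("phone", "authn_context", "phone", "phone_number", frozenset({"phone"})),
    ClaimDefinition("email", "authn_context", "email", "email", frozenset({"email"})),
    # a client-sourced claim with no scopes: issued on every token
    ClaimDefinition("tier", "client", "metadata.tier", "tier"),
    # source attribute does not exist in the context, so the claim is dropped
    ClaimDefinition("dept", "authn_context", "department", "department"),
]


def claims_with_phone_scope() -> Dict[str, Any]:
    return build_claims(DEFINITIONS, AUTHN_CONTEXT, CLIENT, {"openid", "phone"})


def claims_without_phone_scope() -> Dict[str, Any]:
    return build_claims(DEFINITIONS, AUTHN_CONTEXT, CLIENT, {"openid"})


if __name__ == "__main__":
    print(claims_with_phone_scope())     # {'phone_number': '+1-555-0100', 'tier': 'gold'}
    print(claims_without_phone_scope())  # {'tier': 'gold'}
```

The two runs show the practical effect of the Scopes field: the phone number leaves the server only when the client was granted the phone scope, whereas the client-sourced tier claim, defined with no scopes, is present on every token. When deciding whether to leave Scopes empty for a new claim, that second behaviour is the one to keep in mind.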

Edit Claim

  1. Select an existing claim from the list of claims in the Claims view.

  2. In the Edit claim pop-up window, modify the claim data. Save the changes of the claim by selecting Update.

Remove Claim

  1. To remove a claim, select the trash can icon for the claim that you want to delete.

  2. In the Delete claim pop-up window, select Yes, delete to confirm the removal of the claim.

    Warning

    This action is permanent and cannot be undone.

Updated: Nov 2, 2023