Entra Application OIDC-based Single Sign-On Attributes & Claims #188

Open · DavidMrLane opened this issue Nov 1, 2024 · 5 comments
Labels: new type (Request for a new Graph Bicep type), triaged (Team has triaged the item)

Comments

@DavidMrLane commented Nov 1, 2024

[screenshot: OIDC single sign-on attributes & claims configured in the portal]

Is it possible to configure the OIDC single sign-on attributes & claims using Bicep? The ones in the screenshot above were done manually.

In a Microsoft.Graph/[email protected], adding items to idToken in optionalClaims only adds claims under the token configuration and I can't see any other relevant section.

[screenshot: token configuration blade showing the optional claims]

@DavidMrLane DavidMrLane added the bug Something isn't working label Nov 1, 2024
@dkershaw10 dkershaw10 self-assigned this Nov 1, 2024
@dkershaw10 dkershaw10 added new type Request for a new Graph Bicep type and removed bug Something isn't working labels Nov 1, 2024
@dkershaw10 (Collaborator) commented Nov 1, 2024

Thanks for reporting @DavidMrLane. I'm not convinced that this is a bug. It's more of a missing Bicep type. From what I gather, custom claims are described here: https://learn.microsoft.com/entra/identity-platform/reference-claims-customization#claims-customization-using-a-policy. It looks like there are two APIs for this, and https://learn.microsoft.com/graph/api/resources/customclaimspolicy?view=graph-rest-beta appears to be used by the UI you have screenshots for. The second one is https://learn.microsoft.com/graph/api/resources/claimsmappingpolicy?view=graph-rest-1.0.

Neither of these resources is exposed in Microsoft Graph Bicep Types, and I would need to find the owners for these types to understand if we are planning to keep both APIs; however, the second one, claims mapping policy, is GA and available in all supported national clouds.
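
The claims mapping policy route named in the comment above, as an added worked example (not code from this thread or from the Graph Bicep project): a Python helper that builds the JSON a Graph client would POST to /policies/claimsMappingPolicies and then to /servicePrincipals/{id}/claimsMappingPolicies/$ref, plus a pre-flight check for the app-side switch without which the mapped claims are silently left out of the issued token. The definition and request shapes follow the documented claimsMappingPolicy resource; the function names, the employeeid sample claim and the constructed application objects are assumptions made here, and the check only knows about api.acceptMappedClaims, not the custom-signing-key alternative.

```python
"""Build and sanity-check Microsoft Graph claimsMappingPolicy payloads.

Added example for this issue thread; it is not the Graph Bicep project's code.
It only constructs and validates JSON offline. Sending it (with an access token
holding Policy.ReadWrite.ApplicationConfiguration) is left to the caller.
"""
import json

GRAPH = "https://graph.microsoft.com/v1.0"  # assumption: public cloud endpoint


def build_definition(claims, include_basic=True):
    """Return the ClaimsMappingPolicy definition as a dict.

    claims: list of (source, source_id, jwt_claim_type) tuples, e.g.
            ("user", "employeeid", "employeeid") maps user.employeeid into
            a JWT claim called "employeeid".
    """
    schema = [
        {"Source": source, "ID": source_id, "JwtClaimType": jwt_type}
        for source, source_id, jwt_type in claims
    ]
    return {
        "ClaimsMappingPolicy": {
            "Version": 1,
            # Graph expects these as the strings "true"/"false", not booleans.
            "IncludeBasicClaimSet": "true" if include_basic else "false",
            "ClaimsSchema": schema,
        }
    }


def policy_body(display_name, definition):
    """Body for POST /policies/claimsMappingPolicies.

    The definition is stored as a JSON *string* inside a one-element array;
    posting the dict directly is rejected.
    """
    return {
        "displayName": display_name,
        "isOrganizationDefault": False,
        "definition": [json.dumps(definition, separators=(",", ":"))],
    }


def assignment_body(policy_id):
    """Body for POST /servicePrincipals/{sp-id}/claimsMappingPolicies/$ref."""
    return {"@odata.id": f"{GRAPH}/policies/claimsMappingPolicies/{policy_id}"}


def check_app_can_accept(app):
    """Return (ok, reason) for an application object as returned by Graph.

    Entra only emits mapped claims when the app opts in via
    api.acceptMappedClaims (or uses a custom signing key, which this helper
    does not inspect), and it refuses acceptMappedClaims=true on
    multi-tenant apps. Catch both before deployment instead of debugging a
    token that simply lacks the claims.
    """
    accept = app.get("api", {}).get("acceptMappedClaims") is True
    multi_tenant = app.get("signInAudience", "AzureADMyOrg") != "AzureADMyOrg"
    if accept and multi_tenant:
        return False, "acceptMappedClaims is only allowed for single-tenant (AzureADMyOrg) apps"
    if not accept:
        return False, "set api.acceptMappedClaims=true or configure a custom signing key"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample application object (not from a real tenant).
    sample_app = {"signInAudience": "AzureADMyOrg", "api": {"acceptMappedClaims": True}}
    ok, reason = check_app_can_accept(sample_app)
    definition = build_definition([("user", "employeeid", "employeeid")])
    print(ok, reason)
    print(json.dumps(policy_body("employeeid mapping", definition), indent=2))
    print(assignment_body("<policy-id>"))
```

Assign the policy to the enterprise application's service principal, not the application object; and note that the Bicep compiler will still reject a `claimsMappingPolicies` property on `Microsoft.Graph/applications` until a type for it ships, so this stays a post-deployment Graph call for now.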

@shenglol commented Nov 1, 2024

@dkershaw10 - Does the Graph extension validate types, or does it function as a passthrough? If it’s the latter, would it make sense to update the Graph type loader to emit a warning instead of an error for unrecognized properties? This approach would let users work with these properties while awaiting a new type package release. For reference, we handle Azure resources similarly, emitting warnings rather than errors for resource type issues:

[screenshot: Bicep warning for an unrecognized property on an Azure resource]

@dkershaw10 (Collaborator)

@shenglol That seems orthogonal to this issue.
Anyways, I believe that the extension functions more like a passthrough - it won't error and I don't think it even emits a warning. @jason-dou do we emit any warnings when trying to deploy a template with unrecognized properties?

@jason-dou (Collaborator)

@dkershaw10 The Graph extension functions as a passthrough but the request won't reach the extension if deploying a Bicep template. Bicep compiler will throw an error and fail the deployment if the resource contains unrecognized properties.

@dkershaw10 (Collaborator) commented Nov 11, 2024

@jason-dou I've created a separate issue to track changing the type loader to emit a warning rather than an error: #191
cc: @shenglol

@dkershaw10 dkershaw10 added the triaged Team has triaged the item label Jan 6, 2025