Adding Outgoing Token Claims
SecureAuth allows you to set up claims to be passed with tokens issued by your authorization server. You can define claims to be added either using IDP-mapped authentication context or OAuth client application attributes (including application metadata).
About Claims
On an abstract level, claims are statements that a subject (such as a user) makes about itself or another subject. In practical terms, these claims are attributes representing certain data about the user, packaged in a token (either ID token or access token) issued to the client application. You can control how these claims are issued and group them in scopes.
You can also control how SAML Assertion Attributes Coming from IDP are sent to SAML Service Providers.
Prerequisites
Access to a SecureAuth tenant with at least one authorization server.
IDPs are connected and configured.
Authentication context is configured (if you want to set up claims based on the authentication context).
Client application is connected and configured (if you want to set up claims based on the client data).
Add Claim
In the video below, we are adding a custom claim based on authentication context data. This claim represents the user's phone number, as provided by the IDP in use (hence the AuthN Context source type). In the source path, we select Phone, which originally comes from a claim sent by the IDP and is mapped to SecureAuth's authentication context.
From the workspace sidebar, select OAuth > Tokens & Claims > Claims.
Predefined claims are displayed.
Select a list label (ID Tokens, Access Tokens, or SAML Assertion attributes; the last is only available when SAML is enabled in your tenant) to toggle which claims are displayed in the list.
To preview claim details, select a claim from the list.
The Edit claim dialog box opens and displays claim details: Claim name, Source type, Source path and Scopes.
Note
In the Edit claim dialog box, you can also edit claim details. Source values are defined in the authentication context.
To create a new claim:
Select ADD CLAIM from the list header.
The Add claim dialog box is displayed.
In the Add claim dialog box, set the claim details.
Parameter: Description

Claim name: Name of the claim in SecureAuth.

Source type: How the source value for the claim is retrieved. Authentication context is a set of attributes mapped from data sent by the IDP acting on behalf of the user, whereas Client means an application registered in SecureAuth.

Source path: The specific attribute available in the selected source.

Output source path: The exact attribute name under which this claim appears in the token.

Scopes: The claim is only issued in tokens that were granted at least one of the scopes listed in this field. If this field is empty, the claim is always issued with the token; you could say it is global.

SAML Name: SAML attribute name issued in your Service Provider's assertion, for example urn:oid:2.5.4.10. Only available with SAML enabled in your tenant.

SAML Attribute Format: SAML attribute format, for example urn:oasis:names:tc:SAML:2.0:attrname-format:uri. Only available with SAML enabled in your tenant.

Select Add to save your new claim.
Your claim is now added to the list.
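To make the claim settings above concrete, here is an added Python example that models how a claim definition (source type, source path, output source path, scopes) turns into claims in an issued token. It is not SecureAuth's code; the ClaimDefinition fields, the source type names "authn_context" and "client", the dotted source path syntax, and all sample data are assumptions constructed for this example. It shows the scope rule from the table: a claim with an empty scope list lands in every token, so an attribute such as a phone number is usually better gated behind a scope (here "phone") than left global, and a claim whose source attribute is absent is simply omitted rather than issued with an empty value.

```python
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet, Iterable, List, Optional

# Hypothetical model of the fields in the Add claim dialog.
# Field names are assumptions for this example, not SecureAuth identifiers.
@dataclass(frozen=True)
class ClaimDefinition:
    name: str                              # Claim name
    source_type: str                       # "authn_context" or "client" (assumed names)
    source_path: str                       # attribute available in the source
    output_path: str                       # attribute name written into the token
    scopes: FrozenSet[str] = frozenset()   # empty set: claim is global


def lookup(source: Dict[str, Any], path: str) -> Optional[Any]:
    """Resolve a dotted source path (e.g. 'metadata.department') in a source dict.
    Returns None when any segment is missing, so the caller can omit the claim."""
    value: Any = source
    for part in path.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


def build_claims(definitions: Iterable[ClaimDefinition],
                 authn_context: Dict[str, Any],
                 client: Dict[str, Any],
                 granted_scopes: Iterable[str]) -> Dict[str, Any]:
    """Return the claims that would be written into a token.

    A claim with a non-empty scope set is emitted only when at least one of
    its scopes was granted; a claim with an empty scope set is always emitted.
    A claim whose source attribute is absent is left out of the token.
    """
    sources = {"authn_context": authn_context, "client": client}
    granted = set(granted_scopes)
    claims: Dict[str, Any] = {}
    for d in definitions:
        if d.source_type not in sources:
            raise ValueError(f"unknown source type: {d.source_type}")
        if d.scopes and not (d.scopes & granted):
            continue  # scope-gated claim and no matching scope was granted
        value = lookup(sources[d.source_type], d.source_path)
        if value is None:
            continue  # attribute not present at the source: claim omitted
        claims[d.output_path] = value
    return claims


# Constructed sample data (not real tenant data).
AUTHN_CONTEXT = {"name": "Alice Example", "email": "alice@example.com", "phone": "+1-555-0100"}
CLIENT = {"client_id": "demo-spa", "metadata": {"department": "finance"}}

DEFINITIONS: List[ClaimDefinition] = [
    ClaimDefinition("name", "authn_context", "name", "name"),                                   # global
    ClaimDefinition("email", "authn_context", "email", "email", frozenset({"email"})),          # needs "email" scope
    ClaimDefinition("phone", "authn_context", "phone", "phone_number", frozenset({"phone"})),   # needs "phone" scope
    ClaimDefinition("department", "client", "metadata.department", "department"),               # global, from client metadata
]

if __name__ == "__main__":
    # Token granted "openid email": phone_number is held back, department and name are global.
    print(build_claims(DEFINITIONS, AUTHN_CONTEXT, CLIENT, ["openid", "email"]))
    # Token granted "openid phone": phone_number is now issued under its output path.
    print(build_claims(DEFINITIONS, AUTHN_CONTEXT, CLIENT, ["openid", "phone"]))
```

The output path is what the relying party sees, so the "phone" claim appears in the token as phone_number. Swapping AUTHN_CONTEXT for a context that lacks the phone attribute shows the omission behaviour: the claim is dropped rather than issued empty.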
Edit Claim
Select an existing claim from the list of claims in the Claims view.
In the Edit claim dialog box, modify the claim data, then select Update to save your changes.
Remove Claim
To remove a claim, select the trash can icon for the claim that you want to delete.
In the Delete claim dialog box, select Yes, delete to confirm the removal of the claim.
Warning
This action is permanent and cannot be undone.