Manage token claims
SecureAuth lets you configure the claims included in tokens issued by your authorization server. A claim's value can come from several sources, such as the IDP-mapped authentication context or the attributes (including metadata) of the OAuth client application.
About claims
Claims are statements about an authenticated user, such as their identity and attributes, packaged in a token (either ID token or access token) and issued by an authorization server. You can control how these claims are issued and group them in scopes.
You can also manage how SAML assertion attributes coming from the IDP are sent to SAML service providers.
Prerequisites
Access to a SecureAuth tenant with at least one authorization server
Authentication context is configured (for claims based on it)
Configured and connected client application (for claims based on client data)
Add claim
In the target workspace, from the left sidebar, go to OAuth > Claims.
Select a claim type. The options are:
Access Tokens
ID Tokens
SAML Assertion Attributes (this option is available only when SAML is enabled in your tenant)
Custom Claims
To create a new claim, click +ADD CLAIM and set the following:
Name
The name of the claim in SecureAuth.
Source type
Specifies how the claim's value is retrieved.
AuthN Context: A set of attributes mapped from data sent by the Identity Provider (IDP) on behalf of the user.
Risk Context
Client: Represents an application registered in SecureAuth.
Workspace
Identity Pool
Organization
Source path
The specific attribute available in the source for this claim.
Output source path
The exact name of the attribute representing the claim in the token.
Scopes
Optional.
Defines the token scopes in which this claim is included. If left empty, the claim is global and is included in every token, regardless of which scopes the client requested. Scope any claim that carries data not every client needs, so that it is released only when the matching scope is granted.
SAML Name
Only available with SAML enabled in your tenant.
The SAML attribute name under which this claim appears in the assertion sent to your service provider. For example, urn:oid:2.5.4.10.
SAML Attribute Format
Only available with SAML enabled in your tenant.
The format of the SAML attribute. For example, urn:oasis:names:tc:SAML:2.0:attrname-format:uri.
Click Add to save your changes.
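To make the fields above concrete, here is an added Python model of how claim definitions turn source attributes into token claims. It is example code written for this page, not SecureAuth's implementation. Each definition carries a name, source type, source path, output path and scope list, as in the form; a claim with no scopes is global, and the model assumes a scoped claim is emitted when at least one of its scopes was granted. The source attributes, the definitions (including a phone claim from the authentication context, like the one in the video tutorial) and the HS256 signing key are all constructed for the example.

```python
"""Added model of claim mapping; not SecureAuth code. Assumes each source type is
a flat or nested dict, an empty scope list means a global claim, a scoped claim is
emitted when any listed scope was granted, and an HS256 JWT stands in for the token."""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class ClaimDefinition:
    name: str            # claim name in the admin UI
    source_type: str     # authn_context, client, workspace, identity_pool, organization, risk_context
    source_path: str     # attribute in the source; dotted path walks nested maps
    output_path: str     # attribute name written into the token
    scopes: tuple = ()   # empty = global claim, included in every token


def lookup(source: dict, path: str):
    """Follow a dotted path such as 'metadata.tier' through nested dicts."""
    node = source
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def resolve_claims(definitions, sources: dict, granted_scopes: set) -> dict:
    """Return the claims the definitions produce for one token request."""
    claims = {}
    for d in definitions:
        # Scope gating: a scoped claim needs at least one granted scope.
        if d.scopes and not granted_scopes.intersection(d.scopes):
            continue
        value = lookup(sources.get(d.source_type, {}), d.source_path)
        if value is None:
            continue  # attribute missing at the source: claim is omitted, not nulled
        claims[d.output_path] = value
    return claims


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Package the claims in a compact HS256 JWT (demo only; use a vetted library in production)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes) -> dict:
    """Reject anything but HS256 with a valid MAC, then return the payload."""
    header, body, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))


# Constructed claim definitions and request context (hypothetical values).
DEFINITIONS = (
    ClaimDefinition("phone", "authn_context", "phone", "phone_number", ("phone",)),
    ClaimDefinition("email", "authn_context", "email", "email", ("email",)),
    ClaimDefinition("client tier", "client", "metadata.tier", "client_tier"),  # global
    ClaimDefinition("organization", "organization", "id", "org_id"),           # global
)
SOURCES = {
    "authn_context": {"sub": "user-123", "phone": "+15555550123", "email": "alice@example.com"},
    "client": {"client_id": "app-1", "metadata": {"tier": "gold"}},
    "organization": {"id": "org-9"},
}
KEY = b"constructed-demo-key-not-for-production"


def issue_token(granted_scopes) -> str:
    """Build the token for a request that was granted the given scopes."""
    payload = {"sub": SOURCES["authn_context"]["sub"], "iat": int(time.time())}
    payload.update(resolve_claims(DEFINITIONS, SOURCES, set(granted_scopes)))
    return mint_jwt(payload, KEY)


if __name__ == "__main__":
    for scopes in (["openid"], ["openid", "phone"], ["openid", "phone", "email"]):
        print(scopes, "->", sorted(verify_jwt(issue_token(scopes), KEY)))
```

Running the block shows that `client_tier` and `org_id` appear in every token because their definitions have no scopes, while `phone_number` and `email` appear only when the matching scope was granted. The `verify_jwt` side is what a resource server does before trusting any of these attributes: it pins the algorithm and checks the MAC first, so a forged body or an `alg: none` header is rejected before the claims are read.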
Video tutorial
In the video below, we add a custom claim based on authentication context data.
This claim carries the user's phone number, which is provided by the identity provider (IDP) in use, so the source type is AuthN Context. For the source path, we select Phone, which originates in the claim sent by the IDP and is mapped into SecureAuth's authentication context.
Edit claim
In the Claims section, select an existing claim.
The Edit claim page appears.
Modify the claim data and click Update to save your changes.
Remove claim
In the Claims section, click the trash can icon next to the claim that you want to delete.
Confirm.
Warning
This action is permanent and cannot be undone.