Symantec Access Management

Expand all | Collapse all

OIDC Custom Claims Plug-in

Jump to Best Answer
  • 1.  OIDC Custom Claims Plug-in

    Posted 09-30-2019 11:11 AM
    Hi all,
    I got a request from a client to include the name of the calling application as a claim in the token during OIDC auhentication. Looking at the Custom Claims plugin API, i would have to access some session context to retrieve information about calling client application. However it seems to me that there is no API that give access to this context information. Is there any way to fulfill the requirement?
    The only option i see at the moment is to this name as a parameter to the plugin. But this would require to create a provider for each client which doesn't seem very scalable.
    Any thoughs are welcome.

    Best regards,

  • 2.  RE: OIDC Custom Claims Plug-in

    Posted 10-16-2019 03:05 AM
    Hi Dirk,

    I have no experience in OIDC implementation, but depending the value
    you are looking for for "application", you maybe can refer to a
    "Request Context Variable". Again I'm not sure that this will work as
    the value should be available before the authentication as the claim
    plugin will process for authentication.

    Best Regards,

  • 3.  RE: OIDC Custom Claims Plug-in
    Best Answer

    Posted 10-17-2019 11:09 AM
    Hi Dirk,

    The ID Token will contain the ClientID in the "aud" claim attribute (see example below). The ClientID can be customized and renamed to a more user-friendly name in the OICD client configuration screen in the Admin UI.
    If you need to, you can also use the Custom Claims plugin API to set additional claims based on the "aud" claim value.

    Let me know if this helps.

    Below is an IDToken example: 


      "sub": "user1",

      "aud": "a9e8418f-5954-4142-aff6-5e0e3003774c",

      "auth_time": 1571323296,

      "iss": "https://<hostname>/affwebservices/CASSO/oidc/test",

      "exp": 1571323709,

      "iat": 1571323409


  • 4.  RE: OIDC Custom Claims Plug-in

    Posted 10-17-2019 01:20 PM
    Hi Uzi,
    Of course you are right. Why haven't i seen this before? :)
    Thanks a lot.