This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 15%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Hello Experts,
I need your support with the configuration of attributes between Azure AD and SAP IAS. I have configured the OpenID Connect protocol between Azure and SAP IAS. An app has been configured in SAP IAS, and the user should be able to log in to this app.
However, I don’t understand how the attributes are transferred in this context. I tested by deleting all attributes in SAP IAS, but attributes are still being transmitted to the cloud app. In Azure, under App Registration > Token Configuration, I defined the attributes email, family_name, and given_name, and these are exactly the attributes being transmitted to the app. It doesn’t matter which attributes I have defined in IAS.
Now, my question is: How can I define in Azure that additional attributes, such as Employee Number, Department, etc., should also be transmitted?
When configuring SAML between apps, I can define Claims in Azure.
Is this also possible for OIDC?
I look forward to your response.
Thank you in advance
Best Regards
Hello Mike,
Thanks for posting your question in the Microsoft Q&A forum.
You can follow these steps:
Token configuration and select Add optional claim then choose the token type (ID token or Access token) and add the desired claims and then go to App registrations > Your app > ManifestoptionalClaims sectionApplications section and select your applicationSubject Name Identifier and Assertion AttributesRemember that the attributes must exist in Azure AD and be associated with the user accounts. For custom attributes, you may need to configure them in Azure AD first and populate them with data.
Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful
Hello @hossein jalilian
Thank you very much for your support.
In Azure, under App Registration -> Token Configuration -> Add Optional Claim, I cannot find claims like Employee_id, department...
These claims, for example, can be added without any issues in a SAML App. Do I need to create this claim manually?
Second question: Under App Registration -> Token Configuration -> Add Optional Claim, I added the "upn" (ID) claim. However, when I enter the "upn" claim under Subject Name Identifier in SAP IAS (IAS is configured as a proxy), I cannot log in with the upn. I can only log in to the cloud app with an email address.
Thank you.
Best Regards
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 17%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVJ%3C/text%3E%3C/svg%3E)
Hello Mike,
We understand that you have registered an app in Azure (OpenID - OIDC). You are now looking for an option where you can add other user attributes such as Employee ID, department, city, etc.
Please find below steps to pass additional attributes like Employee ID and Department in the access token.
Modify the Manifest:
Add Claims to the Access Token:
After completing these steps, both claims (Employee ID and Department) will be added to the access token, allowing access to the application with these claims included.
On the second query, your Service Provider SAP IAS is set up to authenticate users based on a specific claim — email address, but not UPN.
SAP IAS may be configured to authenticate based on the email address claim and may not recognize the UPN as a valid identifier.
If your configuration in Azure AD is passing the UPN as the identifier in the token, but SAP IAS is expecting the email address, authentication will fail.
I request you to check authentication settings on SAP IAS if it is configured email address as identifier and configure SAP IAS to accept the UPN directly if that's supported.
And if it is not supported, you can map the UPN to a custom claim in Azure AD and configure SAP IAS to use that custom claim for authentication
Thanks,
Venkata Jagadeep.
Hello Mike,
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Hello @Venkata Jagadeep
Thank you so much for your support !!!
I followed your instructions and defined the custom attribute (employee_number) as you described.
Then, I configured in SAP IAS the Subject Name Identifier =Corporate Identity Provider=employee_number.
The user is successfully transferred to SAP BTP, and the value "employee_number" is populated in the Name ID field.
Still, even though the user has all the necessary permissions in SAP BTP, they receive the "Access Denied" error.
Could it be that the user is not found/identified in BTP based on the Subject Name Identifier (employee_number), even though the employee_number claim is being transferred?
What am I still doing wrong here ?
Thanks again for your help !!!
Best Regards
Hello Mike,
It will be helpful if you share screenshot of the error and who is giving the error (Azure or SAP)
Note : Please remove any Personally Identifiable Information on the screenshot (if any)
SAP IAS may be configured to authenticate based on the email address claim and may not recognize the UPN as a valid identifier.
We suggest you connect with SAP IAS technical team to check if they are expecting UPN as identifier.
Thanks,
Venkata Jagadeep
Hello Mike,
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Thanks,
Venkata Jagadeep