Thank you for posting this in Microsoft Q&A.
I understand your question about configuring Entra ID clients to use the same sub claim for the same user when a token is received via either of the apps.
The sub claim is a pairwise value that is unique and based on a combination of the token recipient, tenant, and user. Therefore, two apps that request ID tokens for a user receive two different values for the sub claims. This value is immutable and cannot be reassigned or reused.
To answer your question, it is not possible to change the sub claim to a public subject type. As discussed earlier, the sub claim is a pairwise hash of the Azure AD user object's ObjectID and the ApplicationId of the application, meaning it is an identifier that is unique per Entra ID application.
Regarding the sector_identifier_uri, it is used to identify the sector that the client belongs to. If two clients have the same sector_identifier_uri, they are considered to be in the same sector. This can be useful for enabling cross-client single sign-on (SSO) and session management. However, it is important to note that the sector_identifier_uri is not used to generate the sub claim.
Hope this helps. Do let us know if you have any further queries.
Thanks,
Navya.
If this answers your query, do click "Accept Answer" and "Yes" for "Was this answer helpful". And, if you have any further query, do let us know.
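Added example, not part of the original answer or Microsoft's own code: since sub differs per application, a backend that receives ID tokens from two apps can correlate the same user on the tid and oid claims instead. Those two claim names come from Microsoft's ID token claims reference rather than from the answer above; the tokens, IDs and function names below are constructed for the demo, and signature validation is assumed to have already happened.

```python
import base64
import json

def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(claims):
    """Build a constructed sample token (placeholder signature) for this demo only."""
    return ".".join([_b64url({"typ": "JWT", "alg": "RS256"}), _b64url(claims), "sig"])

def decode_claims(id_token):
    """Return the payload claims. Real code validates signature, iss, aud, exp first."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def cross_app_key(claims):
    """(tid, oid) identifies one user across apps in a tenant; sub does not."""
    missing = [c for c in ("tid", "oid") if not claims.get(c)]
    if missing:
        # Fail closed: never fall back to sub, which is scoped to one app.
        raise KeyError(f"token lacks {missing}; cannot correlate across apps")
    return (claims["tid"], claims["oid"])

def same_user(token_a, token_b):
    """True when both tokens describe the same directory user."""
    return cross_app_key(decode_claims(token_a)) == cross_app_key(decode_claims(token_b))

# Constructed sample values (not real tenant, user or client IDs).
TID = "11111111-1111-1111-1111-111111111111"
OID = "22222222-2222-2222-2222-222222222222"
TOKEN_APP_A = make_sample_token(
    {"aud": "app-a-client-id", "tid": TID, "oid": OID, "sub": "constructed-sub-for-app-a"})
TOKEN_APP_B = make_sample_token(
    {"aud": "app-b-client-id", "tid": TID, "oid": OID, "sub": "constructed-sub-for-app-b"})

if __name__ == "__main__":
    a, b = decode_claims(TOKEN_APP_A), decode_claims(TOKEN_APP_B)
    print("sub equal across apps:", a["sub"] == b["sub"])
    print("same user by (tid, oid):", same_user(TOKEN_APP_A, TOKEN_APP_B))
```

If oid is absent from a token, the check raises rather than comparing sub values, so two different app-scoped identifiers are never treated as a match or mismatch by accident.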