ADFS 4.0, Adal JS - No claims

Question

  • For our single page application we use Adal JS 1.0.13. 

    We have configured ADFS 4.0 according to this guide for SPA-applications:

    https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/development/single-page-application-with-ad-fs

    The problem: we do not get any non-standard claims (e.g. email) in the response.

    Some sources state that the implicit flow will never result in customized claims. Is this true? How can we get claims when running ADFS locally (not Azure)?



    Tuesday, November 22, 2016 2:38 PM

Answers

  • I think I figured out the issue.  Looking around the ADAL js issues, I found this:
    https://github.com/AzureAD/azure-activedirectory-library-for-js/issues/239

    It is talking about group claims specifically from Azure AD, but it made me look at one of the pages referenced:
    http://www.dushyantgill.com/blog/2014/12/10/authorization-cloud-applications-using-ad-groups/

    In the "Authentication flows that support groups claim", it says OpenIDConnect id_token via query string doesn't support groups claim.  

    That made me wonder if that's what is going on with ADFS. I took the request from ADAL js that isn't working, added &response_mode=form_post and then the token had my custom role claim in it. Apparently they do this to not exceed URL lengths, but I see no reference to this in the documentation or the OpenID spec itself, which is a bummer.

    I'm not sure how to use ADAL js to get the roles in the token, so I'm not sure how to use ADFS with a SPA and role authorization.  In Azure AD I guess you make a separate request to the graph api.

    Any comments from ADFS team appreciated.

    Wednesday, May 3, 2017 3:18 PM

All replies

  • I have the same issue, and it's only with ADAL.js.  I can get custom claims (group membership) to work with implicit flow in an MVC app.  Did you ever get a resolution to this?

    I've gone so far as to analyze the two requests to ADFS, the one that works and the one that does not. The only thing obvious I can see is that the ADAL JS request that doesn't get the claims sends the following two querystring parameters:

    &x-client-SKU=Js
    &x-client-Ver=1.0.14

    Wednesday, May 3, 2017 1:20 PM
  • Thanks for the update! I will try this.

    "Any comments from ADFS team appreciated."

    Yes, a clarification of this would be welcomed.

    Thursday, May 4, 2017 6:15 AM
  • I have the same problem! Do you have any update on this? Thanks team.

    Ignacio Ocampo

    Thursday, May 4, 2017 9:01 PM
  • Hi,

    I am running the SPA setup and added an Issuance Transform Rule to the web application. I am requesting a "code token" response type and I am receiving the claims. Granted, this is not as straightforward as it could be (but then again, security never seems to be straightforward : )). For example I found through just looking at authentication failures that the issuer is /adfs/services/trust and the audience is prefixed with microsoft:identityserver. But it does finally work.

    Tuesday, October 3, 2017 3:48 PM
  • Hi Mrent,

    I have the same issue, I tried to add a custom rule on the Web App but I didn't receive the group in the claim.

    Can you share with me what you did to make it work?

    Thanks


    Lourh

    Saturday, December 2, 2017 1:34 PM
  • https://medium.com/the-new-control-plane/the-mystery-of-the-missing-adfs-jwt-claims-7658d9cdeaac

    Monday, September 10, 2018 8:03 PM