Changing Scopes_Supported in the Discovery Endpoint - azure-ad-b2c

I was wondering how I could change the discovery endpoint metadata:
"scopes_supported": [
"openid"
],
to include "email" and "profile".
This metadata is found at https://domain/name.onmicrosoft.com/v2.0/.well-known/openid-configuration?p={policy-name}
Thanks in advance

I just confirmed with an Azure support engineer that we cannot modify the scopes in the metadata.

Related

Trying to set up the JSON for Onelogin to Druva to set up profiles based on Department

We are trying to set up user provisioning via custom JSON schemas in Onelogin for Druva, to move users to profiles based on department.
The issues we are facing might be down to our Onelogin account not being an enterprise account. However, we found a workaround which did work, basing the mapping off company instead, as per this setup where the company field is used for "department".
While this works it doesn't seem the best option long term.
Any reason this shouldn't work?
{
"schemas": [
"urn:scim:schemas:core:2.0",
"urn:scim:schemas:extension:enterprise:1.0"
],
"userName": "{$user.email}",
"displayName": "{$user.firstname} {$user.lastname}",
"company": "{$user.company}",
"urn:scim:schemas:extension:enterprise:1.0": {
"department": "{$parameters.department}"
}
}
Any other suggestions?

Having trouble understanding Azure's Roles JSON

It's just a concept I'm having trouble understanding, with the wildcard * and what that means. So here we have two roles, Owner and Contributor.
{
"Name": "Contributor",
"Id": "b24988ac-6180-42a0-ab88-20f7382dd24c",
"IsCustom": false,
"Description": "Lets you manage everything except access to resources.",
"Actions": ["*"],
"NotActions": [
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action"
],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": ["/"]
}
Name : Owner
Id : 8e3af657-a8ff-443c-a75c-2fe8c4bcb635
IsCustom : False
Description : Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
Actions : {*}
NotActions : {}
DataActions : {}
NotDataActions : {}
AssignableScopes : {/}
So my hang-up is the use of the asterisk. I know * under Owner means everything, but with Contributor, why is it used under the NotActions permissions? Why is it "Microsoft.Authorization/*/Delete" instead of "Microsoft.Authorization/Delete"? The permission in question stops the contributor from deleting users. So I know how these roles and permissions work, I'm just really struggling with the syntax. I have read the documentation on Microsoft Learn but there is something I clearly don't understand about the *. Does anyone with any knowledge know of a way of explaining this to help clear it up, or maybe someone could point me to some better documentation? Any help would be greatly appreciated.
Why is it "Microsoft.Authorization/*/Delete" instead of
"Microsoft.Authorization/Delete"?
To understand this, please see this link, especially the Operations format section.
Essentially, each operation is specified in the {Company}.{ProviderName}/{resourceType}/{action} format.
So when you specify the operation as Microsoft.Authorization/*/Delete, you're essentially allowing the delete operation on all the resource types under the Microsoft.Authorization resource provider.
This format also enables you to specify actions granularly at each resource level under a resource provider.
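To make the wildcard rule concrete, here is an added example (not from the post, and not Microsoft's code) that evaluates operation strings against the Contributor and Owner definitions quoted above using the Actions-minus-NotActions rule; the operation names used as sample input (Microsoft.Authorization/roleAssignments/delete, Microsoft.Compute/virtualMachines/delete) are real Azure operation names, and the match semantics assumed are that * spans any run of characters, including /, and that comparison is case-insensitive.

```python
import re

# Role definitions copied from the Contributor and Owner roles quoted in the question
CONTRIBUTOR = {
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
}
OWNER = {"Actions": ["*"], "NotActions": []}


def matches(pattern: str, operation: str) -> bool:
    """Assumed Azure RBAC wildcard semantics: '*' stands for any run of
    characters (including '/' and the empty string), comparison is
    case-insensitive, and the pattern must cover the whole operation string."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def is_allowed(role: dict, operation: str) -> bool:
    """Effective permission of one role = Actions minus NotActions.
    NotActions only subtracts from this role's own grant; it is not a deny,
    so a second role assignment that grants the operation still allows it."""
    granted = any(matches(p, operation) for p in role["Actions"])
    excluded = any(matches(p, operation) for p in role["NotActions"])
    return granted and not excluded


def parse_operation(operation: str) -> tuple:
    """Split '{Company}.{ProviderName}/{resourceType}/{action}' into its parts.
    A string with no resource-type segment yields an empty middle element,
    which is why 'Microsoft.Authorization/Delete' matches nothing real."""
    provider, _, rest = operation.partition("/")
    resource_type, _, action = rest.rpartition("/")
    return provider, resource_type, action


if __name__ == "__main__":
    for op in ("Microsoft.Compute/virtualMachines/delete",
               "Microsoft.Authorization/roleAssignments/delete",
               "Microsoft.Authorization/roleAssignments/read"):
        print(parse_operation(op), "Contributor allows:", is_allowed(CONTRIBUTOR, op))
```

Replacing the NotActions entry with the literal "Microsoft.Authorization/Delete" leaves roleAssignments/delete allowed, because that string has no resource-type segment and so matches no actual operation.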

Azure AD B2C: Change Local Email

I have two requirements that seem to conflict:
Use the email as the username.
Allow users to change their email.
The problem: if you configure the directory to use the email as the username then the edit profile policy does NOT show the email to allow you to change it.
Any solution I think of is a kludge and involves creating a whole new local account for the user.
Any ideas or suggestions?
You'll need to use the Azure AD Graph API to update the 'User' entity.
You can do this via Microsoft Graph now too.
Example:
PATCH: https://graph.microsoft.com/v1.0/users/{UUID}
{
"identities": [
{
"signInType": "emailAddress",
"issuer": "xxxx.onmicrosoft.com",
"issuerAssignedId": "{new email address}"
}
]
}
The possibilities have changed and #pswillies' answer is not true anymore.
It is possible to change the sign-in name of local accounts where the sign-in name is an email address.
See this official sample: https://github.com/azure-ad-b2c/samples/tree/master/policies/change-sign-in-name
It is using custom policies.

OPENAM: How to add information to the "User Information" OAuth2 / OpenID Connect endpoint

I'm using OAuth2 with OpenAM 13. I need my client application to be able to retrieve user information by means of the OpenAM "User Information" endpoint.
However, I need to add / enhance the information provided to provide custom information in the user profile.
I was not able to see how to do this with the "User Information" endpoint.
However, with the "Token Information" endpoint it is very easy to add information (adding scopes that match the profile name automatically adds the information in the JSON response). I tried the same for the "User Information" endpoint but this didn't work.
In this other post I have read that the "User Information" endpoint information can be enhanced by using a 'script'. However, I was not able to find how to do it:
OpenAM - Use OAuth2 Access Token to get User Details?
Could someone help with this? I would really appreciate it.
Thanks so much
In the default claims script you can add additional profile attributes by
extending the 'profile' key of the 'scopeClaimsMap' and creating a mapping for the new claim in the 'claimAttributes' map.
As the claims script is using the IDRepo API of OpenAM you need to make sure the attributes are configured in the 'User Attributes' section of the configured user data store.
Example: Additional claim "employee_number" for the "profile" scope.
claimAttributes = [
"email": attributeRetriever.curry("mail"),
"address": { claim, identity, requested -> [ "formatted" : attributeRetriever("postaladdress", claim, identity, requested) ] },
"phone_number": attributeRetriever.curry("telephonenumber"),
"given_name": attributeRetriever.curry("givenname"),
"zoneinfo": attributeRetriever.curry("preferredtimezone"),
"family_name": attributeRetriever.curry("sn"),
"locale": attributeRetriever.curry("preferredlocale"),
"name": attributeRetriever.curry("cn"),
"employee_number": attributeRetriever.curry("employeeNumber")
]
scopeClaimsMap = [
"email": [ "email" ],
"address": [ "address" ],
"phone": [ "phone_number" ],
"profile": [ "given_name", "zoneinfo", "family_name", "locale", "name", "email", "employee_number" ]
]
The attribute 'employeeNumber' must be configured in the user data store config (which is there by default if you did not change anything).

Paypal API: REST or CLASSIC?

I have successfully registered a REST API app with Paypal but I am not sure if this is what I need or if I need to create a CLASSIC API app from the same screen.
So far I have been testing in the sandbox, and the credentials I have been using follow this pattern:
{
"user" : "a#a.com",
"host" : "api.paypal.com",
"port": "",
"client_id" : "ID",
"client_secret": "SECRET",
"classicAPI": {
"username" : "paypal_api1.domain.com",
"password" : "PWD",
"signature" : "SIGNATURE",
"environment" : "production"
}
};
What my code is trying to do is to create a subscription, calling "SetExpressCheckout" and "CreateRecurringPaymentsProfile", but I get a "PaypalMissing token" error.
Am I doing it the right way, i.e. REST API and those credentials? Since I'm using the ClassicAPI parameters, shouldn't I be registering a CLASSIC app instead?
For clarification, I'm using NodeJs and this plugin https://www.npmjs.org/package/paypal-recurring
Thank you in advance
Express Checkout specifically would be using the classic API. I'd recommend sticking with that for now as the REST API is still very young and doesn't have all of the features tied in yet that the classic API provides.