In this shorter post, we'll look at mapping profile data to fields that aren't configured out of the box when installing Sitecore and Sitecore Identity. We'll be piggybacking off the last post in the series, where we created a custom Claim Mapping Policy in Azure AD to pass along a claim of "State", which we used to determine access to Sitecore. Today, we'll map that value to the Comment field in the Sitecore user profile.
This post is part of a series on configuring Sitecore Identity and Azure AD. You can view all posts in this series, covering setup to configuration, here.
Sitecore Identity Claim Mapping Cliff's Notes
Briefly, these are the four things we need to do to map a claim from Azure AD to Sitecore. We'll walk through these one by one:
- Ensure the claim is being passed from an Azure AD attribute
- For claims you want to store in the User Profile, ensure the profile is extended to use that claim.
- Configure a claim transformation in Sitecore Identity
- Configure a claim map in Sitecore
Ensure the claim is being passed from Azure AD
In the first post in the series, we configured our Azure AD instance to use an Identity Token to pass claim data to our Sitecore Identity instance. Microsoft maintains a list of claims that come standard in that token. If the value you want to use for profile or security mapping is included, no additional configuration should be necessary on Azure.
Additionally, there are a set of optional claims that you can easily configure Azure AD to pass to your application. If you'd like to use one of the claims listed there, you'll need to customize your application manifest in Azure AD (we've done this in multiple prior posts in this series) to include the claims you want. Instructions are here.
If the AD attribute you want isn't part of the standard or optional claims sets, you still have the ability to create a Claim Mapping Policy to pass that claim (with some restrictions). The prior post in this series explains how to do that.
Obviously these are Azure AD centric (as is this series), but if you're using a different identity provider, you'll want to check the documentation to ensure the attribute you want is being passed to Sitecore Identity as a claim.
For claims you want to store in the User Profile, ensure the profile is extended to use that claim.
This step is not necessary if you're using a claim to determine membership or role in Sitecore (See post 1 and post 3: where we map a group claim to Sitecore role and a nonstandard claim to administrator, respectively). However, if you want to use the claim as a value in the user's Sitecore profile, you'll need to add that outbound claim (SI -> Sitecore) to the Sitecore.Profile definition.
You'll find that definition on the Identity server in the identityServer.xml file. It looks like this by default in Sitecore 9.1:
<IdentityResources>
<SitecoreIdentityResource>
<Name>sitecore.profile</Name>
<UserClaims>
<UserClaim1>name</UserClaim1>
<UserClaim2>email</UserClaim2>
<UserClaim3>role</UserClaim3>
<UserClaim4>http://www.sitecore.net/identity/claims/isAdmin</UserClaim4>
<UserClaim5>http://www.sitecore.net/identity/claims/originalIssuer</UserClaim5>
</UserClaims>
<Required>true</Required>
</SitecoreIdentityResource>
</IdentityResources>
To extend it, add the name of the claim you'll be sending to Sitecore from Sitecore Identity (we'll configure that in the next step). I'm going to call my new claim "comment".
<IdentityResources>
<SitecoreIdentityResource>
<Name>sitecore.profile</Name>
<UserClaims>
<UserClaim1>name</UserClaim1>
<UserClaim2>email</UserClaim2>
<UserClaim3>role</UserClaim3>
<UserClaim4>http://www.sitecore.net/identity/claims/isAdmin</UserClaim4>
<UserClaim5>http://www.sitecore.net/identity/claims/originalIssuer</UserClaim5>
<UserClaim6>comment</UserClaim6>
</UserClaims>
<Required>true</Required>
</SitecoreIdentityResource>
</IdentityResources>
Configure a claim transformation in Sitecore Identity
We've done this in every prior post in this series, so I'm not going to belabor this again in this post. Here's the claim transformation I'm adding to Sitecore.Plugin.IdentityProvider.AzureAd.xml in my "state" claim from post 3 in this series, and mapping it to a new outbound claim called "comment". We just configured "comment" to be part of Sitecore.Profile in the prior step:
<StateToComment type="Sitecore.Plugin.IdentityProviders.DefaultClaimsTransformation, Sitecore.Plugin.IdentityProviders">
<SourceClaims>
<Claim1 type="state" />
</SourceClaims>
<NewClaims>
<Claim1 type="comment" />
</NewClaims>
</StateToComment >
Configure a claim map in Sitecore
Finally, over in Sitecore, we'll configure a new claim map in the Sitecore.Owin.Authentication.IdentityServer.config file. (Again, for more on the whys and hows, check the prior posts in this series).
<map name="set Comment" type="Sitecore.Owin.Authentication.Services.DefaultClaimToPropertyMapper, Sitecore.Owin.Authentication">
<data hint="raw:AddData">
<source name="comment" />
<target name="Comment" />
</data>
</map>
Results
Remember to restart your Sitecore Identity instance between configuration changes, as the xml files are not watched and the server will not recycle itself. Once all the configs are in place, I see the value of the state claim in the comment field of the user profile: