See [Custom Attributes](https://gluu.org/docs/ce/4.1/admin-guide/attribute/#custom-attributes) And you may have to update the mappings of the user claims either in passport or in the passport-social authentication script in Gluu.

Hi, Cu kal. Please provide a bit more data so we could understand what you try to achieve and why it doesn't work. You mentioned you added some logging lines, and can see profile(s) due to this - please share these. Sharing "passport.log" will help as well - but first make sure you set logging level to "debug" for Passport in web UI. You may need to check [this article](https://gluu.org/docs/ce/4.1/tutorials/passport-attributes-mapping/) - it explains how to map additional attributes passed from external IDP in Passport (I'm assuming you want to pass through UPN attirbute that is sent by external IDP).

Thanks for your help, it's appriciated! I changed `openidconnect-default.js`: ``` module.exports = profile => { console.log(JSON.stringify(profile)) return { uid: profile.id, mail: profile._json.email, cn: profile.displayName, displayName: profile.displayName, givenName: profile.name.givenName, sn: profile.name.familyName } } ``` This is the output from passport: ``` 2020-03-05T23:25:29.273Z [VERBOSE] Issuing token 2020-03-05T23:25:29.274Z [INFO] ::ffff:192.168.250.5 - GET /passport/token HTTP/1.0 200 201 - 0.905 ms 2020-03-05T23:25:29.385Z [VERBOSE] Validating token 2020-03-05T23:25:29.385Z [VERBOSE] Authenticating request against AzureOpenID 2020-03-05T23:25:29.386Z [INFO] ::ffff:192.168.250.5 - GET /passport/auth/AzureOpenID/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqd3QiOiJhYjc5YTUxZC1iYjQwLTQ0NDYtYjJlOS1lNTY1ZWYzNGIwMTgiLCJpYXQiOjE1ODM0NTA3MjksImV4cCI6MTU4MzQ1MDg0OX0.0yHDUtajma2Kh6KPtDIIwS5oqqN7MEiUkpfxmTyFscs HTTP/1.0 302 0 - 1.435 ms 2020-03-05T23:25:30.121Z [VERBOSE] Authenticating request against AzureOpenID 2020-03-05T23:25:30.998Z [INFO] Applying mapping 'openidconnect-default' to profile {"id":"nDmfwemEZa119dT4m9a8ktHUcnd8g2WpKE55ocdwmM8","displayName":"<SNIPPED>","name":{"familyName":"<SNIPPED>","givenName":"<SNIPPED>"},"_raw":"{\"sub\":\"nDmfwemEZa119dT4m9a8ktHUcnd8g2WpKE55ocdwmM8\",\"name\":\"<SNIPPED>\",\"family_name\":\"<SNIPPED>\",\"given_name\":\"<SNIPPED>\",\"picture\":\"https://graph.microsoft.com/v1.0/me/photo/$value\",\"email\":\"<SNIPPED>\"}","_json":{"sub":"nDmfwemEZa119dT4m9a8ktHUcnd8g2WpKE55ocdwmM8","name":"<SNIPPED>","family_name":"<SNIPPED>","given_name":"<SNIPPED>","picture":"https://graph.microsoft.com/v1.0/me/photo/$value","email":"<SNIPPED>"}} 2020-03-05T23:25:30.998Z [DEBUG] Resulting profile data is { "provider": "AzureOpenID", "uid": "nDmfwemEZa119dT4m9a8ktHUcnd8g2WpKE55ocdwmM8", "mail": "<SNIPPED>", "cn": "<SNIPPED>", "displayName": "<SNIPPED>", "givenName": "<SNIPPED>", "sn": "<SNIPPED>" } 2020-03-05T23:25:30.998Z [INFO] User nDmfwemEZa119dT4m9a8ktHUcnd8g2WpKE55ocdwmM8 authenticated with provider AzureOpenID 2020-03-05T23:25:31.001Z [DEBUG] Sending user data <SNIPPED>IsImtpZCI6IjAzYTQ2YTFkLTQxMWYtNDZiMS1iOTAyLTBjYjcyNjNmMThhN19zaWdfcnM1MTIifQ.eyJpc3MiOiJodHRwczovL2RwcC50ZXN0LmRwcC5kaWxlb3oubmV0d29yay9veGF1dGgvcG9zdGxvZ2luLmh0bSIsInN1YiI6Im5EbWZ3ZW1FWmExMTlkVDRtOWE4a3RIVWNuZDhnMldwS0U1NW9jZHdtTTgiLCJhdWQiOiIwMDA4LWE2ZWNiODg4LTRlZTgtNDk4ZC05YTQ3LTE5N2YxNDNiODZkMCIsImp0aSI6IjE3ODdhMTQxLTAxNzQtNGQwNy04NTUyLTA3NTQyMjVhNzE3MSIsImV4cCI6MTU4MzQ1MDc2MC45OTksImlhdCI6MTU4MzQ1MDczMDk5OSwiZGF0YSI6eyJwcm92aWRlciI6IkF6dXJlT3BlbklEIiwidWlkIjpbIm5EbWZ3ZW1FWmExMTlkVDRtOWE4a3RIVWNuZDhnMldwS0U1NW9jZHdtTTgiXSwibWFpbCI6WyJsYXJzLnZhbmNhc3RlcmVuQGRpbGVvei5jb20iXSwiY24iOlsiTGFycyBWYW4gQ2FzdGVyZW4iXSwiZGlzcGxheU5hbWUiOlsiTGFycyBWYW4gQ2FzdGVyZW4iXSwiZ2l2ZW5OYW1lIjpbIkxhcnMiXSwic24iOlsiVmFuIENhc3RlcmVuIl0sImRlc2NyaXB0aW9uIjpbXX19.s1R-8X2JFRt1HXoa-228qkQSw9xFaG0LZSNkb6yrDlS421v5KlNo1mnUDkOw43AMVcvKS0WZXFPeAAPRYoAyoV-73X_AF9JZ2YzfgZdt9EpcNwQms7CyuQDXJudQr1dxvBX5M1AdtvH4eoxcU1lKcMW-3O2cT-WSsu7ZYSzJfVrLhGJelc4BkvulHwqbzBIvAEmLNSANxFPoykacilzi4cIUuBZ9ox1Ztq6LoSskbfoJN8uZNFu1NcyEpYnHnwcHj6qrKFLq03fqEHbi2flvVgS1u-2TuoMww6EIm3eyj8SL5aynbYNqVrWrEPpjllSLveRoY_9kTkdRIppX5tfNQw to: https://<GLUU_SERVER>/oxauth/postlogin.htm 2020-03-05T23:25:31.002Z [INFO] ::ffff:192.168.250.5 - GET /passport/auth/AzureOpenID/callback?code=<SNIPPED>DLh_qYbH8UL_HibVEDHkR1zlgl--8jWVGyUoREWWOHyKl-inkHQ92TB-zhxNrPkWZTmLszrgnzGxId8websz09Jdx_wwdrXfG2nNyJrAOCS9xm0DNfVL5TYufVgYYKjWSisV0xJk1bzMPBWpJG2d9En2CAO1Oi0Edi7HDYQrfFssOQrOapCizj5BJpDVXvg9QcZt2XSibMWJz-AwBvFgTLGZ7gNU59i4kNoy85sM3V6TWHuU9zwWNn3diyFkqotx0z0SPZN1_jm7yMpUMOpJt2stwmEdoL1lyUxr2-qba94xxCmAPK1HWk75hN63q809srgxgNY5TbbdWx5Mw7ktFFcivoM18KDLSVAz22ZEB9VKCFNsdWsPRKQ8c-5XAu1NXkpu64GMFHb1qrNjN0MSOCpnKDzFFMdVA994FVYfOhd8bFFSu2GyhjsDmOqGjcADK9x9DfMo3zO4O_5j3GP1OFoqLOa6USrmQvoTsSgvHXUXkYJCvxTZUG2JfIjoqnJo3rpvvKXzFuIayDMyh7_WB9byYGGzMGx9c_21c0-5SFz3QIzTbYYafhumm2PtDDuQkeanV3zTYXWtOOEZ7o0QKtT7uGV0hdlQwmGWVqkxgNRgNk0tWvB6BjSafdV33vUIevqgCq56x_jT3H8rxrj17VBk89Pp8OOQ9Ey76PM3A8aYObvEL-pUgAA&state=zbofAglT6%2bvzRXLtwjTJo2MP&session_state=30b31647-59dc-4d7b-9abf-19fdf9cd398e HTTP/1.0 200 1675 - 881.057 ms 2020-03-05T23:25:46.797Z [VERBOSE] Issuing token 2020-03-05T23:25:46.798Z [INFO] ::ffff:192.168.250.2 - GET /passport/token HTTP/1.1 200 201 - 0.768 ms ``` I thought adding the console.log line would output anything the IDP sends back, including additional claims defined in the IDP and it will get mapped if the additional values are defined in the mapping part and available as attributes on the user? But I'm not seeing them coming in.

Hi Ku, This is a very good question. Strategy `passport-openidconnect` builds a "minimal profile", see [here](https://github.com/jaredhanson/passport-openidconnect/blob/master/lib/strategy.js#L185-L199). And through this [call](https://github.com/jaredhanson/passport-openidconnect/blob/master/lib/strategy.js#L242) data ends up being sent to the mapping function. Using the specific `verify` function of arity 4 was the best fit for us because most existing strategies only expose one `verify` function of such arity. In the case of `passport-openidconnect` you'll see that with arity 8 there is access to `jwtClaims` which contains all claims released from your OP. In recently released Gluu CE 4.1 we included a generic solution for this problem and it is documented with examples [here](https://gluu.org/docs/ce/4.1/tutorials/passport-attributes-mapping/#accessing-extra-data-from-the-passport-strategy). If you cannot switch to 4.1, you will have to make modifications to our code around [here](https://github.com/GluuFederation/gluu-passport/blob/version_4.0/server/providers.js#L71) (this is located in chroot at `/opt/gluu/node/passport/server/providers.js`). We cannot offer guidance on what to do because it requires a membership. Overall your best option is to use 4.1

Hello Jose, Thanks for your message, it contained some missing pieces of the puzzle! I got it working on 4.0.1, the additional claims released by Office365 Azure AD (the free one) are now visible in the profile & can be mapped. I'm heading into one great weekend! Your email & the 4.1 docs really tied together all the stuff I read on the Microsoft document site, thanks again! Gr, Cu

Hello Jose, Thanks for your message, it contained some missing pieces of the puzzle! I got it working on 4.0.1, the additional claims released by Office365 Azure AD (the free one) are now visible in the profile & can be mapped. I'm heading into one great weekend! Your email & the 4.1 docs really tied together all the stuff I read on the Microsoft document site, thanks again! Gr, Cu