By: Cu kal user 05 Mar 2020 at 4:17 p.m. CST

6 Responses
I've managed to set up Gluu / Passport with Azure AD / Office365 as IdP using passport-openidconnect and added `console.log(JSON.stringify(profile))` to see the raw incoming profile. I see the raw profile and the mapped profile, and the user is logged in. I'm now trying to include UPN as a claim, but I'm having a hard time understanding whether this is possible without rewriting too much stuff. Should the UPN claim be seen by Passport if it's included? Or is there a requirement for an additional call to fetch additional claims, and they are not included by default? Thanks!

By Michael Schwartz Account Admin 05 Mar 2020 at 4:20 p.m. CST

See [Custom Attributes](https://gluu.org/docs/ce/4.1/admin-guide/attribute/#custom-attributes). And you may have to update the mappings of the user claims, either in Passport or in the passport-social authentication script in Gluu.

By Aliaksandr Samuseu staff 05 Mar 2020 at 4:59 p.m. CST

Hi, Cu kal. Please provide a bit more data so we can understand what you are trying to achieve and why it doesn't work. You mentioned you added some logging lines and can see the profile(s) because of this; please share these. Sharing "passport.log" will help as well, but first make sure you set the logging level to "debug" for Passport in the web UI. You may need to check [this article](https://gluu.org/docs/ce/4.1/tutorials/passport-attributes-mapping/); it explains how to map additional attributes passed from an external IDP in Passport (I'm assuming you want to pass through the UPN attribute that is sent by the external IDP).

By Cu kal user 05 Mar 2020 at 5:58 p.m. CST

Thanks for your help, it's appreciated! I changed `openidconnect-default.js`:

```js
// Mapping function: receives the Passport profile and returns the Gluu user attributes
module.exports = profile => {
  console.log(JSON.stringify(profile)) // dump the raw incoming profile
  return {
    uid: profile.id,
    mail: profile._json.email,
    cn: profile.displayName,
    displayName: profile.displayName,
    givenName: profile.name.givenName,
    sn: profile.name.familyName
  }
}
```

This is the output from passport:

```
2020-03-05T23:25:29.273Z [VERBOSE] Issuing token
2020-03-05T23:25:29.274Z [INFO] ::ffff:192.168.250.5 - GET /passport/token HTTP/1.0 200 201 - 0.905 ms
2020-03-05T23:25:29.385Z [VERBOSE] Validating token
2020-03-05T23:25:29.385Z [VERBOSE] Authenticating request against AzureOpenID
2020-03-05T23:25:29.386Z [INFO] ::ffff:192.168.250.5 - GET /passport/auth/AzureOpenID/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqd3QiOiJhYjc5YTUxZC1iYjQwLTQ0NDYtYjJlOS1lNTY1ZWYzNGIwMTgiLCJpYXQiOjE1ODM0NTA3MjksImV4cCI6MTU4MzQ1MDg0OX0.0yHDUtajma2Kh6KPtDIIwS5oqqN7MEiUkpfxmTyFscs HTTP/1.0 302 0 - 1.435 ms
2020-03-05T23:25:30.121Z [VERBOSE] Authenticating request against AzureOpenID
2020-03-05T23:25:30.998Z [INFO] Applying mapping 'openidconnect-default' to profile {"id":"nDmfwemEZa119dT4m9a8ktHUcnd8g2WpKE55ocdwmM8","displayName":"<SNIPPED>","name":{"familyName":"<SNIPPED>","givenName":"<SNIPPED>"},"_raw":"{\"sub\":\"nDmfwemEZa119dT4m9a8ktHUcnd8g2WpKE55ocdwmM8\",\"name\":\"<SNIPPED>\",\"family_name\":\"<SNIPPED>\",\"given_name\":\"<SNIPPED>\",\"picture\":\"https://graph.microsoft.com/v1.0/me/photo/$value\",\"email\":\"<SNIPPED>\"}","_json":{"sub":"nDmfwemEZa119dT4m9a8ktHUcnd8g2WpKE55ocdwmM8","name":"<SNIPPED>","family_name":"<SNIPPED>","given_name":"<SNIPPED>","picture":"https://graph.microsoft.com/v1.0/me/photo/$value","email":"<SNIPPED>"}}
2020-03-05T23:25:30.998Z [DEBUG] Resulting profile data is { "provider": "AzureOpenID", "uid": "nDmfwemEZa119dT4m9a8ktHUcnd8g2WpKE55ocdwmM8", "mail": "<SNIPPED>", "cn": "<SNIPPED>", "displayName": "<SNIPPED>", "givenName": "<SNIPPED>", "sn": "<SNIPPED>" }
2020-03-05T23:25:30.998Z [INFO] User nDmfwemEZa119dT4m9a8ktHUcnd8g2WpKE55ocdwmM8 authenticated with provider AzureOpenID
2020-03-05T23:25:31.001Z [DEBUG] Sending user data <SNIPPED>IsImtpZCI6IjAzYTQ2YTFkLTQxMWYtNDZiMS1iOTAyLTBjYjcyNjNmMThhN19zaWdfcnM1MTIifQ.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.s1R-8X2JFRt1HXoa-228qkQSw9xFaG0LZSNkb6yrDlS421v5KlNo1mnUDkOw43AMVcvKS0WZXFPeAAPRYoAyoV-73X_AF9JZ2YzfgZdt9EpcNwQms7CyuQDXJudQr1dxvBX5M1AdtvH4eoxcU1lKcMW-3O2cT-WSsu7ZYSzJfVrLhGJelc4BkvulHwqbzBIvAEmLNSANxFPoykacilzi4cIUuBZ9ox1Ztq6LoSskbfoJN8uZNFu1NcyEpYnHnwcHj6qrKFLq03fqEHbi2flvVgS1u-2TuoMww6EIm3eyj8SL5aynbYNqVrWrEPpjllSLveRoY_9kTkdRIppX5tfNQw to: https://<GLUU_SERVER>/oxauth/postlogin.htm
2020-03-05T23:25:31.002Z [INFO] ::ffff:192.168.250.5 - GET /passport/auth/AzureOpenID/callback?code=<SNIPPED>DLh_qYbH8UL_HibVEDHkR1zlgl--8jWVGyUoREWWOHyKl-inkHQ92TB-zhxNrPkWZTmLszrgnzGxId8websz09Jdx_wwdrXfG2nNyJrAOCS9xm0DNfVL5TYufVgYYKjWSisV0xJk1bzMPBWpJG2d9En2CAO1Oi0Edi7HDYQrfFssOQrOapCizj5BJpDVXvg9QcZt2XSibMWJz-AwBvFgTLGZ7gNU59i4kNoy85sM3V6TWHuU9zwWNn3diyFkqotx0z0SPZN1_jm7yMpUMOpJt2stwmEdoL1lyUxr2-qba94xxCmAPK1HWk75hN63q809srgxgNY5TbbdWx5Mw7ktFFcivoM18KDLSVAz22ZEB9VKCFNsdWsPRKQ8c-5XAu1NXkpu64GMFHb1qrNjN0MSOCpnKDzFFMdVA994FVYfOhd8bFFSu2GyhjsDmOqGjcADK9x9DfMo3zO4O_5j3GP1OFoqLOa6USrmQvoTsSgvHXUXkYJCvxTZUG2JfIjoqnJo3rpvvKXzFuIayDMyh7_WB9byYGGzMGx9c_21c0-5SFz3QIzTbYYafhumm2PtDDuQkeanV3zTYXWtOOEZ7o0QKtT7uGV0hdlQwmGWVqkxgNRgNk0tWvB6BjSafdV33vUIevqgCq56x_jT3H8rxrj17VBk89Pp8OOQ9Ey76PM3A8aYObvEL-pUgAA&state=zbofAglT6%2bvzRXLtwjTJo2MP&session_state=30b31647-59dc-4d7b-9abf-19fdf9cd398e HTTP/1.0 200 1675 - 881.057 ms
2020-03-05T23:25:46.797Z [VERBOSE] Issuing token
2020-03-05T23:25:46.798Z [INFO] ::ffff:192.168.250.2 - GET /passport/token HTTP/1.1 200 201 - 0.768 ms
```

I thought adding the console.log line would output anything the IDP sends back, including additional claims defined in the IDP, and that they would get mapped if the additional values are defined in the mapping part and available as attributes on the user?
But I'm not seeing them coming in.

By Jose Gonzalez staff 06 Mar 2020 at 6:33 a.m. CST

Hi Ku, this is a very good question. Strategy `passport-openidconnect` builds a "minimal profile", see [here](https://github.com/jaredhanson/passport-openidconnect/blob/master/lib/strategy.js#L185-L199). And through this [call](https://github.com/jaredhanson/passport-openidconnect/blob/master/lib/strategy.js#L242) data ends up being sent to the mapping function. Using the specific `verify` function of arity 4 was the best fit for us because most existing strategies only expose one `verify` function of such arity. In the case of `passport-openidconnect` you'll see that with arity 8 there is access to `jwtClaims`, which contains all claims released from your OP. In the recently released Gluu CE 4.1 we included a generic solution for this problem, and it is documented with examples [here](https://gluu.org/docs/ce/4.1/tutorials/passport-attributes-mapping/#accessing-extra-data-from-the-passport-strategy). If you cannot switch to 4.1, you will have to make modifications to our code around [here](https://github.com/GluuFederation/gluu-passport/blob/version_4.0/server/providers.js#L71) (this is located in chroot at `/opt/gluu/node/passport/server/providers.js`). We cannot offer guidance on what to do because it requires a membership. Overall your best option is to use 4.1.

By Cu kal user 06 Mar 2020 at 8:26 a.m. CST

Hello Jose, thanks for your message; it contained some missing pieces of the puzzle! I got it working on 4.0.1: the additional claims released by Office365 Azure AD (the free one) are now visible in the profile and can be mapped. I'm heading into one great weekend! Your email and the 4.1 docs really tied together all the stuff I read on the Microsoft document site, thanks again! Gr, Cu