Microsoft Previews Azure Active Directory Custom Claims Providers
Microsoft this week announced a preview of custom claims providers for Azure Active Directory users.
Custom claims providers let organizations map claims into a token via an API. Microsoft's example is an HR department needing to associate locally stored employee numbers with authentications.
The custom claims process happens after a user is authenticated by signing into an app or portal. In Microsoft's custom claims provider example for the HR department, the Lightweight Directory Access Protocol (LDAP) gets used with local Active Directory to return a user's employee number within the token. However, custom claims providers will work with "any data store, LDAP, SQL or anything else."
Organizations may want to set up custom claims providers if they need to keep sensitive info on premises. It's an alternative to using Microsoft's Active Directory Federation Services (ADFS) or "other federation services to pass through claims to Azure AD," the announcement explained.
Microsoft lately has tried to steer its customers away from using ADFS, a Windows Server role that Microsoft presently refers to as a "legacy system." ADFS authenticates with Azure AD using AD on premises, but it's complex to configure, and possibly subject to security issues. For instance, the "Nobelium" nation-state attackers partly leveraged ADFS to tap Exchange Online e-mails.
Another reason why organizations may want to use custom claims providers is being unable to synchronize attributes to Azure AD due to regulatory reasons. Organizations also may have "complex RBAC [role-based access control] models which are stored in external databases."
Microsoft showed off how the custom claims providers preview works in this video. It's Microsoft's "first use of a custom extension," but more are expected to be added to support further customizations of authentication flows.
Custom authentication extensions for Azure AD are currently at the preview stage, according to this Microsoft "Overview" document. The preview apparently was first released last summer.
Microsoft defined a custom claims provider as "a type of custom extension that calls a REST API to fetch claims from external systems," per its "Overview" document.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.