We are trying to get the Groups/Roles from our IDP provider, which uses Microsoft Active Directory. Our IDP provider has created claims which are as follows:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-3463014927-548064903-2158370261-25747", Issuer == "AD AUTHORITY"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "XXXXXX_Admin", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
Our decrypted Access token looks like the following, and we do not appear to receive the roles/groups. How do we get the roles (groups) from our IDP provider? Is there any privilege required on the UAA side, or anything that needs to be enabled by our IDP provider?
The following are data received when we decode the "Access Token":
{
  "jti": "1b36ac1862944766a9ad3511a6c24b22",
  "sub": "139c2215-b32c-402c-af92-45b315275090",
  "scope": [ "openid", "profile", "roles", "user_attributes" ],
  "client_id": "xx-xxx-xxxxx-uaa-meg-test-new-clientid",
  "cid": "xx-xxx-xxxxx-uaa-meg-test-new-clientid",
  "azp": "xx-xxx-xxxxx-uaa-meg-test-new-clientid",
  "grant_type": "authorization_code",
  "user_id": "139c2215-b32c-402c-af92-45b315275090",
  "origin": "xx-xxx-xxxxx-uaa-meg-idp",
  "user_name": "xxx.xxxxx@company.com",
  "email": "xxx.xxxxx@company.com",
  "auth_time": 1612097527,
  "rev_sig": "41530cb7",
  "iat": 1612097529,
  "exp": 1613897529,
  "iss": "https://xxxxxxxxxxxxxxxxxxxxxxxxxx.predix-uaa.run.aws-usw02-pr.ice.predix.io/oauth/token",
  "zid": "88d83c2a-cd25-4000-afaf-50ba4147b563",
  "aud": [ "openid", "xx-xxx-xxxxx-uaa-meg-test-new-clientid" ]
}
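As an added diagnostic (not part of the question above), the following Python script decodes a compact JWT without verifying it and reports which granted scopes have no matching claim in the payload, which is exactly the gap the token above shows. The sample token is constructed from the masked payload in the post, the issuer is a placeholder, and the assumption that the claim is named after its scope (roles, user_attributes) is mine.

```python
import base64
import json

# Constructed sample: the masked UAA access-token payload from the question,
# trimmed to the fields this check needs. The issuer is a placeholder.
SAMPLE_PAYLOAD = {
    "jti": "1b36ac1862944766a9ad3511a6c24b22",
    "sub": "139c2215-b32c-402c-af92-45b315275090",
    "scope": ["openid", "profile", "roles", "user_attributes"],
    "client_id": "xx-xxx-xxxxx-uaa-meg-test-new-clientid",
    "grant_type": "authorization_code",
    "origin": "xx-xxx-xxxxx-uaa-meg-idp",
    "user_name": "xxx.xxxxx@company.com",
    "iss": "https://uaa.example.invalid/oauth/token",  # placeholder issuer
}

# Assumption: a granted scope surfaces as a claim of the same name.
# Adjust this table to whatever claim names your UAA actually emits.
SCOPE_TO_CLAIM = {"roles": "roles", "user_attributes": "user_attributes"}


def b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are written."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_segment(segment: str) -> dict:
    """Restore the padding JWT strips, then decode one JSON segment."""
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def token_payload(jwt: str) -> dict:
    """Return the payload of a compact JWT. Inspection only: the signature
    is NOT checked here, so never base an authorization decision on it."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return decode_segment(parts[1])


def missing_mapped_claims(payload: dict) -> list:
    """Scopes that were granted but whose expected claim is absent."""
    granted = set(payload.get("scope", []))
    return sorted(s for s, claim in SCOPE_TO_CLAIM.items()
                  if s in granted and claim not in payload)


def build_sample_token() -> str:
    """Assemble the constructed sample as header.payload.placeholder."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(SAMPLE_PAYLOAD).encode())
    return f"{header}.{body}.placeholder-signature"


if __name__ == "__main__":
    payload = token_payload(build_sample_token())
    print("granted scopes:", payload["scope"])
    print("granted but no claim:", missing_mapped_claims(payload))
```

Run it against a real token by passing the compact JWT string to token_payload(); an empty list means every mapped scope was delivered as a claim.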