Adding claims to the default JWT ID token in ADFS 4.0 (Server 2016)

Rory Braybrook, Tech Feed
May 23, 2017

Traditionally, the JWT ID token contains a fixed set of claims.

However, ADFS lets you add claims using the claims rule language, so it would be useful if you could use that feature to extend the token's claim set.

You can do this via an Application Group — “Web browser accessing a web application”.

This creates two entries for you: a native application (essentially non-browser based, e.g. command line or WPF) and a web application.

The web application allows you to configure claims rules.

The usual token returned looks like:

aud 81…01
iss https://adfs.cloudapp.net/adfs
iat 1494378378
exp 1494381978
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant 1494378377
nonce 63…Vl
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier 0J…7k=
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn my_user@dev.local
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name DEV\my_user
c_hash ba…GA

The extended token looks like:

aud c9…b4
iss https://adfs.cloudapp.net/adfs
iat 1494379409
exp 1494383009
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant 1494379408
nonce 63…k2
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier PR…0U=
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name DEV\my_user
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn my_user@dev.local
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname MyUser
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname Test
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress myuser@local.com
http://schemas.xmlsoap.org/claims/CommonName MyUser Test
apptype Public
appid c9…b4
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
ver 1.0
http://schemas.microsoft.com/identity/claims/scope openid
c_hash -0Z…1A

You can see the extra claims, e.g. the email address.

If you are wondering how to actually see what's in the token, you can use jwt.io.
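To inspect a token locally instead of pasting it into a web service, here is an added Python example (not from the post) that decodes the compact JWS and lists the claims that fall outside the default ADFS set shown above. The sample token is constructed inline with placeholder values and a dummy signature; the signature is not verified.

```python
import base64
import json

# Claims present in the default ADFS 4.0 ID token (as listed in the post).
DEFAULT_CLAIMS = {
    "aud", "iss", "iat", "exp", "nonce", "c_hash",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
}

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_jwt(token: str):
    """Return (header, payload) of a compact JWS. The signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload

def extra_claims(payload: dict) -> dict:
    """Claims beyond the default set, i.e. those added by claims rules."""
    return {k: v for k, v in payload.items() if k not in DEFAULT_CLAIMS}

# Constructed sample: an extended ID token body in the shape of the post's,
# with placeholder values and a dummy signature (nothing here is verifiable).
SAMPLE_PAYLOAD = {
    "aud": "c9-placeholder-b4",
    "iss": "https://adfs.cloudapp.net/adfs",
    "iat": 1494379409, "exp": 1494383009,
    "nonce": "63-placeholder-k2",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "my_user@dev.local",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "myuser@local.com",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "MyUser",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Test",
    "http://schemas.microsoft.com/identity/claims/scope": "openid",
}
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode()),
    b64url_encode(json.dumps(SAMPLE_PAYLOAD).encode()),
    b64url_encode(b"dummy-signature"),
])

if __name__ == "__main__":
    header, body = decode_jwt(SAMPLE_TOKEN)
    for name, value in extra_claims(body).items():
        print(name, "=", value)
```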
