Configuring User Claims or Permission in Scope

You can include user attributes or a client application's custom claims (permissions) in the scope. Whatever you select here is copied into the tokens issued for that scope, so treat each addition as data you are deliberately releasing to the client and to every resource server that receives the token.

  1. (Conditional) If you chose User Attributes when creating the scope, perform the following steps:

    1. Select the required attribute set from the LDAP profile or create a new attribute set.

      This lists the user attributes in the attribute set.

      NOTE: You can add any configured LDAP-based virtual attribute to the scope of the access token. To do so, create an attribute set that includes the virtual attributes. For information about creating an attribute set, see Configuring Attribute Sets.

    2. To add user attributes to the access token, select the required attributes, then select Access Token.

      To remove a specific attribute from the access token, select the attribute, then deselect Access Token. The change applies only to tokens issued after it; attributes already present in issued access tokens remain there until those tokens expire.

    3. To add user attributes to the ID token, select the required attributes, then select ID Token.

      NOTE: The token size grows with the size of the attribute values included in it. Include only the attributes that the client actually needs.

      To remove a specific attribute from the ID token, select the attribute, then deselect ID Token.

      NOTE:The attributes are not added to or removed from an issued ID token.

    4. (Conditional) If you require the selected attributes in both the ID token and the access token, select the attributes, then select both Access Token and ID Token.

      To remove specific attributes from both tokens, select the attributes, then deselect both Access Token and ID Token.

  2. (Conditional) If you chose Custom Claims/Permissions when creating the scope, perform the following steps:

    1. Click Plus icon to create a new custom claim.

    2. In Name, specify the permission that the client is granted when it presents the access token. This string is what the resource server later looks for in the token, so choose a name that the resource server can match exactly.

    3. To add a claim to the access token, select the claim, then select Access Token.

      To remove a specific claim from the access token, select the claim, then deselect Access Token.

      NOTE: Claims are not added to or removed from an already issued access token. You can view the new Claims/Permissions in the claims set. The key name is claims and the value is a list of strings.

    4. Select the required claim to be added to the ID token, then select Add > Add to ID Token.

      To remove a specific claim from the ID token, select the claim, then deselect ID Token.

      NOTE: Claims are not added to or removed from an already issued ID token. You can view the new Claims/Permissions in the claims set. The key name is claims and the value is a list of strings.

    5. (Conditional) If you require the claims in both the access token and the ID token, select the claims, then select both Access Token and ID Token.

      To remove claims from both tokens, select the claims, then deselect both Access Token and ID Token.

      NOTE: Claims are not added to or removed from already issued tokens. In both the access token and the ID token, the claims appear as a list of strings under the claims attribute.
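The procedure above decides which user attributes and which permission strings end up inside the issued tokens; what the page does not show is the consumer side. The following is an added example, not code from the product documentation, of how a resource server should treat such a token: verify the signature and expiry first, then authorize against the `claims` list of strings. It also illustrates the repeated note that configuration changes do not touch already issued tokens: a token minted before a permission was removed still carries it until it expires. The HS256 shared secret, the issuer URL, the attribute name `mail` and the permission strings are assumptions made for this example; the page does not describe the product's signing algorithm or key distribution, and a real deployment would verify against the issuer's published signing key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: a shared HMAC key. Real deployments verify
# with the authorization server's published (asymmetric) signing key instead.
SECRET = b"example-shared-secret-do-not-reuse"
ISSUER = "https://idp.example.test"  # assumed issuer for the example


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_payload(attributes: dict, permissions: list, ttl_seconds: int = 300, now=None) -> dict:
    """Shape of a token body as the page describes it: selected user attributes
    as top-level keys, and custom claims/permissions under "claims" as a list of strings."""
    now = time.time() if now is None else now
    payload = {"iss": ISSUER, "sub": "alice", "iat": int(now), "exp": int(now) + ttl_seconds}
    payload.update(attributes)
    payload["claims"] = list(permissions)
    return payload


def issue_token(payload: dict) -> str:
    """Mint an HS256-signed JWT (assumed algorithm for this example)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, now=None) -> dict:
    """Return the payload only if the algorithm is the expected one, the signature
    matches and the token has not expired; raise ValueError otherwise."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    if payload.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    now = time.time() if now is None else now
    if now >= payload.get("exp", 0):
        raise ValueError("token expired")
    return payload


def is_valid(token: str, now=None) -> bool:
    try:
        verify_token(token, now)
        return True
    except ValueError:
        return False


def has_permission(payload: dict, permission: str) -> bool:
    """Authorize against the page's documented layout: key "claims", value a list of strings."""
    claims = payload.get("claims", [])
    if not isinstance(claims, list) or not all(isinstance(c, str) for c in claims):
        raise ValueError("claims must be a list of strings")
    return permission in claims


def tampered_copy(token: str, changes: dict) -> str:
    """Re-encode the payload with extra claims but keep the old signature, to show
    why the resource server must verify before reading "claims"."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(changes)
    return header_b64 + "." + b64url_encode(json.dumps(payload).encode()) + "." + sig_b64


if __name__ == "__main__":
    t0 = 1_700_000_000
    # Token issued while the scope still granted write:orders.
    old = issue_token(build_payload({"mail": "alice@example.test"}, ["read:orders", "write:orders"], now=t0))
    # Administrator then removes write:orders; only tokens issued afterwards reflect that.
    new = issue_token(build_payload({"mail": "alice@example.test"}, ["read:orders"], now=t0 + 10))
    print("old token still grants write:", has_permission(verify_token(old, now=t0 + 60), "write:orders"))
    print("new token grants write:", has_permission(verify_token(new, now=t0 + 60), "write:orders"))
    print("forged claims accepted:", is_valid(tampered_copy(new, {"claims": ["admin"]}), now=t0 + 60))
    print("old token after expiry valid:", is_valid(old, now=t0 + 1000))
```

The resource server checks the algorithm, signature, issuer and expiry before it ever reads `claims`, and only then tests membership in the list. Because removing a permission from the scope does not revoke tokens already in circulation, keep access-token lifetimes short; the expiry check is what bounds how long a withdrawn permission remains usable.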