How to set Bootstrap token for ClaimsPrincipal
Introduction
When Identify receives an assertion from an upstream identity provider, it converts the assertion into a ClaimsPrincipal object and passes that object into the claim pipeline. By default, the ClaimsPrincipal does not carry the original assertion, which is also called the bootstrap token. To make the bootstrap token available to the claim pipeline, enable the corresponding setting on the authentication connection of that upstream identity provider.
SAML 2.0 authentication connection
To enable the bootstrap token for the SAML 2.0 authentication connection, follow these steps:
- Open the SAML 2.0 Authentication Connection of the upstream identity provider.
- Enable the Set bootstrap token for ClaimsPrincipal setting.
Generic OIDC provider
Similar to the SAML 2.0 authentication connection, the generic OIDC provider (OAuth2/OIDC) can also retain the access and refresh tokens returned by the upstream identity provider. The access token is used for calling protected resources on the user's behalf; the refresh token is used for renewing the user's session. To activate this feature, follow these steps:
- Navigate to the generic OIDC provider of the upstream identity provider.
- Enable the Set access and refresh tokens to Claims Principal setting.
Enabling this option adds the access and refresh tokens as properties of the ClaimsPrincipal object, under the following property names:
- Access token: .idp_access_token
- Refresh token: .idp_refresh_token
You can use a scripting claim transformation to extract these properties from the ClaimsPrincipal object and include them in outgoing tokens, so that they can be consumed by either the generic OIDC identity provider or your service provider. Keep in mind that the refresh token is a long-lived credential: issue it only to a consumer that actually needs to renew the upstream session, and prefer forwarding just the access token otherwise. The following script issues both tokens as claims whose types equal the property names:
// Exist() and Issue() are helpers provided by Identify's scripting claim transformation.
// The tokens live as properties of the "urn:safewhere:system" claim, not as claims of their own.
if (Exist("urn:safewhere:system")) {
    var systemClaim = ClaimsPrincipal.Claims.FirstOrDefault(c => c.Type == "urn:safewhere:system");
    foreach (var prop in systemClaim.Properties)
    {
        // Only the two token properties are copied into the outgoing token.
        if (prop.Key == ".idp_access_token" || prop.Key == ".idp_refresh_token")
        {
            // Skip empty values so that no blank claim is issued.
            if (!string.IsNullOrEmpty(prop.Value))
                Issue(prop.Key, prop.Value);
        }
    }
}
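The following is an added example, not code from the Safewhere Identify product or its documentation. It models the transformation above offline in plain .NET so that the behaviour can be exercised without an Identify instance: the Exist() and Issue() script helpers are stubbed, the "urn:safewhere:system" claim and its .idp_access_token / .idp_refresh_token properties are constructed here to mirror what the page describes, and the outgoing claim type urn:example:idp_access_token is an assumed name you would replace with your own. Unlike the page's script, this variant forwards only the access token and leaves the refresh token in the pipeline.

```csharp
// Added example (not Safewhere's code). Offline model of a scripting claim
// transformation that forwards the upstream access token but not the refresh token.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public static class BootstrapTokenForwarding
{
    public const string SystemClaimType = "urn:safewhere:system";
    public const string AccessTokenProperty = ".idp_access_token";
    public const string RefreshTokenProperty = ".idp_refresh_token";
    // Assumed outgoing claim type; not defined by Identify, pick your own.
    public const string ForwardedAccessTokenClaimType = "urn:example:idp_access_token";

    // Stub for Identify's Exist(): does the principal carry a claim of this type?
    static bool Exist(ClaimsPrincipal principal, string claimType) =>
        principal.HasClaim(c => c.Type == claimType);

    // Stub for Identify's Issue(): append a claim to the outgoing token.
    static void Issue(List<Claim> outgoing, string type, string value) =>
        outgoing.Add(new Claim(type, value));

    // Forwards the access token only, under an explicit claim type.
    // The refresh token is a long-lived credential and stays in the pipeline.
    public static List<Claim> Transform(ClaimsPrincipal principal)
    {
        var outgoing = new List<Claim>();
        if (!Exist(principal, SystemClaimType))
            return outgoing;

        var systemClaim = principal.Claims.First(c => c.Type == SystemClaimType);
        if (systemClaim.Properties.TryGetValue(AccessTokenProperty, out var accessToken)
            && !string.IsNullOrEmpty(accessToken))
        {
            Issue(outgoing, ForwardedAccessTokenClaimType, accessToken);
        }
        return outgoing;
    }

    // Constructed input modelling what Identify places on the principal once
    // "Set access and refresh tokens to Claims Principal" is enabled.
    public static ClaimsPrincipal BuildSamplePrincipal()
    {
        var systemClaim = new Claim(SystemClaimType, "system");
        systemClaim.Properties[AccessTokenProperty] = "sample-access-token";   // constructed value
        systemClaim.Properties[RefreshTokenProperty] = "sample-refresh-token"; // constructed value
        var identity = new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Name, "alice"), systemClaim },
            "Federation");
        return new ClaimsPrincipal(identity);
    }

    public static void Main()
    {
        var issued = Transform(BuildSamplePrincipal());
        foreach (var claim in issued)
            Console.WriteLine($"{claim.Type} = {claim.Value}");

        // A principal without the system claim (the setting disabled) yields no claims.
        var none = Transform(new ClaimsPrincipal(new ClaimsIdentity()));
        Console.WriteLine($"claims issued without system claim: {none.Count}");
    }
}
```

Run it as a console project referencing System.Security.Claims; the first call issues exactly one claim holding the access token and no refresh token, and the second issues nothing, which is the behaviour to expect in Identify when the setting is left disabled. Inside Identify itself, drop the stubs and call the real Exist() and Issue() helpers as in the script above.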