IBM Verify

  • 1.  IBM Verify Identity Access - Add groups claim in id_token

    Posted 15 hours ago

    Hi,

    We have deployed IVIA 11 on an OpenShift cluster, and IVIA is connected to an external Verify Directory Server. We have implemented OAuth2/OIDC; however, we have a requirement to inject additional claims (for example groups, email, firstname, lastname, etc.) into the id_token. Please share any knowledge articles on this.

    Current id_token format:

    {
      "rt_hash": "Bk8GKbl1yUgf21stQLhBGA",
      "iat": 1755077366,
      "iss": "https://<fqdn>",
      "at_hash": "O1fr9WzL06dH_AdEnL5hdw",
      "sub": "test01",
      "exp": 1755080966,
      "aud": "<client_id>"
    }

    Thanks for your support.

    Regards
    SK



    ------------------------------
    Someswara Reddy Karem
    ------------------------------


  • 2.  RE: IBM Verify Identity Access - Add groups claim in id_token

    Posted 13 hours ago

    Hi,
    Please check this article; it may help you: https://community.ibm.com/community/user/blogs/jack-yarborough1/2019/09/25/inserting-isam-credential-attributes-that-have-mul



    ------------------------------
    Rudy Santos
    ------------------------------



  • 3.  RE: IBM Verify Identity Access - Add groups claim in id_token

    Posted 6 hours ago

    Hello All,

    At IVIA 11.0.X and current firmware versions, the easiest way to include attributes in the ID Token is by using scope values.

    For example, if you use something like "scope=openid%20AZN_CRED_GROUPS%20mail%20phone" and there are attributes in the Verify Access credential called 'AZN_CRED_GROUPS', 'mail' and 'phone', then they will be inserted into the ID Token.

    You can also set up Attribute Sources and map them to scope values in the API Protection Definition. That way you can change the names of the scopes to mask the internal attribute names.

    E.g.: make an attribute source called 'groups' that has a credential attribute value of 'AZN_CRED_GROUPS'.
    Then you'd add an attribute mapping in the API Protection Definition called 'groups' that maps to the 'groups' attribute source.

    Then when you use a scope of 'scope=openid%20groups' it will include the groups in the ID Token.

    This is the easiest way to add credential attributes into the ID Token without having to directly update the mapping rule.



    ------------------------------
    JACK YARBOROUGH
    ------------------------------
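The reply above describes the server side: a requested scope value is mapped (directly or through an Attribute Source) to a credential attribute, and that attribute is emitted as a claim in the ID Token. The relying party still has to request the scopes with correct encoding and then confirm that the token it receives actually carries those claims and is bound to the access token issued with it. The following is an added example of that client-side check, not code from the thread or from IBM. The authorize endpoint path, the issuer and client values, and the two tokens are constructed for illustration; real signature verification against the issuer's JWKS is assumed to happen in a JWT library before the decoded claims are trusted, and is not shown.

```python
"""Client-side checks for ID Tokens enriched via scope values.

Added example, not IVIA code. Assumed: the authorize endpoint path, the
issuer/client values, and the constructed tokens at the bottom. The JWT
signature is NOT verified here; do that with a JWT library and the
issuer's JWKS before trusting anything this module returns.
"""
import base64
import hashlib
import json
import time
from urllib.parse import quote, urlencode


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authz_url(issuer, client_id, redirect_uri, scopes, state, nonce):
    """Authorization request carrying a space-separated scope list.

    urlencode is told to use quote (not the default quote_plus) so the
    separator between scope values becomes %20, the encoding shown in the
    post, rather than '+'. A mangled separator is the usual reason a
    mapped scope silently fails to produce its claim.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    }
    # Assumed path for an IVIA OAuth definition; use the one from your deployment.
    return f"{issuer}/mga/sps/oauth/oauth20/authorize?{urlencode(params, quote_via=quote)}"


def token_hash(token: str, alg: str) -> str:
    """at_hash / rt_hash value (OIDC Core 3.3.2.11): SHA-2 digest sized by the
    ID Token's alg (RS256 -> SHA-256), left-most half, base64url, no padding."""
    bits = int(alg[-3:])
    digest = hashlib.new(f"sha{bits}", token.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])


def split_jwt(id_token: str):
    """Decode header and payload only; signature verification is out of scope."""
    header_b64, payload_b64, _signature = id_token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def check_id_token(id_token, issuer, client_id, access_token, required_claims,
                   now=None, nonce=None):
    """Return a list of problems; an empty list means the token is bound to
    this client and access token and carries every claim the scopes asked for."""
    header, claims = split_jwt(id_token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud mismatch")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if nonce is not None and claims.get("nonce") != nonce:
        problems.append("nonce mismatch")
    # at_hash ties this ID Token to the access token issued alongside it.
    if "at_hash" in claims and claims["at_hash"] != token_hash(access_token, header["alg"]):
        problems.append("at_hash does not match access token")
    for name in required_claims:
        if name not in claims:
            problems.append(f"missing claim: {name}")
    return problems


def make_unsigned_token(claims, alg="RS256"):
    """Constructed test token: real header and payload, placeholder signature."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.placeholder-signature"


# Constructed sample data (not from any real deployment).
ISSUER = "https://idp.example.com"
CLIENT_ID = "app-client"
ACCESS_TOKEN = "constructed-access-token-123"
NOW = 1755077400
REQUIRED = ["groups", "mail", "phone"]

BASE_CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "test01",
               "iat": NOW - 60, "exp": NOW + 3600,
               "at_hash": token_hash(ACCESS_TOKEN, "RS256")}
# What the mapped scopes should yield once the attribute mapping is in place.
TOKEN_WITH_GROUPS = make_unsigned_token({**BASE_CLAIMS,
                                         "groups": ["cn=admins,dc=example,dc=com"],
                                         "mail": "test01@example.com",
                                         "phone": "+1-555-0100"})
# Same shape as the token in the original post: binding claims only.
TOKEN_WITHOUT_GROUPS = make_unsigned_token(BASE_CLAIMS)

if __name__ == "__main__":
    print(build_authz_url(ISSUER, CLIENT_ID, "https://app.example.com/cb",
                          ["openid"] + REQUIRED, "st-1", "n-1"))
    print(check_id_token(TOKEN_WITH_GROUPS, ISSUER, CLIENT_ID, ACCESS_TOKEN, REQUIRED, now=NOW))
    print(check_id_token(TOKEN_WITHOUT_GROUPS, ISSUER, CLIENT_ID, ACCESS_TOKEN, REQUIRED, now=NOW))
```

Running the module prints the encoded request URL, an empty problem list for the enriched token, and one "missing claim" entry per unmapped scope for a token shaped like the one in the original post, which is the quickest way to tell whether the Attribute Source and API Protection Definition mapping took effect. The at_hash check is kept deliberately: a relying party that only looks for the new claims and skips the binding checks will happily accept an ID Token replayed from a different authorization.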