Roles per App
User roles can flow to applications as a role claim.
By default no roles flow to an application. This keeps messages small in some of the protocols used to connect an application to The Identity Hub, and in some cases (external) applications are only allowed to see the roles of the user that apply to that application.
Configure the roles used by an App
- Navigate to the Apps list (https://www.theidentityhub.com/{tenant}/Admin/App) of your Tenant and select the application you want to configure. If you don't have a Tenant yet, you can register one for free.
- Click the app for which you want to edit the applicable roles
- On the left side click Roles.
- Check the roles you want to make available for the application. Optionally, add a comma-separated list of user roles to be mapped to a selected app role.
- Click Save.
Configure The Identity Hub to authorize access only to users with at least one applicable role
For an app you can mark output claims as required.
When the role claim is set as required, The Identity Hub verifies that the user signing in has at least one applicable role (mapped roles also count as applicable).
If not, the user is redirected to a page that either lets them provide the role via another account (if possible) or informs them that the role claim is missing.
To configure the role claim as required
- Navigate to the Apps list (https://www.theidentityhub.com/{tenant}/Admin/App) of your Tenant and select the application you want to configure. If you don't have a Tenant yet, you can register one for free.
- Click Edit at the right side of the app you wish to configure
- Go to the Output Claims section
- Check the Required option for the http://schemas.microsoft.com/ws/2008/06/identity/claims/role claim in the list of Standard Output Claims
Note
Setting the role claim as required can only be done when at least one role is configured for the application.
The check is done after applying the optional role mappings.
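The following is an added example, not code from The Identity Hub, that models the behaviour described in the two procedures above: which roles flow to an app after the optional comma-separated mappings are applied, and the "role claim required" check that runs on the mapped result. It assumes (the page does not say) that an app role is reached either when the user holds it directly or when the user holds a user role mapped onto it, and that the role claim is emitted as a multi-valued claim under the standard claim URI. The role names and the configuration are constructed sample data.

```python
# Added example (not The Identity Hub's own code): a model of how user roles
# flow to an app's role claim, the optional comma-separated role mappings,
# and the "role claim required" check that runs after mapping.
# Assumptions not stated on the page: an app role applies when the user holds
# it directly or holds a user role mapped onto it; the role claim is emitted
# as a multi-valued claim under the standard URI below.
from dataclasses import dataclass, field

ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"


@dataclass
class AppRoleConfig:
    """What the Roles panel and the Output Claims section hold for one app."""
    # app role made available -> comma-separated user roles mapped onto it
    # ("" when no mapping was entered for that app role)
    roles: dict = field(default_factory=dict)
    role_claim_required: bool = False


def parse_mapping(mapping: str) -> set:
    """Split the comma-separated mapping list, ignoring blanks and spaces."""
    return {r.strip() for r in mapping.split(",") if r.strip()}


def applicable_roles(user_roles, config: AppRoleConfig) -> set:
    """App roles that flow to the app for this user, after applying mappings."""
    held = set(user_roles)
    result = set()
    for app_role, mapping in config.roles.items():
        if app_role in held or held & parse_mapping(mapping):
            result.add(app_role)
    return result


def validate_config(config: AppRoleConfig) -> None:
    """Mirror the admin UI rule: Required needs at least one configured role."""
    if config.role_claim_required and not config.roles:
        raise ValueError(
            "the role claim can only be required when at least one role is configured"
        )


def issue_claims(user_roles, config: AppRoleConfig):
    """Return the output claims for the app, or None when sign-in is blocked
    because the role claim is required and the user has no applicable role.
    The check runs on the mapped roles, as the Note above states."""
    validate_config(config)
    roles = applicable_roles(user_roles, config)
    if config.role_claim_required and not roles:
        return None  # the hub redirects to the 'role missing' / other-account page
    claims = {}
    if roles:  # by default nothing flows; only configured roles appear
        claims[ROLE_CLAIM] = sorted(roles)
    return claims


# Constructed sample: tenant user roles "Staff" and "Contractor" are mapped onto
# the app role "Reader"; "Admin" is made available without a mapping, and the
# role claim is marked Required.
SAMPLE_CONFIG = AppRoleConfig(
    roles={"Reader": "Staff, Contractor", "Admin": ""},
    role_claim_required=True,
)

if __name__ == "__main__":
    print(issue_claims(["Contractor"], SAMPLE_CONFIG))
    print(issue_claims(["Admin", "Staff"], SAMPLE_CONFIG))
    print(issue_claims(["Finance"], SAMPLE_CONFIG))
```

A user holding only "Finance" is refused (None) even though the tenant knows that role, because it is neither made available to the app nor mapped onto an app role; with `role_claim_required=False` the same user would sign in and simply receive no role claim, which is the default behaviour the page describes.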