In order to configure these options, you must first perform the steps detailed in Creating Azure AD Graph API applications.

In the case of the PingAccess for Azure AD solution, the plugin addresses the following problems:

  • Data transformation: The JSON returned by the OpenID Connect (OIDC) UserInfo endpoint is formatted in a way PingAccess does not expect. The plugin transforms this data into a format that PingAccess can process.
  • Azure AD Graph API usage: If a user belongs to more than 200 groups, the id_token does not carry the group list itself but a level of indirection that points to a URL in the Azure AD Graph API. Through a simple, purpose-built application, the plugin calls the Azure AD Graph API to retrieve the complete list of groups.
  • Retrieving group display names: The groups attribute is a list of GUIDs. Azure AD provides only GUIDs because the user-friendly names of Azure AD groups are not globally unique. Configure the Graph API call to include the group display names alongside the GUIDs so that you can write more readable and robust policies.
  1. Click Settings and then go to System > Token Provider > Common > OpenID Connect.
  2. Go to Token Provider Specific Options section.
  3. From the Type list, select Azure Active Directory.
  4. To extend the attributes for a web session, select the Use Azure AD Graph API check box.
  5. In the Client ID field, enter the application ID you copied from the Azure AD API application you created.
  6. In the Client Secret field, paste the key you copied. Select Retrieve Group Display Names to have PingAccess look up the display name of each group GUID through the Azure AD Graph API.
    Important:

    For the token issued to a particular application to include group data, that application's manifest must be modified to include a group membership claim. In the App Registrations blade, select the application and click Manifest. Locate the groupMembershipClaims attribute and set it to the type of groups to include, such as SecurityGroup.

  7. Select Cache Group Display Names to have PingAccess cache the display names it retrieves from the Azure AD Graph API, so that it does not query the Graph API again for a group it has already resolved.
  8. If caching is enabled, in the Display Name Cache Max Age (s) field, enter the number of seconds that a cached display name remains valid before it is retrieved again. Click Save.
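The following is an added example, not PingAccess code, showing what the plugin's behaviour described above amounts to: reading the groups claim from an id_token payload, following the Graph API indirection when the group list is too large to be embedded, resolving GUIDs to display names, and honouring a display-name cache with a maximum age. It assumes the standard Azure AD overage claims `_claim_names` and `_claim_sources`, that the token signature has already been verified, and that the Graph API is replaced by an in-memory stand-in so the code runs offline. The GUIDs, group names, tenant ID and endpoint URL are constructed sample data, not taken from the page.

```python
"""Added example: resolve Azure AD group claims the way the PingAccess plugin
is described as doing. Not PingAccess code; the Graph API is a stand-in."""
import time

# Constructed sample directory (hypothetical GUIDs and names, not a real tenant).
SAMPLE_GROUPS = {
    "11111111-1111-1111-1111-111111111111": "Finance",
    "22222222-2222-2222-2222-222222222222": "Engineering",
    "33333333-3333-3333-3333-333333333333": "Security Operations",
}

# Constructed overage endpoint -> member group GUIDs (stands in for the Graph call).
OVERAGE_ENDPOINT = ("https://graph.windows.net/00000000-0000-0000-0000-000000000000"
                    "/users/bob/getMemberObjects")
SAMPLE_MEMBER_OBJECTS = {OVERAGE_ENDPOINT: list(SAMPLE_GROUPS)}

# Constructed id_token payloads (signature assumed verified; other claims omitted).
# Fewer than the limit: the GUIDs are embedded directly in the "groups" claim.
PAYLOAD_DIRECT = {"sub": "alice", "groups": list(SAMPLE_GROUPS)[:2]}
# Too many groups: Azure AD replaces "groups" with the _claim_names/_claim_sources
# indirection pointing at the Graph API endpoint that returns the full list.
PAYLOAD_OVERAGE = {
    "sub": "bob",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": OVERAGE_ENDPOINT}},
}


class FakeGraphClient:
    """Stand-in for the purpose-built Azure AD Graph API application.
    Counts calls so the effect of display-name caching is observable."""

    def __init__(self):
        self.calls = 0

    def member_objects(self, endpoint):
        self.calls += 1
        return list(SAMPLE_MEMBER_OBJECTS[endpoint])

    def display_name(self, group_id):
        self.calls += 1
        return SAMPLE_GROUPS.get(group_id)  # None if the GUID is unknown


class DisplayNameCache:
    """GUID -> display name cache; entries expire after max_age_s seconds
    (the Display Name Cache Max Age setting)."""

    def __init__(self, max_age_s, clock=time.monotonic):
        self.max_age_s = max_age_s
        self.clock = clock  # injectable so expiry can be tested deterministically
        self._entries = {}  # guid -> (name, stored_at)

    def get(self, group_id, fetch):
        now = self.clock()
        hit = self._entries.get(group_id)
        if hit is not None and now - hit[1] < self.max_age_s:
            return hit[0]
        name = fetch(group_id)
        self._entries[group_id] = (name, now)
        return name


def group_ids_from_token(payload, graph):
    """Return the user's group GUIDs, following the overage indirection if present."""
    if "groups" in payload:
        return list(payload["groups"])
    source = payload.get("_claim_names", {}).get("groups")
    if source is None:
        return []  # no group claim at all (e.g. groupMembershipClaims not set)
    endpoint = payload["_claim_sources"][source]["endpoint"]
    return graph.member_objects(endpoint)


def resolve_groups(payload, graph, cache=None, retrieve_names=True):
    """Produce [{"id": guid, "displayName": name}, ...] for policy evaluation.
    retrieve_names=False mirrors leaving Retrieve Group Display Names unchecked."""
    ids = group_ids_from_token(payload, graph)
    if not retrieve_names:
        return [{"id": g} for g in ids]
    lookup = (lambda g: cache.get(g, graph.display_name)) if cache else graph.display_name
    return [{"id": g, "displayName": lookup(g)} for g in ids]


if __name__ == "__main__":
    graph = FakeGraphClient()
    cache = DisplayNameCache(max_age_s=300)
    print(resolve_groups(PAYLOAD_DIRECT, graph, cache))
    print(resolve_groups(PAYLOAD_OVERAGE, graph, cache))
    print("Graph API calls:", graph.calls)
```

The cache key is the group GUID rather than the user, so a display name fetched for one user serves every later user in the same group until the entry expires; the group membership itself is still taken from the token (or its overage endpoint) on each request.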