Azure Application Proxy- Header-based SSO with Custom Claim Provider


Custom authentication extension from Microsoft Entra ID is used to interact with the external system during user authentication. It contains information about the REST API endpoints, and this endpoint will return the attribute when it is called. These attributes can be used as a custom claim provider for Application proxy header-based SSO.
Please go through my previous Azure application proxy with header-based SSO to get started.

Configuring Header-based SSO with Custom Claim Provider:

We need to create a custom authentication extension before configuring the Custom claim provider.
Please click here to get started with creating a custom claim provider.

I have created a Custom authentication extension REST API using the Azure function given below.

#r "Newtonsoft.Json"
using System.Net;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Primitives;
using Newtonsoft.Json;
public static async Task<IActionResult> Run(HttpRequest req, ILogger log)
    log.LogInformation("C# HTTP trigger function processed a request.");
    string requestBody = await new StreamReader(req.Body).ReadToEndAsync();
    dynamic data = JsonConvert.DeserializeObject(requestBody);

    // Read the correlation ID from the Azure AD  request    
    string correlationId = data?.data.authenticationContext.correlationId;

    // Claims to return to Azure AD
    ResponseContent r = new ResponseContent();[0].claims.CorrelationId = correlationId;[0].claims.ApiVersion = "1.0.0";[0].claims.DateOfBirth = "23/12/1991";[0].claims.Group = "Reviewer";[0].claims.CustomRoles.Add("Writer");[0].claims.CustomRoles.Add("Editor");
    return new OkObjectResult(r);

public class ResponseContent
    public Data data { get; set; }
    public ResponseContent()
        data = new Data();

public class Data
    public string odatatype { get; set; }
    public List<Action> actions { get; set; }
    public Data()
        odatatype = "microsoft.graph.onTokenIssuanceStartResponseData";
        actions = new List<Action>();
        actions.Add(new Action());

public class Action
    public string odatatype { get; set; }
    public Claims claims { get; set; }
    public Action()
        odatatype = "microsoft.graph.tokenIssuanceStart.provideClaimsForToken";
        claims = new Claims();

public class Claims
    [JsonProperty(NullValueHandling = NullValueHandling.Ignore)]
    public string CorrelationId { get; set; }
    [JsonProperty(NullValueHandling = NullValueHandling.Ignore)]
    public string DateOfBirth { get; set; }
    public string ApiVersion { get; set; }
    public string Group { get; set; }
    public List<string> CustomRoles { get; set; }
    public Claims()
        CustomRoles = new List<string>();

This function will return the following custom attributes,

  1. CorrelationId
  2. DateOfBirth
  3. ApiVersion
  4. Group

In my last article, we have configured header-based SSO with application proxy. I’m going to use the same enterprise application to configure custom claim attributes.

Step 1: Log in to the Azure portal
Step 2: Go to the Enterprise application, from Azure Active Directory (Azure Entra ID) and select the application, that we created while configuring Azure application proxy.
Step 3: Select the Single sign-on option from the Manage Blade.
Step 4: Click on the Edit icon to configure Headers.
Step 5: From the advanced settings, edit “Custom claim provider”.

Header-based SSO Advance setting

Step 6: It will list out the Custom authentication extension claim API created using the Azure function, select the API and click on Save.

Custom claim providers

Step 7: To add the custom claim in the header, click on Add a new header and add a required custom provider, In my case, I have selected a group and named it “ApplicationGroup”.

Custom claims

Step 8: Test the application, you will get the configured custom claim in your header request.

Home app application group

As expected we got a custom claim attribute “ApplicationGroup” from the header request.


We have seen, how to configure the custom claim provider with Azure application proxy header-based SSO with custom authentication extension. We will see more features on the Azure application proxy in my next article.


Leave a Reply

%d bloggers like this: