Create Entra ID app role attribute mapping

000008501

Once you have created an Entra ID app role, map those roles through SCIM provisioning.

The steps below describe how to create a new provisioning attribute named roles and how to map that attribute to an expression that retrieves the Entra ID app roles for a given Entra ID user.

Create a new provisioning attribute

  1. Navigate to the desired Enterprise application and select Provisioning.
  2. If not already selected, select Overview in the left menu.
  3. Select Edit provisioning from the top menu. 
  4. Click the Mapping tab.
  5. Select Provision Microsoft Entra ID Users.
  6. Select the Show advanced options checkbox.
  7. Click the Edit attribute list for customappsso link.
  8. In the table customappsso User Attributes, add a new row that has the following:
    1. Name: roles 
    2. Type: String
    3. Primary Key: false
    4. Required: false
    5. Multi-Value: true
  9. In the upper left, click the Save button.
  10. Below the table items, find and click the Add new mapping link. The Edit Attribute screen appears.
  11. Create the following mapping:
    1. Mapping type: Expression
    2. Expression: AppRoleAssignmentsComplex([appRoleAssignments])
    3. Target attribute: roles
  12. Click the OK button. The Attribute Mapping screen will appear. Click the Save button.

If you assign an Entra ID app role to a user, you must create a link from the Entra ID app role to an aiWARE application role.

  1. In your browser, go to Veritone's GraphQL sandbox.
  2. Paste this code into GraphQL, then replace the {{USERNAME}} and {{PASSWORD}} placeholders with your user name and password:

    mutation userLogin {
      userLogin(input: {
        userName: "{{USERNAME}}"
        password: "{{PASSWORD}}"
      }) {
        token
        lastLoggedIn
      }
    }

  3. Select the play icon in the middle of the GraphQL interface to execute the mutation. The response appears on the right.
  4. Save the value of token.
  5. In a separate GraphQL tab, paste the following code, replacing {{OrganizationId}} with the integer identifier for your organization:

    query {
      applications(orgId: {{OrganizationId}}) {
        records {
          name
          applicationRoles {
            id
            name
          }
        }
      }
    }

  6. Find the Headers button on the GraphQL page and click it.
  7. Enter the following JSON string, replacing {{token}} with the saved token:

    {"Authorization": "Bearer {{token}}"}

  8. Execute the query.
  9. In the query response, find the application name and role you are interested in. Save the application role id for later.
  10. In your browser, go to Veritone's POST openid role endpoint. Select the lock icon on the endpoint. An Available authorizations window appears.
  11. In the Value field of the pop-up Available authorizations window, paste the value of token you saved. Then, select Authorize and click Close.
  12. Click the Try it Out button to edit the endpoint's parameters. Update the ID with your integer organization identifier.
  13. Use the saved application role identifier (roleIds) and the Entra ID app role name (openIdRole) to update the openid-role (body) parameter. Remove the applicationIds parameter.

    The openid-role parameter should look something like the following:

    {
      "openidRole": "aiware_somerole",
      "roleIds": [
        "3459c3de-493f-443a-8ad0-ddb9f3f6c76d"
      ]
    }

  14. Click the Execute button to map the Entra ID app role name to the aiWARE application role.
  15. See Get a list of Veritone's OpenID roles.

As a result of these changes, aiWARE users will automatically be assigned the desired aiWARE application roles during SCIM provisioning.
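As an added example (not Veritone's or Microsoft's code), the offline check below compares the role names in a SCIM roles attribute against the openidRole mappings created above, reporting any role with no mapping or with a name that differs only by case. The SCIM payload and the second role id are constructed, and matching on each entry's value field is an assumption about how aiWARE reads the attribute.

```python
import json

# Constructed sample: roles fragment of a SCIM user as produced when roles is
# mapped to AppRoleAssignmentsComplex([appRoleAssignments]).
SCIM_USER = json.loads("""
{
  "userName": "jdoe@example.com",
  "roles": [
    {"primary": false, "type": "WindowsAzureActiveDirectoryRole",
     "display": "aiware_somerole", "value": "aiware_somerole"},
    {"primary": false, "type": "WindowsAzureActiveDirectoryRole",
     "display": "Aiware_Admin", "value": "Aiware_Admin"},
    {"primary": false, "type": "WindowsAzureActiveDirectoryRole",
     "display": "legacy_viewer", "value": "legacy_viewer"}
  ]
}
""")

# Constructed sample: mappings in the shape of the openid-role body above.
OPENID_ROLE_MAPPINGS = [
    {"openidRole": "aiware_somerole",
     "roleIds": ["3459c3de-493f-443a-8ad0-ddb9f3f6c76d"]},
    {"openidRole": "aiware_admin",
     "roleIds": ["00000000-0000-0000-0000-000000000001"]},  # placeholder id
]

def check_role_coverage(scim_user, mappings):
    """Return (resolved role ids, case-only mismatches, unmapped names)."""
    exact = {m["openidRole"]: m["roleIds"] for m in mappings}
    folded = {name.casefold(): name for name in exact}
    resolved, case_mismatch, unmapped = set(), [], []
    for entry in scim_user.get("roles", []):
        # Entries may be complex objects or plain strings (assumption: the
        # role name is in "value", falling back to "display").
        name = entry if isinstance(entry, str) else entry.get("value") or entry.get("display")
        if name in exact:
            resolved.update(exact[name])
        elif name and name.casefold() in folded:
            case_mismatch.append((name, folded[name.casefold()]))
        else:
            unmapped.append(name)
    return sorted(resolved), case_mismatch, unmapped

if __name__ == "__main__":
    ids, mismatched, missing = check_role_coverage(SCIM_USER, OPENID_ROLE_MAPPINGS)
    print("resolved aiWARE role ids:", ids)
    print("differs only by case:", mismatched)
    print("no openidRole mapping:", missing)
```

Any name reported in the last two lists is an Entra ID app role assignment that would not resolve to the intended aiWARE application role under an exact-match comparison.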

Next step

Provision a user with Microsoft Entra ID via SCIM endpoints

Additional Technical Documentation Information
Properties
5/21/2025 5:31 PM
5/21/2025 6:40 PM