keycloak-scim/docs/documentation/server_admin/topics/organizations/mapping-organization-claims.adoc

[id="mapping-organization-claims_{context}"]

=  Mapping organization claims
[role="_abstract"]
To map organization-specific claims into tokens, a client needs to request the *organization* scope when sending
authorization requests to the server. When authenticating in the context of an organization, clients can request the `organization` scope to map information
about the organizations where the user is a member.

As a result, the token will contain a claim as follows:

```json
"organization": {
  "testcorp": {
    "attr1": [
      "value1"
    ]
  }
}
```

The organization claim can be used by clients (for example, from ID Tokens) and resource servers (for example, from access tokens)
to authorize access to protected resources based on the organization where the user is a member.

The `organization` scope is a built-in optional client scope at the realm.  Therefore, this scope is added to any client created in the realm by default. It also defines the `Organization Membership` mapper that controls how the organization membership information is mapped to the tokens.

By default, the organization attributes are not included in the organization claim. To include the attributes in the claim, edit the mapper and enable *Add organization attributes*.

.Including attributes in the organization claim
image:images/organizations-add-org-attrs-in-claim.png[alt="Including attributes in the organization claim"]

The `organization` scope is requested using different formats:

[cols="2*", options="header"]
|===
|Format
|Description
| `organization` | Maps to a single organization if the user is a member of a single organization.
Otherwise, if a member of multiple organizations, the user will be prompted to select an organization when authenticating to the realm.
| `organization:<alias>` | Maps to a single organization with the given alias.
| `organization:*` | Maps to all organizations the user is a member of.
|===
Adding organization section (#29796) Closes #28731 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com> Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com> 2024-06-10 07:08:50 +00:00			`[id="mapping-organization-claims_{context}"]`

			`= Mapping organization claims`
			`[role="_abstract"]`
			`To map organization-specific claims into tokens, a client needs to request the organization scope when sending`
Update organizations documentation in the server admin guide Closes #33199 Signed-off-by: Stefan Guilhen <sguilhen@redhat.com> Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com> 2024-09-27 14:27:54 +00:00			authorization requests to the server. When authenticating in the context of an organization, clients can request the `organization` scope to map information
			`about the organizations where the user is a member.`
Adding organization section (#29796) Closes #28731 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com> Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com> 2024-06-10 07:08:50 +00:00
			`As a result, the token will contain a claim as follows:`

			```json
			`"organization": {`
Update organizations documentation in the server admin guide Closes #33199 Signed-off-by: Stefan Guilhen <sguilhen@redhat.com> Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com> 2024-09-27 14:27:54 +00:00			`"testcorp": {`
			`"attr1": [`
			`"value1"`
			`]`
			`}`
Adding organization section (#29796) Closes #28731 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com> Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com> 2024-06-10 07:08:50 +00:00			`}`
			```

			`The organization claim can be used by clients (for example, from ID Tokens) and resource servers (for example, from access tokens)`
			`to authorize access to protected resources based on the organization where the user is a member.`

Update organizations documentation in the server admin guide Closes #33199 Signed-off-by: Stefan Guilhen <sguilhen@redhat.com> Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com> 2024-09-27 14:27:54 +00:00			The `organization` scope is a built-in optional client scope at the realm. Therefore, this scope is added to any client created in the realm by default. It also defines the `Organization Membership` mapper that controls how the organization membership information is mapped to the tokens.

			`By default, the organization attributes are not included in the organization claim. To include the attributes in the claim, edit the mapper and enable Add organization attributes.`

			`.Including attributes in the organization claim`
			`image:images/organizations-add-org-attrs-in-claim.png[alt="Including attributes in the organization claim"]`
Support for selecting an organization when requesting the organization scope Closes #31438 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com> 2024-08-20 15:25:48 +00:00
			The `organization` scope is requested using different formats:

			`[cols="2*", options="header"]`
			`\|===`
			`\|Format`
			`\|Description`
			\| `organization` \| Maps to a single organization if the user is a member of a single organization.
			`Otherwise, if a member of multiple organizations, the user will be prompted to select an organization when authenticating to the realm.`
			\| `organization:<alias>` \| Maps to a single organization with the given alias.
			\| `organization:*` \| Maps to all organizations the user is a member of.
			`\|===`