How to Pass AD Attribute as Claims in Token
Okta Classic Engine
Okta Identity Engine
API Access Management
Overview

This article provides instructions for passing additional user attributes from Active Directory (AD) as claims to an application using an OpenID Connect (OIDC) integration. This allows attributes such as role or department to be included in the tokens issued to the application.

Applies To
  • API Access Management (OAuth 2.0 and OpenID Connect)
  • Active Directory Integration
  • Custom Claims
Solution

Follow the steps below to include AD attributes that are part of the user's profile as claims in the ID token and/or access token.

This method involves mapping the attribute from Active Directory (AD) to the Okta User Profile, and then from the Okta User Profile to the application profile.


Map the AD Attribute to the Okta User Profile

  1. Go to Directory > Profile Editor.
  2. Create the custom attribute (for example, custom AD) in the Okta User Profile.
  3. Map the new custom attribute from the AD profile to the Okta User Profile under Profile Editor > Mapping (from AD to Okta).
  4. Verify this attribute is populated with a value for the user.

Method 1: Use the Org Authorization Server

  1. Map the Okta User Profile Attribute to the Application.

    1. Create the custom attribute in the application user profile.
    2. Follow the steps in How to Add Custom Attributes of a User Profile as Claims in a Token to configure the application to receive the attribute as a claim.

NOTE: When using the Org Authorization Server, the custom attribute will be available in the UserInfo endpoint.

Method 2: Use a Custom Authorization Server

This method involves adding a custom claim directly to a Custom Authorization Server.

  1. In the Admin Console, go to Security > API.

  2. Choose Authorization Servers and select a Custom Authorization Server from the list.

  3. Select the Claims tab and click Add Claim.

  4. Enter a name for the claim (for example, department).

  5. For the Value, enter an expression that references the user's attribute, such as user.department.

  6. Set the claim to be included in the ID Token and/or Access Token as needed.

  7. Specify which scopes (for example, profile) will trigger the claim to be included.

  8. Click Create.
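As an added example (not Okta's own code), the following Python builds the Method 2 claim definition from steps 4 to 7 and then checks whether an issued token actually carries the claim, which is the quickest way to tell a mapping problem from a scope problem. The request body shape is assumed to follow Okta's Authorization Servers claims API (check field names against the API reference), and the sample tokens are constructed locally with a throwaway HS256 secret.

```python
import base64
import hashlib
import hmac
import json

def claim_definition(name, attribute, scopes, token_type):
    """Claim body for Method 2, steps 4-7: an Okta Expression Language
    value (user.<attribute>) released only when one of `scopes` is requested.
    token_type 'IDENTITY' targets the ID token, 'RESOURCE' the access token."""
    if token_type not in ("IDENTITY", "RESOURCE"):
        raise ValueError("token_type must be IDENTITY or RESOURCE")
    return {
        "name": name,
        "status": "ACTIVE",
        "claimType": token_type,
        "valueType": "EXPRESSION",
        "value": f"user.{attribute}",
        "conditions": {"scopes": list(scopes)},
        "alwaysIncludeInToken": False,
    }

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def token_payload(jwt: str) -> dict:
    """Decode only the payload segment for inspection. This does not verify
    the signature; a relying party validates it against the server's JWKS
    before trusting any claim."""
    _header, payload, _sig = jwt.split(".")
    return json.loads(_b64url_decode(payload))

def check_claim(jwt: str, name: str) -> bool:
    """True when the claim is present with a non-empty value. A missing or
    empty claim usually means the AD -> Okta profile mapping is incomplete
    or the request did not include a scope listed in the claim's conditions."""
    return token_payload(jwt).get(name) not in (None, "")

def _sample_token(claims: dict, secret: bytes = b"constructed-test-secret") -> str:
    """Constructed HS256 token shaped like an issued ID token (test data only)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

SAMPLE_WITH_CLAIM = _sample_token({"sub": "00u-example", "department": "Finance"})
SAMPLE_WITHOUT_CLAIM = _sample_token({"sub": "00u-example"})
```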

