| 1 | +--- |
| 2 | +title: Workload identity federation for app considerations |
| 3 | +description: Important considerations and restrictions for creating a federated identity credential on an app. |
| 4 | +services: active-directory |
| 5 | +author: rwike77 |
| 6 | +manager: CelesteDG |
| 7 | + |
| 8 | +ms.service: active-directory |
| 9 | +ms.subservice: develop |
| 10 | +ms.workload: identity |
| 11 | +ms.topic: include |
| 12 | +ms.date: 09/26/2022 |
| 13 | +ms.author: ryanwi |
| 14 | +ms.reviewer: shkhalid, udayh, vakarand |
| 15 | +ms.custom: aaddev |
| 16 | +--- |
| 17 | + |
| 18 | +A maximum of 20 federated identity credentials can be added to an application or user-assigned managed identity. |
| 19 | + |
| 20 | +When you configure a federated identity credential, there are several important pieces of information to provide: |
| 21 | + |
| 22 | +- *issuer* and *subject* are the key pieces of information needed to set up the trust relationship. The combination of `issuer` and `subject` must be unique on the app. When the external software workload requests Microsoft identity platform to exchange the external token for an access token, the *issuer* and *subject* values of the federated identity credential are checked against the `issuer` and `subject` claims provided in the external token. If that validation check passes, Microsoft identity platform issues an access token to the external software workload. |
| 23 | + |
| 24 | +- *issuer* is the URL of the external identity provider and must match the `issuer` claim of the external token being exchanged. Required. If the `issuer` claim has leading or trailing whitespace in the value, the token exchange is blocked. This field has a character limit of 600 characters. |
| 25 | + |
| 26 | +- *subject* is the identifier of the external software workload and must match the `sub` (`subject`) claim of the external token being exchanged. *subject* has no fixed format, as each IdP uses their own - sometimes a GUID, sometimes a colon delimited identifier, sometimes arbitrary strings. This field has a character limit of 600 characters. |
| 27 | + |
| 28 | + > [!IMPORTANT] |
| 29 | + > The *subject* setting values must exactly match the configuration on the GitHub workflow configuration. Otherwise, Microsoft identity platform will look at the incoming external token and reject the exchange for an access token. You won't get an error, the exchange fails without error. |
| 30 | + |
| 31 | + > [!IMPORTANT] |
| 32 | + > If you accidentally add the incorrect external workload information in the *subject* setting the federated identity credential is created successfully without error. The error does not become apparent until the token exchange fails. |
| 33 | +
|
| 34 | +- *audiences* lists the audiences that can appear in the external token. Required. You must add a single audience value, which has a limit of 600 characters. The recommended value is "api://AzureADTokenExchange". It says what Microsoft identity platform must accept in the `aud` claim in the incoming token. |
| 35 | + |
| 36 | +- *name* is the unique identifier for the federated identity credential. Required. This field has a character limit of 3-120 characters and must be URL friendly. Alphanumeric, dash, or underscore characters are supported, the first character must be alphanumeric only. It's immutable once created. |
| 37 | + |
| 38 | +- *description* is the user-provided description of the federated identity credential. Optional. The description isn't validated or checked by Azure AD. This field has a limit of 600 characters. |
| 39 | + |
| 40 | +Wildcard characters aren't supported in any federated identity credential property value. |
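Review bot: the claim names in lines 22 and 24 do not match the JWT claims actually carried in the external token: the text says the credential's *issuer* is checked against "the `issuer` claim of the external token", while line 26 correctly names the subject claim as `sub` (`subject`). Use the standard names consistently, e.g. "must match the `iss` (`issuer`) claim" in line 24 and "checked against the `iss` and `sub` claims" in line 22, so that a reader comparing a decoded token against the credential looks for the right fields. Two further points in the same region: the first IMPORTANT box (line 29) says both that the platform "will ... reject the exchange for an access token" and that "You won't get an error, the exchange fails without error", which reads as a contradiction and should be reduced to one accurate statement of what the caller observes when the exchange fails; and that box is specific to "the GitHub workflow configuration" although this include is titled as general app considerations and lines 24 and 26 describe arbitrary IdPs, so either generalize it to the external IdP's configuration or fold it into the second IMPORTANT box (lines 31-32), which already makes the same point without the GitHub-only wording.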