# Scopes & Claims
Scopes define what data your OAuth integration can access, and claims carry user identity information within tokens. Correct scope and claim configuration is essential for proper authentication and agency assignment in eCourtDate.
## Standard OIDC Scopes

The following standard OpenID Connect scopes are used across all providers:

| Scope | Required | Description |
|---|---|---|
| `openid` | Yes | Indicates an OIDC authentication request; returns a `sub` (subject) claim |
| `email` | Recommended | Returns the user's email address |
| `profile` | Recommended | Returns basic profile information (name, etc.) |
## Provider-Specific Scopes
Each Identity Provider may require additional scopes for full functionality, particularly for group-based agency assignment:
| Provider | Additional Scopes | Purpose |
|---|---|---|
| Azure AD | GroupMember.Read.All, User.Read | Read group memberships and user profile via Microsoft Graph |
| Google Workspace | admin.directory.group.member.readonly, admin.directory.group.readonly | Read Google Workspace group memberships |
| Okta | groups | Include group membership in the ID token |
| AWS Cognito | openid, email, profile | Standard OIDC scopes (no additional scopes required) |
## Group Claim Configuration
Group claims enable automatic agency assignment when users sign in through SSO. The Identity Provider sends group membership information in the token, and eCourtDate maps those groups to agencies.
### Group Name Format

Group names must follow this format:

`{AgencyReference}_ECOURTDATE`

- `AgencyReference` -- The agency reference identifier configured in eCourtDate
- `_ECOURTDATE` -- A required suffix (case-insensitive)

Example: If your agency reference is `municipal-court-123`, the corresponding group name in your Identity Provider should be:

`municipal-court-123_ECOURTDATE`

The matching is case-insensitive, so `Municipal-Court-123_ecourtdate` will also work.
### Super Admin Designation

Role names containing any of the following keywords are automatically elevated to Super Admin status:

- `SECURITY`
- `ADMIN`
- `ROOT`

This matching is a case-insensitive substring match. For example, a role named `Court_Security_Team` or `system-admin` would trigger Super Admin designation. If this behavior is not desired, rename the role in your Identity Provider to avoid these keywords.
## User Provisioning
When a user authenticates via SSO for the first time, eCourtDate handles provisioning as follows:
| Behavior | Details |
|---|---|
| Profile creation | A new user profile is automatically created based on token claims |
| Default Agency | The user is assigned to the Default Agency if no group claims match |
| Role/permission assignment | No automatic role or permission assignment by default |
| Default role | A default role can be configured for automatic assignment to new SSO users |
Users who are members of matching groups (following the {AgencyReference}_ECOURTDATE format) will be assigned to the corresponding agencies automatically upon sign-in.
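The following is an added example, not eCourtDate's own code, that walks through the three rules above in one place: extracting agency references from `{AgencyReference}_ECOURTDATE` group names (case-insensitive), flagging roles that contain a Super Admin keyword, and falling back to the Default Agency when no group matches. It assumes group memberships arrive as a list of strings under a `groups` claim and role names under a `roles` claim; those claim names, the sample agency references and the token contents are constructed for illustration. Because the keyword match is a substring match, the result also records which role and keyword caused elevation so an administrator can audit unintended Super Admin grants.

```python
"""Map SSO token claims to agencies and Super Admin status (illustrative only)."""
from dataclasses import dataclass

# Suffix every agency group must carry; compared case-insensitively.
GROUP_SUFFIX = "_ECOURTDATE"

# Any role name containing one of these substrings is treated as Super Admin.
SUPER_ADMIN_KEYWORDS = ("SECURITY", "ADMIN", "ROOT")


def agency_references_from_groups(groups):
    """Return lower-cased agency references for groups named {AgencyReference}_ECOURTDATE."""
    refs = []
    for group in groups:
        name = group.strip()
        # Require a non-empty reference in front of the suffix.
        if len(name) > len(GROUP_SUFFIX) and name.upper().endswith(GROUP_SUFFIX):
            refs.append(name[: -len(GROUP_SUFFIX)].lower())
    return refs


def super_admin_triggers(roles):
    """Return (role, keyword) pairs for roles that would be elevated to Super Admin."""
    hits = []
    for role in roles:
        upper = role.upper()
        for keyword in SUPER_ADMIN_KEYWORDS:
            if keyword in upper:
                hits.append((role, keyword))
                break  # one keyword per role is enough to explain the elevation
    return hits


@dataclass
class ProvisioningResult:
    agencies: list            # agencies the user is assigned to
    is_super_admin: bool      # True if any role hit a keyword
    triggers: list            # (role, keyword) pairs behind the elevation
    used_default_agency: bool # True when no group claim matched


def provision(claims, known_agencies, default_agency):
    """Decide agency assignment and Super Admin status for a first-time SSO user."""
    # Agency references configured in eCourtDate, indexed case-insensitively.
    known = {ref.lower(): ref for ref in known_agencies}

    agencies = []
    for ref in agency_references_from_groups(claims.get("groups", [])):
        # Ignore groups whose reference is not a configured agency.
        if ref in known and known[ref] not in agencies:
            agencies.append(known[ref])

    used_default = not agencies
    if used_default:
        agencies = [default_agency]

    triggers = super_admin_triggers(claims.get("roles", []))
    return ProvisioningResult(agencies, bool(triggers), triggers, used_default)


# Constructed sample token claims and agency configuration (hypothetical values).
SAMPLE_AGENCIES = ["municipal-court-123", "county-court-7", "traffic-court-2"]
SAMPLE_DEFAULT = "default-agency"
SAMPLE_CLAIMS = {
    "sub": "example-subject",
    "email": "clerk@example.invalid",
    "groups": ["Municipal-Court-123_ecourtdate", "Finance", "county-court-7_ECOURTDATE",
               "unknown-agency_ECOURTDATE"],
    "roles": ["Court_Security_Team", "clerk"],
}

if __name__ == "__main__":
    result = provision(SAMPLE_CLAIMS, SAMPLE_AGENCIES, SAMPLE_DEFAULT)
    print("agencies:", result.agencies)
    print("super admin:", result.is_super_admin, "via", result.triggers)
    print("default agency used:", result.used_default_agency)
```

Running the module on the constructed claims assigns `municipal-court-123` and `county-court-7`, skips `Finance` and the unconfigured `unknown-agency_ECOURTDATE`, and reports that `Court_Security_Team` triggered Super Admin through the `SECURITY` keyword, which is exactly the case the page says to resolve by renaming the role.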