Azure Custom Policy B2C - Getting a picture URL claim for AAD and Microsoft - azure-ad-b2c

I have an AAD B2C custom policy that has AAD and Microsoft as claims providers. I have tried adding "picture" as an output claim, but that doesn't work.
<OutputClaim ClaimTypeReferenceId="picture" PartnerClaimType="picture" />
Simply doing this for Google as the claims provider does work. What can I do to have a claim that will output the picture url in the token for AAD and Microsoft?

Related

Adding Application Claims from User Flow into AAD B2C Custom Policy

This is the Azure B2C User Flow’s Application claims, where I can tick the Email Addresses and save it.
[Screenshot: User Flow Application Claims]
How can I do this in custom policy? I am trying to add Multi-Tenant login to AAD B2C via custom policies and I need to select this ‘Email Addresses’ in the Application Claims from User Flow.
How can I select or activate this same ‘Email Addresses’ in custom policy XML files?
So far I tried adding <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" /> to the technical profiles, but still no luck.
The claim you want is "preferred_username".
Try to add <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="preferred_username" />.

Obtain email address from Sign up and sign in v2 Policy?

I have Azure AD configured as an identity provider. I wanted to know if it is possible to have Azure AD pass along the email address of the user and pass that along as a claim in the token we obtain when users log in. If not, how can I achieve this, I am new to B2C.
You can use Azure AD Custom claims to issue the "email" claim in the Azure AD Token that is returned to AAD B2C. This claim is only populated if the user has an Exchange Online inbox.
If you are using custom policies in Azure AD B2C, you can output the claim into the claimbag using:
<OutputClaim ClaimTypeReferenceId="aadEmail" PartnerClaimType="email" />
Where the ClaimTypeReferenceId is the claimbag claim that AAD B2C will store, and the PartnerClaimType is the name of the claim in the AAD Token you want to parse.
If the users do not have an EXO mailbox, then you could rely on the user's UserPrincipalName coming back from Azure AD. That is in the claim called unique_name. So you could map that in the AAD technical profile by adding the following:
<OutputClaim ClaimTypeReferenceId="upn" PartnerClaimType="unique_name" />
If you are using AAD B2C User Flows, map it as per the doc step 11:
Email: unique_name
or
Email: email (if the users have EXO inboxes).

Email claims not populated with custom policies in Azure B2C

I have Azure B2C with custom policies with Local Login and Microsoft Account login enabled. I have started with the starter pack and made some modifications to add my custom logic to validate and add additional claims as explained here.
Everything works fine with Microsoft Account. But I am facing issues with Local Account Sign in.
The email claim is only populated when the user signs up, but not on sign-in. In the case of sign-in the email is part of the "signInNames.emailAddress" claim. I tried making changes as explained here and here. I would like the email to be populated in the email claim, as my API uses this claim.
Additional claims returned from my REST API are not added to the token, only for Local Login. They are added for Microsoft Account.
thank you.
Update: For point 2, it's a problem with my policy file and is now fixed.
There is a simple method to return email claim.
Just replace <OutputClaim ClaimTypeReferenceId="email" /> with <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email" /> in your SignUporSignIn.xml file.
You need to sign up new local user and then sign in to test it. You will see the email claim.
In fact, this solution has been provided by #Wayne Yang in the post you shared.

Azure AD B2C Add Claims to id_token in custom policy

I have created custom policies for social and local accounts based on the example from the Active Directory B2C custom policy starter pack for social and local accounts. I have enabled the login with Microsoft and Google and tested that both work, I have also enabled logging in with a local account.
When I log in with google I get the following claims
exp,nbf,ver,iss,sub,aud,acr,nonce,iat,auth_time,email,given_name,family_name,name,idp,at_hash
When I log into a custom Azure AD tenant, the set of claims is missing 'email', but the email is listed in the 'name' claim:
exp,nbf,ver,iss,sub,aud,acr,nonce,iat,auth_time,given_name,family_name, name,idp,at_hash
When I log in as a local account the set of claims is missing 'email' and there is no email listed in any of the fields.
exp,nbf,ver,iss,sub,aud,acr,nonce,iat,auth_time,given_name, family_name,name,at_hash
Finally, when I look at the list of users in the B2C admin, these are all different user entries... even though the email address is the same. So I have 2 questions:
How do I get a consistent set of claims in the id_token
How do I link all these accounts together at registration time (Same UPN)
I believe these may be related, which is why I am asking them together.
You probably want to see the policies, but I assure you they are exactly the same as the policies in the starter pack, all I've done is change the tenant names and added google and azure in the trust framework extensions file.
For the Azure AD email claim, add the following <OutputClaim /> to the Azure AD OpenID Connect technical profile:
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="unique_name" />
For the local account email claim, add the following <OutputClaim /> to the AAD-UserReadUsingObjectId technical profile:
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" />

Does Azure AD B2C expose a metadata endpoint as relying party?

AD FS is configured with custom policies as a claims provider on Azure AD B2C using either WS-Federation and SAML 1.1 or SAML 2.0.
Does Azure AD B2C expose a metadata endpoint as relying party which can be used by the AD FS when configuring Azure AD B2C as relying party?
I'm interested in both WS-Federation/SAML and SAML 2.0 metadata.
** Edited **
The following metadata URL does not work: https://login.microsoftonline.com/te/<yourtenant>.onmicrosoft.com/b2c_1a_<yourpolicy>/Samlp/metadata
When the metadata is called the following error is returned:
Azure AD B2C does expose a metadata endpoint when using Custom Policies.
It can be found at this URL:
https://login.microsoftonline.com/te/<yourtenant>.onmicrosoft.com/b2c_1a_<yourpolicy>/Samlp/metadata
EDIT: B2C as a SAML RP is not officially supported at this time, however it is possible to enable it via custom policies. If you are interested in this feature, make sure to vote for it in order to support it and get updates on its progress.
There is no good documentation on how to do this outside of these docs:
Outdated walkthrough; complement it with the StackOverflow posts below.
Azure Active Directory - Custom Policy Error
Issue when calling New-CpimCertificate for Azure AD B2C custom policy
At the moment of writing, the SAML2 metadata endpoint works with the idptp=<TechnicalProfile-id> query variable:
https://login.microsoftonline.com/te/<yourtenant>.onmicrosoft.com/b2c_1a_<yourpolicy>/Samlp/metadata?idptp=<TechnicalProfile-id>
This TechnicalProfile must have the following definitions:
<Protocol Name="SAML2"/>
<CryptographicKeys>
<Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_ADFSSamlCert"/>
<Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_ADFSSamlCert"/>
</CryptographicKeys>
P.S. Microsoft should really document these features.
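As an added example (not code from the answer above), here is the SAML2 technical profile the answer's three definitions belong to, so the idptp metadata URL has something to point at. The host adfs.contoso.com, the profile Id Contoso-SAML2 and the claim mappings are assumed placeholders; the key container name B2C_1A_ADFSSamlCert is the one the answer uses, and the claims transformations and SM-Noop session profile are the starter pack's.

```xml
<!-- Added example, not code from the answer above. Host adfs.contoso.com and the profile Id
     "Contoso-SAML2" are assumed placeholders; B2C_1A_ADFSSamlCert is the key container named
     in the answer. Goes in TrustFrameworkExtensions.xml. -->
<ClaimsProvider>
  <Domain>contoso.com</Domain>
  <DisplayName>Contoso AD FS</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="Contoso-SAML2">
      <DisplayName>Contoso AD FS</DisplayName>
      <Protocol Name="SAML2" />
      <Metadata>
        <!-- B2C reads the AD FS signing certificate and endpoints from its federation metadata. -->
        <Item Key="PartnerEntity">https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml</Item>
        <!-- AD FS signs the SAML Response by default, not the Assertion. B2C still requires the
             Response signature (ResponsesSigned defaults to true), so the exchange stays signed. -->
        <Item Key="WantsSignedAssertions">false</Item>
      </Metadata>
      <CryptographicKeys>
        <!-- The same certificate signs B2C's AuthnRequest and is published in B2C's SP metadata. -->
        <Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_ADFSSamlCert" />
        <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_ADFSSamlCert" />
      </CryptographicKeys>
      <OutputClaims>
        <!-- AD FS issues claims under the WS-Federation claim URIs; map them into the claim bag. -->
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" />
        <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="adfs.contoso.com" AlwaysUseDefaultValue="true" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

With this profile uploaded, https://login.microsoftonline.com/te/<yourtenant>.onmicrosoft.com/b2c_1a_<yourpolicy>/Samlp/metadata?idptp=Contoso-SAML2 returns the SP metadata (entity ID, assertion consumer URL and the public key of B2C_1A_ADFSSamlCert), which AD FS can import as a Relying Party Trust. The AD FS issuance transform rules then have to release the five claim URIs mapped above, otherwise the corresponding claim-bag claims stay empty.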
