I am trying to create an orchestration step that just sets the value of a claim. I used the starter pack scenarios/phone-number-passwordless/Phone_Email_Base.xml as a sample, with the DoesStrongAuthEmailExist TechnicalProfile. So basically I have a claim:
<ClaimType Id="isThisAvailable">
<DisplayName>Determines if something is available in an environment</DisplayName>
<DataType>string</DataType>
</ClaimType>
A claims transformation method:
<ClaimsTransformation Id="SetThisIsAvailableClaim" TransformationMethod="CreateStringClaim">
<InputParameters>
<InputParameter Id="value" DataType="string" Value="false" />
</InputParameters>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="isThisAvailable" TransformationClaimType="createdClaim" />
</OutputClaims>
</ClaimsTransformation>
A claims provider with a TechnicalProfile:
<ClaimsProvider>
<DisplayName>Availability check</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="CheckIfThisIsAvailable">
<DisplayName>Test</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<InputClaimsTransformations>
<InputClaimsTransformation ReferenceId="SetThisIsAvailableClaim" />
</InputClaimsTransformations>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="isThisAvailable" />
</OutputClaims>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
And the orchestration step, which is the first of the journey:
<OrchestrationStep Order="1" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="TEST-CheckIfThisIsAvailable" TechnicalProfileReferenceId="CheckIfThisIsAvailable" />
</ClaimsExchanges>
</OrchestrationStep>
But when I call the user journey, I get this error in Dialog Insight:
The method or operation is not implemented
Note that I also tested putting the transformation in the OutputClaimsTransformations section of my TechnicalProfile without any success.
Here are the last log lines from Dialog Insight showing that it happens in step 1:
{
"Kind": "Action",
"Content": "Web.TPEngine.StateMachineHandlers.MoveFirstOrchestrationStepHandler"
}, {
"Kind": "HandlerResult",
"Content": {
"Result": true,
"Statebag": {
"ORCH_CS": {
"c": "2022-11-11T21:17:53.9870141Z",
"k": "ORCH_CS",
"v": "1",
"p": true
}
}
} }, {
"Kind": "Action",
"Content": "Web.TPEngine.StateMachineHandlers.InvokeValidationProfileDirectHandler"
}, {
"Kind": "FatalException",
"Content": {
"Time": "9:17 PM",
"Exception": {
"Kind": "Handled",
"HResult": "80004001",
"Message": "The method or operation is not implemented.",
"Data": {}
}
} } ]
EDIT
I found out that it works when using the authorize endpoint, but I get the error when I use the token endpoint.
To make things perfectly clear, the only step in the actual orchestration is to get a ROPC token, for tests in dev environments. That works fine on a call to the token endpoint.
<OrchestrationStep Order="1" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="ResourceOwnerFlow" TechnicalProfileReferenceId="ResourceOwnerPasswordCredentials-OAUTH2" />
</ClaimsExchanges>
</OrchestrationStep>
<TechnicalProfile Id="ResourceOwnerPasswordCredentials-OAUTH2">
<DisplayName>Local Account SignIn - ROPC</DisplayName>
<Protocol Name="OpenIdConnect" />
<Metadata>
<Item Key="UserMessageIfClaimsPrincipalDoesNotExist">We can't seem to find your account</Item>
<Item Key="UserMessageIfInvalidPassword">Your password is incorrect</Item>
<Item Key="UserMessageIfOldPasswordUsed">Looks like you used an old password</Item>
<Item Key="DiscoverMetadataByTokenIssuer">true</Item>
<Item Key="ValidTokenIssuerPrefixes">https://sts.windows.net/</Item>
<Item Key="METADATA">https://login.microsoftonline.com/{Settings:Tenant}/.well-known/openid-configuration</Item>
<Item Key="authorization_endpoint">https://login.microsoftonline.com/{Settings:Tenant}/oauth2/token</Item>
<Item Key="response_types">id_token</Item>
<Item Key="response_mode">query</Item>
<Item Key="scope">email openid</Item>
<Item Key="grant_type">password</Item>
</Metadata>
<InputClaims>
<InputClaim ClaimTypeReferenceId="logonIdentifier" PartnerClaimType="username" Required="true" DefaultValue="{OIDC:Username}"/>
<InputClaim ClaimTypeReferenceId="password" Required="true" DefaultValue="{OIDC:Password}" />
<InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="password" />
<InputClaim ClaimTypeReferenceId="scope" DefaultValue="openid" />
<InputClaim ClaimTypeReferenceId="nca" PartnerClaimType="nca" DefaultValue="1" />
<InputClaim ClaimTypeReferenceId="client_id" DefaultValue="{Settings:ProxyIdentityExperienceFrameworkAppId}" />
<InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="{Settings:IdentityExperienceFrameworkAppId}" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="oid" />
<OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="upn" />
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromObjectID" />
</OutputClaimsTransformations>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
But as soon as I try to add an orchestration step before it, like this, I get an error:
<UserJourney Id="ResourceOwnerPasswordCredentials">
<PreserveOriginalAssertion>false</PreserveOriginalAssertion>
<OrchestrationSteps>
<OrchestrationStep Order="1" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="TEST-CheckIfThisIsAvailable" TechnicalProfileReferenceId="CheckIfThisIsAvailable" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="2" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="ResourceOwnerFlow" TechnicalProfileReferenceId="ResourceOwnerPasswordCredentials-OAUTH2" />
</ClaimsExchanges>
</OrchestrationStep>
If you are just setting the claim to a specific value, you could use
<InputClaim ClaimTypeReferenceId="isThisAvailable" DefaultValue="false" AlwaysUseDefaultValue="true" />
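As an added illustration (not part of the question or of the answer above), here is the questioner's CheckIfThisIsAvailable technical profile rewritten to use the suggested InputClaim instead of the CreateStringClaim transformation, so no claims transformation runs in the step at all. It assumes, as the answer does, that the input claim's default value is placed in the claims bag and carried out of the step through the matching output claim; the DisplayName text is made up.

```xml
<TechnicalProfile Id="CheckIfThisIsAvailable">
  <DisplayName>Availability flag</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <InputClaims>
    <!-- Set the flag directly; AlwaysUseDefaultValue overrides any value already in the claims bag -->
    <InputClaim ClaimTypeReferenceId="isThisAvailable" DefaultValue="false" AlwaysUseDefaultValue="true" />
  </InputClaims>
  <OutputClaims>
    <!-- Expose the claim to the rest of the journey (later steps, preconditions, token issuance) -->
    <OutputClaim ClaimTypeReferenceId="isThisAvailable" />
  </OutputClaims>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
```

The orchestration step that references this profile stays as the questioner wrote it. Note that this only removes the transformation; whether the step is accepted when the journey is invoked through the token endpoint, the problem described in the question's edit, is a separate matter that the answer does not address.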
I have an error in step 2 of a sub journey:
<SubJourneys>
<SubJourney Id="CreativeFieldSignupSignin" Type="Transfer">
<OrchestrationSteps>
<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
<ClaimsProviderSelections>
<ClaimsProviderSelection TargetClaimsExchangeId="CreativeField" />
</ClaimsProviderSelections>
<ClaimsExchanges>
<ClaimsExchange Id="CreativeField" TechnicalProfileReferenceId="OIDC-CreativeField" />
</ClaimsExchanges>
</OrchestrationStep>
<!-- Attempt to find the user account in the B2C directory. -->
<OrchestrationStep Order="2" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />
</ClaimsExchanges>
</OrchestrationStep>
When I run the same orchestration steps in a user journey (not a sub journey), it runs without error. Is there some limitation on sub journeys where it can't access claims?
We are using the base AAD-UserReadUsingAlternativeSecurityId-NoError technical profile, which references the base AAD-UserReadUsingAlternativeSecurityId technical profile. I believe the line that is causing the error is:
<InputClaim ClaimTypeReferenceId="AlternativeSecurityId" PartnerClaimType="alternativeSecurityId" Required="true" />
I don't understand why our provider would return a null claim in a sub journey but not a normal user journey. The same technical profile OIDC-CreativeField was used in each.
Here is the OIDC-CreativeField profile:
<TechnicalProfile Id="OIDC-CreativeField">
<DisplayName>Test AAD</DisplayName>
<Description>Test AAD</Description>
<Protocol Name="OpenIdConnect"/>
<Metadata>
<Item Key="METADATA">https://login.microsoftonline.com/[tenant].onmicrosoft.com/v2.0/.well-known/openid-configuration</Item>
<Item Key="client_id">[client id]</Item>
<Item Key="response_types">code</Item>
<Item Key="scope">openid profile</Item>
<Item Key="response_mode">form_post</Item>
<Item Key="HttpBinding">POST</Item>
<Item Key="UsePolicyInRedirectUri">false</Item>
</Metadata>
<CryptographicKeys>
<Key Id="client_secret" StorageReferenceId="[secret reference id]"/>
</CryptographicKeys>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid"/>
<OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
<OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
<OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
<OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
<OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
<OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
<OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
</OutputClaimsTransformations>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin"/>
</TechnicalProfile>
We are using the base claims transformation CreateAlternativeSecurityId:
<ClaimsTransformation Id="CreateAlternativeSecurityId" TransformationMethod="CreateAlternativeSecurityId">
<InputClaims>
<InputClaim ClaimTypeReferenceId="issuerUserId" TransformationClaimType="key" />
<InputClaim ClaimTypeReferenceId="identityProvider" TransformationClaimType="identityProvider" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="alternativeSecurityId" TransformationClaimType="alternativeSecurityId" />
</OutputClaims>
</ClaimsTransformation>
I did localisation in my custom policy, but in certain steps I'm calling a REST API to validate some data. The response comes back in English, but now I need to translate those messages too as part of the localisation. Is there any way to do this in B2C?
Here is the response I'm getting from API:
{
"userMessage": "Password is incorrect",
"version":"1.0.0",
"status": 409,
"code": "API12345",
"requestId":"50f0bd91-2ff4-4b8f-828f-00f170519ddb",
"developerMessage":"Verbose description of problem and how to fix it.",
"moreInfo": "https://restapi/error/API12345/moreinfo"
}
You can send the localisation parameter to the REST API and have it return a localised error. Or you can return an error code from the API instead of an error string, and then use the following example to have this done in the policy:
<BuildingBlocks>
<ClaimsSchema>
<ClaimType Id="errorCode">
<DisplayName>errorCode</DisplayName>
<DataType>string</DataType>
<UserHelpText>A claim responsible for holding response codes to send to the relying party</UserHelpText>
</ClaimType>
<ClaimType Id="messageValue">
<DisplayName>Message</DisplayName>
<DataType>string</DataType>
<UserHelpText>A claim responsible for holding response messages to send to the relying party</UserHelpText>
<UserInputType>Paragraph</UserInputType>
<Restriction>
<Enumeration Text="errorCode1" Value="will get overridden by localization" />
<Enumeration Text="errorCode2" Value="will get overridden by localization" />
</Restriction>
</ClaimType>
</ClaimsSchema>
<ClaimsTransformations>
<ClaimsTransformation Id="SetMessageId" TransformationMethod="CreateStringClaim">
<InputParameters>
<InputParameter Id="value" DataType="string" Value="errorCode1" /> <!-- Toggle for errorCode2 -->
</InputParameters>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="errorCode" TransformationClaimType="createdClaim" />
</OutputClaims>
</ClaimsTransformation>
<ClaimsTransformation Id="GetLocalizedMessage" TransformationMethod="GetMappedValueFromLocalizedCollection">
<InputClaims>
<InputClaim ClaimTypeReferenceId="errorCode" TransformationClaimType="mapFromClaim" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="messageValue" TransformationClaimType="restrictionValueClaim" />
</OutputClaims>
</ClaimsTransformation>
</ClaimsTransformations>
<ContentDefinitions>
<ContentDefinition Id="api.selfasserted">
<LocalizedResourcesReferences MergeBehavior="Prepend">
<LocalizedResourcesReference Language="en" LocalizedResourcesReferenceId="api.selfasserted.en" />
<LocalizedResourcesReference Language="es" LocalizedResourcesReferenceId="api.selfasserted.es" />
</LocalizedResourcesReferences>
</ContentDefinition>
</ContentDefinitions>
<Localization Enabled="true">
<SupportedLanguages DefaultLanguage="en" MergeBehavior="ReplaceAll">
<SupportedLanguage>en</SupportedLanguage>
<SupportedLanguage>es</SupportedLanguage>
</SupportedLanguages>
<LocalizedResources Id="api.selfasserted.en">
<LocalizedCollections>
<LocalizedCollection ElementType="ClaimType" ElementId="messageValue" TargetCollection="Restriction">
<Item Text="errorCode1" Value="First message in english" />
<Item Text="errorCode2" Value="Second message in english" />
</LocalizedCollection>
</LocalizedCollections>
</LocalizedResources>
<LocalizedResources Id="api.selfasserted.es">
<LocalizedCollections>
<LocalizedCollection ElementType="ClaimType" ElementId="messageValue" TargetCollection="Restriction">
<Item Text="errorCode1" Value="Primer mensaje en español" />
<Item Text="errorCode2" Value="Segundo mensaje en español" />
</LocalizedCollection>
</LocalizedCollections>
</LocalizedResources>
</Localization>
</BuildingBlocks>
<ClaimsProviders>
<ClaimsProvider>
<DisplayName>Self Asserted</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="SelfAsserted-WelcomePage">
<DisplayName>User profile</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
<Metadata>
<Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
</Metadata>
<InputClaimsTransformations>
<InputClaimsTransformation ReferenceId="SetMessageId" />
<InputClaimsTransformation ReferenceId="GetLocalizedMessage" />
</InputClaimsTransformations>
<InputClaims>
<InputClaim ClaimTypeReferenceId="messageValue" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="email"/>
<OutputClaim ClaimTypeReferenceId="messageValue"/>
</OutputClaims>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
</ClaimsProviders>
<UserJourneys>
<UserJourney Id="Localization_Tester">
<OrchestrationSteps>
<OrchestrationStep Order="1" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="SelfAsserted-WelcomePage" TechnicalProfileReferenceId="SelfAsserted-WelcomePage" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="2" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="AAD-UserReadUsingEmailAddress" TechnicalProfileReferenceId="AAD-UserReadUsingEmailAddress" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
</OrchestrationSteps>
</UserJourney>
</UserJourneys>
I've followed the B2C - ADFS article.
I connect to ADFS and authenticate successfully, but then B2C throws the above error.
I am using the latest SocialAndLocalAccounts template.
My XML in the Extensions XML:
<ClaimsProvider>
<Domain>ABC.com</Domain>
<DisplayName>ABC ADFS</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="ABC-SAML2">
<DisplayName>ABC staff</DisplayName>
<Description>Login with your ADFS account</Description>
<Protocol Name="SAML2"/>
<Metadata>
<Item Key="WantsEncryptedAssertions">false</Item>
<Item Key="PartnerEntity">https://my-adfs.southeastasia.cloudapp.azure.com/federationmetadata/2007-06/federationmetadata.xml</Item>
<Item Key="XmlSignatureAlgorithm">Sha256</Item>
</Metadata>
<CryptographicKeys>
<Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_SamlCert"/>
<Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SamlCert"/>
</CryptographicKeys>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="userPrincipalName" />
<OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name"/>
<OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name"/>
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email"/>
<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name"/>
<OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="ABC.com" />
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication"/>
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
<OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
<OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
<OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
</OutputClaimsTransformations>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
</ClaimsProviders>
<UserJourneys>
<UserJourney Id="SignUpSignInADFS">
<OrchestrationSteps>
<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
<ClaimsProviderSelections>
<ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
<ClaimsProviderSelection TargetClaimsExchangeId="ABCExchange" />
</ClaimsProviderSelections>
<ClaimsExchanges>
<ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="2" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimsExist" ExecuteActionsIf="true">
<Value>objectId</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
<ClaimsExchange Id="ABCExchange" TechnicalProfileReferenceId="ABC-SAML2" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="3" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
</OrchestrationSteps>
<ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>
</UserJourneys>
This is what is returned in the SAML token from ADFS:
<AttributeStatement>
<Attribute Name="userPrincipalName">
<AttributeValue>user1@test.dev.com</AttributeValue>
</Attribute>
<Attribute Name="family_name">
<AttributeValue>Test</AttributeValue>
</Attribute>
<Attribute Name="given_name">
<AttributeValue>User1</AttributeValue>
</Attribute>
<Attribute Name="email">
<AttributeValue>user1@company.com</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
<AttributeValue>User1 Test</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<AttributeValue>user1@company.com</AttributeValue>
</Attribute>
</AttributeStatement>
As above, make sure you are using "SocialAndLocalAccounts".
I have created a custom policy using the Identity Experience Framework. I am able to sign up and sign in users using a local account, but when I try to use Facebook as a social login I run into an error.
Issue: When I click Facebook login (social login) from my custom policy, I am redirected to FB for login, but after logging in at FB I see the error below in Application Insights.
{
"Kind": "HandlerResult",
"Content": {
"Result": true,
"RecorderRecord": {
"Values": [
{
"Key": "SendErrorTechnicalProfile",
"Value": "OAuth2ProtocolProvider"
},
{
"Key": "Exception",
"Value": {
"Kind": "Handled",
"HResult": "80131500",
"Message": "An exception was caught when making a request to URL \"https://graph.facebook.com/oauth/access_token\" using method \"Get\". The exception status code was \"ProtocolError\" with the following message: {scrubbed}.",
"Data": {},
"Exception": {
"Kind": "Handled",
"HResult": "80131509",
"Message": "The remote server returned an error: (400) Bad Request.",
"Data": {}
}
}
}
]
}
}
},
Any thoughts?
<TechnicalProfiles>
<TechnicalProfile Id="Facebook-OAUTH">
<!-- The text in the following DisplayName element is shown to the user on the claims provider selection screen. -->
<DisplayName>Facebook</DisplayName>
<Protocol Name="OAuth2" />
<Metadata>
<Item Key="ProviderName">facebook</Item>
<Item Key="authorization_endpoint">https://www.facebook.com/dialog/oauth</Item>
<Item Key="AccessTokenEndpoint">https://graph.facebook.com/oauth/access_token</Item>
<Item Key="ClaimsEndpoint">https://graph.facebook.com/me?fields=id,first_name,last_name,name,email,picture</Item>
<Item Key="scope">email</Item>
<Item Key="HttpBinding">GET</Item>
<Item Key="client_id">xxxxxxxx</Item>
<Item Key="UsePolicyInRedirectUri">0</Item>
</Metadata>
<CryptographicKeys>
<Key Id="client_secret" StorageReferenceId="B2C_1A_FacebookSecret" />
</CryptographicKeys>
<InputClaims />
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="userId" PartnerClaimType="id" />
<OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="first_name" />
<OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="last_name" />
<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
<OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="facebook.com" />
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
<OutputClaim ClaimTypeReferenceId="extension_picture" PartnerClaimType="picture"/>
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
<OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
<OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
<OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
</OutputClaimsTransformations>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
</TechnicalProfile>
</TechnicalProfiles>
You must also add the following item to <Metadata />:
<Item Key="AccessTokenResponseFormat">json</Item>
See this blog post for more information.
You have to add as well:
<Metadata>
<Item Key="AccessTokenResponseFormat">json</Item>
</Metadata>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}" />
</OutputClaims>
I'm trying to clone a custom policy from one ADB2C tenant to another by uploading the XML file through the "Identity Experience Framework" interface, but I get the following error:
Unable to upload policy. Reason : Validation failed: 1 validation error(s) found in policy "B2C_1A_B2C_1_SIGNUPIN" of tenant "tenant.onmicrosoft.com".Policy 'B2C_1A_B2C_1_SignUpIn' of tenant 'tenat.onmicrosoft.com' is not allowed to inherit from the specified base policy. Inheritance chain: {
"TenantId": "tenant.onmicrosoft.com",
"PolicyId": "base-v1",
"TenantObjectId": "xxxx...",
"Root": true,
"Derived": {
"TenantId": "tenant.onmicrosoft.com",
"PolicyId": "B2C_1A_B2C_1_SignUpIn",
"TenantObjectId": "yyyy...",
"Rule": "All",
"InheritanceAllowed": false,
"Reason": "Policy 'B2C_1A_B2C_1_SignUpIn' in tenant 'yyyyy...' is blocked from inheriting policies from 'xxxx...' as the basic policy constraint handler 'B2CBasicPoliciesOnly' cannot match the policy id to a prefix or registered policy id."
}
}
This is the policy content:
<TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0"
TenantId="tenant.onmicrosoft.com" TenantObjectId="xxx...."
PolicyId="B2C_1_SignUpIn" PublicPolicyUri="http://tenant.onmicrosoft.com/">
<BasePolicy>
<TenantId>tenant.onmicrosoft.com</TenantId>
<PolicyId>base-v1</PolicyId>
</BasePolicy>
<BuildingBlocks>
<ClaimsSchema>
<ClaimType Id="displayName">
<DisplayName>Username</DisplayName>
<DataType>string</DataType>
<Restriction MergeBehavior="Append" />
</ClaimType>
<ClaimType Id="givenName">
<DisplayName>First Name</DisplayName>
<DataType>string</DataType>
<Restriction MergeBehavior="Append" />
</ClaimType>
<ClaimType Id="surname">
<DisplayName>Last name</DisplayName>
<DataType>string</DataType>
<Restriction MergeBehavior="Append" />
</ClaimType>
<ClaimType Id="extension_Service">
<DisplayName>Service Name</DisplayName>
<DataType>string</DataType>
<Restriction MergeBehavior="Append" />
</ClaimType>
</ClaimsSchema>
</BuildingBlocks>
<ClaimsProviders>
<ClaimsProvider>
<DisplayName>PhoneFactor</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="PhoneFactor-Common">
<EnabledForUserJourneys>OnClaimsExistence</EnabledForUserJourneys>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
<ClaimsProvider>
<DisplayName>Token Issuer</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="JwtIssuer">
<Metadata>
<Item Key="token_lifetime_secs">3600</Item>
<Item Key="id_token_lifetime_secs">3600</Item>
<Item Key="refresh_token_lifetime_secs">1209600</Item>
<Item Key="rolling_refresh_token_lifetime_secs">7776000</Item>
<Item Key="IssuanceClaimPattern">AuthorityAndTenantGuid</Item>
<Item Key="AuthenticationContextReferenceClaimPattern">None</Item>
</Metadata>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
<ClaimsProvider>
<DisplayName>Self Asserted</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="SelfAsserted-Input">
<InputClaims>
<InputClaim ClaimTypeReferenceId="displayName" />
<InputClaim ClaimTypeReferenceId="givenName" />
<InputClaim ClaimTypeReferenceId="surname" />
<InputClaim ClaimTypeReferenceId="extension_Organization" />
<InputClaim ClaimTypeReferenceId="extension_Department" />
<InputClaim ClaimTypeReferenceId="extension_Service" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="displayName" Required="true" />
<OutputClaim ClaimTypeReferenceId="givenName" Required="true" />
<OutputClaim ClaimTypeReferenceId="surname" Required="true" />
<OutputClaim ClaimTypeReferenceId="extension_Organization" Required="true" />
<OutputClaim ClaimTypeReferenceId="extension_Department" Required="true" />
<OutputClaim ClaimTypeReferenceId="extension_Service" Required="true" />
</OutputClaims>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
<ClaimsProvider>
<DisplayName>Azure Active Directory</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="AAD-ReadCommon">
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="givenName" />
<OutputClaim ClaimTypeReferenceId="surname" />
<OutputClaim ClaimTypeReferenceId="extension_Organization" />
<OutputClaim ClaimTypeReferenceId="extension_Department" />
<OutputClaim ClaimTypeReferenceId="extension_Service" />
</OutputClaims>
</TechnicalProfile>
<TechnicalProfile Id="AAD-WriteCommon">
<PersistedClaims>
<PersistedClaim ClaimTypeReferenceId="displayName" />
<PersistedClaim ClaimTypeReferenceId="givenName" />
<PersistedClaim ClaimTypeReferenceId="surname" />
<PersistedClaim ClaimTypeReferenceId="extension_Organization" />
<PersistedClaim ClaimTypeReferenceId="extension_Department" />
<PersistedClaim ClaimTypeReferenceId="extension_Service" />
</PersistedClaims>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
</ClaimsProviders>
<UserJourneys>
<UserJourney Id="B2CSignUpOrSignInWithPassword">
<OrchestrationSteps>
<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signinandsignupwithpassword">
<ClaimsProviderSelections>
<ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
</ClaimsProviderSelections>
</OrchestrationStep>
</OrchestrationSteps>
</UserJourney>
</UserJourneys>
<RelyingParty>
<DefaultUserJourney ReferenceId="B2CSignUpOrSignInWithPassword" />
<UserJourneyBehaviors>
<SingleSignOn Scope="Tenant" />
<SessionExpiryType>Rolling</SessionExpiryType>
<SessionExpiryInSeconds>86400</SessionExpiryInSeconds>
</UserJourneyBehaviors>
<TechnicalProfile Id="PolicyProfile">
<DisplayName>PolicyProfile</DisplayName>
<Protocol Name="OpenIdConnect" />
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="emails" />
<OutputClaim ClaimTypeReferenceId="objectId" />
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
<OutputClaim ClaimTypeReferenceId="newUser" />
<OutputClaim ClaimTypeReferenceId="surname" />
<OutputClaim ClaimTypeReferenceId="givenName" />
<OutputClaim ClaimTypeReferenceId="identityProvider" />
<OutputClaim ClaimTypeReferenceId="extension_Organization" />
<OutputClaim ClaimTypeReferenceId="extension_Service" />
<OutputClaim ClaimTypeReferenceId="extension_Department" />
<OutputClaim ClaimTypeReferenceId="trustFrameworkPolicy" Required="true" DefaultValue="{policy}" />
</OutputClaims>
<SubjectNamingInfo ClaimType="sub" />
</TechnicalProfile>
</RelyingParty>
</TrustFrameworkPolicy>
Downloading standard policies and then uploading them (with or without modification) is not supported.
It looks like that's what you tried, which makes your standard policy a custom policy. Custom policies cannot have base-v1 in the inheritance hierarchy. The base-v1 policies are strictly meant to be used by the standard policies.
The error indicates that your (now) custom policy is inheriting from base-v1.