We are using custom policies with ADB2C and are passing ui_locales in the signup_signin url for the localization. However, B2C doesn't propagate this to the Self Service Password Reset flow. We set it up following the instructions here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-custom-policy#self-service-password-reset-recommended
Is there a way to propagate ui_locales to Password Reset form in Custom Policies? The url for Password Reset is out of our control and is constructed by B2C itself.
• Yes, you can surely configure the page localization option for the ‘Password Reset’ policy page by configuring the ‘Azure AD B2C Embedded Password Reset’ flow wherein the default ‘Password Reset’ flow policy gives out the error code ‘AADB2C90118’ when a specific password reset policy is not invoked through the custom policy.
• Thus, to use the ‘Azure AD B2C Embedded Password Reset’ flow policy in your Azure AD B2C Custom policy, kindly follow the below link for more details wherein the ‘B2C_1A_Demo_SignUp_SignIn_SSPR’ custom policy is used instead of the default ‘SigninOrSignUp’ starter policy: -
https://github.com/azure-ad-b2c/samples/tree/master/policies/embedded-password-reset/policy
If you use the above specified custom policy, then ensure to include the below ‘Localization’ element in the ‘TrustedFrameworkExtensions.xml’ file such that supported languages are made available in the custom policy accordingly: -
<Localization Enabled="true">
<SupportedLanguages DefaultLanguage="en" MergeBehavior="ReplaceAll">
<SupportedLanguage>en</SupportedLanguage>
<SupportedLanguage>es</SupportedLanguage>
</SupportedLanguages>
</Localization>
• Once, the above localization code is made available in the ‘TrustedFrameworkExtensions.xml’ file, ensure that the below option in the image occurs for you to translate the ‘Reset Password’ to be able to display as shown below such that when selected, the respective language is available for display and resetting the password.
To know more about this, please refer the below link for more details: -
AD B2C - ui_locales not propagated from SignIn to PasswordReset
Related
I have B2C tenant xxx.onmicrosoft.com and account admin#xxx.onmicrosoft.com.
I have API Connector (Azure Function called B2CRoleAssignment) that gets triggered before including application claims in token (Preview).
When I first attempt to sign into my SPA application with admin#xxx.onmicrosoft.com this is the following payload my API Connector (Azure Function) receives:
{
"step":"PreTokenIssuance",
"client_id":"XXXXYYYY-XXXX-YYYY-ZZZZ-d6b8da8e942a",
"ui_locales":"en-US",
"email":"admin#xxx.onmicrosoft.com",
"objectId":"AAAABBBB-CCCC-DDDD-EEEE-ad37b0ec108e",
"displayName":"admin"
}
When I close my SPA application and open it again, this is the payload API Connector (Azure Function) receives:
{
"step":"PreTokenIssuance",
"client_id":"XXXXYYYY-XXXX-YYYY-ZZZZ-d6b8da8e942a",
"ui_locales":"en-US",
"objectId":"AAAABBBB-CCCC-DDDD-EEEE-ad37b0ec108e",
"displayName":"admin"
}
How come the email claim is missing? On my Sign up and sign in User Flow I have selected Email Addresses application claim, but that doesn't seem to be working or doing anything at all.
The interesting thing is, this appears to only be a problem with accounts ending with #xxx.onmicrosoft.com.
• The email claim is missing during the sign in and signup user flow when selecting the API connector because the Azure function app is being considered by the Azure AD B2C as an untrusted domain website/application since the session is interrupted by closing and reopening the same due to which the session token might be considered expired/invalid immediately. As a result of which, the ‘email’ claim is omitted.
Thus, because of this, the email claim attribute might be returned null in the ‘application/json’ file as its value in the column might be missing or unknown. Hence, I would suggest you to please use the custom policies for signin or signup instead of default user flows in the Azure AD B2C console. Also, ensure that in the sign in and sign-up custom policy starter pack or the default custom policy in which editing needs to be done, do add the below claims in the custom policy output claims such that you will get the ‘email’ as an attribute in the response decoded token since adding the below claims will allow you to sign in through multiple claim attributes and you might not be getting email claim when using other claim types other than email.
<!-- This was already here -->
<OutputClaim ClaimTypeReferenceId="email" />
<!-- Added claim -->
<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress"
PartnerClaimType="email" />
To find the default custom policy starter pack, refer the below link for more details: -
https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack
Also, to know more regarding the above issue and its accepted solution, kindly refer to the below community link: -
Why is email not returned with api connector when SSO with azure b2c?
Hi I am trying to validate the users password with onprem-api.
Below is my trusted-framework base policy code.
The famework file will be avilable from the following Github link.
https://github.com/azure-ad-b2c/user-migration/issues/30
I am getting below error while executing the above policy
"Unable to validate the information provided."
Can you please help me what i am missing here.
Thanks,
Shiva
Please check below points:
Unable to validate the information provided
This issue may occur if we put the wrong IDs or values in the extensions policy for the Identity Experience Framework and Proxy Identity Experience Frame work applications or if the extension property itself not registered successfully.
Please check if custom attribute for the B2C or extension attribute is properly registered ,So that that property is used in technical profile to be validated. Define custom attributes in Azure Active Directory B2C | Microsoft Docs
Please make sure the metadata details are all correct.To enable custom attributes in your policy,we need to provide Application ID and Application Object ID before using extension property in the AAD-Common technical profile metadata. modify-your-custom-policy as such.
<Metadata>
<Item Key="ApplicationObjectId"> objectId here</Item>
<Item Key="ClientId"> appId here</Item>
</Metadata>
Also please check if,datatype of custom attribute mentioned is correct and the received claim matches the data type .See b2c-custom-policy-starterpack/issues
References:
c# -"Unable to validate the information provided"DNA integration - Stack Overflow
azure ad B2C force password reset. Unable to validate the information provided · Issue GitHub
I am trying to change or upload a user profile while signup or profile update in azure active directory b2c using custom policy. I found a "thumbnailPhoto" property having datatype Edm.Stream by using this I am trying to create a custom ClaimType like this. but it's not working please help in changing user profile through custom policy
<ClaimType Id="thumbnailPhoto">
<DisplayName>ProfilePicture</DisplayName>
<DataType>stream</DataType>
<UserHelpText>Upload profile picture</UserHelpText>
</ClaimType>
Thanks and Azure B2C support below predefined data types.
Reference:- https://learn.microsoft.com/en-us/azure/active-directory-b2c/claimsschema#datatype
stream
When you upload policy, you will get error - The 'http://schemas.microsoft.com/online/cpim/schemas/2013/06:DataType' element is invalid - The value 'stream' is invalid according to its datatype 'http://schemas.microsoft.com/online/cpim/schemas/2013/06:DataType' - The Enumeration constraint failed.
Proposed Solution:-
You need to use custom development using HTML or B2C with graph api.You can try to use the profilePhoto resource type which lets you get/update a photo.
This may work:
GET https://graph.windows.net/myorganization/users/{user_id}/thumbnailPhoto?api-version
PATCH https://graph.windows.net/myorganization/users/{user_id}?api-version
I have a trust framework SignUpOrSignIn custom policy user flow which sets 3 extension attributes for an app.
I can see these 3 claims and their default values in the token.
However, when I GET the user via MS Graph API (https://graph.microsoft.com/beta/{tenantId}/users/{userId}), I do not see these extension attributes.
Once I PATCH the user, I can then see the value via the GET to the {userId} segment as expected.
PATCH
{
"extension_{appId}_subscription_expiry":"2020-04-10"
}
Why are any extension attributes not returned until they've been subsequently PATCHed?
Although you have set default values for the 3 extension attributes in your custom policy, you can only see them in the token after your sign-up at that time. But you didn't store them into Azure AD.
I guess that you just add such a code <OutputClaim ClaimTypeReferenceId="extension_subscription_expiry" AlwaysUseDefaultValue="true" DefaultValue="xxx" /> in your SignUpOrSignIn.xml file.
But if you want to store the values into Azure AD, you should write the custom claim to the user profile by using AAD-UserWriteUsingLogonEmail TechnicalProfile. See Read and write a claim.
You should finish all the steps listed in this document: Add claims and customize user input using custom policies in Azure Active Directory B2C
I have configured Azure AD B2C with custom policies but I am unable to authenticate with a new user created in the Azure portal. The user has a temporary password. Azure AD B2C returns the error text Invalid username or password, even though the username and password is correct.
I have confirmed that it is possible to login with the new user and temporary password in Azure AD B2C using non custom policies. After logging in, the user gets prompted to change their password.
The problem can be reproduced using the custom policies described in this guide:
Get started with custom policies.
Additional information:
I have configured the b2crecorder https://b2crecorder.azurewebsites.net/stream?id=<guid> in the UserJourneyRecorderEndpoint. Which gives access to more information through https://b2crecorder.azurewebsites.net/trace_102.html?id=<guid>
The problem result in the following logging:
SelfAssertedMessageValidationHandler
The message was received from null
Validation via SelfAssertedAttributeProvider
Additional validation is required...
OperativeTechnicalProfile is login-NonInteractive
Mapping 'username' partner claim type to 'signInName' policy claim type
Mapping default value 'undefined' to policy 'grant_type'
Mapping default value 'undefined' to policy 'scope'
Mapping default value 'undefined' to policy 'nca'
Mapping default value 'undefined' to policy 'client_id'
Mapping default value 'undefined' to policy 'resource_id'
Using validation endpoint at: https://login.microsoftonline.com/xxxx.onmicrosoft.com/oauth2/token
Orchestration Step: 1
RA: 0
Protocol selected by the caller: OAUTH2
Communications with the caller handled by: OAuth2ProtocolProvider
IC: True
OAuth2 Message: MSG(d56987e9-be2e-46fc-a7a4-23e317f8f174) Message Detail
ValidationRequest:
ValidationResponse:
Exception:
Exception of type 'Web.TPEngine.Providers.BadArgumentRetryNeededException' was thrown.
The most common reason for this that Grant Permissions has not been executed.
On the "ProxyIdentityExperienceFramework application" -> after selecting the checkbox for Access IdentityExperienceFramework -> clicking on Select and hitting Done, you must also complete the next step:
Select Grant Permissions, and then confirm by selecting Yes.
Edit:
Sorry, after reading your situation carefully, both a "sign-up or sign-in policy" or "custom policy" do not support the Azure Active Directory forceChangePasswordNextLogin flag. (forceChangePasswordNextLogin will only work with a "sign-up policy") There is a feature request tracking this here.
Since this is the first SO article that pops up on this question, I'll add that another possibility to check when hitting this problem is, make sure the Proxy app type is Native, not Web.