I would like to create a custom signup policy that will check if a user exists and if it does, it will update a claim on the users object. If the user does not exist I would like it to create the user as normal.
As for right now, if a user attempts to signup using an email that already exists for a user I get an error stating "A user with the specified ID already exists. Please choose a different one."
if I'm understanding your question correctly you can use the Graph to do this as referenced here.
Using this line:
https://graph.windows.net/myorganization/users?$filter=signInNames/any(x:x/value eq 'someone')&api-version=1.6
It will return an array. Either with the name or empty if it does not exist.
Related
Is it possible to direct a user to a user flow along with a value that we want to set on a custom attribute? We dont want the user to be able to edit this field, it is ok if they see it.
I would like to have a custom app where the user will fill out some info, the app will validate their info against an internal database and return a value we would like to store in a custom attribute (an internal username).
I would then like to send the user off to a sign up user flow where they can either create a local account or create an account with an external IDP and the custom attribute would be pre populated for them and not editable.
To pre-populate the claim, set it as an input field on the form.
To make it non-editable, copy it to a readonly claim and display the readonly claim as an output.
To pass the data, make the whole flow a sign-up flow.
You can call a REST API in the flow to validate the data. Store the return value in an extension attribute.
Then ask the user if they want to federate with an external IDP.
If so, do the federation and add the value to the social account.
If not, create a local account and add the value.
You would have to create an external account beforehand.
I figured out you can send back custom errors from a rest API. What I am ending up doing is gathering the data from the user, sending it to a custom API for validation, then if it validates properly, the API returns the custom attribute.
If the validation fails I can return errors to the B2C that will be shown on the sign up page.
Currently I only find documentation that allows me to change my email / username / phone number, but nothing talks about adding a user attribute as an authentication entity for the login.
Write the new identifier to signInNames.whatever, exactly like the “change identifier” samples work. They just overwrite an existing value, if one didn’t exist, it just gets created automatically.
You can’t add an identifier to /any/ attribute, it has to go into signInNames attribute, as that is uniquely constrained.
I am implementing MFA custom policy with Email or Phone option. I want to restrict user to login if phone number is not registered. In my current implementation it is showing a screen to input new number if it is not registered yet , I wanted to restrict user from adding new mobile if not found.
I tried playing with orchestration steps but not able to find the correct output claim to check if user is already registered or not?
You can’t really check per se, AAD B2C has a built in uniqueness checker if you write to the identifier field - signInNames. You can store the phone number in signInNames.phoneNumber and then your uniqueness check is handled by the policy itself when you try to write the value. That prevents any user enrolling a phone number that already exists on another account.
I am pre-creating federated users using the Graph API. Although I am using a SignUpSignIn custom policy, I want to be able to prevent a SignUp and show an error when a federated user is not already in the B2C directory. I have tried just removing the orchestration step that does SelfAsserted-Social but that didn't yield intended results.
Any help will be appreciated.
I was able to resolve this doing the following
Create a claim type to hold the message to the user
Create a claims transformation of type CreateStringClaim that populates the above claim type
Created a self-asserted technical profile that
a. hides the continue and cancel buttons
b. has an InputClaimsTransformation referencing 2. above.
c. has an Input claim of the claim type in 1. above
d. has an output claim of the claim type in 1. above
Remove/comment out the orchestration step that shows the self-asserted page for auth with social Idp
In the orchestration step that writes the federated account to AAD, I replace the referenced TP (AAD-UserWriteUsingAlternativeSecurityId) with the one in 3.
Later I will be using a ContentDefinition element to have the page that displays the error message contain a link that sends the user back to the beginning signin user journey.
I'm experiencing the same problem you had here, but unfortunately I'm not yet able to get what you did in those 5 steps.
I know 2 years have passed, but if still have access to the files which you used to do this that would be great!
In a situation, where the user is authenticated on another application (like oAuth or a custom security implementation), how can we simulate login?
What we intend to achieve is:
- use the user identifier key to check if the user exists
- if the user exists, set-up the session for the user
- basically, setup the attribute holder
- assign the user object, so that it is available thru getUser() method
So we are looking at signing-in programatically!
Any light on how do it in the simplest way?
if using sfDoctrineGuardPlugin, i'd do something like:
Redirect user to 3rd part oAuth provider
On success, user returns to you, either create them a new sfGuardUser object, or retrieve the appropriate one (you may need to adapt the schema to have somewhere to store extra oAuth data).
Call myUser()->signIn($user), where $user in the previously retrieved sfGuardUser object - eg: I use this in register actions to log people in after registration: $this->getUser()->signin($user);