Additional user input in B2C signin custom policy - azure-ad-b2c

I want to, during the sign in flow, ask the user for additional input, which would be used as an inputClaim in one of the next steps of the user journey in a custom policy. The value does not need to be persisted. Ideally, it would be done in the sign-in window, but also could be collected from a separate window.
I am able to modify the sign-up window in this way, though not the sign-in one. I looked at https://learn.microsoft.com/en-us/azure/active-directory-b2c/customize-ui-with-html?pivots=b2c-custom-policy, but this again describes only the sign-up scenario.
There is a similar question asked by Zzehan-jurangpathy here: Getting user attribute in sign in flow in Azure B2C, though with no answer that would actually be helpful.

You can't modify the standard sign-in flow. It just allows username and password.
You can add an extra page by adding a self-asserted technical profile e.g. here.

Related

B2c Custom policy for sign in

I'm looking to create a custom policy in the following scenario:
- User is created in the tenant by a job that has custom attributes for users: case reference and NI number (I know how to do this)
- User gets a sign-in page. There is no sign-up page
- Sign-in page has email, case ref, NI number that the user is required to enter
- Sign-in validation validates case ref and NI number against what is held in the B2C tenant
Looking at Microsoft's docs is baffling... whoever thought getting devs to edit and create the XML policy files was a good idea beggars belief.
Is it actually possible to validate against the info in the tenant through some sort of technical validation profile or something?
Create a self-asserted page with case ref, NI number etc. as output claims, i.e. they will appear on the form.
Add this page to the user journey after sign-in ("login-NonInteractive").
Read the user attributes ("AAD-UserReadUsingxxx").
You can compare the claims in the journey. Maybe easier to call a REST API to validate the information.
If good, send the JWT (the standard "SendClaims"). If not, display an error.
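The following is an added example, not code from either of the two questions or answers above; it shows both the "extra page via a self-asserted technical profile" of the first answer and the "read the attributes and compare" of this one. Assumed: the starter pack's AAD-Common technical profile is already configured for extension attributes (the asker says that part is done), the batch job writes the attribute as extension_CaseReference, and AAD-UserReadUsingObjectId has been given an OutputClaim for it. All claim, transformation and technical profile names below are made up for the example. The comparison is done in-policy with AssertStringClaimsAreEqual, so the value the user typed never leaves B2C; a REST API is only worth the extra moving parts if the check needs more than equality. The NI number is handled identically (second claim pair, second assertion) and is omitted for brevity. Note that a case reference or NI number is knowledge a third party may well have, so this page is an extra check on who is signing in, not a second factor.

```xml
<!-- Added example, not from the posts above. Names are assumed; see lead-in. -->
<BuildingBlocks>
  <ClaimsSchema>
    <ClaimType Id="caseReference">
      <DisplayName>Case reference</DisplayName>
      <DataType>string</DataType>
      <UserInputType>TextBox</UserInputType>
    </ClaimType>
    <ClaimType Id="extension_CaseReference">
      <DisplayName>Case reference held in the directory</DisplayName>
      <DataType>string</DataType>
    </ClaimType>
    <!-- Add niNumber / extension_NiNumber the same way, with a second assertion below -->
  </ClaimsSchema>
  <ClaimsTransformations>
    <!-- Fails the validation technical profile that runs it when the values differ -->
    <ClaimsTransformation Id="AssertCaseReferenceMatches" TransformationMethod="AssertStringClaimsAreEqual">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="caseReference" TransformationClaimType="inputClaim1" />
        <InputClaim ClaimTypeReferenceId="extension_CaseReference" TransformationClaimType="inputClaim2" />
      </InputClaims>
      <InputParameters>
        <InputParameter Id="stringComparison" DataType="string" Value="ordinalIgnoreCase" />
      </InputParameters>
    </ClaimsTransformation>
  </ClaimsTransformations>
</BuildingBlocks>
<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Case reference check</DisplayName>
    <TechnicalProfiles>
      <!-- Validation technical profile: runs the assertion inside the policy -->
      <TechnicalProfile Id="ClaimsTransformation-AssertCaseReference">
        <DisplayName>Compare case reference with directory</DisplayName>
        <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="caseReference" />
          <InputClaim ClaimTypeReferenceId="extension_CaseReference" />
        </InputClaims>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="caseReference" />
        </OutputClaims>
        <OutputClaimsTransformations>
          <OutputClaimsTransformation ReferenceId="AssertCaseReferenceMatches" />
        </OutputClaimsTransformations>
      </TechnicalProfile>
      <!-- The extra page shown after sign-in. caseReference only lives in the claims
           bag for this journey; nothing here writes it to the user object. -->
      <TechnicalProfile Id="SelfAsserted-CaseReference">
        <DisplayName>Confirm your case reference</DisplayName>
        <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        <Metadata>
          <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
          <!-- Message shown on this page when the assertion fails -->
          <Item Key="UserMessageIfClaimsTransformationStringsAreNotEqual">The case reference does not match our records.</Item>
        </Metadata>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="caseReference" Required="true" />
        </OutputClaims>
        <ValidationTechnicalProfiles>
          <ValidationTechnicalProfile ReferenceId="ClaimsTransformation-AssertCaseReference" />
        </ValidationTechnicalProfiles>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
<UserJourneys>
  <UserJourney Id="SignInWithCaseReference">
    <OrchestrationSteps>
      <!-- Steps 1-2 (not shown): the starter pack's local account sign-in, i.e. the
           ClaimsProviderSelection plus SelfAsserted-LocalAccountSignin-Email, with no sign-up link -->
      <!-- Step 3 reads extension_CaseReference into the claims bag -->
      <OrchestrationStep Order="3" Type="ClaimsExchange">
        <ClaimsExchanges>
          <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <!-- Step 4 is the extra page; the journey only reaches SendClaims if its validation passed -->
      <OrchestrationStep Order="4" Type="ClaimsExchange">
        <ClaimsExchanges>
          <ClaimsExchange Id="CaseReferenceExchange" TechnicalProfileReferenceId="SelfAsserted-CaseReference" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <OrchestrationStep Order="5" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
    </OrchestrationSteps>
  </UserJourney>
</UserJourneys>
```

A wrong value keeps the user on the page with the message from UserMessageIfClaimsTransformationStringsAreNotEqual; there is no token until the assertion passes. For a sign-up-or-sign-in journey the same two steps go after the directory read that follows the combined sign-in step.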

Getting user attribute in sign in flow in Azure B2C

When I read the documentation from Microsoft for Azure B2C, it mentions that we can collect user attributes during the sign-up flow.
I have a requirement where I need to get an input from the user during the sign-in flow. Other than the username and password entered during sign-in, I need the user to enter another field.
Is there an option to do the above in the sign in flow?
You need to use a custom policy.
It will allow you to add any extra pages and/or logic to any journey.
Samples: https://github.com/azure-ad-b2c/samples
Another way of collecting user input (e.g. an additional field in the sign-up form) during sign-up without using custom policies is as follows:
In the Azure B2C set up an additional User Attribute of the type String
In the specific sign-in flow require this User Attribute to be collected.
If needed, you can customize the wording and default values used in the form by supplying a language override in the specific flow.

How to add a link to offer an alternate route in Azure B2C custom policy

I've followed one of the provided samples to add TOTP multi factor authentication supported by a phone app:
https://github.com/azure-ad-b2c/samples/tree/master/policies/custom-mfa-totp
I'm therefore able to offer users the ability to enter a TOTP code:
One of the things I'm considering is ensuring users still have access to their accounts if something goes wrong during the TOTP MFA process which we're using by default. I'd therefore like to be able to add an extra link to this page to send users through an alternative MFA route without successfully completing this one in case they encounter issues: "send a code via email instead".
As far as I can tell, the B2C screens expect users to only go forward through clicking continue. The best alternative instead of a link I can think of is a checkbox which sets a boolean claim to enable an email MFA OrchestrationStep. I find this a little less user-friendly than a simple link though as it adds an unnecessary extra click.
Ideal user flow:
Login --> Display TOTP MFA screen --> Enter MFA code OR click link to go to email MFA screen
Any help's appreciated!
This sample demonstrates how to use a display control to provide multiple options (Email or MFA) for a user to continue:
https://github.com/azure-ad-b2c/samples/tree/master/policies/pwd-reset-via-email-or-phone
You could use the same idea here, except instead of invoking the MFA technical profiles as part of the samples display control, you can invoke the call to the REST API technical profile to verify the code.
You will need to use some CSS/JS to make the page look nice so users can toggle what option they want to use.
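An added example of the "offer another route" idea, not code from the answer or from either linked sample. Instead of toggling two controls on one page with JavaScript, it makes the choice a claim on the TOTP page and lets preconditions in the policy decide which check runs, so that hiding a control client-side can never be what decides whether a factor was verified. Assumed names: REST-VerifyTotp stands for the TOTP sample's REST call to verify the code; totpCode is that sample's code claim; GenerateOtp, SendOtp and VerifyOtp are the documented one-time-password technical profiles for email; an email claim has already been read from the directory earlier in the journey. Two checks a practitioner should confirm in testing: REST-VerifyTotp must reject an empty or reused code (the code field is not required because the email route leaves it blank), and the email page must not be submittable before VerifyCode has succeeded, which is the behaviour the verification control is documented to provide for sign-up email verification. The address the email goes to is a read-only copy of the directory value, so the user cannot redirect the code to an address they control.

```xml
<!-- Added example, not from the answer or the samples. Names are assumed; see lead-in. -->
<BuildingBlocks>
  <ClaimsSchema>
    <ClaimType Id="mfaChoice">
      <DisplayName>How do you want to verify?</DisplayName>
      <DataType>string</DataType>
      <UserInputType>RadioSingleSelect</UserInputType>
      <Restriction>
        <Enumeration Text="Enter the code from my authenticator app" Value="totp" SelectByDefault="true" />
        <Enumeration Text="Send a code to my email instead" Value="email" />
      </Restriction>
    </ClaimType>
    <!-- Read-only copy of the directory email: the user cannot change where the code goes -->
    <ClaimType Id="mfaEmail">
      <DisplayName>Email address</DisplayName>
      <DataType>string</DataType>
      <UserInputType>Readonly</UserInputType>
    </ClaimType>
  </ClaimsSchema>
  <ClaimsTransformations>
    <ClaimsTransformation Id="CopyEmailToMfaEmail" TransformationMethod="CopyClaim">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="email" TransformationClaimType="inputClaim" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="mfaEmail" TransformationClaimType="outputClaim" />
      </OutputClaims>
    </ClaimsTransformation>
  </ClaimsTransformations>
  <DisplayControls>
    <!-- The OTP technical profiles read "email" from the claims bag, not from the form -->
    <DisplayControl Id="emailVerificationControl" UserInterfaceControlType="VerificationControl">
      <DisplayClaims>
        <DisplayClaim ClaimTypeReferenceId="mfaEmail" Required="true" />
        <DisplayClaim ClaimTypeReferenceId="verificationCode" ControlClaimType="VerificationCode" Required="true" />
      </DisplayClaims>
      <Actions>
        <Action Id="SendCode">
          <ValidationClaimsExchange>
            <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="GenerateOtp" />
            <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="SendOtp" />
          </ValidationClaimsExchange>
        </Action>
        <Action Id="VerifyCode">
          <ValidationClaimsExchange>
            <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="VerifyOtp" />
          </ValidationClaimsExchange>
        </Action>
      </Actions>
    </DisplayControl>
  </DisplayControls>
</BuildingBlocks>
<!-- TOTP page. Continue runs REST-VerifyTotp unless the user picked email. -->
<TechnicalProfile Id="SelfAsserted-TotpOrChooseEmail">
  <DisplayName>Verify it's you</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
  </Metadata>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="mfaChoice" Required="true" />
    <OutputClaim ClaimTypeReferenceId="totpCode" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="REST-VerifyTotp">
      <Preconditions>
        <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
          <Value>mfaChoice</Value>
          <Value>email</Value>
          <Action>SkipThisValidationTechnicalProfile</Action>
        </Precondition>
      </Preconditions>
    </ValidationTechnicalProfile>
  </ValidationTechnicalProfiles>
</TechnicalProfile>
<!-- Email page, reached only through the precondition on the journey step below -->
<TechnicalProfile Id="SelfAsserted-EmailMfa">
  <DisplayName>Check your email</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
  </Metadata>
  <InputClaimsTransformations>
    <InputClaimsTransformation ReferenceId="CopyEmailToMfaEmail" />
  </InputClaimsTransformations>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="mfaEmail" />
  </InputClaims>
  <DisplayClaims>
    <DisplayClaim DisplayControlReferenceId="emailVerificationControl" />
  </DisplayClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="mfaEmail" />
  </OutputClaims>
</TechnicalProfile>
<!-- Journey: the step before this one shows SelfAsserted-TotpOrChooseEmail;
     this step is skipped when the authenticator code was chosen (and verified). -->
<OrchestrationStep Order="6" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
      <Value>mfaChoice</Value>
      <Value>totp</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="EmailMfa" TechnicalProfileReferenceId="SelfAsserted-EmailMfa" />
  </ClaimsExchanges>
</OrchestrationStep>
```

The radio defaults to the authenticator app, so the normal path is unchanged: enter the code, click Continue. Choosing the email option and clicking Continue skips the TOTP validation and lands on the email page; CSS can hide the code box when the email radio is selected, but that is cosmetic, since the policy ignores the code field on that route anyway.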

Azure B2C Skip Self-Asserted Social Signup. Show error if federated user doesn't already exist

I am pre-creating federated users using the Graph API. Although I am using a SignUpSignIn custom policy, I want to be able to prevent a SignUp and show an error when a federated user is not already in the B2C directory. I have tried just removing the orchestration step that does SelfAsserted-Social but that didn't yield intended results.
Any help will be appreciated.
I was able to resolve this by doing the following:
1. Create a claim type to hold the message to the user.
2. Create a claims transformation of type CreateStringClaim that populates the above claim type.
3. Create a self-asserted technical profile that
   a. hides the continue and cancel buttons
   b. has an InputClaimsTransformation referencing 2. above
   c. has an input claim of the claim type in 1. above
   d. has an output claim of the claim type in 1. above
4. Remove/comment out the orchestration step that shows the self-asserted page for auth with a social IdP.
5. In the orchestration step that writes the federated account to AAD, replace the referenced TP (AAD-UserWriteUsingAlternativeSecurityId) with the one in 3.
Later I will be using a ContentDefinition element to have the page that displays the error message contain a link that sends the user back to the beginning of the sign-in user journey.
I'm experiencing the same problem you had here, but unfortunately I'm not yet able to get what you did in those 5 steps.
I know 2 years have passed, but if you still have access to the files which you used to do this, that would be great!
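The five steps of the answer above, written out as an added example; this is not the answerer's actual policy, and every claim, transformation and technical profile name is assumed. The step number follows the starter pack's SignUpOrSignIn journey, where the federated-account write step already carries a precondition that skips it when the preceding AAD-UserReadUsingAlternativeSecurityId-NoError read found an objectId; keeping that precondition on the replaced step is what turns it into an "account not found" page. One caveat worth checking before blaming the policy: that read matches on the alternativeSecurityId built from the identity provider's issuer and the user's id at that provider, so users pre-created through Graph must carry an identity with the same issuer and issuerAssignedId the IdP technical profile emits, or every federated sign-in will land on this page.

```xml
<!-- Added example, not the answerer's files. Names are assumed; see lead-in. -->
<BuildingBlocks>
  <ClaimsSchema>
    <!-- 1. Claim that holds the message; Paragraph renders it as read-only text -->
    <ClaimType Id="accountNotFoundMessage">
      <DisplayName>Account not found</DisplayName>
      <DataType>string</DataType>
      <UserInputType>Paragraph</UserInputType>
    </ClaimType>
  </ClaimsSchema>
  <ClaimsTransformations>
    <!-- 2. Populate it with a fixed string -->
    <ClaimsTransformation Id="CreateAccountNotFoundMessage" TransformationMethod="CreateStringClaim">
      <InputParameters>
        <InputParameter Id="value" DataType="string" Value="We could not find an account for this sign-in. Ask your administrator to invite you." />
      </InputParameters>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="accountNotFoundMessage" TransformationClaimType="createdClaim" />
      </OutputClaims>
    </ClaimsTransformation>
  </ClaimsTransformations>
</BuildingBlocks>
<!-- 3. Page with no Continue or Cancel button: the journey cannot advance to SendClaims from here -->
<TechnicalProfile Id="SelfAsserted-AccountNotFound">
  <DisplayName>Account not found</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
    <Item Key="setting.showContinueButton">false</Item>
    <Item Key="setting.showCancelButton">false</Item>
  </Metadata>
  <InputClaimsTransformations>
    <InputClaimsTransformation ReferenceId="CreateAccountNotFoundMessage" />
  </InputClaimsTransformations>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="accountNotFoundMessage" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="accountNotFoundMessage" />
  </OutputClaims>
</TechnicalProfile>
<!-- 4./5. In the journey: delete the SelfAsserted-Social step, and point the
     AAD-UserWriteUsingAlternativeSecurityId step at the page above. The existing
     precondition means this page is shown only when the directory read found no objectId. -->
<OrchestrationStep Order="5" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>objectId</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="AccountNotFoundExchange" TechnicalProfileReferenceId="SelfAsserted-AccountNotFound" />
  </ClaimsExchanges>
</OrchestrationStep>
```

Because no write technical profile remains on this path, an unknown federated user is never created in the directory, and with both buttons hidden the only way off the page is the link the answerer mentions adding through the content definition (or closing the browser).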

Azure B2C EditProfile custom policy without Signing In first

Right now the ProfileEdit.xml file that comes with active-directory-b2c-custom-policy-starterpack asks the user to sign in before actually letting them get to the Edit Profile page.
The use case I'm trying to accomplish is a little bit different. The user is already signed in to the app and there's a button Edit Profile that when clicked will take the user to the Edit Profile page. That is, there should be no Sign in again.
My app allows the user to sign in using: Facebook and Local Account Signin. The custom ProfileEdit B2C policy should know which one the user used to login and just redirect the user to the ProfileEdit policy directly.
I tried messing around with the ProfileEdit Technical Profile but the mods I did didn't work.
Can anyone more experienced with Azure B2C custom policies let me know how to achieve this?
This is normal: imagine someone got to the profile edit link and bookmarked it, then logged out, then launched profile edit -> you need them to log in, otherwise things break.
So this is actually working perfectly already, just that you will get Single Sign On, such that once you have used the Sign In journey, the Profile Edit journey will skip the sign in step.
You can test it like this:
1. Open a new browser, and use the sign in journey, login and complete.
2. Open a new tab, and paste the Profile Edit link, remove the prompt=login query parameter.
3. Execute the link, you are taken straight to modifying your profile page, rather than seeing a sign in page.