Check if custom attribute value already exists - azure-ad-b2c

I created my Azure AD B2C custom policies to authenticate users.
I also added a custom attribute to ask the user for a unique piece of information, something like the SSN.
I've already set the custom attribute as required and put a restriction on it based on a regex, but I can't find a way, in the docs, to verify whether the value already exists in the directory and give an error if that is the case while the user signs up.
In this question, the suggestion is to call a REST API that uses the Microsoft Graph API to verify whether the value set for the custom attribute already exists:
Azure B2C: Querying AAD using a custom claim?
Is that the only solution, or has a way to do this check directly from the Azure AD B2C custom policy been released in the meantime?

Add a technical profile like:

```xml
<TechnicalProfile Id="AAD-UserReadUsingEmailAddress">
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="extension_attribute" />
  </OutputClaims>
</TechnicalProfile>
```

This "merges" with the TP in the base so that when your policy reads AAD, it will also read your extension attribute.
Then in your user journey add a precondition of "ClaimsExist".
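As an added example (not the answer's own code): the merged technical profile together with the AAD-Common metadata that extension attributes require and a journey step guarded by a ClaimsExist precondition. The claim name `extension_attribute`, the step order, the exchange Id and the two AAD-Common values are assumptions or placeholders.

```xml
<!-- Added example, not from the original answer. Assumed: extension_attribute, Order="3", the exchange Id. -->
<BuildingBlocks>
  <ClaimsSchema>
    <!-- the directory stores it as extension_<appId>_attribute; the policy refers to it as extension_attribute -->
    <ClaimType Id="extension_attribute">
      <DisplayName>Unique identifier</DisplayName>
      <DataType>string</DataType>
    </ClaimType>
  </ClaimsSchema>
</BuildingBlocks>
<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Azure Active Directory</DisplayName>
    <TechnicalProfiles>
      <!-- reading or writing extension attributes requires the b2c-extensions-app identifiers on AAD-Common -->
      <TechnicalProfile Id="AAD-Common">
        <Metadata>
          <Item Key="ApplicationObjectId">PLACEHOLDER-b2c-extensions-app-object-id</Item>
          <Item Key="ClientId">PLACEHOLDER-b2c-extensions-app-client-id</Item>
        </Metadata>
      </TechnicalProfile>
      <!-- merges with the base profile: the user read now also returns the extension attribute -->
      <TechnicalProfile Id="AAD-UserReadUsingEmailAddress">
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="extension_attribute" />
        </OutputClaims>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
<UserJourneys>
  <UserJourney Id="SignUpOrSignIn">
    <OrchestrationSteps>
      <!-- earlier steps (sign-in/sign-up page, social exchanges) omitted -->
      <OrchestrationStep Order="3" Type="ClaimsExchange">
        <Preconditions>
          <!-- skip the read once the attribute is already in the claims bag -->
          <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
            <Value>extension_attribute</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
        </Preconditions>
        <ClaimsExchanges>
          <ClaimsExchange Id="AADUserReadWithEmail" TechnicalProfileReferenceId="AAD-UserReadUsingEmailAddress" />
        </ClaimsExchanges>
      </OrchestrationStep>
    </OrchestrationSteps>
  </UserJourney>
</UserJourneys>
```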

Related

Azure AD B2C CombinedSignInAndSignUp with social IDP section on sign-up page

I am currently creating a sign-up (CombinedSignInAndSignUp) page using custom policies. I was wondering if it is possible to have a sign-up page with the social IDP selection (Facebook, LinkedIn) and the SignUpWithLogonEmailExchange button.
Based on the social IDPs you are selecting, you have to create a different technical profile for each.
Technical profiles are the mechanisms used to interact with the party (Facebook/LinkedIn) defined within a ClaimsProvider definition, whereas a ClaimsProvider defines a party that the custom policy interacts with.
To configure LinkedIn as an identity provider:
1. In the extension file of your policy, define a LinkedIn account as a claims provider by adding it to the ClaimsProviders element.
2. Open the SocialAndLocalAccounts/TrustFrameworkExtensions.xml file in your editor and find the ClaimsProviders element.
3. If the ClaimsProviders element does not exist, add it under the root element.
4. Add a new ClaimsProvider.
5. Replace the value of client_id with the client ID of the LinkedIn application and save.
To configure Facebook as an identity provider:
In the SocialAndLocalAccounts/TrustFrameworkExtensions.xml file, replace the value of client_id with the Facebook application ID:

```xml
<TechnicalProfile Id="Facebook-OAUTH">
  <Metadata>
    <!-- Replace the value of client_id in this technical profile with the Facebook app ID -->
    <Item Key="client_id">00000000000000</Item>
  </Metadata>
</TechnicalProfile>
```
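As an added example that is not part of the answer: the Facebook client_id override from the extensions file next to the first two orchestration steps of a journey that puts the social buttons and the local sign-in/sign-up form on one page. It assumes a LinkedIn-OAUTH technical profile is defined elsewhere in the same extensions file; the exchange Ids are the starter-pack names and the client_id is a placeholder.

```xml
<!-- Added example, not from the original answer. Assumes LinkedIn-OAUTH exists in this file;
     exchange Ids follow the starter pack, client_id is a placeholder. -->
<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Facebook</DisplayName>
    <TechnicalProfiles>
      <!-- Facebook-OAUTH is defined in the base file (secret in the B2C_1A_FacebookSecret policy key);
           only the app ID is overridden here -->
      <TechnicalProfile Id="Facebook-OAUTH">
        <Metadata>
          <Item Key="client_id">PLACEHOLDER-facebook-app-id</Item>
        </Metadata>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
<UserJourneys>
  <UserJourney Id="SignUpOrSignIn">
    <OrchestrationSteps>
      <!-- one page: social buttons plus the local sign-in form, which carries the sign-up link -->
      <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
        <ClaimsProviderSelections>
          <ClaimsProviderSelection TargetClaimsExchangeId="FacebookExchange" />
          <ClaimsProviderSelection TargetClaimsExchangeId="LinkedInExchange" />
          <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
        </ClaimsProviderSelections>
        <ClaimsExchanges>
          <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <!-- runs whichever exchange the user picked; skipped when local sign-in already produced objectId -->
      <OrchestrationStep Order="2" Type="ClaimsExchange">
        <Preconditions>
          <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
            <Value>objectId</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
        </Preconditions>
        <ClaimsExchanges>
          <ClaimsExchange Id="FacebookExchange" TechnicalProfileReferenceId="Facebook-OAUTH" />
          <ClaimsExchange Id="LinkedInExchange" TechnicalProfileReferenceId="LinkedIn-OAUTH" />
          <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <!-- remaining steps (AAD read/write, token issuance) as in the starter pack -->
    </OrchestrationSteps>
  </UserJourney>
</UserJourneys>
```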

Adding Application Claims from User Flow into AAD B2C Custom Policy

This is the Azure B2C user flow's Application claims, where I can tick "Email Addresses" and save it.
How can I do this in a custom policy? I am trying to add multi-tenant login to AAD B2C via custom policies and I need to select this "Email Addresses" entry from the user flow's Application claims.
How can I select or activate this same "Email Addresses" claim in the custom policy XML files?
So far I tried adding `<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" />` to the technical profiles, but still no luck.
The claim you want is `preferred_username`.
Try adding `<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="preferred_username" />`.

Using Policy Keys in Azure B2C custom policies

I am writing a custom policy for Azure B2C. Part of this policy uses a custom claims provider to get some information from an Azure Function and put it in the token. When calling this function, a code has to be passed as a query parameter on the call.
My policy works fine; however, I don't want to hard-code that key, or even the URL of the Azure Function. Is there any way to set this URL/key as a policy key and refer to it within the policy? That way I won't need to maintain separate policies for each environment.
The metadata section of the claims provider in question:

```xml
<Metadata>
  <Item Key="ServiceUrl">https://azurefuntiongoeashere/api/functionname?code=keygoeshere</Item>
  <Item Key="SendClaimsIn">Body</Item>
</Metadata>
```
If you secure your REST API with a conventional method like certificate/basic auth, or OAUTH, you can use a policy key.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/secure-rest-api
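As an added example (not the answer's own code): a RESTful technical profile that authenticates to the function with basic authentication, so the credential is held in policy keys instead of a `?code=` query parameter in the policy XML. The profile Id, the URL, the claims and the two policy key names (`B2C_1A_RestApiUsername`, `B2C_1A_RestApiPassword`) are assumed names.

```xml
<!-- Added example, not from the original answer. Assumed: profile Id, URL, claims, policy key names. -->
<TechnicalProfile Id="REST-GetProfile">
  <DisplayName>Get profile from Azure Function</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <!-- no ?code= in the URL: a function key there is readable by anyone who can read the policy -->
    <Item Key="ServiceUrl">https://PLACEHOLDER-function.azurewebsites.net/api/functionname</Item>
    <Item Key="SendClaimsIn">Body</Item>
    <!-- basic authentication over HTTPS; the credentials are resolved from policy keys at runtime -->
    <Item Key="AuthenticationType">Basic</Item>
    <Item Key="AllowInsecureAuthInProduction">false</Item>
  </Metadata>
  <CryptographicKeys>
    <!-- create these under Identity Experience Framework > Policy keys (Manual, Secret), one per environment -->
    <Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_RestApiUsername" />
    <Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_RestApiPassword" />
  </CryptographicKeys>
  <InputClaims>
    <!-- sent as the JSON body field "userId" -->
    <InputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="userId" />
  </InputClaims>
  <OutputClaims>
    <!-- read from the JSON response and placed in the claims bag -->
    <OutputClaim ClaimTypeReferenceId="loyaltyNumber" />
  </OutputClaims>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
```

The function must then validate the Authorization header itself; with the key no longer in the URL, the same policy XML can be deployed to each environment with a different value stored under the same policy key name.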

Email claims not populated with custom policies in Azure B2C

I have Azure B2C with custom policies, with Local Login and Microsoft Account login enabled. I started with the starter pack and made some modifications to add my custom logic to validate and add additional claims, as explained here.
Everything works fine with Microsoft Account, but I am facing issues with Local Account sign-in.
The email claim is only populated when the user signs up, but not on sign-in. On sign-in the email is part of the "signInNames.emailAddress" claim. I tried making the changes explained here and here. I would like the email to be populated in the email claim, as my API uses this claim.
Additional claims returned from my REST API are not added to the token for Local Login only. They are added for Microsoft Account.
Thank you.
Update: For point 2, it's a problem with my policy file and is now fixed.
There is a simple method to return the email claim.
Just replace `<OutputClaim ClaimTypeReferenceId="email" />` with `<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email" />` in your SignUpOrSignIn.xml file.
You need to sign up a new local user and then sign in to test it. You will see the email claim.
In fact, this solution was provided by #Wayne Yang in the post you shared.
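As an added example (not from either answer), the two PartnerClaimType mappings described in this answer and in the "Adding Application Claims" answer above, side by side: a multi-tenant Azure AD OpenID Connect technical profile that takes `email` from `preferred_username`, and the relying-party output claims that issue `signInNames.emailAddress` as `email` for local accounts. The technical profile Id, the policy key name and the tenant/client placeholders are assumptions.

```xml
<!-- Added example, not from the original answers. Assumed: profile Id, B2C_1A_AADAppSecret,
     placeholder client and tenant ids. -->
<ClaimsProvider>
  <Domain>commonaad</Domain>
  <DisplayName>Common AAD</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="AADCommon-OpenIdConnect">
      <DisplayName>Multi-Tenant AAD</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <Metadata>
        <Item Key="METADATA">https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration</Item>
        <Item Key="client_id">PLACEHOLDER-app-registration-client-id</Item>
        <Item Key="response_types">code</Item>
        <Item Key="scope">openid profile</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
        <!-- the "common" endpoint cannot validate the issuer for you: list the tenants you accept -->
        <Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/PLACEHOLDER-tenant-id-1,https://login.microsoftonline.com/PLACEHOLDER-tenant-id-2</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_AADAppSecret" />
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
        <!-- the Azure AD id_token carries the address in preferred_username, not in an email claim -->
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="preferred_username" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
      </OutputClaims>
      <!-- OutputClaimsTransformations (UPN, alternativeSecurityId, sub) as in the starter-pack social profiles -->
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
<!-- SignUpOrSignIn.xml: after a local sign-in the address is in signInNames.emailAddress, so issue it as "email" -->
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email" />
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>
```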

Custom policy: how to get the value of domain_hint as Precondition in an OrchestrationStep?

I'm using custom policies with a CombinedSignInAndSignUp step for social accounts and LocalAccountSigninEmailExchange.
Using domain_hint I can skip the selection for social accounts and go directly to, e.g., Google sign-in.
I also want to set domain_hint to "LocalAccount" and then ONLY show the local account sign-in.
I guess I can do that by adding a first step in the UserJourney to check if domain_hint="LocalAccount" and, if the ClaimEquals matches, skip the social providers.
I can get the value as an output claim when I specify:

```xml
<OutputClaim ClaimTypeReferenceId="domain_hint" AlwaysUseDefaultValue="true" DefaultValue="{OIDC:DomainHint}" />
```

But how do I get the value as a Precondition in an OrchestrationStep?
You can use the {OIDC:DomainHint} claims resolver.
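As an added example (not the answer's own code): a claims-transformation technical profile that copies the request's domain_hint into the claims bag through the `{OIDC:DomainHint}` resolver, followed by the combined sign-in step guarded by a ClaimEquals precondition. It assumes a `domain_hint` string ClaimType is already declared (as in the question); the technical profile Id and exchange Ids are assumed names.

```xml
<!-- Added example, not from the original answer. Assumed: ReadDomainHint and the exchange Ids;
     the domain_hint ClaimType is declared elsewhere in BuildingBlocks. -->
<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Claim resolvers</DisplayName>
    <TechnicalProfiles>
      <!-- no transformation needed: the resolver in DefaultValue fills the claim when the step runs -->
      <TechnicalProfile Id="ReadDomainHint">
        <DisplayName>Read domain_hint from the request</DisplayName>
        <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="domain_hint" AlwaysUseDefaultValue="true" DefaultValue="{OIDC:DomainHint}" />
        </OutputClaims>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
<UserJourneys>
  <UserJourney Id="SignUpOrSignIn">
    <OrchestrationSteps>
      <!-- step 1 makes domain_hint a claim so later preconditions can test it -->
      <OrchestrationStep Order="1" Type="ClaimsExchange">
        <ClaimsExchanges>
          <ClaimsExchange Id="ReadDomainHintExchange" TechnicalProfileReferenceId="ReadDomainHint" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <!-- combined social + local page; skipped when the caller sent domain_hint=LocalAccount.
           domain_hint is chosen by the client, so use it to pick the UI only, never to grant anything -->
      <OrchestrationStep Order="2" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
        <Preconditions>
          <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
            <Value>domain_hint</Value>
            <Value>LocalAccount</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
        </Preconditions>
        <ClaimsProviderSelections>
          <ClaimsProviderSelection TargetClaimsExchangeId="GoogleExchange" />
          <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
        </ClaimsProviderSelections>
        <ClaimsExchanges>
          <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <!-- a local-only sign-in step follows with the same precondition but ExecuteActionsIf="false",
           so exactly one of the two pages is shown -->
    </OrchestrationSteps>
  </UserJourney>
</UserJourneys>
```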
