Azure AD B2C AAD-UserReadUsingAlternativeSecurityId technical profile is throwing error - azure-ad-b2c

I have a custom policy with the technical profile below to enable login from multiple Azure AD tenants. When I log in with a valid work account, the technical profile AAD-UserReadUsingAlternativeSecurityId throws an error. I have included the App Insights output below. Since I have no control over how Azure AD B2C builds the Graph API lookup within the technical profile, how can I go about finding and fixing the actual issue?
I checked the claims transformation that builds up the alternative security ID and found nothing; I followed the starter pack and did not change anything.
<TechnicalProfile Id="Common-AAD">
  <DisplayName>Active Directory</DisplayName>
  <!-- <DisplayName>Sign In</DisplayName> -->
  <Protocol Name="OpenIdConnect" />
  <Metadata>
    <Item Key="client_id">dcaee4b4-61d6-45e6-88b2-b35a81e93077</Item>
    <Item Key="UsePolicyInRedirectUri">0</Item>
    <Item Key="METADATA">https://login.microsoftonline.com/common/.well-known/openid-configuration</Item>
    <Item Key="response_types">code</Item>
    <Item Key="scope">openid</Item>
    <Item Key="response_mode">form_post</Item>
    <Item Key="HttpBinding">POST</Item>
    <Item Key="DiscoverMetadataByTokenIssuer">true</Item>
    <!-- The key below allows you to specify each of the Azure AD tenants that can be used to sign in. Update the GUIDs below for each tenant. -->
    <Item Key="ValidTokenIssuerPrefixes">
      https://sts.windows.net/{GUID1-masked},
      https://sts.windows.net/{GUID2-masked},
      https://sts.windows.net/{GUID3-masked},
      https://sts.windows.net/{GUID4-masked}
    </Item>
    <!-- The commented key below specifies that users from any tenant can sign-in. Uncomment if you would like anyone with an Azure AD account to be able to sign in. -->
    <!-- <Item Key="ValidTokenIssuerPrefixes">https://sts.windows.net/</Item>-->
  </Metadata>
  <CryptographicKeys>
    <Key Id="client_secret" StorageReferenceId="B2C_1A_AZB2CSecret" />
  </CryptographicKeys>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
    <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
    <!-- <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="sub" /> -->
    <!-- Mark: issuerUserId below originally mapped to sub -->
    <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid" />
    <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
    <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
    <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
    <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="unique_name" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
    <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
    <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
    <!-- <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" /> -->
  </OutputClaimsTransformations>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
</TechnicalProfile>
AAD Request to https://graph.windows.net/34d8169d-0e97-4cc7-a8d0-57c29404f1b1/users?api-version=1.6-integrationOnly&%24filter=alternativeSecurityIds%2fany(x%3ax%2ftype+eq+6+and+x%2fidentityProvider+eq+%27https%3a%2f%2fsts.windows.net%{GUID-MASKED}%2f%27+and+x%2fkey+eq+X%2738623361343134642D623331622D343638322D396662382D663461376161666164643966%27) using method GET as request body is malformed.
Response:
{"odata.metadata":"https://graph.windows.net/34d8169d-0e97-4cc7-a8d0-57c29404f1b1/$metadata#directoryObjects","value":[]}
And after the policy runs, the error displayed to the app/user is: AADB2C99002: An account could not be found for the provided user ID. Which is normal, I guess, as the user lookup fails.
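The Graph request in the App Insights line is the whole story of the lookup: B2C filters on three fields of the stored alternativeSecurityIds (type, identityProvider, key), and the key is sent as an OData binary literal X'..', the hex of the UTF-8 bytes of the issuerUserId claim that CreateAlternativeSecurityId consumed. An empty value:[] means no stored entry matched all three, which is exactly what the profile's comment about issuerUserId having been remapped from sub to oid would produce for an account created under the earlier mapping. The decoder below is an added example, not code from the question or from Microsoft's starter pack; the request is constructed in the same shape as the logged one with placeholder GUIDs, and it assumes Graph returns the stored key base64-encoded (OData Edm.Binary).

```python
"""Decode the Azure AD Graph lookup that AAD-UserReadUsingAlternativeSecurityId
issues, so the identityProvider and key B2C searched for can be compared with
the alternativeSecurityIds stored on the account.

Added example; not the question's code and not Microsoft's. Assumptions:
Graph returns the stored key as base64 (OData Edm.Binary), and
CreateAlternativeSecurityId sets key = UTF-8 bytes of issuerUserId.
"""
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample request (placeholder GUIDs), same shape as the logged one.
# The X'..' literal is the hex of "22222222-2222-2222-2222-222222222222".
SAMPLE_REQUEST = (
    "https://graph.windows.net/00000000-0000-0000-0000-000000000000/users"
    "?api-version=1.6-integrationOnly"
    "&%24filter=alternativeSecurityIds%2fany(x%3ax%2ftype+eq+6"
    "+and+x%2fidentityProvider+eq+%27https%3a%2f%2fsts.windows.net%2f"
    "11111111-1111-1111-1111-111111111111%2f%27"
    "+and+x%2fkey+eq+X%2732323232323232322D323232322D323232322D323232322D"
    "323232323232323232323232%27)"
)

_FILTER_RE = re.compile(
    r"x/type eq (?P<type>\d+) and x/identityProvider eq '(?P<idp>[^']*)'"
    r" and x/key eq X'(?P<key>[0-9A-Fa-f]+)'"
)


def decode_lookup(request_url):
    """Return (type, identityProvider, key_text) that the lookup searched for."""
    query = parse_qs(urlsplit(request_url).query)   # %24filter -> $filter, + -> space
    odata_filter = query["$filter"][0]
    match = _FILTER_RE.search(odata_filter)
    if match is None:
        raise ValueError("not an alternativeSecurityIds lookup: " + odata_filter)
    key_text = bytes.fromhex(match.group("key")).decode("utf-8")
    return int(match.group("type")), match.group("idp"), key_text


def expected_key_hex(issuer_user_id):
    """Hex literal B2C puts in the filter for a given issuerUserId value."""
    return issuer_user_id.encode("utf-8").hex().upper()


def stored_alt_id(identity_provider, key_text, type_=6):
    """One element of a user's alternativeSecurityIds as Graph returns it
    (key base64-encoded)."""
    return {
        "type": type_,
        "identityProvider": identity_provider,
        "key": base64.b64encode(key_text.encode("utf-8")).decode("ascii"),
    }


def lookup_matches_account(request_url, stored_alt_ids):
    """True if a stored entry matches all three filter terms. A mismatch on
    any one of them gives value:[] from Graph and AADB2C99002 from the policy."""
    wanted = decode_lookup(request_url)
    for entry in stored_alt_ids:
        stored = (
            entry["type"],
            entry["identityProvider"],
            base64.b64decode(entry["key"]).decode("utf-8"),
        )
        if stored == wanted:
            return True
    return False
```

Run decode_lookup on the real line from App Insights and compare the decoded key and identityProvider with what `GET /users/{objectId}?api-version=1.6` shows for the account you expect to match; a key that decodes to the old sub value while the filter carries the oid is the remapping case, and the fix is either to keep the mapping the account was created with or to re-create the alternativeSecurityId on the existing accounts.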

"Open your browser and go to the OpenID Connect metadata URL for the tenant. Find the issuer object and record its value. It should look similar to https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/.well-known/openid-configuration".
When I do that, I get an issuer like:
"https://login.microsoftonline.com/GUID/v2.0"
But you have:
https://sts.windows.net/{GUID1-masked}
(The documentation seems wrong anyway - their issuer is the "well-known" address).
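The two issuer forms in this answer come from two different metadata documents: the v1 /common document publishes the template https://sts.windows.net/{tenantid}/ (so a v1 token carries iss = https://sts.windows.net/<tid>/), while the v2.0 document publishes https://login.microsoftonline.com/{tenantid}/v2.0. ValidTokenIssuerPrefixes is a prefix match against the token's iss, so listing sts.windows.net prefixes while federating against the v2.0 endpoint, or vice versa, rejects every token. The check below is an added example, not B2C's validation code; the metadata dicts are constructed samples trimmed to the issuer field.

```python
"""Check which tokens the ValidTokenIssuerPrefixes item in the Common-AAD
profile will accept. Added example; mirrors the documented behaviour, not
B2C's own implementation. Metadata samples are constructed (issuer only).
"""

# Constructed: the 'issuer' value each /common metadata document publishes
V1_COMMON_METADATA = {"issuer": "https://sts.windows.net/{tenantid}/"}
V2_COMMON_METADATA = {"issuer": "https://login.microsoftonline.com/{tenantid}/v2.0"}

# Item text as it would appear in the policy: commas, newlines, indentation
VALID_TOKEN_ISSUER_PREFIXES_ITEM = """
    https://sts.windows.net/11111111-1111-1111-1111-111111111111,
    https://sts.windows.net/22222222-2222-2222-2222-222222222222
"""
# The catch-all from the commented-out item: admits every Azure AD tenant
ANY_TENANT_ITEM = "https://sts.windows.net/"


def parse_prefixes(item_text):
    """Split the Item text on commas and strip the surrounding whitespace."""
    return [p.strip() for p in item_text.split(",") if p.strip()]


def expected_issuer(metadata, tenant_id):
    """Issuer a token from tenant_id will carry, per the metadata template."""
    return metadata["issuer"].replace("{tenantid}", tenant_id)


def issuer_allowed(iss, prefixes):
    """Prefix match, which is how ValidTokenIssuerPrefixes is applied."""
    return any(iss.startswith(prefix) for prefix in prefixes)


def accepted_tenants(tenant_ids, metadata, prefixes):
    """Which of the given tenants' tokens pass, for a given endpoint version."""
    return [
        tid for tid in tenant_ids
        if issuer_allowed(expected_issuer(metadata, tid), prefixes)
    ]
```

The security point of the catch-all prefix is visible in the last assertion: with https://sts.windows.net/ alone, any tenant in the world passes the issuer check, so the allow-list must be the per-tenant prefixes unless the application really is open to every Azure AD organisation.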

You shouldn't be calling AAD-UserReadUsingAlternativeSecurityId; you should instead call AAD-UserReadUsingAlternativeSecurityId-NoError in the case of social logins, like here.
See the social login journey here for comparison from the Starter Pack.
There is a full explanation here of how this works in the readme.

Related

Azure b2c custom policy, LinkedIn Identity Provider, unable to get email address

I want to add LinkedIn as an identity provider to my azure b2c tenant.
I have already added Microsoft and Google as id providers.
However, when I added LinkedIn, it was impossible to retrieve an email address and put it in the azure b2c token.
Here is my custom policy base file: TrustFrameworkBase.xml
<ClaimsProvider>
  <Domain>linkedin.com</Domain>
  <DisplayName>LinkedIn</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="LinkedIn-OAuth2">
      <DisplayName>LinkedIn</DisplayName>
      <Protocol Name="OAuth2" />
      <Metadata>
        <Item Key="ProviderName">linkedin</Item>
        <Item Key="authorization_endpoint">https://www.linkedin.com/oauth/v2/authorization</Item>
        <Item Key="AccessTokenEndpoint">https://www.linkedin.com/oauth/v2/accessToken</Item>
        <Item Key="ClaimsEndpoint">https://api.linkedin.com/v2/me</Item>
        <Item Key="scope">r_emailaddress r_liteprofile</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="external_user_identity_claim_id">id</Item>
        <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
        <Item Key="ResolveJsonPathsInJsonTokens">true</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
        <Item Key="client_id">MyLinkedInClientId</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_LinkedInSecret" />
      </CryptographicKeys>
      <InputClaims />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="id" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="firstName.localized" />
        <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="lastName.localized" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="emailAddress" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="linkedin.com" AlwaysUseDefaultValue="true" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="ExtractGivenNameFromLinkedInResponse" />
        <OutputClaimsTransformation ReferenceId="ExtractSurNameFromLinkedInResponse" />
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
As we can see, the ClaimsEndpoint is https://api.linkedin.com/v2/me
But this endpoint does not give access to the email address.
Here is the documentation detailing it:
Sign-in with linked-in
We see that to get the email address, we need to call another endpoint: https://api.linkedin.com/v2/emailAddress?q=members&projection=(elements*(handle~))
I tried changing the ClaimsEndpoint to this, but when uploading the custom policy I got an error:
The policy being uploaded is not correctly formatted: '=' is an unexpected token.
I don't see what I could do to get the email address as a claim in the Azure B2C token.
Can you please help?
As per this, you need to make an additional API call and pass the access token you already have.
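Two practical checks behind this answer, as an added example that is not code from the question, the answer or Microsoft's docs. First, a URL with a query string cannot be pasted raw into a policy <Item>: the & before projection= starts an XML entity reference, so the upload is rejected as malformed XML before any of the policy logic is evaluated; it has to be written as &amp;. Second, whatever makes the extra call (the answer only says a second request with the same access token is needed), the email is not a flat field in the response: it sits under elements[].handle~.emailAddress, so a plain PartnerClaimType="emailAddress" mapping would not find it. The sample response is constructed to the shape LinkedIn's projection syntax produces.

```python
"""XML-escaping check for policy Item values, plus a parser for the
emailAddress projection response. Added example, not from the page or from
LinkedIn/Microsoft; the response sample is constructed.
"""
import json
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EMAIL_ENDPOINT = (
    "https://api.linkedin.com/v2/emailAddress"
    "?q=members&projection=(elements*(handle~))"
)


def policy_item_xml(key, value):
    """Serialize an <Item> with the text escaped for XML (& -> &amp; etc.)."""
    return '<Item Key="%s">%s</Item>' % (escape(key, {'"': "&quot;"}), escape(value))


def item_parses(item_xml):
    """True if the snippet is well-formed XML, the first thing the policy
    upload checks. A raw '&' in a URL fails here."""
    try:
        ET.fromstring(item_xml)
        return True
    except ET.ParseError:
        return False


def item_value(item_xml):
    """Text the policy engine would actually see after XML parsing."""
    return ET.fromstring(item_xml).text


# Constructed sample, shaped like the projection response for one member
SAMPLE_EMAIL_RESPONSE = json.dumps({
    "elements": [
        {
            "handle": "urn:li:emailAddress:123456",
            "handle~": {"emailAddress": "alice@example.com"},
        }
    ]
})


def extract_email(response_text):
    """Return the first emailAddress found under elements[].handle~, or None."""
    data = json.loads(response_text)
    for element in data.get("elements", []):
        handle = element.get("handle~") or {}
        if isinstance(handle, dict) and "emailAddress" in handle:
            return handle["emailAddress"]
    return None
```

item_value shows why the escaped form is correct rather than a workaround: after parsing, the &amp; is a single & again, so the engine receives the URL exactly as LinkedIn expects it.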

Azure B2C custom policy Microsoft Live.com Account - Get Picture

I am trying to get the user image for the MSA-OIDC technical profile, but it's not working.
Can somebody help me? This is my claims provider.
For Google and Facebook this solution works perfectly. I will add that in the Azure AD application I added permissions for User.Read, email and profile. Is that enough?
<ClaimsProvider>
  <Domain>live.com</Domain>
  <DisplayName>Microsoft</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="MSA-OIDC">
      <DisplayName>Sign in with Microsoft</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <Metadata>
        <Item Key="ProviderName">https://login.live.com</Item>
        <Item Key="METADATA">https://login.live.com/.well-known/openid-configuration</Item>
        <Item Key="response_types">code</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="scope">openid profile email</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
        <Item Key="client_id">************************</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_MSASecret" />
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
        <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
        <OutputClaim ClaimTypeReferenceId="email" />
        <OutputClaim ClaimTypeReferenceId="picture" PartnerClaimType="picture" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
I didn't use the claims provider as posted in your question, but I followed the GitHub solution given in the link below and successfully signed in with a Microsoft account through the 'Sign in or sign up' user flow. I also tried to sign up through the Identity Experience Framework custom policy and was successful in creating a Microsoft account in Azure AD B2C during sign-up. Please find the link below for your reference:
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/active-directory-b2c/identity-provider-microsoft-account.md
Microsoft account sign-up option through the custom policy used from the above link:
Also, for getting the profile picture of a Microsoft account into Azure AD B2C, you will have to import the profile picture of that user into Azure AD B2C beforehand, because there is no way to get the profile photo of a Microsoft account in Azure AD B2C, even through a custom policy. Also, please take note of the points in the link below:
https://learn.microsoft.com/en-us/graph/api/profilephoto-get?view=graph-rest-1.0#to-retrieve-the-profile-photo-of-a-contact
The community thread linked below states some probable steps that you can carry out to get the profile user image:
Get User profile pic using custom policy with azure B2C

How to add Slack as an Identity Provider in AAD B2C?

I'd like to add Slack as an identity provider to my app using AAD B2C. Is there any example of how to build the technical profile for that?
I was able to create a technical profile to connect to Slack, but I'm having a problem with sending a user_scope parameter instead of the scope parameter. The OAuth2 technical profile only supports the "scope" parameter and I'm not able to find a way of sending "user_scope" instead.
I was also able to connect using endpoints that didn't include "v2" in them, but I'm not sure that's the right approach.
This is the technical profile I'm using in the ClaimsProvider now. I have another ClaimsProvider for AAD multi-tenant. I didn't modify the relying party at all for Slack.
<TechnicalProfile Id="Slack-OAUTH">
  <DisplayName>Slack</DisplayName>
  <Protocol Name="OAuth2" />
  <Metadata>
    <Item Key="ProviderName">slack</Item>
    <Item Key="authorization_endpoint">https://slack.com/oauth/v2/authorize</Item>
    <Item Key="AccessTokenEndpoint">https://slack.com/api/oauth.v2.access</Item>
    <Item Key="ClaimsEndpoint">https://slack.com/api/users.identity</Item>
    <Item Key="HttpBinding">POST</Item>
    <Item Key="UsePolicyInRedirectUri">0</Item>
    <Item Key="client_id">ClientID</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="client_secret" StorageReferenceId="REFERENCE_TO_SECRET_IN_B2C_KEYS" />
  </CryptographicKeys>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="user_scope" DefaultValue="identity.basic" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="slack" />
    <OutputClaim ClaimTypeReferenceId="user" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="GetIdClaimFromJson" />
    <OutputClaimsTransformation ReferenceId="GetNameClaimFromJson" />
    <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
    <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
    <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
    <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
  </OutputClaimsTransformations>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
</TechnicalProfile>
The call to Slack works and I'm getting a code back and being redirected to AAD B2C, but then I get an exception back. I put the policy in development mode to drop logs into App Insights and got an exception saying: An invalid OAuth response was received: '{0}'.
'Message':'The given key was not present in the dictionary.','Data':{}
To enable sign-in for users from a Slack account, you need to create a Slack application project.
Sign in to the Slack API with your account credentials.
Select Create New App.
Enter an App Name and select a Development Slack Workspace.
Select Create App.
Under App Credentials, copy the values of Client ID and Client secret. You will need both of them to configure Slack as an identity provider in your tenant. Client secret is an important security credential.
Under Features, select OAuth and Permissions.
Add a new Redirect URL, enter https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp.
Replace your-tenant-name with the name of your tenant. You need to use all lowercase letters when entering your tenant name even if the tenant is defined with uppercase letters in Azure AD B2C.
Click Save URLs.
Create a policy key
You need to store the client secret that you previously recorded in your Azure AD B2C tenant.
Sign in to the Azure portal.
Make sure you're using the directory that contains your Azure AD B2C tenant by clicking the Directory and subscription filter in the top menu and choosing the directory that contains your tenant.
Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.
On the Overview page, select Identity Experience Framework - PREVIEW.
Select Policy Keys and then select Add.
For Options, choose Manual.
Enter a Name for the policy key. For example, SlackSecret. The prefix B2C_1A_ is added automatically to the name of your key.
In Secret, enter your client secret that you previously recorded.
For Key usage, select Signature.
Click Create.
Slack claims provider as follows:
<TechnicalProfile Id="Slack-OAUTH">
  <DisplayName>Log in with your Slack account</DisplayName>
  <Protocol Name="OAuth2"/>
  <OutputTokenFormat>JWT</OutputTokenFormat>
  <Metadata>
    <Item Key="AccessTokenEndpoint">https://slack.com/api/oauth.access</Item>
    <Item Key="authorization_endpoint">https://slack.com/oauth/authorize</Item>
    <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
    <Item Key="ClaimsEndpoint">https://slack.com/api/users.identity</Item>
    <Item Key="client_id">Your Slack App Registration Client ID</Item>
    <Item Key="HttpBinding">POST</Item>
    <Item Key="response_types">code</Item>
    <Item Key="scope">identity.basic</Item>
    <Item Key="UsePolicyInRedirectUri">false</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="client_secret" StorageReferenceId="B2C_1A_slackfederation"/>
  </CryptographicKeys>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="slackAuthentication" />
    <OutputClaim ClaimTypeReferenceId="user" />
    <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="slack" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="GetIdClaimFromJson" />
    <OutputClaimsTransformation ReferenceId="GetNameClaimFromJson" />
    <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
    <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
    <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
  </OutputClaimsTransformations>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
And supporting claims transforms:
<ClaimsTransformation Id="GetIdClaimFromJson" TransformationMethod="GetClaimFromJson">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="slackOAuthResponse" TransformationClaimType="inputJson" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="claimToExtract" DataType="string" Value="id" />
  </InputParameters>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="socialIdpUserId" TransformationClaimType="extractedClaim" />
  </OutputClaims>
</ClaimsTransformation>
<ClaimsTransformation Id="GetNameClaimFromJson" TransformationMethod="GetClaimFromJson">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="slackOAuthResponse" TransformationClaimType="inputJson" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="claimToExtract" DataType="string" Value="name" />
  </InputParameters>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="displayName" TransformationClaimType="extractedClaim" />
  </OutputClaims>
</ClaimsTransformation>
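The two GetClaimFromJson transformations above each pull one top-level key out of a JSON-valued claim, which is why the profile captures the whole user object as a claim and then extracts id and name from it. The exception quoted in the question ("The given key was not present in the dictionary") is the same failure mode one level earlier: the OAuth2 provider reads a key it expects in the token response and does not find it. The code below is an added example, not Slack's or Microsoft's, mimicking both steps; the sample responses are constructed to the shape of users.identity and oauth.v2.access replies, and the assumption that a user-only v2 grant nests the token under authed_user rather than at the top level is an assumption about Slack's response format, not something the page states.

```python
"""Mimic of GetClaimFromJson over a Slack users.identity response, plus a
token-response check for the 'key not present' case. Added example; not
Slack's or Microsoft's code. Responses are constructed samples; the nesting
of the user token under authed_user for user_scope-only grants is assumed.
"""
import json

# Constructed: users.identity reply for identity.basic
SAMPLE_IDENTITY = json.dumps({
    "ok": True,
    "user": {"name": "Alice Example", "id": "U0123456"},
    "team": {"id": "T0123456"},
})
SAMPLE_IDENTITY_ERROR = json.dumps({"ok": False, "error": "invalid_auth"})

# Constructed: oauth.v2.access with only user_scope granted (assumed shape)
SAMPLE_V2_TOKEN_USER_ONLY = json.dumps({
    "ok": True,
    "app_id": "A0123456",
    "authed_user": {
        "id": "U0123456",
        "scope": "identity.basic",
        "access_token": "xoxp-user-token",
        "token_type": "user",
    },
    "team": {"id": "T0123456", "name": "Example"},
})

# Constructed: legacy oauth.access reply with a top-level access_token
SAMPLE_V1_TOKEN = json.dumps({"ok": True, "access_token": "xoxp-legacy", "scope": "identity.basic"})


def get_claim_from_json(input_json, claim_to_extract):
    """Equivalent of the GetClaimFromJson transformation: one top-level key.
    Nested objects are returned re-serialized so they can feed a further
    transformation, as the 'user' claim does above."""
    obj = json.loads(input_json)
    if not isinstance(obj, dict) or claim_to_extract not in obj:
        raise KeyError(claim_to_extract)
    value = obj[claim_to_extract]
    return value if isinstance(value, str) else json.dumps(value, separators=(",", ":"))


def slack_user_claims(identity_response):
    """socialIdpUserId and displayName exactly as the two transformations derive them."""
    data = json.loads(identity_response)
    if not data.get("ok"):
        raise ValueError("Slack returned an error: %s" % data.get("error", "unknown"))
    user_json = get_claim_from_json(identity_response, "user")
    return {
        "socialIdpUserId": get_claim_from_json(user_json, "id"),
        "displayName": get_claim_from_json(user_json, "name"),
    }


def access_token_from_response(token_response):
    """Return (token, where_found). A client that only reads the top-level
    access_token key raises KeyError on the user-only v2 shape, which matches
    the 'given key was not present' exception in the question."""
    data = json.loads(token_response)
    if not data.get("ok"):
        raise ValueError("Slack returned an error: %s" % data.get("error", "unknown"))
    if "access_token" in data:
        return data["access_token"], "top-level"
    authed_user = data.get("authed_user") or {}
    if "access_token" in authed_user:
        return authed_user["access_token"], "authed_user"
    raise KeyError("access_token")
```

The practical consequence is the one the answer's profile already embodies: the legacy oauth.access and oauth/authorize endpoints with a plain scope parameter return the token where a generic OAuth2 client looks for it, whereas the v2 endpoints with user_scope do not.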
I have been struggling with this same situation, where user_scope isn't a valid parameter in my .NET Core web app.
I tried setting the auth endpoint to:
https://slack.com/oauth/v2/authorize?user_scope=identity.basic+identity.email+identity.team
and that did get past one hurdle, but after I sign in and am redirected back to my web app, it fails to process the claims. I'll update this partial answer if I can get it working, but hopefully, it will help someone figure this out.

Azure B2C Custom Policy - Showing button on validation

It looks like there is not a lot of help, or many forums, on the Azure AD B2C custom policy framework.
I have used the following technical profile in my custom policy.
<TechnicalProfile Id="AAD-UserReadUsingEmailAddress">
  <Metadata>
    <Item Key="Operation">Read</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
    <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">An account could not be found for the provided user ID.</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" Required="true" />
  </InputClaims>
  <OutputClaims>
    <!-- Required claims -->
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
    <OutputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" />
    <!-- Optional claims -->
    <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
    <OutputClaim ClaimTypeReferenceId="displayName" />
    <OutputClaim ClaimTypeReferenceId="accountEnabled" />
    <OutputClaim ClaimTypeReferenceId="otherMails" />
    <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="AssertAccountEnabledIsTrue" />
  </OutputClaimsTransformations>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>
This profile looks for the user and comes back with an error message if the user was not found in AD. However, I want to show the user a button to sign up after the validation happens. How can I achieve this?
Any help will be appreciated!
Azure AD B2C custom policy is now a GA product and it has a lot of good documentation available.
What you want to achieve here is very common and has been explained in the starter pack. It's called a SignUpOrSignIn policy.
Walk through the article
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-get-started-custom
You can also see the policies here
https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/master/SocialAndLocalAccountsWithMfa/TrustFrameworkBase.xml
Look at this technical profile: https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/master/SocialAndLocalAccountsWithMfa/TrustFrameworkBase.xml#L981
Providing this metadata might help:
<Metadata>
  <Item Key="SignUpTarget">SignUpWithLogonEmailExchange</Item>
  <Item Key="setting.operatingMode">Email</Item>
  <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
</Metadata>

Json type claim in Azure AD B2C custom policies

I am using Azure AD B2C custom policies to get claims from a third party and map them to the claims returned in the Azure AD B2C token.
If the third party returns claims in the form of strings, my user journey in the policy works fine. My problem is that the third party is returning the claims in the form of JSON. I couldn't find anything relevant in the B2C policy's XML schema that can handle this case.
Is there any way to do this using Azure AD B2C custom policies?
Though I don't know what third-party identity provider you're using, I think you can add the provider by adding custom providers in custom policies.
First, according to your post, I assume that you're using an OAuth/OIDC provider.
Example: add LinkedIn as an identity provider by using custom policies.
In the <ClaimsProviders> element, add the following XML snippet:
<ClaimsProvider>
  <Domain>linkedin.com</Domain>
  <DisplayName>LinkedIn</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="LinkedIn-OAUTH">
      <DisplayName>LinkedIn</DisplayName>
      <Protocol Name="OAuth2" />
      <Metadata>
        <Item Key="ProviderName">linkedin</Item>
        <Item Key="authorization_endpoint">https://www.linkedin.com/oauth/v2/authorization</Item>
        <Item Key="AccessTokenEndpoint">https://www.linkedin.com/oauth/v2/accessToken</Item>
        <Item Key="ClaimsEndpoint">https://api.linkedin.com/v1/people/~:(id,first-name,last-name,email-address,headline)</Item>
        <Item Key="ClaimsEndpointAccessTokenName">oauth2_access_token</Item>
        <Item Key="ClaimsEndpointFormatName">format</Item>
        <Item Key="ClaimsEndpointFormat">json</Item>
        <Item Key="scope">r_emailaddress r_basicprofile</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="UsePolicyInRedirectUri">0</Item>
        <Item Key="client_id">Your LinkedIn application client ID</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_LinkedInSecret" />
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="id" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="firstName" />
        <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="lastName" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="emailAddress" />
        <!--<OutputClaim ClaimTypeReferenceId="jobTitle" PartnerClaimType="headline" />-->
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="linkedin.com" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
Also, you can add <Item Key="AccessTokenResponseFormat">json</Item> to indicate the JSON type of the endpoint response.
You can see more details about adding LinkedIn as an identity provider by using custom policies in this document.
Additional:
I don't know what third-party identity provider you're using; if it helps, please let me know.
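The question is about a provider that returns nested JSON rather than flat string claims. The LinkedIn v2 profile earlier on this page shows the two mechanisms that cover this: ResolveJsonPathsInJsonTokens lets a PartnerClaimType be a dotted path such as firstName.localized, and a value that is still an object at the end of the path is carried as a JSON string into a further transformation (the ExtractGivenNameFromLinkedInResponse step). The resolver below is an added example of that behaviour, not Microsoft's implementation; the profile payload is a constructed sample, and the numeric array index support is this example's extension rather than something the page documents for B2C.

```python
"""Resolve dotted JSON paths into claim values, the way PartnerClaimType
values like firstName.localized are used with ResolveJsonPathsInJsonTokens.
Added example; not B2C's implementation. Sample payload is constructed, and
array indexing by number is this example's own extension.
"""
import json

SAMPLE_PROFILE = json.dumps({
    "id": "abc123",
    "firstName": {
        "localized": {"en_US": "Alice"},
        "preferredLocale": {"country": "US", "language": "en"},
    },
    "lastName": {
        "localized": {"en_US": "Example"},
        "preferredLocale": {"country": "US", "language": "en"},
    },
    "emails": [{"address": "alice@example.com", "primary": True}],
})

# claimType -> partnerClaimType (dotted path); "headline" is absent on purpose
CLAIM_MAPPING = {
    "issuerUserId": "id",
    "givenName": "firstName.localized",
    "surname": "lastName.localized.en_US",
    "email": "emails.0.address",
    "jobTitle": "headline",
}


def resolve_json_path(obj, path):
    """Walk obj along a dotted path; None if any segment is missing."""
    current = obj
    for part in path.split("."):
        if isinstance(current, dict) and part in current:
            current = current[part]
        elif isinstance(current, list) and part.isdigit() and int(part) < len(current):
            current = current[int(part)]
        else:
            return None
    return current


def claims_from_json(response_text, mapping):
    """Map a JSON response onto claim types. Leaf strings are used as-is;
    objects are re-serialized, which is what a downstream transformation
    such as ExtractGivenNameFromLinkedInResponse receives."""
    data = json.loads(response_text)
    claims = {}
    for claim_type, partner_claim_type in mapping.items():
        value = resolve_json_path(data, partner_claim_type)
        if value is None:
            continue   # unmapped claim stays absent rather than empty
        if isinstance(value, bool):
            claims[claim_type] = "true" if value else "false"
        elif isinstance(value, str):
            claims[claim_type] = value
        else:
            claims[claim_type] = json.dumps(value, separators=(",", ":"))
    return claims


def first_localized_value(localized_json):
    """'{"en_US":"Alice"}' -> 'Alice'; picks the first locale deterministically."""
    localized = json.loads(localized_json)
    if not isinstance(localized, dict) or not localized:
        return None
    return localized[sorted(localized)[0]]
```

The split between the two functions mirrors the policy: the claims provider only resolves paths, and anything still structured at that point needs its own transformation before it can be emitted in the token.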
