I'm looking for an example of how to unlink an Azure Work/School account from a B2C user. I've used this sample policy Account-Linkage-Unified and can successfully link a Work/School account, but the unlinking uses the below Metadata tag to find the entry in the "identities" collection to present the Unlink button... but a work/school account's Issuer is https://login.microsoftonline.com/{tenant Id}/v2.0
<Metadata>
<Item Key="ClaimValueOnWhichToEnable">login.microsoftonline.com</Item>
</Metadata>
I need a way to have this match the value pulled back from the identities collection if it matches "login.microsoftonline.com".
Any suggestion is appreciated.
I ended up creating a custom attribute in which to place the issuer value (https://login.microsoftonline.com/3b7daec3-d31c-xxxx-b5d4-e6e5facd1080/v2.0), so that when unlinking, the technical profile can pull this from the user and find the correct identity in the collection to remove.
I have B2C tenant xxx.onmicrosoft.com and account admin#xxx.onmicrosoft.com.
I have an API Connector (an Azure Function called B2CRoleAssignment) that gets triggered before including application claims in the token (Preview).
When I first attempt to sign into my SPA application with admin#xxx.onmicrosoft.com, this is the payload my API Connector (Azure Function) receives:
{
"step":"PreTokenIssuance",
"client_id":"XXXXYYYY-XXXX-YYYY-ZZZZ-d6b8da8e942a",
"ui_locales":"en-US",
"email":"admin#xxx.onmicrosoft.com",
"objectId":"AAAABBBB-CCCC-DDDD-EEEE-ad37b0ec108e",
"displayName":"admin"
}
When I close my SPA application and open it again, this is the payload API Connector (Azure Function) receives:
{
"step":"PreTokenIssuance",
"client_id":"XXXXYYYY-XXXX-YYYY-ZZZZ-d6b8da8e942a",
"ui_locales":"en-US",
"objectId":"AAAABBBB-CCCC-DDDD-EEEE-ad37b0ec108e",
"displayName":"admin"
}
How come the email claim is missing? On my Sign up and sign in User Flow I have selected Email Addresses application claim, but that doesn't seem to be working or doing anything at all.
The interesting thing is, this appears to only be a problem with accounts ending with #xxx.onmicrosoft.com.
• The email claim is missing during the sign-in and sign-up user flow when the API connector is selected because Azure AD B2C treats the Azure Function app as an untrusted domain website/application once the session is interrupted by closing and reopening the application; the session token may then be considered expired or invalid immediately, and as a result the ‘email’ claim is omitted.
Because of this, the email claim attribute may be returned as null in the ‘application/json’ payload, since its value in the column may be missing or unknown. I would therefore suggest using custom policies for sign-in or sign-up instead of the default user flows in the Azure AD B2C console. Also, in the sign-in and sign-up custom policy starter pack, or in whichever default custom policy you are editing, add the claims below to the custom policy output claims so that you get ‘email’ as an attribute in the decoded token; adding them allows signing in through multiple claim attributes, and you may not get the email claim when claim types other than email are used.
<!-- This was already here -->
<OutputClaim ClaimTypeReferenceId="email" />
<!-- Added claim -->
<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email" />
To find the default custom policy starter pack, refer to the link below for more details:
https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack
Also, to know more about the above issue and its accepted solution, kindly refer to the community link below:
Why is email not returned with api connector when SSO with azure b2c?
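As an added example written for this page (not code from the question, the answer above, or the starter pack), here is how the same call is made from a custom policy, where the policy, not the session, decides which claims reach the API: the REST technical profile sends objectId and the directory copy of the email (signInNames.emailAddress, which AAD-UserReadUsingObjectId outputs on every sign-in) so the function is never left without it. The ServiceUrl, the policy-key names, the claim named "role" and the response body shape are assumptions; the handler strings and metadata keys are the documented ones for the RestfulProvider.

```xml
<!-- BuildingBlocks/ClaimsSchema: the claim the API returns (assumed name) -->
<ClaimType Id="role">
  <DisplayName>Application role</DisplayName>
  <DataType>string</DataType>
</ClaimType>

<!-- ClaimsProviders: the REST call that replaces the user flow's API connector -->
<ClaimsProvider>
  <DisplayName>REST API: B2CRoleAssignment</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="REST-B2CRoleAssignment">
      <DisplayName>Role lookup before token issuance</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <!-- Assumed URL. Keep the function key out of the query string; authenticate with
             the basic-auth secrets held in the policy key container instead. -->
        <Item Key="ServiceUrl">https://your-function-app.azurewebsites.net/api/B2CRoleAssignment</Item>
        <Item Key="SendClaimsIn">Body</Item>
        <Item Key="AuthenticationType">Basic</Item>
        <!-- false: a production policy refuses AuthenticationType None -->
        <Item Key="AllowInsecureAuthInProduction">false</Item>
      </Metadata>
      <CryptographicKeys>
        <!-- policy keys created under Identity Experience Framework > Policy keys (assumed names) -->
        <Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_RestApiUsername" />
        <Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_RestApiPassword" />
      </CryptographicKeys>
      <InputClaims>
        <!-- objectId is set by AAD-UserReadUsingObjectId on every sign-in, so key the API on it -->
        <InputClaim ClaimTypeReferenceId="objectId" />
        <!-- the directory copy of the email, read by the same profile; sent under the JSON
             key "email" so the function sees the field name it already expects -->
        <InputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email" />
      </InputClaims>
      <OutputClaims>
        <!-- assumed response body: {"role":"admin"} -->
        <OutputClaim ClaimTypeReferenceId="role" />
      </OutputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<!-- UserJourney "SignUpOrSignIn" (LocalAccounts starter pack): call the API after the user
     has been read (step 3) and before the token is issued. Step 4 is new; SendClaims moves to 5. -->
<OrchestrationStep Order="4" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="RESTB2CRoleAssignment" TechnicalProfileReferenceId="REST-B2CRoleAssignment" />
  </ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="5" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />

<!-- RelyingParty file, PolicyProfile/OutputClaims: put the role into the token -->
<OutputClaim ClaimTypeReferenceId="role" />
```

With this layout the function receives the same objectId on the first and on every later sign-in, and the email comes from the directory record rather than from whatever the current session happened to carry. The function must now validate the basic-auth credentials on each request; a handler that accepts unauthenticated calls would let anyone who knows the URL mint role claims.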
Hi, I am trying to validate the user's password with an on-prem API.
Below is my trust-framework base policy code.
The framework file is available from the following GitHub link.
https://github.com/azure-ad-b2c/user-migration/issues/30
I am getting the error below when executing the above policy:
"Unable to validate the information provided."
Can you please help me with what I am missing here?
Thanks,
Shiva
Please check the points below:
Unable to validate the information provided
This issue may occur if the wrong IDs or values are put in the extensions policy for the Identity Experience Framework and Proxy Identity Experience Framework applications, or if the extension property itself was not registered successfully.
Please check that the custom attribute for B2C (the extension attribute) is properly registered, so that the property can be used in the technical profile to be validated. Define custom attributes in Azure Active Directory B2C | Microsoft Docs
Please make sure the metadata details are all correct. To enable custom attributes in your policy, you need to provide the Application ID and Application Object ID in the AAD-Common technical profile metadata before using the extension property (see modify-your-custom-policy), like so:
<Metadata>
<Item Key="ApplicationObjectId"> objectId here</Item>
<Item Key="ClientId"> appId here</Item>
</Metadata>
Also please check that the data type of the custom attribute is correct and that the received claim matches that data type. See b2c-custom-policy-starterpack/issues
References:
c# -"Unable to validate the information provided"DNA integration - Stack Overflow
azure ad B2C force password reset. Unable to validate the information provided · Issue GitHub
I have a trust framework SignUpOrSignIn custom policy user flow which sets 3 extension attributes for an app.
I can see these 3 claims and their default values in the token.
However, when I GET the user via MS Graph API (https://graph.microsoft.com/beta/{tenantId}/users/{userId}), I do not see these extension attributes.
Once I PATCH the user, I can then see the value via the GET to the {userId} segment as expected.
PATCH
{
"extension_{appId}_subscription_expiry":"2020-04-10"
}
Why are any extension attributes not returned until they've been subsequently PATCHed?
Although you have set default values for the 3 extension attributes in your custom policy, you can only see them in the token issued at sign-up at that time. You didn't store them in Azure AD.
I guess that you just added code such as <OutputClaim ClaimTypeReferenceId="extension_subscription_expiry" AlwaysUseDefaultValue="true" DefaultValue="xxx" /> to your SignUpOrSignIn.xml file.
But if you want to store the values into Azure AD, you should write the custom claim to the user profile by using AAD-UserWriteUsingLogonEmail TechnicalProfile. See Read and write a claim.
You should finish all the steps listed in this document: Add claims and customize user input using custom policies in Azure Active Directory B2C
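The plumbing that both this thread and the "Unable to validate the information provided" thread above turn on, as an added example written for this page (not code from the questions, the answers or the starter pack): the b2c-extensions-app IDs in AAD-Common, the claim declaration, the PersistedClaim that actually stores the value at sign-up, and the OutputClaim that reads it back on sign-in. The GUIDs, the attribute name and the default date are placeholders; the technical profile IDs are the starter-pack ones these fragments override in TrustFrameworkExtensions.xml.

```xml
<!-- BuildingBlocks/ClaimsSchema. In the directory (and in Microsoft Graph) the attribute is
     extension_<b2c-extensions-app application ID without dashes>_subscription_expiry;
     inside the policy it is referenced without the application ID. -->
<ClaimType Id="extension_subscription_expiry">
  <DisplayName>Subscription expiry</DisplayName>
  <DataType>string</DataType>
  <UserHelpText>ISO date on which the subscription ends</UserHelpText>
</ClaimType>

<ClaimsProvider>
  <DisplayName>Azure Active Directory</DisplayName>
  <TechnicalProfiles>
    <!-- AAD-Common is inherited by every AAD-* profile. Wrong or swapped values here
         are one cause of "Unable to validate the information provided". -->
    <TechnicalProfile Id="AAD-Common">
      <Metadata>
        <!-- Object ID of the b2c-extensions-app registration (placeholder) -->
        <Item Key="ApplicationObjectId">00000000-0000-0000-0000-000000000000</Item>
        <!-- Application (client) ID of the same registration (placeholder) -->
        <Item Key="ClientId">11111111-1111-1111-1111-111111111111</Item>
      </Metadata>
    </TechnicalProfile>

    <!-- Sign-up: a PersistedClaim is what stores the value in the user object; an OutputClaim
         with a DefaultValue only puts it in the token. The DefaultValue here applies when the
         claim is not already in the claims bag. -->
    <TechnicalProfile Id="AAD-UserWriteUsingLogonEmail">
      <PersistedClaims>
        <PersistedClaim ClaimTypeReferenceId="extension_subscription_expiry" DefaultValue="2020-04-10" />
      </PersistedClaims>
    </TechnicalProfile>

    <!-- Sign-in: read it back so the token carries the stored value, not a default -->
    <TechnicalProfile Id="AAD-UserReadUsingObjectId">
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="extension_subscription_expiry" />
      </OutputClaims>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<!-- RelyingParty file (e.g. SignUpOrSignIn.xml), PolicyProfile/OutputClaims. No DefaultValue
     here: a default in the token would hide whether the directory write actually succeeded. -->
<OutputClaim ClaimTypeReferenceId="extension_subscription_expiry" />
```

Both IDs come from the b2c-extensions-app entry under App registrations (All applications) in the B2C tenant; ApplicationObjectId is the Object ID, ClientId the Application (client) ID. After a sign-up with this in place, the Graph GET from the question returns the extension_{appId}_subscription_expiry property without a prior PATCH.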
I am using B2C custom polices and I would like to prevent a user from changing their password more than once per day. Is it possible to get the date of the last password change and do this check in a custom policy?
Have a look at this policy which uses the concept of storing a dateTime on the user object to do some conditional control:
https://github.com/azure-ad-b2c/samples/blob/master/policies/force-password-reset-after-90-days
and
https://github.com/azure-ad-b2c/samples/tree/master/policies/mfa-absolute-timeout-and-ip-change-trigger
You can store the date in a user-object extension attribute upon a successful password change. Then, when the user tries to reset the password, check this timestamp and compare it to 24 hours using a claims transformation. Store the boolean result in a claim. This can be done using an orchestration step of type claims transformation which calls a dateComparison transform.
You can do this calculation and set a claim value before the self-asserted technical profile which shows the password reset screen. Then, after the user verifies their email, you can use an output claims transformation to make sure this boolean is false, and otherwise throw an error using the metadata item shown below in the self-asserted technical profile where you collect the email:
<Metadata>
<Item Key="UserMessageIfClaimsTransformationBooleanValueIsNotEqual">Custom error message if account is disabled.</Item>
</Metadata>
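A concrete set of policy fragments for the check described above, added here as an example for this page (not code from the answer or from the two linked samples). Assumptions: the timestamp lives in a dateTime extension attribute named extension_passwordChangedOn, the AAD-Common metadata for extension attributes is already in place, an OutputClaim DefaultValue on the read profile fills in the claim when the attribute is absent, and DateTimeComparison behaves as documented (timeSpanInSeconds is added to firstDateTime before the comparison). The claim and profile names introduced here are mine; the starter-pack profile IDs are the ones being overridden.

```xml
<!-- BuildingBlocks/ClaimsSchema (assumed claim names) -->
<ClaimType Id="extension_passwordChangedOn">
  <DisplayName>Last password change (UTC)</DisplayName>
  <DataType>dateTime</DataType>
</ClaimType>
<ClaimType Id="currentDateTime">
  <DisplayName>Current date and time</DisplayName>
  <DataType>dateTime</DataType>
</ClaimType>
<ClaimType Id="isPasswordChangeAllowed">
  <DisplayName>More than 24 hours since the last change</DisplayName>
  <DataType>boolean</DataType>
</ClaimType>
<!-- BuildingBlocks/ClaimsTransformations -->
<ClaimsTransformation Id="GetCurrentDateTime" TransformationMethod="GetCurrentDateTime">
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="currentDateTime" TransformationClaimType="currentDateTime" />
  </OutputClaims>
</ClaimsTransformation>
<!-- Same method, writing straight into the attribute that is persisted after the change -->
<ClaimsTransformation Id="SetPasswordChangedOnToNow" TransformationMethod="GetCurrentDateTime">
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="extension_passwordChangedOn" TransformationClaimType="currentDateTime" />
  </OutputClaims>
</ClaimsTransformation>
<!-- result = (lastChange + 86400 s) earlier than now, i.e. true when the last change is over 24 h old -->
<ClaimsTransformation Id="IsLastChangeOlderThan24h" TransformationMethod="DateTimeComparison">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="extension_passwordChangedOn" TransformationClaimType="firstDateTime" />
    <InputClaim ClaimTypeReferenceId="currentDateTime" TransformationClaimType="secondDateTime" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="operator" DataType="string" Value="earlier than" />
    <InputParameter Id="timeSpanInSeconds" DataType="int" Value="86400" />
  </InputParameters>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="isPasswordChangeAllowed" TransformationClaimType="result" />
  </OutputClaims>
</ClaimsTransformation>
<!-- Fails the validation profile when the boolean is not true -->
<ClaimsTransformation Id="AssertPasswordChangeAllowed" TransformationMethod="AssertBooleanClaimIsEqualToValue">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="isPasswordChangeAllowed" TransformationClaimType="inputClaim" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="valueToCompareTo" DataType="boolean" Value="true" />
  </InputParameters>
</ClaimsTransformation>
<!-- ClaimsProviders (overrides of starter-pack profiles, in TrustFrameworkExtensions.xml) -->
<ClaimsProvider>
  <DisplayName>Azure Active Directory</DisplayName>
  <TechnicalProfiles>
    <!-- Read on the reset email page; the epoch default covers users who never changed their password -->
    <TechnicalProfile Id="AAD-UserReadUsingEmailAddress">
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="extension_passwordChangedOn" DefaultValue="1970-01-01T00:00:00.000Z" />
      </OutputClaims>
    </TechnicalProfile>
    <TechnicalProfile Id="AAD-UserWritePasswordUsingObjectId">
      <InputClaimsTransformations>
        <InputClaimsTransformation ReferenceId="SetPasswordChangedOnToNow" />
      </InputClaimsTransformations>
      <PersistedClaims>
        <PersistedClaim ClaimTypeReferenceId="extension_passwordChangedOn" />
      </PersistedClaims>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
<ClaimsProvider>
  <DisplayName>Password change rate check</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="ClaimsTransformation-AssertPasswordChangeAllowed">
      <DisplayName>Reject a second change within 24 hours</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="isPasswordChangeAllowed" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="GetCurrentDateTime" />
        <OutputClaimsTransformation ReferenceId="IsLastChangeOlderThan24h" />
        <OutputClaimsTransformation ReferenceId="AssertPasswordChangeAllowed" />
      </OutputClaimsTransformations>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
<ClaimsProvider>
  <DisplayName>Local Account</DisplayName>
  <TechnicalProfiles>
    <!-- Email-collection page of the reset journey; validation profiles run in order, so the assert runs after the read -->
    <TechnicalProfile Id="LocalAccountDiscoveryUsingEmailAddress">
      <Metadata>
        <Item Key="UserMessageIfClaimsTransformationBooleanValueIsNotEqual">Your password was already changed in the last 24 hours. Please try again later.</Item>
      </Metadata>
      <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingEmailAddress" />
        <ValidationTechnicalProfile ReferenceId="ClaimsTransformation-AssertPasswordChangeAllowed" />
      </ValidationTechnicalProfiles>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

Two points worth checking before deploying: the starter pack already lists AAD-UserReadUsingEmailAddress as a validation profile of that page, and I am relying on the extensions file merging the list by ReferenceId and appending the new entry after it; and the direction of the DateTimeComparison should be confirmed against the current claims-transformation reference, since an inverted operator would silently allow every change instead of blocking it. The error message is deliberately generic so that the reset page does not reveal to an unauthenticated caller whether a given email has an account or when its password last changed.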
I try to build an invitation flow using custom policies.
My approach was to combine the invitation part of the WingTipGamesB2C policies with the custom policy starter pack.
The invitation seems to work fine; when using the invitation link and providing the user data (display name, password), the user is created in Azure AD.
But I am not able to login with this user; the sign in dialog shows "Invalid username or password." (while with a wrong password "Your password is incorrect" is shown).
Using the builtin signin policy, the login works as expected.
b2crecorder shows the following log:
SelfAssertedMessageValidationHandler
The message was received from null
Validation via SelfAssertedAttributeProvider
Additional validation is required...
OperativeTechnicalProfile is login-NonInteractive
Mapping default value 'undefined' to policy 'client_id'
Mapping default value 'undefined' to policy 'resource_id'
Mapping 'username' partner claim type to 'signInName' policy claim type
Mapping default value 'undefined' to policy 'grant_type'
Mapping default value 'undefined' to policy 'scope'
Mapping default value 'undefined' to policy 'nca'
Using validation endpoint at: https://login.microsoftonline.com/foo.onmicrosoft.com/oauth2/token
Orchestration Step: 1
RA: 0
Protocol selected by the caller: OAUTH2
Communications with the caller handled by: OAuth2ProtocolProvider
IC: True
OAuth2 Message: MSG(c693a69c-4a15-4ef5-b85d-a9a6a3f3298f) Message Detail
ValidationRequest:
ValidationResponse:
Exception:
Exception of type 'Web.TPEngine.Providers.BadArgumentRetryNeededException' was thrown.
This looks like the same error as in this question, but should be a different problem, as the problem was the "forceChangePasswordNextLogin" flag in there, while the users that are created by the invitation should not have this flag.
I checked that the IdentityExperienceFramework and ProxyIdentityExperienceFramework apps are correctly created and permissions are granted. They are also referenced as documented in the TrustFrameworkExtensions.xml.
How can I fix this? What can I do to further debug this problem? I used both Application Insights and the b2crecorder without getting enough information about the failure.
Additional information:
* The custom sign-up does not work either
* Signing up/in via 3rd party IDP (Google) works
I just found out what my problem was: in the login-NonInteractive technical profile, I had replaced the strange-looking <Item Key="ProviderName">https://sts.windows.net/</Item> with some nicer-looking name, assuming that it was just an irrelevant string (e.g. for the Google IdP, I could use <Item Key="ProviderName">Google</Item> ...).
Well, it seems to be important. When I restored the original ProviderName, sign-in worked perfectly.
Just answering my own question here, as I hope this will save somebody else's time.