I need help to solve a problem I have, we need to create a custom policy, which we already have created, but we need to read the value of the user's employeeid in Azure AD, so that when you sign in the first time, this is registered in B2C with that value. I put images to understand it:
Azure AD:
but when I sign in, the user in Azure AD B2C doesn't have the employeeid:
I defined in the custom policy the claim:
<ClaimType Id="extension_employeeid">
<DisplayName>EmployeeId</DisplayName>
<DataType>string</DataType>
<DefaultPartnerClaimTypes>
<Protocol Name="OAuth2" PartnerClaimType="employeeid" />
<Protocol Name="OpenIdConnect" PartnerClaimType="employeeid" />
<Protocol Name="SAML2" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/employeeid" />
</DefaultPartnerClaimTypes>
<UserHelpText>Your EmployeeId. </UserHelpText>
<!--<UserInputType>Readonly</UserInputType>-->
<UserInputType>TextBox</UserInputType>
</ClaimType>
but the value of employeeid that is returned is empty.
How I can fix it?
Please check the User profile attributes in AAD B2C to get extension attributes for builtin attributes and employeeId is identifier attributes.
Use PersistedClaims to write data to the user profile i.e.; Write data during a federated account first-time sign-in flow and OutputClaims to read data from the user profile within the respective Active Directory technical profiles.
In your trustframeworkextensions file
<!-- Write data during a federated account first-time sign-in flow. -->
<TechnicalProfile Id="AAD-UserWriteUsingAlternativeSecurityId">
<InputClaims>
<InputClaim ClaimTypeReferenceId=" extension_EmployeeId " />
</InputClaims>
<PersistedClaims>
<PersistedClaim ClaimTypeReferenceId=" extension_EmployeeId " />
</PersistedClaims>
<OutputClaims>
ClaimTypeReferenceId="extension_EmployeeId" PartnerClaimType="extn.EmployeeId" " Required="true" />
</OutputClaims>
</TechnicalProfile>
Make TechnicalProfile Id =”AAD-UserReadUsingObjectId” to Read data
after user authenticates with a local account.
If SAML is sending a claim "employeeId" than the mapping is
<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="employeeId" />
Or try Technical Profile to output with PartnerClaimType as extension_employeeNumber
Also see Azure AD B2C: Custom claims with custom policies - Microsoft Q&A
Make sure to enable extension attributes in the custom policy,
provide Application ID and Application Object ID in the AAD-Common
technical profile metadata
Azure Active Directory
See: application properties
Please note that the Claim you set in SignUpOrSignin will be only
returned after your sign-up at that time. The custom attribute won't
be stored into Azure AD. Make sure to set the value of extension in
Base policy file .
References:
azure ad b2c - B2C SAML missing claims - Stack Overflow
Reading Extension Claims in Azure AD B2C - Stack Overflow
I have Azure AD configured as an identity provider. I wanted to know if it is possible to have Azure AD pass along the email address of the user and pass that along as a claim in the token we obtain when users log in. If not, how can I achieve this, I am new to B2C.
You can use Azure AD Custom claims to issue the "email" claim in the Azure AD Token that is returned to AAD B2C. This claim is only populated if the user has an Exchange Online inbox.
If you are using custom policies in Azure AD B2C, you can output the claim into the claimbag using:
<OutputClaim ClaimTypeReferenceId="aadEmail" PartnerClaimType="email" />
Where the ClaimTypeReferenceId is the claimbag claim that AAD B2C will store, and the PartnerClaimType is the name of the claim in the AAD Token you want to parse.
If the users do not have an EXO mailbox, then you could rely on the users UserPrincipalName coming back from Azure AD. That is in the claim called unique_name. So you could map that in the AAD technical profile by adding the following:
<OutputClaim ClaimTypeReferenceId="upn" PartnerClaimType="unique_name" />
If you are using AAD B2C User Flows, map it as per the doc step 11:
Email: unique_name
or
Email: email (if the users have EXO inboxes).
I followed this manual to register SAML to my azure b2c: https://learn.microsoft.com/en-us/azure/active-directory-b2c/connect-with-saml-service-providers
With this I am able to define SAML claims in my new TechnicalProfile with for example
<OutputClaim ClaimTypeReferenceId="surname"/>
Now, I have application which expects EXACTLY some attributes with a specific name. Setting PartnerClaimType to some custom string will result in a saml attribute with that string as attribut name:
<OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="LastName" />
This will result in:
<saml:Attribute Name="LastName"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
FriendlyName="Surname">
<saml:AttributeValue xsi:type="xs:string">Peters</saml:AttributeValue>
</saml:Attribute>
But I can just configure claims on that profile - I need to specify it in the app registration in azure.
So the 1st application needs attribute "surname", next needs "FamilyName" and 3rd needs "LastName".
How can I use the claim defined in the policy and change it in the app? I saw there is some property "optionalClaims" in the manifest and there are "saml2Token". But the documentation of this did not helped me (https://learn.microsoft.com/de-de/azure/active-directory/develop/active-directory-optional-claims).
If you are connecting 3 SAML Relying Parties, you would have 3 Application Registrations, and 3 Relying Party technical profiles as part of your Custom Policy. Each Relying party section would have the required claims mappings.
I need to provide IdP (SAML 2.0) the SingleLogoutService Location of our Azure B2C tenant, i.e., something like
<md:EntityDescriptor …
<md:SPSSODescriptor …
<md:SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://login.microsoftonline.com/<TENANT>.onmicrosoft.com/saml2" />
What would that Location be? I was able to figure out the ACS which is
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/te/<TENANT>.onmicrosoft.com/B2C_1A_TrustFrameworkBase/samlp/sso/assertionconsumer"
index="1" isDefault="true"/>
I assume the Single Logout Service is something similar but cannot find any reference what it would be.
You can get the Azure AD B2C metadata at:
https://login.microsoftonline.com/te/<tenant>/<policy>/samlp/metadata
The Single Logout service location should be:
https://login.microsoftonline.com/te/<tenant>/<policy>/samlp/sso/logout
I have created custom policies for social and local accounts based on the example from the Active Directory B2C custom policy starter pack for social and local accounts. I have enabled the login with Microsoft and Google and tested that both work, I have also enabled logging in with a local account.
When I log in with google I get the following claims
exp,nbf,ver,iss,sub,aud,acr,nonce,iat,auth_time,email,given_name,family_name,name,idp,at_hash
When I log into a custom Azure AD tenant the set of claims is missing 'email', but the email is listed in the 'name' claim
exp,nbf,ver,iss,sub,aud,acr,nonce,iat,auth_time,given_name,family_name, name,idp,at_hash
When I log in as a local account the set of claims is missing 'email' and there is no email listed in any of the fields.
exp,nbf,ver,iss,sub,aud,acr,nonce,iat,auth_time,given_name, family_name,name,at_hash
Finally, when I look at the list of users in the B2C admin, these are all different user entries...even though the email address is the same. So I have 2 questions,
How do I get a consistent set of claims in the id_token
How do I link all these accounts together at registration time (Same UPN)
I believe these may be related, which is why I am asking them together.
You probably want to see the policies, but I assure you they are exactly the same as the policies in the starter pack, all I've done is change the tenant names and added google and azure in the trust framework extensions file.
For the Azure AD email claim, add the following <OutputClaim /> to the Azure AD OpenID Connect technical profile:
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="unique_name" />
For the local account email claim, add the following <OutputClaim /> to the AAD-UserReadUsingObjectId technical profile:
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" />