Azure B2C SAML response missing email address attribute - azure

I've registered SAML application using the MS ref: https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-custom-policy
My SignUpOrSignin.xml has the OutputClaim tags to return the email attribute value in the SAML response, but I'm getting the rest of the attribute values except the user account email in the SAML response. I've confirmed that the user account has a valid email value in Azure B2C AD. Not sure what I am missing here. Do I need to configure any other setting to get the email attribute value in the SAML response, please?

Add the outputClaim in AAD-UserReadUsingObjectId.
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="ATTRIBUTE_NAME" />
Usually the email is stored in the attribute: signInNames.emailAddress.

Related

Azure B2C - Pass Parameter via URL to ClaimType to Claim in Token

I want to pass a parameter via the request URL to B2C and then be able to send this out as a claim in the access token. I am guessing I will need to capture this in a claimType. How do I go about this?
Thanks!
You can capture query string parameters using a Claims Resolver.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/claim-resolver-overview#oauth2-key-value-parameters
For example, if you would like to capture the ?bandz=test query string parameter, you could resolve that via the {OAUTH-KV:bandz} claims resolver.
In your <RelyingParty>'s output claims, you could then refer to a claim and the value like this:
<OutputClaim ClaimTypeReferenceId="customClaimId" AlwaysUseDefaultValue="true" DefaultValue="{OAUTH-KV:bandz}" />
You would just need a Claim definition for customClaimId.

Obtain email address from Sign up and sign in v2 Policy?

I have Azure AD configured as an identity provider. I wanted to know if it is possible to have Azure AD pass along the email address of the user and pass that along as a claim in the token we obtain when users log in. If not, how can I achieve this? I am new to B2C.
You can use Azure AD Custom claims to issue the "email" claim in the Azure AD Token that is returned to AAD B2C. This claim is only populated if the user has an Exchange Online inbox.
If you are using custom policies in Azure AD B2C, you can output the claim into the claimbag using:
<OutputClaim ClaimTypeReferenceId="aadEmail" PartnerClaimType="email" />
Where the ClaimTypeReferenceId is the claimbag claim that AAD B2C will store, and the PartnerClaimType is the name of the claim in the AAD Token you want to parse.
If the users do not have an EXO mailbox, then you could rely on the user's UserPrincipalName coming back from Azure AD. That is in the claim called unique_name. So you could map that in the AAD technical profile by adding the following:
<OutputClaim ClaimTypeReferenceId="upn" PartnerClaimType="unique_name" />
If you are using AAD B2C User Flows, map it as per the doc step 11:
Email: unique_name
or
Email: email (if the users have EXO inboxes).

Email claims not populated with custom policies in Azure B2C

I have Azure B2C with custom policies with Local Login and Microsoft Account login enabled. I have started with the starter pack and made some modifications to add my custom logic to validate and add additional claims as explained here.
Everything works fine with Microsoft Account. But I am facing issues with Local Account Sign in.
The email claim is only populated when the user signs up, but not on sign-in. In the case of sign-in, the email is part of the "signInNames.emailAddress" claim. I tried making changes as explained here and here. I would like the email to be populated in the email claim, as my API uses this claim.
Additional claims returned from my REST API are not added to the token only for Local Login. They are added for Microsoft Account.
thank you.
Update: For point 2, it's a problem with my policy file and is now fixed.
There is a simple method to return email claim.
Just replace <OutputClaim ClaimTypeReferenceId="email" /> with <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email" /> in your SignUporSignIn.xml file.
You need to sign up new local user and then sign in to test it. You will see the email claim.
In fact, this solution has been provided by #Wayne Yang in the post you shared.

B2C login_hint with ADFS using SAML2 protocol

This article https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/blob/master/Documentation/Domain-and-login-hint%20Tips%20and%20Tricks.pdf explains how to pass the login_hint to an ADFS login page. My TechnicalProfile for the ADFS ClaimsProvider has the InputClaims defined as shown below. (The username contains the user login name from a previous user journey step.)
<InputClaims>
<InputClaim ClaimTypeReferenceId="username" PartnerClaimType="login_hint" />
</InputClaims>
Doing the exact same for an AAD Claims provider works just fine, but it does not work for the SAML2 protocol. According to the article it is supposed to work. Am I doing something wrong here?

Azure AD B2C - Pass current culture to REST API

I'm working on a REST API that sends a confirmation email for a custom policy. Can anyone tell me if there is a way to pass the current culture so I can send a localized email?
You can add an <InputClaim /> to the REST API technical profile for passing the current culture as follows:
<InputClaim ClaimTypeReferenceId="mkt" PartnerClaimType="mkt" DefaultValue="{Culture:RFC5646}" />
where "mkt" (market) is an example of a claim type that you can replace with your own.
"{Culture:RFC5646}" is known as a claims resolver.
Be sure to add the claim type to the TrustFrameworkPolicy/BuildingBlocks/ClaimsSchema section.
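The threads above keep circling the same two policy mistakes: a RelyingParty output claim that no technical profile ever populates for local accounts (the email claim lives in signInNames.emailAddress, so the SAML or JWT token comes back without email), and a ClaimTypeReferenceId (customClaimId, mkt) that has no ClaimType definition in the ClaimsSchema. The script below is an added example, not code from any of the posts or from Microsoft's starter pack: a small lint that reads a B2C custom policy, lists the claim names that will appear in the token, and flags both mistakes. The policy it checks is a constructed, trimmed-down document (real policies spread technical profiles across the base, extension and relying-party files, so a production lint would need to load that whole chain first); the namespace URI is the real B2C policy namespace, and the fix it verifies is the one given in the answer above (signInNames.emailAddress mapped to PartnerClaimType="email").

```python
"""Lint an Azure AD B2C custom policy for output claims that are undefined or
never populated. Added example; the policy text is constructed for illustration."""
import xml.etree.ElementTree as ET

# Real namespace used by B2C TrustFrameworkPolicy documents.
B2C_NS = "http://schemas.microsoft.com/online/cpim/schemas/2013/06"
NS = {"b2c": B2C_NS}
TP_TAG = "{%s}TechnicalProfile" % B2C_NS

# Constructed policy: ClaimsSchema, the user-read profile, and the relying party
# in one document. It reproduces the "email is missing on local sign-in" setup.
POLICY_BROKEN = """<TrustFrameworkPolicy xmlns="%s">
  <BuildingBlocks>
    <ClaimsSchema>
      <ClaimType Id="objectId"><DataType>string</DataType></ClaimType>
      <ClaimType Id="signInNames.emailAddress"><DataType>string</DataType></ClaimType>
      <ClaimType Id="email"><DataType>string</DataType></ClaimType>
      <ClaimType Id="displayName"><DataType>string</DataType></ClaimType>
    </ClaimsSchema>
  </BuildingBlocks>
  <ClaimsProviders>
    <ClaimsProvider>
      <TechnicalProfiles>
        <TechnicalProfile Id="AAD-UserReadUsingObjectId">
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" />
            <OutputClaim ClaimTypeReferenceId="displayName" />
          </OutputClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
  <RelyingParty>
    <TechnicalProfile Id="PolicyProfile">
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="email" />
        <OutputClaim ClaimTypeReferenceId="customClaimId" AlwaysUseDefaultValue="true" DefaultValue="{OAUTH-KV:bandz}" />
      </OutputClaims>
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>
""" % B2C_NS

# The corrected policy: map the stored claim to the token name "email" and
# define the claim type that the claims resolver writes into.
POLICY_FIXED = POLICY_BROKEN.replace(
    '<OutputClaim ClaimTypeReferenceId="email" />',
    '<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email" />',
).replace(
    "</ClaimsSchema>",
    '  <ClaimType Id="customClaimId"><DataType>string</DataType></ClaimType>\n    </ClaimsSchema>',
)


def lint_policy(policy_xml: str) -> dict:
    """Return the token claim names the relying party will emit and a list of findings."""
    root = ET.fromstring(policy_xml)

    # Claim types that exist in the ClaimsSchema.
    defined = {ct.get("Id") for ct in root.findall(".//b2c:ClaimsSchema/b2c:ClaimType", NS)}

    # Claim types written into the claims bag by some technical profile.
    produced = {}
    for providers in root.findall("b2c:ClaimsProviders", NS):
        for tp in providers.iter(TP_TAG):
            for oc in tp.findall("b2c:OutputClaims/b2c:OutputClaim", NS):
                produced.setdefault(oc.get("ClaimTypeReferenceId"), set()).add(tp.get("Id"))

    findings = []
    token_claims = {}  # name in the issued token -> claims-bag claim it is read from
    for oc in root.findall("b2c:RelyingParty/b2c:TechnicalProfile/b2c:OutputClaims/b2c:OutputClaim", NS):
        ref = oc.get("ClaimTypeReferenceId")
        token_claims[oc.get("PartnerClaimType") or ref] = ref
        if ref not in defined:
            findings.append(f"undefined: {ref} has no ClaimType in ClaimsSchema")
        # A DefaultValue (e.g. a claims resolver) populates the claim without a technical profile.
        if ref not in produced and oc.get("DefaultValue") is None:
            findings.append(f"unpopulated: {ref} is not output by any technical profile and has no DefaultValue")
    return {"token_claims": token_claims, "findings": findings}


if __name__ == "__main__":
    for label, policy in (("broken", POLICY_BROKEN), ("fixed", POLICY_FIXED)):
        report = lint_policy(policy)
        print(label, "token claims:", report["token_claims"])
        for finding in report["findings"]:
            print("  ", finding)
```

Run it and the broken policy reports that email is never populated (the user-read profile only emits signInNames.emailAddress) and that customClaimId is undefined; the fixed policy reports no findings and shows that the token's email claim is now read from signInNames.emailAddress. On a real policy chain, run the same check after merging the OutputClaims of every TechnicalProfile in the base and extension files.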
