Password reset custom policy - pass validated email id in multiple orchestration steps - azure-ad-b2c

I am working on an email-or-phone custom policy and am able to make it work for the sign-in flow, but while working on password reset with the same approach, the email ID is not getting passed in the orchestration step.
When the user clicks on password reset, he is presented with a screen to validate the email. Once the user validates the email ID, he is presented with a screen to select either Email or Phone as a multi-factor option.
If the user selects Phone, everything is working fine, but when Email is selected, the text box is not able to retain the email ID validated in the first step.
I am using the same sign-in flow https://github.com/azure-ad-b2c/samples/tree/master/policies/mfa-email-or-phone for password reset as I wanted the same behavior, but I am not able to find the exact issue. Any help is appreciated. Thanks in advance!

You need to populate the readOnlyEmail claim before getting to the emailVerification page.
See how this is done for Sign Up:
  <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
    <OutputClaimsTransformations>
      <OutputClaimsTransformation ReferenceId="CopySignInNameToReadOnly" />
    </OutputClaimsTransformations>
  </TechnicalProfile>
You need to do exactly the same as this, but for the technical profile which occurs before the second screenshot, and on or after a technical profile where the email was collected.
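Worked example, added here and not part of the answer or of the mfa-email-or-phone sample: the read-only claim, a CopyClaim transformation, and its placement on the starter pack's password-reset discovery step. In the password reset journey the verified address is in the `email` claim rather than `signInName`, so the copy reads from `email`; the transformation ID `CopyEmailToReadOnly` is an assumption (the answer's `CopySignInNameToReadOnly` copies from `signInName` instead). If the sample already defines `readOnlyEmail`, omit the ClaimsSchema part.

```xml
<!-- Added example, not from the original answer or sample. -->
<BuildingBlocks>
  <ClaimsSchema>
    <!-- Rendered as a read-only field on the e-mail verification page, so the user
         cannot retype a different address after the first step verified this one. -->
    <ClaimType Id="readOnlyEmail">
      <DisplayName>Email Address</DisplayName>
      <DataType>string</DataType>
      <UserInputType>Readonly</UserInputType>
    </ClaimType>
  </ClaimsSchema>
  <ClaimsTransformations>
    <!-- Password reset verifies the address into "email", so copy from there, not signInName. -->
    <ClaimsTransformation Id="CopyEmailToReadOnly" TransformationMethod="CopyClaim">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="email" TransformationClaimType="inputClaim" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="readOnlyEmail" TransformationClaimType="outputClaim" />
      </OutputClaims>
    </ClaimsTransformation>
  </ClaimsTransformations>
</BuildingBlocks>

<ClaimsProvider>
  <DisplayName>Local Account</DisplayName>
  <TechnicalProfiles>
    <!-- Starter-pack password-reset step that collects and verifies "email". Output claims
         transformations run after the verification completes, so readOnlyEmail is in the
         claims bag before the Email/Phone selection step renders. -->
    <TechnicalProfile Id="LocalAccountDiscoveryUsingEmailAddress">
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CopyEmailToReadOnly" />
      </OutputClaimsTransformations>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

Declaring the technical profile again in the extensions file merges with the base definition, so only the added OutputClaimsTransformations element is needed. To confirm the claim is carried, run the journey with Application Insights journey recording on and check that `readOnlyEmail` appears in the claims bag after the discovery step and before the MFA selection step.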

Related

Azure B2C - Capture an email address during signup without domain

I am looking to capture an email address from a specific internal domain during signup, but I don't want users to enter the domain portion of the address. However, I am trying to figure out the best way to signal the user to NOT enter the domain.
I would like to customize the default login page to include the domain shown after the textbox, something like below.
I know I could write a whole custom UI page to do this, but I was hoping to be able to do this with just a simpler customization of the default UI. Is this possible?
• I would suggest that you use the ‘login_hint’ and ‘domain_hint’ query parameters in the B2C custom policy regarding the need to show a domain name during the signup user flow. By specifying the ‘login_hint’ parameter in the signup custom policy, Azure AD B2C automatically populates the sign-in name while the user only needs to enter the password for his credentials, though the user gets the option to change the sign-in name that is automatically populated from the custom policy and enter the sign-in name of his choice.
Similarly, regarding the domain, the ‘domain_hint’ query parameter provides a hint by auto-populating the domain name for the social IDP for which the sign-in is recommended. These two options mostly satisfy your requirement of not requiring a user to enter the domain name during login. Kindly find below samples of the above query parameters for your reference:
Domain hint:
  <ClaimsProvider>
    <!-- Add the domain hint value to the claims provider -->
    <Domain>facebook.com</Domain>
    <DisplayName>Facebook</DisplayName>
    <TechnicalProfiles>
    ...
Login hint:
  <ClaimsProvider>
    <DisplayName>Local Account</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
        <InputClaims>
          <!-- Add the login hint value to the sign-in names claim type -->
          <InputClaim ClaimTypeReferenceId="signInName" DefaultValue="{OIDC:LoginHint}" />
        </InputClaims>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
For more information on the above, kindly refer to the documentation links below:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/direct-signin?pivots=b2c-custom-policy
Azure B2C with domain hint instead of IdP buttons
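The `login_hint` and `domain_hint` parameters only pre-fill the sign-in name; the user can still type a full address from any domain. What follows is an added example (not from the answer or the linked docs) of doing it inside the policy: collect only the local part, reject any `@` with a claim restriction, and append the domain server-side with the built-in FormatStringClaim transformation before the account is written, so the domain is never trusted from the browser. The names `userLocalPart`, `AppendCorpDomain`, `LocalAccountSignUpWithCorpUsername` and the domain `contoso.com` are assumptions; `AAD-UserWriteUsingLogonEmail`, `api.localaccountsignup`, `SM-AAD` and the other claim names are the starter pack's.

```xml
<!-- Added example, not from the original answer. Assumed names: userLocalPart,
     AppendCorpDomain, LocalAccountSignUpWithCorpUsername, domain contoso.com. -->
<BuildingBlocks>
  <ClaimsSchema>
    <!-- What the user types: only the part before the @. The pattern rejects "@", so a
         user cannot register an address on an external domain. -->
    <ClaimType Id="userLocalPart">
      <DisplayName>Username</DisplayName>
      <DataType>string</DataType>
      <UserHelpText>Enter only the part before @contoso.com</UserHelpText>
      <UserInputType>TextBox</UserInputType>
      <Restriction>
        <Pattern RegularExpression="^[A-Za-z0-9._-]+$" HelpText="Letters, digits, dots, underscores or hyphens only; @contoso.com is added for you." />
      </Restriction>
    </ClaimType>
  </ClaimsSchema>
  <ClaimsTransformations>
    <!-- Builds the "email" claim server-side from the validated local part. -->
    <ClaimsTransformation Id="AppendCorpDomain" TransformationMethod="FormatStringClaim">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="userLocalPart" TransformationClaimType="inputClaim" />
      </InputClaims>
      <InputParameters>
        <InputParameter Id="stringFormat" DataType="string" Value="{0}@contoso.com" />
      </InputParameters>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="email" TransformationClaimType="outputClaim" />
      </OutputClaims>
    </ClaimsTransformation>
  </ClaimsTransformations>
</BuildingBlocks>

<ClaimsProvider>
  <DisplayName>Local Account</DisplayName>
  <TechnicalProfiles>
    <!-- Sign-up page that asks for the local part instead of "email". A new profile is used
         because overriding the starter-pack one in the extensions file merges output claims
         rather than removing the "email" field. -->
    <TechnicalProfile Id="LocalAccountSignUpWithCorpUsername">
      <DisplayName>Corporate username sign-up</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="ContentDefinitionReferenceId">api.localaccountsignup</Item>
        <Item Key="language.button_continue">Create</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="userLocalPart" Required="true" />
        <OutputClaim ClaimTypeReferenceId="newPassword" Required="true" />
        <OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true" />
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="objectId" />
      </OutputClaims>
      <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingLogonEmail" />
      </ValidationTechnicalProfiles>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
    </TechnicalProfile>

    <!-- Input claims transformations run before the profile's input claims are read, so the
         write profile sees the full address in "email" and persists it as the sign-in name. -->
    <TechnicalProfile Id="AAD-UserWriteUsingLogonEmail">
      <InputClaimsTransformations>
        <InputClaimsTransformation ReferenceId="AppendCorpDomain" />
      </InputClaimsTransformations>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

The suffix is shown in the help text under the box; rendering it literally next to the textbox needs a custom page layout. Note the caveat: with the `email` field gone from the sign-up page, the built-in verification-code step for that field is gone too, so the user has proved nothing about owning the mailbox; add a verification step on the built `email` claim if that matters for your tenant.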

Sample username-signup-or-signin policy prompting for email address

I'm attempting to use the sample custom policy username-signup-or-signin. However, without any changes on my part, it is prompting for the email address on the sign-in screen instead of the username. You can see this by using the live demo link in GitHub.
I've attempted to look through the XML of the extension policy but can't figure out how to have it ask for the username instead of the email address. For example, the extension policy includes the following:
<InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.userName" Required="true" />
It seems that would cause B2C to prompt for the username instead of email.
Does anyone have any suggestions?
You just need to change the placeholder text to ‘please enter your username’.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/language-customization?pivots=b2c-custom-policy
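Added example of the localization override the answer refers to; it is not part of the answer or of the username-signup-or-signin sample. It assumes the sign-in page is bound to the content definition `api.signuporsignin`, English only, and the starter pack's `signInName` claim. Both the page-level identifier string and the claim's own display strings are set, so the rename holds whichever one the page binds.

```xml
<!-- Added example, not from the original answer or sample. Assumed: content definition
     "api.signuporsignin", English only, starter-pack "signInName" claim. -->
<BuildingBlocks>
  <ContentDefinitions>
    <ContentDefinition Id="api.signuporsignin">
      <LocalizedResourcesReferences MergeBehavior="Prepend">
        <LocalizedResourcesReference Language="en" LocalizedResourcesReferenceId="api.signuporsignin.en" />
      </LocalizedResourcesReferences>
    </ContentDefinition>
  </ContentDefinitions>
  <Localization Enabled="true">
    <SupportedLanguages DefaultLanguage="en" MergeBehavior="ReplaceAll">
      <SupportedLanguage>en</SupportedLanguage>
    </SupportedLanguages>
    <LocalizedResources Id="api.signuporsignin.en">
      <LocalizedStrings>
        <!-- Identifier box on the unified sign-up-or-sign-in page -->
        <LocalizedString ElementType="UxElement" StringId="logonIdentifier_email">Username</LocalizedString>
        <LocalizedString ElementType="UxElement" StringId="logonIdentifier_username">Username</LocalizedString>
        <!-- Label and help text of the claim itself, used where signInName is rendered as a field -->
        <LocalizedString ElementType="ClaimType" ElementId="signInName" StringId="DisplayName">Username</LocalizedString>
        <LocalizedString ElementType="ClaimType" ElementId="signInName" StringId="UserHelpText">Please enter your username</LocalizedString>
        <!-- Keep the failure message neutral so it does not reveal whether the username exists -->
        <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfInvalidPassword">Your username or password is incorrect.</LocalizedString>
      </LocalizedStrings>
    </LocalizedResources>
  </Localization>
</BuildingBlocks>
```

After uploading, load the page with `ui_locales=en` and check the placeholder; if it still reads "Email Address", the page is bound to a different content definition ID than the one assumed here.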

Store "email" in contact info during registration - Azure AD B2C Custom policy

I have a custom policy for sign-up and sign-in and, in the last step, I ask the user to enter the email, to which I send a verification code and then verify the code (following one of the examples provided by Microsoft). However, I'd like to store, in the "contact info", the email that the person entered.
I tried multiple ways using "PersistedClaims", but it doesn't seem to work.
  <PersistedClaims>
    <PersistedClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email"/>
  </PersistedClaims>
I got no error when I load the policy, but when I sign up, I still don't see the email in the Contact Info inside the user's profile in Azure AD B2C.
I believe that I'm using the wrong claim, but I couldn't figure out what the "Contact info -> Email" claim is.
Please, could someone tell me which claim and how to store it?
Thank you
Change “email” to “mail”.
Change “signInName.emailAddress” to “signInName” (if this is during sign up)

Email claims not populated with custom policies in Azure B2C

I have Azure B2C with custom policies with Local Login and Microsoft Account login enabled. I have started with the starter pack and made some modifications to add my custom logic for validate and add additional claims as explained here.
Everything works fine with Microsoft Account. But I am facing issues with Local Account Sign in.
The email claim is only populated when the user signs up, but not on sign-in. In the case of sign-in, the email is part of the "signInNames.emailAddress" claim. I tried making changes as explained here and here. I would like the email to be populated in the email claim, as my API uses this claim.
Additional claims returned from my REST API are not added to the token, only for Local Login. They are added for Microsoft Account.
thank you.
Update: For point 2, it's a problem with my policy file and is now fixed.
There is a simple method to return email claim.
Just replace <OutputClaim ClaimTypeReferenceId="email" /> with <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email" /> in your SignUporSignIn.xml file.
You need to sign up new local user and then sign in to test it. You will see the email claim.
In fact, this solution has been provided by #Wayne Yang in the post you shared.

Custom Error messages in custom policy

Is it possible to customize error messages for invalid credentials using azure b2c custom policy?
Ideally, we would like to show a different error message for invalid credentials, which is “Sorry, unrecognized username or password. Have you forgotten your password?”. Here the entire message is the hyperlink which should redirect to reset password screen.
P.S: We have changed the error messages using custom policy but facing difficulty in having the hyperlink and redirection to reset the password.
Any insight will be helpful.
Thanks in advance
You can customize the error messages by modifying the UserMessageIf* settings for the login-NonInteractive technical profile as follows:
  <Metadata>
    <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">Email or password is incorrect.</Item>
    <Item Key="UserMessageIfInvalidPassword">Email or password is incorrect.</Item>
    <Item Key="UserMessageIfOldPasswordUsed">Email or password is incorrect.</Item>
    ...
  </Metadata>
The UserMessageIfInvalidPassword can only hold text, if I am not wrong, so you'll have to resort to workarounds unfortunately. Do you have the reset password mechanism also as a policy/technical profile?
The policies in general link to other policies/technical profiles through links that contain a reference to the ClaimsExchanges. For example, a user SignIn page that has SignUp links at the bottom, will contain a reference to the ClaimsExchange that will be called when the user decides to SignUp instead of SignIn.
In your case, if the password reset mechanism is a separate Policy, it could be possible to convert the policy link to an HTML link, and use the same as the error message for "UserMessageIfInvalidPassword". The policy would show the text, which would be rendered as an HTML link.
It should also be possible to perform some of this workaround through the JS in the page.
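Added example (not from either answer) that combines the two points above in policy XML: one neutral message for the three failure cases, and the page's standard "Forgot your password?" link routed to a password-reset step inside the same journey via the `setting.forgotPasswordLinkOverride` metadata item, so no separate reset policy is needed. The error text itself stays plain text; the clickable link is the page's own forgot-password link, not the message. The IDs `ForgotPasswordExchange`, `ForgotPassword`, `isForgotPassword` and the sub journey `PasswordReset` (assumed to be defined under SubJourneys) are assumptions; `login-NonInteractive`, `SelfAsserted-LocalAccountSignin-Email`, `SignUpOrSignIn` and `api.signuporsignin` are the starter pack's.

```xml
<!-- Added example, not from the original answers. Assumed IDs: ForgotPasswordExchange,
     ForgotPassword, isForgotPassword, sub journey PasswordReset. -->
<BuildingBlocks>
  <ClaimsSchema>
    <ClaimType Id="isForgotPassword">
      <DisplayName>isForgotPassword</DisplayName>
      <DataType>boolean</DataType>
    </ClaimType>
  </ClaimsSchema>
</BuildingBlocks>

<ClaimsProvider>
  <DisplayName>Local Account</DisplayName>
  <TechnicalProfiles>
    <!-- Same text for "no such user" and "wrong password": the message must not reveal
         whether the account exists (username enumeration). -->
    <TechnicalProfile Id="login-NonInteractive">
      <Metadata>
        <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">Sorry, unrecognized username or password. Have you forgotten your password?</Item>
        <Item Key="UserMessageIfInvalidPassword">Sorry, unrecognized username or password. Have you forgotten your password?</Item>
        <Item Key="UserMessageIfOldPasswordUsed">Sorry, unrecognized username or password. Have you forgotten your password?</Item>
      </Metadata>
    </TechnicalProfile>

    <!-- Point the page's "Forgot your password?" link at a claims exchange in this journey. -->
    <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
      <Metadata>
        <Item Key="setting.forgotPasswordLinkOverride">ForgotPasswordExchange</Item>
      </Metadata>
    </TechnicalProfile>

    <!-- Sets the flag the journey branches on when the link was clicked. -->
    <TechnicalProfile Id="ForgotPassword">
      <DisplayName>Forgot your password?</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="isForgotPassword" DefaultValue="true" AlwaysUseDefaultValue="true" />
      </OutputClaims>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<UserJourneys>
  <UserJourney Id="SignUpOrSignIn">
    <OrchestrationSteps>
      <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
        <ClaimsProviderSelections>
          <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
        </ClaimsProviderSelections>
        <ClaimsExchanges>
          <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
          <ClaimsExchange Id="ForgotPasswordExchange" TechnicalProfileReferenceId="ForgotPassword" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <!-- Runs only when isForgotPassword was set by the link; otherwise skipped. -->
      <OrchestrationStep Order="2" Type="InvokeSubJourney">
        <Preconditions>
          <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
            <Value>isForgotPassword</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
        </Preconditions>
        <JourneyList>
          <Candidate SubJourneyReferenceId="PasswordReset" />
        </JourneyList>
      </OrchestrationStep>
      <!-- The remaining sign-in/sign-up steps of the starter-pack journey follow unchanged,
           each with the inverse precondition (ExecuteActionsIf="true" on isForgotPassword)
           so they are skipped after a reset. -->
    </OrchestrationSteps>
  </UserJourney>
</UserJourneys>
```

Test both branches: a wrong password for an existing account and a non-existent account must produce byte-identical error text, and clicking the forgot-password link must land in the reset sub journey without a second policy being invoked.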
