I'm looking for an option to add a button to a SelfAsserted technical profile, which executes another technical profile (a REST API in my case)
I already had a look into displayControls, which apparently at this time only supports a full verification process with some mandatory steps and fields. Is there any option to just have a single button added that can be assigned an action?
Related
I want to, during the sign in flow, ask the user for additional input, which would be used as an inputClaim in one of the next steps of the user journey in a custom policy. The value does not need to be persisted. Ideally, it would be done in the sign-in window, but also could be collected from a separate window.
I am able to modify the sign-up window in this way, though not the sign-in one. Looked up in https://learn.microsoft.com/en-us/azure/active-directory-b2c/customize-ui-with-html?pivots=b2c-custom-policy, but this again describes only the sign-up scenario.
There is a similar question asked by #Zzehan-jurangpathy here Getting user attribute in sign in flow in Azure B2C, though no answer that would actually be helpful.
You can't modify the standard sign-in flow. It just allows username and password.
You can add an extra page by adding a self-asserted technical profile e.g. here.
I've followed one of the provided samples to add TOTP multi factor authentication supported by a phone app:
https://github.com/azure-ad-b2c/samples/tree/master/policies/custom-mfa-totp
I'm therefore able to offer users the ability to enter a TOTP code:
One of the things I'm considering is ensuring users still have access to their accounts if something goes wrong during the TOTP MFA process which we're using by default. I'd therefore like to be able to add an extra link to this page to send users through an alternative MFA route without successfully completing this one in case they encounter issues: "send a code via email instead".
As far as I can tell, the B2C screens expect users to only go forward through clicking continue. The best alternative instead of a link I can think of is a checkbox which sets a boolean claim to enable an email MFA OrchestrationStep. I find this a little less user-friendly than a simple link though as it adds an unnecessary extra click.
Ideal user flow:
Login --> Display TOTP MFA screen --> Enter MFA code OR click link to go to email MFA screen
Any help's appreciated!
This sample demonstrates how to use a display control to provide multiple options (Email or MFA) for a user to continue:
https://github.com/azure-ad-b2c/samples/tree/master/policies/pwd-reset-via-email-or-phone
You could use the same idea here, except instead of invoking the MFA technical profiles as part of the samples display control, you can invoke the call to the REST API technical profile to verify the code.
You will need to use some CSS/JS to make the page look nice so users can toggle what option they want to use.
I am pre-creating federated users using the Graph API. Although I am using a SignUpSignIn custom policy, I want to be able to prevent a SignUp and show an error when a federated user is not already in the B2C directory. I have tried just removing the orchestration step that does SelfAsserted-Social but that didn't yield intended results.
Any help will be appreciated.
I was able to resolve this doing the following
Create a claim type to hold the message to the user
Create a claims transformation of type CreateStringClaim that populates the above claim type
Created a self-asserted technical profile that
a. hides the continue and cancel buttons
b. has an InputClaimsTransformation referencing 2. above.
c. has an Input claim of the claim type in 1. above
d. has an output claim of the claim type in 1. above
Remove/comment out the orchestration step that shows the self-asserted page for auth with social Idp
In the orchestration step that writes the federated account to AAD, I replace the referenced TP (AAD-UserWriteUsingAlternativeSecurityId) with the one in 3.
Later I will be using a ContentDefinition element to have the page that displays the error message contain a link that sends the user back to the beginning signin user journey.
I'm experiencing the same problem you had here, but unfortunately I'm not yet able to get what you did in those 5 steps.
I know 2 years have passed, but if still have access to the files which you used to do this that would be great!
Starting from the custom policy starter pack, and the SocialAndLocalAccountsWithMfa example, I'd like to display an additional checkbox on the same screen where the user chooses "Send Code" or "Call Me".
I want the boolean value indicating if the user checked it to end up in a claim returned to the application.
Is this possible?
I've tried adding the custom claim as an <OutputClaim>, an <InputClaim> or both into the PhoneFactor-InputOrVerify technical profile. None of which had any effect in the UI.
Unfortunately, no, because both the urn:com:microsoft:aad:b2c:elements:multifactor:1.1.0 content definition and the PhoneFactorProtocolProvider profile type are specialized or fit-for-purpose for the multi-factor interaction.
I need some help with this sample:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-rest-api-step-custom
I need to do the same but with signin policy, i need to validate the email with sql database and change a status column in database, and/or block access if the email is doesn't exist.
do you have some example for that?
Thanks
P.D: Excuse my english
The example you are pointing to is more useful for just retrieving additional claims for a user but not for validating the input. Since you are validating the email address, this example is more relevant:
Walkthrough: Integrate REST API claims exchanges in your Azure AD B2C user journey as validation on user input
This is what I would suggest:
Host your database behind a Rest API so it can be called to validate the email address
Create a technical profile using Web.TPEngine.Providers.RestfulProvider that calls into your Rest API (see the example I linked above)
Add a ValidationTechnicalProfile to the SelfAssertedAttributeProvider technical profile that collects the email so it will validate it and show an error if validation fails
By adding validation such as this, the user will be blocked with an error message and will have the opportunity to fix the input (e.g. typos) and try again. You can also get additional claims about that email address from the Rest API by adding them in the OutputClaims of both the technical profiles.
You will need to determine whether this is the right place to change the flag in the DB or if that ought to be a separate operation. The reason is that if the user goes to the next step in the user journey and then abandons it and comes back later, what would their experience be.
If you want it as a separate step later in the user journey, then you would create it using the example you provided (i.e. as a separate step after all the required steps have executed in the user journey).
The steps will be very similar except you will need to modify a different UserJourney and RelyingParty.
Update <UserJourney Id="SignUpOrSignIn"> as described in step 4.
Update SignUpOrSignin.xml as described in step 5.