Custom Error messages in custom policy - azure-ad-b2c

Is it possible to customize error messages for invalid credentials using an Azure B2C custom policy?
Ideally, we would like to show a different error message for invalid credentials, which is "Sorry, unrecognized username or password. Have you forgotten your password?". Here the entire message is the hyperlink, which should redirect to the reset password screen.
P.S.: We have changed the error messages using a custom policy but are facing difficulty in having the hyperlink and redirection to reset the password.
Any insight will be helpful.
Thanks in advance.

You can customize the error messages by modifying the UserMessageIf* settings for the login-NonInteractive technical profile as follows:
<Metadata>
  <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">Email or password is incorrect.</Item>
  <Item Key="UserMessageIfInvalidPassword">Email or password is incorrect.</Item>
  <Item Key="UserMessageIfOldPasswordUsed">Email or password is incorrect.</Item>
  ...
</Metadata>

The UserMessageIfInvalidPassword can only hold text, if I am not wrong, so you'll have to resort to workarounds unfortunately. Do you have the reset password mechanism also as a policy/technical profile?
The policies in general link to other policies/technical profiles through links that contain a reference to the ClaimsExchanges. For example, a user SignIn page that has SignUp links at the bottom, will contain a reference to the ClaimsExchange that will be called when the user decides to SignUp instead of SignIn.
In your case, if the password reset mechanism is a separate Policy, it could be possible to convert the policy link to an HTML link, and use the same as the error message for "UserMessageIfInvalidPassword". The policy would show the text, which would be rendered as an HTML link.
It should also be possible to perform some of this workaround through the JS in the page.

Sample username-signup-or-signin policy prompting for email address

I'm attempting to use the sample custom policy username-signup-or-signin. However, without any changes on my part, it is prompting for the email address on the sign-in screen instead of the username. You can see this by using the live demo link in GitHub.
I've attempted to look through the XML of the extension policy but can't figure out how to have it ask for the username instead of the email address. For example, the extension policy includes the following:
<InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.userName" Required="true" />
It seems that would cause B2C to prompt for the username instead of email.
Does anyone have any suggestions?
You just need to change the placeholder text to ‘please enter your username’.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/language-customization?pivots=b2c-custom-policy

AuthnRequest signing

I'm trying to make a custom policy for Azure B2C work with a SAML 2.0 identity provider which requires all requests to be signed. The PartnerEntity parameter includes the correct URL, whose metadata defines an IDPSSODescriptor element with the WantAuthnRequestsSigned="true" attribute.
In the custom policy TechnicalProfile I have these metadata elements, but none of them seems to make a difference:
<Item Key="WantsSignedRequests">true</Item>
<Item Key="WantsSignedAssertions">true</Item>
<Item Key="XmlSignatureAlgorithm">Sha256</Item>
<Item Key="RequestsSigned">true</Item>
In CryptographicKeys I have SamlMessageSigning and SamlAssertionSigning keys with a StorageReferenceId.
Trace logs show that the AuthnRequest is sent, but it doesn't have any Signature elements, so I guess that is why the sign-in process fails on the identity provider side.
Any ideas how to proceed? Does anyone know whether it is even possible to sign the AuthnRequest with an Azure B2C custom policy?
Just wanted to update that I got it working. The actual problem was not a signing issue.
It seems that trace logs won't show the signed part of the request, and I thought that was the problem.

Custom B2C policy with custom TOTP fails validation with error: "Please use page contract in content definitions when enabling JavaScript"

I am working on an IEF Policy that supports custom TOTP. I am using the following sample code as the basis for my work: https://github.com/azure-ad-b2c/samples/tree/master/policies/custom-mfa-totp
I have created the Service that supports the TOTP requests that IEF will issue based on the policy definitions.
My problem is I get the following error when uploading the IEF policy:
Validation failed: 1 validation error(s) found in policy "myPolicyName" of tenant "myb2cTenant.onmicrosoft.com".
Please use page contract in content definitions when enabling JavaScript.Please use page contract in content definitions when enabling JavaScript.
To this point, I am basically just modifying the sample policy files to include the specific information to work within my system. The sample policy files are divided into two: TrustFrameworkExtensions.xml and SignUpOrSignIn.xml.
Loading the Extension file works, but I get the previously mentioned error when attempting to load the SignUpOrSignIn file.
I have found a couple of other StackOverflow posts referring to similar errors, and the recommended solution does not solve the problem. The recommended solution suggests updating the element with the corresponding value as described here: Content Definitions, and making sure that the Relying party allows JS execution as described here: Allow JS execution.
After that, this is what the ContentDefinition looks like for my Policy:
<ContentDefinition Id="api.selfasserted.appfactor.registration">
  <LoadUri>https://myurl/totp-ui/selfasserted-appfactor-registration.html</LoadUri>
  <RecoveryUri>~/common/default_page_error.html</RecoveryUri>
  <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:1.2.0</DataUri>
  <Metadata>
    <Item Key="DisplayName">App Factor</Item>
  </Metadata>
</ContentDefinition>
Even with these updates the Policy still fails to load, and I am out of things to try or even troubleshoot.
Any ideas about what may be the cause for that error?
With special thanks to Dale Kirby, I now have the solution to this problem.
The error was not caused by the configuration in this TechnicalProfile that is provided in the sample's TrustFrameworkExtensions.xml:
<TechnicalProfile Id="AppFactor-VerifyTotpWebHook">
The actual reason for me getting the error was that several of the TechnicalProfile elements referenced from my TrustFrameworkBase.xml file had the old URI in their DataUri (these technical profiles are referenced by the TrustFrameworkExtensions.xml provided in the sample).
Once I updated all the outdated DataUri values in the TrustFrameworkBase.xml and TrustFrameworkExtensions.xml, the error went away. The correct URIs are listed here: Page layout URIs
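The first answer on this page points to a JavaScript workaround for the invalid-credentials message, and the answer just above traces the "Please use page contract" upload error to outdated DataUri values; both come down to the same two policy settings. The following is an added example, not code from either post: the ids, LoadUri values and page layout version numbers are assumptions (take the current versions from the page layout reference).

```xml
<!-- Added example, not from the posts above. Every content definition in the
     policy chain (base, extensions and relying-party files) must use a
     page-contract DataUri (note the "contract" segment); the older
     "elements:unifiedssp:1.1.0" / "elements:selfasserted:1.2.0" form is what
     the "Please use page contract" validation error rejects once JavaScript
     is enabled. Version numbers, ids and URLs below are assumptions. -->

<!-- TrustFrameworkExtensions.xml, inside <BuildingBlocks> -->
<ContentDefinitions>
  <ContentDefinition Id="api.signuporsignin">
    <LoadUri>~/tenant/default/unified.cshtml</LoadUri>
    <RecoveryUri>~/common/default_page_error.html</RecoveryUri>
    <DataUri>urn:com:microsoft:aad:b2c:elements:contract:unifiedssp:2.1.0</DataUri>
    <Metadata>
      <Item Key="DisplayName">Signin and Signup</Item>
    </Metadata>
  </ContentDefinition>
  <ContentDefinition Id="api.selfasserted.appfactor.registration">
    <!-- Custom HTML served from your own origin. With ScriptExecution allowed,
         any script on this page runs inside the sign-in flow, so the host must
         be one you control and must send the CORS headers B2C requires. -->
    <LoadUri>https://myurl/totp-ui/selfasserted-appfactor-registration.html</LoadUri>
    <RecoveryUri>~/common/default_page_error.html</RecoveryUri>
    <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.0</DataUri>
    <Metadata>
      <Item Key="DisplayName">App Factor</Item>
    </Metadata>
  </ContentDefinition>
</ContentDefinitions>

<!-- SignUpOrSignIn.xml (relying-party file): opt the journey in to JavaScript.
     Without this element, page scripts are never executed, so a script that
     rewrites the rendered error text into a reset-password link cannot run. -->
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <UserJourneyBehaviors>
    <ScriptExecution>Allow</ScriptExecution>
  </UserJourneyBehaviors>
  <TechnicalProfile Id="PolicyProfile">
    <!-- unchanged from the starter pack -->
  </TechnicalProfile>
</RelyingParty>
```

Upload the extensions file first and the relying-party file second; the validator checks the DataUri values of every content definition the journey reaches, not only those in the file being uploaded.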

Azure B2C Custom Policies local account KMSI doesn't keep me signed in

I implemented the steps in the example - all worked as expected to this point - and then I followed the instructions to enable KMSI.
When testing Identity Experience Framework -> Custom Policies -> B2C_1A_signup_signin -> Run, I can switch on the tickbox "Keep me signed in" when signing in. However, when I close this window (or keep it open for that matter) and Run the custom policy again, it asks me to sign in again ("Keep me signed in" shows unticked).
I have triple checked the changes in the tutorial and example and can't see any difference (other than in the example I don't have LoadURI and RecoveryURI).
I note I have not made changes as per ContentDefinitions and only followed the instructions in enable KMSI, because I didn't think that was a requirement in the tutorial.
Please give me some guidance on what may be wrong. Thank you for your help.
You are using the wrong method to test the KMSI feature.
If you "Run the custom policy again", it will always ask you to re-enter your credentials, which is by design.
You should follow the steps of Test your policy.
You can close the window after you sign in for the first time.
And then follow steps 4, 5 and 6:
Go back to the Azure portal. Go to the policy page, and then select Copy to copy the sign-in URL.
In the browser address bar, remove the &prompt=login query string parameter, which forces the user to enter their credentials on that request.
In the browser, click Go. Now Azure AD B2C will issue an access token without prompting you to sign in again.
UPDATE:
You don't need to replace the SignUpOrSignin.xml and TrustFrameworkExtensions.xml. Just refer to my changes:
Add the following code snippet into the BuildingBlocks element in TrustFrameworkExtensions.xml.
<ContentDefinitions>
  <ContentDefinition Id="api.signuporsignin">
    <LoadUri>~/tenant/default/unified.cshtml</LoadUri>
    <RecoveryUri>~/common/default_page_error.html</RecoveryUri>
    <DataUri>urn:com:microsoft:aad:b2c:elements:unifiedssp:1.1.0</DataUri>
    <Metadata>
      <Item Key="DisplayName">Signin and Signup</Item>
    </Metadata>
  </ContentDefinition>
</ContentDefinitions>
And then add the following node as a child of the element. It must be located immediately after <DefaultUserJourney ReferenceId="User journey Id" />.
<UserJourneyBehaviors>
  <SingleSignOn Scope="Tenant" KeepAliveInDays="30" />
  <SessionExpiryType>Absolute</SessionExpiryType>
  <SessionExpiryInSeconds>1200</SessionExpiryInSeconds>
</UserJourneyBehaviors>
These are all the changes that need to be made.
You don't need to remove &prompt=login in the files. Please see my screenshot above. After you copy the sign-in URL, it will look like this:
https://**.b2clogin.com/**.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1A_SignUpOrSignIn&client_id=**&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=openid&response_type=id_token&prompt=login
Just remove the &prompt=login at the end of the URL and access it in a new window.

AD B2C custom policy custom claims getting error "Unable to validate the information provided." while signup

Using Identity Experience Framework, I added two custom claims and also configured the user inputs.
Changed TrustFrameworkBase based on https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-configure-signup-self-asserted-custom and am able to view two text fields while signing up.
But after clicking on the "Create" button, I get the error:
"Unable to validate the information provided."
While signing up, if I keep both new fields empty, I don't get this error and am able to create the user.
I just ran into the same issue, and my solution was that I was missing the Metadata tags in the "Azure Active Directory" claims provider, so B2C can read/write the extension attributes from the extension store app:
<Metadata>
  <Item Key="ApplicationObjectId">app object id here</Item>
  <Item Key="ClientId">applicationId here</Item>
</Metadata>
See also: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-create-custom-attributes-profile-edit-custom
It can either be the "default" extension app or your custom created one.
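To show where the metadata from the answer above sits relative to the rest of an extension attribute's plumbing, here is an added example (not the poster's policy). The claim name "extension_loyaltyId" and both application ids are placeholders.

```xml
<!-- Added example, not the poster's policy: the three places an extension
     attribute must appear for sign-up to succeed. ApplicationObjectId and
     ClientId identify the app that owns the extension attributes
     (b2c-extensions-app by default). If they are missing, or point at an app
     that does not own the attribute, the directory write is rejected and the
     user sees "Unable to validate the information provided." -->

<!-- 1. TrustFrameworkExtensions.xml, <BuildingBlocks><ClaimsSchema> -->
<ClaimType Id="extension_loyaltyId">
  <DisplayName>Loyalty Identification</DisplayName>
  <DataType>string</DataType>
  <UserHelpText>Your loyalty number from your membership card</UserHelpText>
  <UserInputType>TextBox</UserInputType>
</ClaimType>

<!-- 2. The "Azure Active Directory" claims provider -->
<ClaimsProvider>
  <DisplayName>Azure Active Directory</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="AAD-Common">
      <Metadata>
        <Item Key="ApplicationObjectId">INSERT-EXTENSIONS-APP-OBJECT-ID</Item>
        <Item Key="ClientId">INSERT-EXTENSIONS-APP-APPLICATION-ID</Item>
      </Metadata>
    </TechnicalProfile>
    <!-- Written on sign-up. Only list attributes users may legitimately set
         themselves; anything persisted here is user-controlled input. -->
    <TechnicalProfile Id="AAD-UserWriteUsingLogonEmail">
      <PersistedClaims>
        <PersistedClaim ClaimTypeReferenceId="extension_loyaltyId" />
      </PersistedClaims>
    </TechnicalProfile>
    <!-- Read on sign-in so the value can be issued in the token -->
    <TechnicalProfile Id="AAD-UserReadUsingEmailAddress">
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="extension_loyaltyId" />
      </OutputClaims>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<!-- 3. Collect the value on the self-asserted sign-up page -->
<TechnicalProfile Id="LocalAccountSignUpWithLogonEmail">
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="extension_loyaltyId" />
  </OutputClaims>
</TechnicalProfile>
```

Leaving the new fields empty skips the directory write for them, which is why the poster's sign-up only fails when a value is entered.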
