We are using custom policy and are have added some fields in the signup page. We have a DateTimeDropdown claim type to allow a user to select date of birth. Below is the policy configuration for the claim:
<ClaimType Id="birthDate">
<DisplayName>Birth Date</DisplayName>
<DataType>date</DataType>
<DefaultPartnerClaimTypes>
<Protocol Name="OAuth2" PartnerClaimType="birth_date" />
<Protocol Name="OpenIdConnect" PartnerClaimType="birth_date" />
<Protocol Name="SAML2" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/birthdate" />
</DefaultPartnerClaimTypes>
<UserInputType>DateTimeDropdown</UserInputType>
</ClaimType>
This is how it renders on the page.
The Year selection gives a range starting from 1900 and goes up to 2050. Is there any way to configure to alter or limit the values present in this dropdown?
This can be done using Predicates and PredicateValidations.
Update your ClaimType to include a PredicateValidation;
<ClaimType Id="birthDate">
<DisplayName>Birth Date</DisplayName>
<DataType>date</DataType>
<DefaultPartnerClaimTypes>
<Protocol Name="OAuth2" PartnerClaimType="birth_date" />
<Protocol Name="OpenIdConnect" PartnerClaimType="birth_date" />
<Protocol Name="SAML2" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/birthdate" />
</DefaultPartnerClaimTypes>
<UserInputType>DateTimeDropdown</UserInputType>
<PredicateValidationReference Id="CustomDateRange" />
</ClaimType>
Then add the following in between </ClaimsSchema> and <ClaimsTransformation>;
<Predicates>
<Predicate Id="DateRange" Method="IsDateRange" HelpText="The date must be between 1920-01-01 and today.">
<Parameters>
<Parameter Id="Minimum">1920-01-01</Parameter>
<Parameter Id="Maximum">Today</Parameter>
</Parameters>
</Predicate>
</Predicates>
<PredicateValidations>
<PredicateValidation Id="CustomDateRange">
<PredicateGroups>
<PredicateGroup Id="DateRangeGroup">
<PredicateReferences>
<PredicateReference Id="DateRange" />
</PredicateReferences>
</PredicateGroup>
</PredicateGroups>
</PredicateValidation>
</PredicateValidations>
Related
I try to create an orchestration step that just set the value of a claim. I used the starter pack scenarios/phone-number-passwordless/Phone_Email_Base.xml as a sample with the DoesStrongAuthEmailExist TechnicalProfile So basicaly I have a Claim :
<ClaimType Id="isThisAvailable">
<DisplayName>Determines if something is available in an environment</DisplayName>
<DataType>string</DataType>
</ClaimType>
A claim transformation method :
<ClaimsTransformation Id="SetThisIsAvailableClaim" TransformationMethod="CreateStringClaim">
<InputParameters>
<InputParameter Id="value" DataType="string" Value="false" />
</InputParameters>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="isThisAvailable" TransformationClaimType="createdClaim" />
</OutputClaims>
</ClaimsTransformation>
A claim provider with TechnicalProfile :
<ClaimsProvider>
<DisplayName>Availability check</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="CheckIfThisIsAvailable">
<DisplayName>Test</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<InputClaimsTransformations>
<InputClaimsTransformation ReferenceId="SetThisIsAvailableClaim" />
</InputClaimsTransformations>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="isThisAvailable" />
</OutputClaims>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
And the orchestration step which is the first of the journey :
<OrchestrationStep Order="1" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="TEST-CheckIfThisIsAvailable" TechnicalProfileReferenceId="CheckIfThisIsAvailable" />
</ClaimsExchanges>
</OrchestrationStep>
But when I call the user journey, I get this error in Dialog Insight :
The method or operation is not implemented
Note that I also tested putting the transformation in the OutputClaimsTransformations section of my TechnicalProfile without any success.
Here are the last log lines from dialog insight showing that it happens in step 1 :
{
"Kind": "Action",
"Content": "Web.TPEngine.StateMachineHandlers.MoveFirstOrchestrationStepHandler"
}, {
"Kind": "HandlerResult",
"Content": {
"Result": true,
"Statebag": {
"ORCH_CS": {
"c": "2022-11-11T21:17:53.9870141Z",
"k": "ORCH_CS",
"v": "1",
"p": true
}
}
} }, {
"Kind": "Action",
"Content": "Web.TPEngine.StateMachineHandlers.InvokeValidationProfileDirectHandler"
}, {
"Kind": "FatalException",
"Content": {
"Time": "9:17 PM",
"Exception": {
"Kind": "Handled",
"HResult": "80004001",
"Message": "The method or operation is not implemented.",
"Data": {}
}
} } ]
EDIT
I found out that it works when using the authorize enpoint, but I get the error when I use the token endpoint.
To make things perectly clear, the only step in the actual orchestration is to get a ROPC token, for tests in dev environments. That works fine on a call to the token endpoint.
<OrchestrationStep Order="1" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="ResourceOwnerFlow" TechnicalProfileReferenceId="ResourceOwnerPasswordCredentials-OAUTH2" />
</ClaimsExchanges>
</OrchestrationStep>
<TechnicalProfile Id="ResourceOwnerPasswordCredentials-OAUTH2">
<DisplayName>Local Account SignIn - ROPC</DisplayName>
<Protocol Name="OpenIdConnect" />
<Metadata>
<Item Key="UserMessageIfClaimsPrincipalDoesNotExist">We can't seem to find your account</Item>
<Item Key="UserMessageIfInvalidPassword">Your password is incorrect</Item>
<Item Key="UserMessageIfOldPasswordUsed">Looks like you used an old password</Item>
<Item Key="DiscoverMetadataByTokenIssuer">true</Item>
<Item Key="ValidTokenIssuerPrefixes">https://sts.windows.net/</Item>
<Item Key="METADATA">https://login.microsoftonline.com/{Settings:Tenant}/.well-known/openid-configuration</Item>
<Item Key="authorization_endpoint">https://login.microsoftonline.com/{Settings:Tenant}/oauth2/token</Item>
<Item Key="response_types">id_token</Item>
<Item Key="response_mode">query</Item>
<Item Key="scope">email openid</Item>
<Item Key="grant_type">password</Item>
</Metadata>
<InputClaims>
<InputClaim ClaimTypeReferenceId="logonIdentifier" PartnerClaimType="username" Required="true" DefaultValue="{OIDC:Username}"/>
<InputClaim ClaimTypeReferenceId="password" Required="true" DefaultValue="{OIDC:Password}" />
<InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="password" />
<InputClaim ClaimTypeReferenceId="scope" DefaultValue="openid" />
<InputClaim ClaimTypeReferenceId="nca" PartnerClaimType="nca" DefaultValue="1" />
<InputClaim ClaimTypeReferenceId="client_id" DefaultValue="{Settings:ProxyIdentityExperienceFrameworkAppId}" />
<InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="{Settings:IdentityExperienceFrameworkAppId}" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="oid" />
<OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="upn" />
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromObjectID" />
</OutputClaimsTransformations>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
But as soon as I try to add an orchestration step before like this, I get an error
<UserJourney Id="ResourceOwnerPasswordCredentials">
<PreserveOriginalAssertion>false</PreserveOriginalAssertion>
<OrchestrationSteps>
<OrchestrationStep Order="1" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="TEST-CheckIfThisIsAvailable" TechnicalProfileReferenceId="CheckIfThisIsAvailable" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="2" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="ResourceOwnerFlow" TechnicalProfileReferenceId="ResourceOwnerPasswordCredentials-OAUTH2" />
</ClaimsExchanges>
</OrchestrationStep>
If you are just setting the claim to a specific value, you could use
<InputClaim ClaimTypeReferenceId="isThisAvailable" DefaultValue="false" AlwaysUseDefaultValue="true" />
I'm creating a SAML 2.0 Service Provider.
The IDP i'm connecting to requires an AttributeConsumingService with the parameters listed below in the metadata:
<AttributeConsumingService index="0" isDefault="true">
<ServiceName xml:lang="da">MyServiceName</ServiceName>
<RequestedAttribute Name="https://data.gov.dk/model/core/specVersion" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true" />
<RequestedAttribute Name="https://data.gov.dk/concept/core/nsis/loa" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true" />
<RequestedAttribute Name="https://data.gov.dk/model/core/eid/professional/cvr" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true" />
<RequestedAttribute Name="https://data.gov.dk/model/core/eid/professional/orgName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true" />
</AttributeConsumingService>
With my current setup this is not returned in my b2c service provider metadata.
How would i go about having my B2C custom policy creating this?
My custom policy:
<TechnicalProfile Id="NemLogin-SAML3">
<DisplayName>NemLogin3</DisplayName>
<Description>Login with your NemLogin3 account</Description>
<Protocol Name="SAML2" />
<Metadata>
<Item Key="IssuerUri">myIssuerId</Item>
<Item Key="PartnerEntity">https://www.nemlog-in.dk/media/zrrb0a1e/oio_saml_3_test-devtest4-idp-metadata-xml.txt</Item>
<Item Key="NameIdPolicyFormat">urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</Item>
<Item Key="ResponsesSigned">false</Item>
<Item Key="WantsEncryptedAssertions">true</Item>
</Metadata>
<CryptographicKeys>
<Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_Test" />
<Key Id="SamlAssertionDecryption" StorageReferenceId="B2C_1A_Test" />
</CryptographicKeys>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="assertionSubjectName" />
<OutputClaim ClaimTypeReferenceId="specVersion" Required="true" />
<OutputClaim ClaimTypeReferenceId="loa" Required="true" />
<OutputClaim ClaimTypeReferenceId="cvr" Required="true" />
<OutputClaim ClaimTypeReferenceId="orgName" Required="true" />
</OutputClaims>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-idp" />
</TechnicalProfile>
Definition of claims in my policy:
<ClaimType Id="loa">
<DisplayName>Level of assurance</DisplayName>
<DataType>string</DataType>
<DefaultPartnerClaimTypes>
<Protocol Name="OpenIdConnect" PartnerClaimType="loa" />
<Protocol Name="SAML2" PartnerClaimType="https://data.gov.dk/concept/core/nsis/loa" />
</DefaultPartnerClaimTypes>
</ClaimType>
<ClaimType Id="cvr">
<DisplayName>Cvr</DisplayName>
<DataType>string</DataType>
<DefaultPartnerClaimTypes>
<Protocol Name="OpenIdConnect" PartnerClaimType="cvr" />
<Protocol Name="SAML2" PartnerClaimType="https://data.gov.dk/model/core/eid/professional/cvr" />
</DefaultPartnerClaimTypes>
</ClaimType>
<ClaimType Id="orgName">
<DisplayName>Organisation Name</DisplayName>
<DataType>string</DataType>
<DefaultPartnerClaimTypes>
<Protocol Name="OpenIdConnect" PartnerClaimType="orgName" />
<Protocol Name="SAML2" PartnerClaimType="https://data.gov.dk/model/core/eid/professional/orgName" />
</DefaultPartnerClaimTypes>
</ClaimType>
<ClaimType Id="specVersion">
<DisplayName>Spec Version</DisplayName>
<DataType>string</DataType>
<DefaultPartnerClaimTypes>
<Protocol Name="OpenIdConnect" PartnerClaimType="specVersion" />
<Protocol Name="SAML2" PartnerClaimType="dk:gov:saml:attribute:SpecVer" />
</DefaultPartnerClaimTypes>
</ClaimType>
I did localisation in my custom policy, but in certain steps I'm calling REST API to validate some data. Response is coming in English, but now I need to translate that messages too as a part of localisation. Is there any way to do this in B2C?
Here is the response I'm getting from API:
{
"userMessage": "Password is incorrect",
"version":"1.0.0",
"status": 409,
"code": "API12345",
"requestId":"50f0bd91-2ff4-4b8f-828f-00f170519ddb",
"developerMessage":"Verbose description of problem and how to fix it.",
"moreInfo": "https://restapi/error/API12345/moreinfo"
}
You can send the localisation parameter to the REST API and have it return a localised error. Or you can return back an error code from the API instead of an error string. Then use the following example to have this done in policy:
<BuildingBlocks>
<ClaimsSchema>
<ClaimType Id="errorCode">
<DisplayName>errorCode</DisplayName>
<DataType>string</DataType>
<UserHelpText>A claim responsible for holding response codes to send to the relying party</UserHelpText>
</ClaimType>
<ClaimType Id="messageValue">
<DisplayName>Message</DisplayName>
<DataType>string</DataType>
<UserHelpText>A claim responsible for holding response messages to send to the relying party</UserHelpText>
<UserInputType>Paragraph</UserInputType>
<Restriction>
<Enumeration Text="errorCode1" Value="will get overidden by localization" />
<Enumeration Text="errorCode2" Value="will get overidden by localization" />
</Restriction>
</ClaimType>
</ClaimsSchema>
<ClaimsTransformations>
<ClaimsTransformation Id="SetMessageId" TransformationMethod="CreateStringClaim">
<InputParameters>
<InputParameter Id="value" DataType="string" Value="errorCode1" /> <!-- Toggle for errorCode2 -->
</InputParameters>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="errorCode" TransformationClaimType="createdClaim" />
</OutputClaims>
</ClaimsTransformation>
<ClaimsTransformation Id="GetLocalizedMessage" TransformationMethod="GetMappedValueFromLocalizedCollection">
<InputClaims>
<InputClaim ClaimTypeReferenceId="errorCode" TransformationClaimType="mapFromClaim" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="messageValue" TransformationClaimType="restrictionValueClaim" />
</OutputClaims>
</ClaimsTransformation>
</ClaimsTransformations>
<ContentDefinitions>
<ContentDefinition Id="api.selfasserted">
<LocalizedResourcesReferences MergeBehavior="Prepend">
<LocalizedResourcesReference Language="en" LocalizedResourcesReferenceId="api.selfasserted.en" />
<LocalizedResourcesReference Language="es" LocalizedResourcesReferenceId="api.selfasserted.es" />
</LocalizedResourcesReferences>
</ContentDefinition>
</ContentDefinitions>
<Localization Enabled="true">
<SupportedLanguages DefaultLanguage="en" MergeBehavior="ReplaceAll">
<SupportedLanguage>en</SupportedLanguage>
<SupportedLanguage>es</SupportedLanguage>
</SupportedLanguages>
<LocalizedResources Id="api.selfasserted.en">
<LocalizedCollections>
<LocalizedCollection ElementType="ClaimType" ElementId="messageValue" TargetCollection="Restriction">
<Item Text="errorCode1" Value="First message in english" />
<Item Text="errorCode2" Value="Second message in english" />
</LocalizedCollection>
</LocalizedCollections>
</LocalizedResources>
<LocalizedResources Id="api.selfasserted.es">
<LocalizedCollections>
<LocalizedCollection ElementType="ClaimType" ElementId="messageValue" TargetCollection="Restriction">
<Item Text="errorCode1" Value="Primer mensaje en español" />
<Item Text="errorCode2" Value="Segundo mensaje en español" />
</LocalizedCollection>
</LocalizedCollections>
</LocalizedResources>
</Localization>
</BuildingBlocks>
<ClaimsProviders>
<ClaimsProvider>
<DisplayName>Self Asserted</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="SelfAsserted-WelcomePage">
<DisplayName>User profile</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
<Metadata>
<Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
</Metadata>
<InputClaimsTransformations>
<InputClaimsTransformation ReferenceId="SetMessageId" />
<InputClaimsTransformation ReferenceId="GetLocalizedMessage" />
</InputClaimsTransformations>
<InputClaims>
<InputClaim ClaimTypeReferenceId="messageValue" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="email"/>
<OutputClaim ClaimTypeReferenceId="messageValue"/>
</OutputClaims>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
</ClaimsProviders>
<UserJourneys>
<UserJourney Id="Localization_Tester">
<OrchestrationSteps>
<OrchestrationStep Order="1" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="SelfAsserted-WelcomePage" TechnicalProfileReferenceId="SelfAsserted-WelcomePage" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="2" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="AAD-UserReadUsingEmailAddress" TechnicalProfileReferenceId="AAD-UserReadUsingEmailAddress" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
</OrchestrationSteps>
</UserJourney>
</UserJourneys>
I have created custom policy using Identity Experience Framework. I am able to signup and signin user using the local account but when I am trying to use Facebook as social login I am running into some error.
Issue: When I click Facebook login (Social Login) from my custom policy, I am being redirected to FB for login, but after login from FB I am seeing below error from application insights.
{
""Kind"": ""HandlerResult"",
""Content"": {
""Result"": true,
""RecorderRecord"": {
""Values"": [
{
""Key"": ""SendErrorTechnicalProfile"",
""Value"": ""OAuth2ProtocolProvider""
},
{
""Key"": ""Exception"",
""Value"": {
""Kind"": ""Handled"",
""HResult"": ""80131500"",
""Message"": ""An exception was caught when making a request to URL \""https://graph.facebook.com/oauth/access_token\"" using method \""Get\"". The exception status code was \""ProtocolError\"" with the following message: {scrubbed}."",
""Data"": {},
""Exception"": {
""Kind"": ""Handled"",
""HResult"": ""80131509"",
""Message"": ""The remote server returned an error: (400) Bad Request."",
""Data"": {}
}
}
}
]
}
}
},
any thoughts?
<TechnicalProfiles>
<TechnicalProfile Id="Facebook-OAUTH">
<!-- The text in the following DisplayName element is shown to the user on the claims provider selection screen. -->
<DisplayName>Facebook</DisplayName>
<Protocol Name="OAuth2" />
<Metadata>
<Item Key="ProviderName">facebook</Item>
<Item Key="authorization_endpoint">https://www.facebook.com/dialog/oauth</Item>
<Item Key="AccessTokenEndpoint">https://graph.facebook.com/oauth/access_token</Item>
<Item Key="ClaimsEndpoint">https://graph.facebook.com/me?fields=id,first_name,last_name,name,email,picture</Item>
<Item Key="scope">email</Item>
<Item Key="HttpBinding">GET</Item>
<Item Key="client_id">xxxxxxxx</Item>
<Item Key="UsePolicyInRedirectUri">0</Item>
</Metadata>
<CryptographicKeys>
<Key Id="client_secret" StorageReferenceId="B2C_1A_FacebookSecret" />
</CryptographicKeys>
<InputClaims />
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="userId" PartnerClaimType="id" />
<OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="first_name" />
<OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="last_name" />
<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
<OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="facebook.com" />
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
<OutputClaim ClaimTypeReferenceId="extension_picture" PartnerClaimType="picture"/>
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
<OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
<OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
<OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
</OutputClaimsTransformations>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
</TechnicalProfile>
</TechnicalProfiles>
You must also add the following item to <Metadata />:
<Item Key="AccessTokenResponseFormat">json</Item>
See this blog post for more information.
You have add as well...
<Metadata>
<Item Key="AccessTokenResponseFormat">json</Item>
</Metadata>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}" />
</OutputClaims>
I'm trying to clone a custom policy from an ADB2C tenant to another one uploading the XML file through the "identity experience framework" interface
but I get the following error:
Unable to upload policy. Reason : Validation failed: 1 validation error(s) found in policy "B2C_1A_B2C_1_SIGNUPIN" of tenant "tenant.onmicrosoft.com".Policy 'B2C_1A_B2C_1_SignUpIn' of tenant 'tenat.onmicrosoft.com' is not allowed to inherit from the specified base policy. Inheritance chain: {
"TenantId": "tenant.onmicrosoft.com",
"PolicyId": "base-v1",
"TenantObjectId": "xxxx...",
"Root": true,
"Derived": {
"TenantId": "tenant.onmicrosoft.com",
"PolicyId": "B2C_1A_B2C_1_SignUpIn",
"TenantObjectId": "yyyy...",
"Rule": "All",
"InheritanceAllowed": false,
"Reason": "Policy 'B2C_1A_B2C_1_SignUpIn' in tenant 'yyyyy...' is blocked from inheriting policies from 'xxxx...' as the basic policy constraint handler 'B2CBasicPoliciesOnly' cannot match the policy id to a prefix or registered policy id."
}
}
This is the policy content:
<TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0"
TenantId="tenant.onmicrosoft.com" TenantObjectId="xxx...."
PolicyId="B2C_1_SignUpIn" PublicPolicyUri="http://tenant.onmicrosoft.com/">
<BasePolicy>
<TenantId>tenant.onmicrosoft.com</TenantId>
<PolicyId>base-v1</PolicyId>
</BasePolicy>
<BuildingBlocks>
<ClaimsSchema>
<ClaimType Id="displayName">
<DisplayName>Username</DisplayName>
<DataType>string</DataType>
<Restriction MergeBehavior="Append" />
</ClaimType>
<ClaimType Id="givenName">
<DisplayName>First Name</DisplayName>
<DataType>string</DataType>
<Restriction MergeBehavior="Append" />
</ClaimType>
<ClaimType Id="surname">
<DisplayName>Last name</DisplayName>
<DataType>string</DataType>
<Restriction MergeBehavior="Append" />
</ClaimType>
<ClaimType Id="extension_Service">
<DisplayName>Service Name</DisplayName>
<DataType>string</DataType>
<Restriction MergeBehavior="Append" />
</ClaimType>
</ClaimsSchema>
</BuildingBlocks>
<ClaimsProviders>
<ClaimsProvider>
<DisplayName>PhoneFactor</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="PhoneFactor-Common">
<EnabledForUserJourneys>OnClaimsExistence</EnabledForUserJourneys>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
<ClaimsProvider>
<DisplayName>Token Issuer</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="JwtIssuer">
<Metadata>
<Item Key="token_lifetime_secs">3600</Item>
<Item Key="id_token_lifetime_secs">3600</Item>
<Item Key="refresh_token_lifetime_secs">1209600</Item>
<Item Key="rolling_refresh_token_lifetime_secs">7776000</Item>
<Item Key="IssuanceClaimPattern">AuthorityAndTenantGuid</Item>
<Item Key="AuthenticationContextReferenceClaimPattern">None</Item>
</Metadata>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
<ClaimsProvider>
<DisplayName>Self Asserted</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="SelfAsserted-Input">
<InputClaims>
<InputClaim ClaimTypeReferenceId="displayName" />
<InputClaim ClaimTypeReferenceId="givenName" />
<InputClaim ClaimTypeReferenceId="surname" />
<InputClaim ClaimTypeReferenceId="extension_Organization" />
<InputClaim ClaimTypeReferenceId="extension_Department" />
<InputClaim ClaimTypeReferenceId="extension_Service" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="displayName" Required="true" />
<OutputClaim ClaimTypeReferenceId="givenName" Required="true" />
<OutputClaim ClaimTypeReferenceId="surname" Required="true" />
<OutputClaim ClaimTypeReferenceId="extension_Organization" Required="true" />
<OutputClaim ClaimTypeReferenceId="extension_Department" Required="true" />
<OutputClaim ClaimTypeReferenceId="extension_Service" Required="true" />
</OutputClaims>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
<ClaimsProvider>
<DisplayName>Azure Active Directory</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="AAD-ReadCommon">
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="givenName" />
<OutputClaim ClaimTypeReferenceId="surname" />
<OutputClaim ClaimTypeReferenceId="extension_Organization" />
<OutputClaim ClaimTypeReferenceId="extension_Department" />
<OutputClaim ClaimTypeReferenceId="extension_Service" />
</OutputClaims>
</TechnicalProfile>
<TechnicalProfile Id="AAD-WriteCommon">
<PersistedClaims>
<PersistedClaim ClaimTypeReferenceId="displayName" />
<PersistedClaim ClaimTypeReferenceId="givenName" />
<PersistedClaim ClaimTypeReferenceId="surname" />
<PersistedClaim ClaimTypeReferenceId="extension_Organization" />
<PersistedClaim ClaimTypeReferenceId="extension_Department" />
<PersistedClaim ClaimTypeReferenceId="extension_Service" />
</PersistedClaims>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
</ClaimsProviders>
<UserJourneys>
<UserJourney Id="B2CSignUpOrSignInWithPassword">
<OrchestrationSteps>
<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signinandsignupwithpassword">
<ClaimsProviderSelections>
<ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
</ClaimsProviderSelections>
</OrchestrationStep>
</OrchestrationSteps>
</UserJourney>
</UserJourneys>
<RelyingParty>
<DefaultUserJourney ReferenceId="B2CSignUpOrSignInWithPassword" />
<UserJourneyBehaviors>
<SingleSignOn Scope="Tenant" />
<SessionExpiryType>Rolling</SessionExpiryType>
<SessionExpiryInSeconds>86400</SessionExpiryInSeconds>
</UserJourneyBehaviors>
<TechnicalProfile Id="PolicyProfile">
<DisplayName>PolicyProfile</DisplayName>
<Protocol Name="OpenIdConnect" />
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="emails" />
<OutputClaim ClaimTypeReferenceId="objectId" />
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
<OutputClaim ClaimTypeReferenceId="newUser" />
<OutputClaim ClaimTypeReferenceId="surname" />
<OutputClaim ClaimTypeReferenceId="givenName" />
<OutputClaim ClaimTypeReferenceId="identityProvider" />
<OutputClaim ClaimTypeReferenceId="extension_Organization" />
<OutputClaim ClaimTypeReferenceId="extension_Service" />
<OutputClaim ClaimTypeReferenceId="extension_Department" />
<OutputClaim ClaimTypeReferenceId="trustFrameworkPolicy" Required="true" DefaultValue="{policy}" />
</OutputClaims>
<SubjectNamingInfo ClaimType="sub" />
</TechnicalProfile>
</RelyingParty>
</TrustFrameworkPolicy>
Downloading standard policies and then uploading them (whether with or without modification) is not supported.
Looks like thats what you tried which makes your standard policy a custom policy. Custom policies cannot have base-v1 in the inheritance hierarchy. The base-v1 policies are strictly meant to be used by the standard policies.
The error indicates that your (now) custom policy is inheriting from base-v1.