500 Internal Server Error in Azure AD B2C - azure-ad-b2c

When I try to execute my sign-up policy I'm receiving:
Why?


I was trying to display the field but I hadn't defined the <UserInputType> node.
<ClaimType Id="extension_HelloWorld">
<DisplayName>Hello World</DisplayName>
<DataType>string</DataType>
<DefaultPartnerClaimTypes>
<Protocol Name="OAuth2" PartnerClaimType="HelloWorld" />
<Protocol Name="OpenIdConnect" PartnerClaimType="HelloWorld" />
</DefaultPartnerClaimTypes>
<!-- I had the following line commented out -->
<!--<UserInputType>Readonly</UserInputType>-->
</ClaimType>

Related

ADB2C Rest API not save custom attribute to profile

I enabled custom policy in ADB2C and to add more claims I used a rest API to return data for the custom attribute
the response from RESTAPI looks like below :
{
"version" : "1.0.0",
"action" : "Continue",
"extension_<client_id>_empid" : 15,
"extension_empid" :15,
}
and in the claims, I can read this value but actually this value not saving to the user profile so when I fetch the data using graph it's not coming back How I can override this value to user profile

Assuming extension_empid claim is defined like this:
<ClaimType Id="extension_empid">
<DisplayName>Employee ID</DisplayName>
<DataType>long</DataType>
</ClaimType>
it seems obtaining(parsing from JSON) claim is missing from your REST API, in Restful technical profile OutputClaims collection should contain the element:
<TechnicalProfile Id="getEmployeeInfoAPI">
<DisplayName>Get Employee info</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
...
<OutputClaims>
...
<OutputClaim ClaimTypeReferenceId="extension_empid" PartnerClaimType="extension_empid" />
</OutputClaims>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
And finally in AAD-UserWriteUsingLogonEmail technical profile, PersistedClaims element should contain the element to persist the data to the directory:
<TechnicalProfile Id="AAD-UserWriteUsingLogonEmail">
...
<PersistedClaims>
...
<PersistedClaim ClaimTypeReferenceId="extension_empid" />
</PersistedClaims>
</TechnicalProfile>

what is maximum character length of email in Azure Custom ADB2C policy

what is maximum character length of email in Azure Custom ADB2C policy
this is my claim type
<ClaimType Id="signInName">
<DisplayName>Email Address</DisplayName>
<DataType>string</DataType>
<UserHelpText />
<UserInputType>TextBox</UserInputType>
<Restriction>
<Pattern RegularExpression="^[a-zA-Z0-9.+!#$%&'^_`{}~-]+#[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$" HelpText="Please enter a valid email address." />
</Restriction>
</ClaimType>

As long as it's a valid email it should work (ie charachters#domain.com).
B2C doesn't have limitation on valid email address.

Azure B2C - Send Groups In Claims to SAML SP Using REST API That Queries Graph

I am trying to return group claim in a SignupSign custom policy in Azure B2C to the SAML test app found here https://samltestapp2.azurewebsites.net/. Here's of what I have done so far: -
Created a HTTP trigger PowerShell Azure Function that returns a comma-separated list of groups a user belongs to after querying the MS Graph API. I call it outside B2C and it works fine.
In the TrustFrameworkExtensions.xml file, added a claim type element like so
<BuildingBlocks>
<ClaimsSchema>
<ClaimType Id="groups">
<DisplayName>Comma delimited list of group names</DisplayName>
<DataType>stringCollection</DataType>
<DefaultPartnerClaimTypes>
<Protocol Name="OAuth2" PartnerClaimType="groups" />
<Protocol Name="OpenIdConnect" PartnerClaimType="groups" />
<Protocol Name="SAML2" PartnerClaimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" />
</DefaultPartnerClaimTypes>
<UserInputType>Readonly</UserInputType>
</ClaimType>
</ClaimsSchema>
In the TrustFrameworkExtensions.xml I also added a Technical profile and an orchestration step like so
<TechnicalProfile Id="GetUserGroups">
<DisplayName>Retrieves security groups assigned to the user</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="ServiceUrl">https://morphitgraphapicall.azurewebsites.net/api/GetGroupsFromGraph?objectID=objectId</Item>
<Item Key="AuthenticationType">None</Item>
<Item Key="SendClaimsIn">QueryString</Item>
<Item Key="AllowInsecureAuthInProduction">true</Item>
</Metadata>
<InputClaims>
<InputClaim Required="true" ClaimTypeReferenceId="objectId" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="groups" />
</OutputClaims>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
...
<OrchestrationStep Order="7" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="GetUserGroups" TechnicalProfileReferenceId="GetUserGroups" />
</ClaimsExchanges>
</OrchestrationStep>
In the relying party file, added an output claim like so
relying party file output claim
But I can't seem to get the groups claim passed to the SP application. I can tell that the REST API is being called because being on the Azure Functions consumption plan, there is a cold start if I haven't called the function for a bit which leads to a pause after sign-in.
Thank you.

Add restrictions to custom policy and make claim optional Azure B2C

I am trying to collect user details using LocalAccountSignUpWithLogonName custom policy.I have added <OutputClaim ClaimTypeReferenceId="email" />
to LocalAccountSignUpWithLogonName as outputclaim. I want to make the email field optional, but if user enter the email I want to enable the restrictions.Below is my email claim
<ClaimType Id="email">
<DisplayName>Your Email Address</DisplayName>
<DataType>string</DataType>
<DefaultPartnerClaimTypes>
<Protocol Name="OpenIdConnect" PartnerClaimType="email" />
</DefaultPartnerClaimTypes>
<UserHelpText>Email address that can be used to contact you.</UserHelpText>
<UserInputType>TextBox</UserInputType>
<Restriction>
<Pattern RegularExpression="^[a-zA-Z0-9.+!#$%&'^_{}~-]+#[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$" HelpText="Please enter a valid email address." />
</Restriction>
But when I add the pattern restriction to claim, its making the field mandatory.

I achieved it by changing the regular expression from RegularExpression="^[a-zA-Z0-9.+!#$%&'^_{}~-]+#[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$" to RegularExpression="^$|^[a-zA-Z0-9.+!#$%&'^_{}~-]+#[a-zA-Z0-9-]+(?:.[a-zA-Z0-9-]+)*$" `.
I had to prefix the expression with ^$| which accept blank/empty or the actual email.

How do I get Azure AD B2C's built-in claims to be returned in the token when I'm using a custom policy?

I've been using the built-in SignUpOrSignIn policy for a while, but I'm now moving to a custom policy.
When I set up the built-in policy, I was able to choose from a list of built-in application claims (like displayName and jobTitle), and select which ones I wanted to be returned in the token when the user signed in.
Now I'm setting up the custom policy I want to do the same thing, but I can't get it to work.
So far, in TrustFrameworkBase I have added a ClaimType of jobTitle:
<ClaimType Id="jobTitle">
<DisplayName>Job Title</DisplayName>
<DataType>string</DataType>
<UserHelpText>Job title.</UserHelpText>
</ClaimType>
I've added the following OutputClaim to the TechnicalProfile with ID login-NonInteractive:
<OutputClaim ClaimTypeReferenceId="jobTitle" PartnerClaimType="jobTitle" />
And I've added the following OutputClaim to the TechnicalProfile with ID SelfAsserted-LocalAccountSignin-Email:
<OutputClaim ClaimTypeReferenceId="jobTitle" />
But the jobTitle claim doesn't come through with the others in the token. I've done the same for given_name and that does work. If I change the first OutputClaim to:
<OutputClaim ClaimTypeReferenceId="jobTitle" PartnerClaimType="given_name" />
then a jobTitle claim does come through, but with the value of the given_name claim. This implies I'm just using the wrong PartnerClaimType but there doesn't seem to be a list of them anywhere.
How can I get the built-in job title attribute to be returned as a claim in the token when the user signs in using their local B2C account?

If you only want to read the jobTitle claim (or other claims) for the user and then issue it (or them) in the token, then you must:
1) Declare the jobTitle claim:
<ClaimType Id="jobTitle">
<DisplayName>Job Title</DisplayName>
<DataType>string</DataType>
<DefaultPartnerClaimTypes>
<Protocol Name="OAuth2" PartnerClaimType="job_title" />
<Protocol Name="OpenIdConnect" PartnerClaimType="job_title" />
</DefaultPartnerClaimTypes>
</ClaimType>
2) Add the jobTitle claim as an output claim to the AAD-UserReadUsingObjectId technical profile:
<TechnicalProfile Id="AAD-UserReadUsingObjectId">
...
<OutputClaims>
...
<OutputClaim ClaimTypeReferenceId="jobTitle" />
</OutputClaims>
...
</TechnicalProfile>
3) Add the jobTitle claim as an output claim to the relying party technical profile:
<RelyingParty>
...
<TechnicalProfile Id="PolicyProfile">
...
<OutputClaims>
...
<OutputClaim ClaimTypeReferenceId="jobTitle" />
</OutputClaims>
...
</TechnicalProfile>
</RelyingParty>

Resources