I'm working on a REST API that sends a confirmation email for a custom policy. Can anyone tell me if there is a way to pass the current culture so I can send a localized email?
You can add an <InputClaim /> to the REST API technical profile for passing the current culture as follows:
<InputClaim ClaimTypeReferenceId="mkt" PartnerClaimType="mkt" DefaultValue="{Culture:RFC5646}" />
where "mkt" (market) is an example of a claim type that you can replace with your own one.
"{Culture:RFC5646}" is known as a claims resolver.
Be sure to add the claim type to the TrustFrameworkPolicy/BuildingBlocks/ClaimsSchema section.
Related
I am looking to capture an email address from a specific internal domain during signup, but I don't want to users to enter the domain portion of the address. However I am trying to figure out the best way to signal the user to NOT enter the domain.
I would like to customize the default login page to include the domain shown after the textbox, something like below.
I know I could write a whole custom UI page to do this, but I was hoping to be able to do this with just a simpler customization of the default UI. Is this possible?
• I would suggest you to please use the ‘login_hint’ and ‘domain_hint’ query parameters in the 2C custom policy regarding the need to show a domain name during the signup user flow. By specifying the ‘login_hint’ parameter in the signup custom policy, Azure AD B2C automatically populates the sign-in name while the user only needs to enter the password for his credentials though the user gets the option to change the sign-in name that is automatically populated from the custom policy to enter the sign-in name of his choice.
Similarly, regarding the domain, the ‘domain_hint’ query parameter provides a hint by auto-populating the domain name for the social IDP for which the sign-in is recommended. These two options mostly satisfy your requirement of not requiring a user to enter the domain name during login. Kindly find the below samples of the above query parameters for your reference: -
Domain hint: -
<ClaimsProvider>
<!-- Add the domain hint value to the claims provider -->
<Domain>facebook.com</Domain>
<DisplayName>Facebook</DisplayName>
<TechnicalProfiles>
...
Login hint: -
<ClaimsProvider>
<DisplayName>Local Account</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
<InputClaims>
<!-- Add the login hint value to the sign-in names claim type -->
<InputClaim ClaimTypeReferenceId="signInName" DefaultValue="{OIDC:LoginHint}" />
</InputClaims>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
For more information on the above, kindly refer the below documentation links: -
https://learn.microsoft.com/en-us/azure/active-directory-b2c/direct-signin?pivots=b2c-custom-policy
Azure B2C with domain hint instead of IdP buttons
I created my Azure AD B2C custom policies to authenticate users.
I also added a custom attribute to ask the user for a unique information, something like the SSN.
I've already set the custom attribute as required and I put a restriction based on a regex, but I can't find a way, in the docs, to verify if the value already exists in the directory and give an error if that condition is true while the user signs up.
In this question, the suggestion is to call a rest api that uses Microsoft Graph Api to verify if the value set to the custom attribute already exists:
Azure B2C: Querying AAD using a custom claim?
Is it the only solution or, meanwhile, has been released a way to do this check directly from Azure AD B2C custom policy?
Add a technical policy like:
<TechnicalProfile Id="AAD-UserReadUsingEmailAddress">
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="extension_attribute"/>
</OutputClaims>
</TechnicalProfile
This "merges" with the TP in the base so that when your policy reads AAD, it will also read your extension attribute.
Then in your user journey add a precondition of "ClaimsExist".
I have been slowly working through a custom policy to handle a JIT migration of an external IDP users to Azure B2C. It has been a long journey because there are many complexities in sorting out the components and the configuration steps using XML is a bit of a challenge. I am making some progress.
The basic use case is this: At sign in, the user/password is first checked against the B2C AD and if the user already exists just continue to sign in. If the user isn't in B2C AD, then check the external IDP with a REST call. I planned the response from the external IDP to be used in a binary way: If I get a 200 response, then add the user to B2C AD. If an error is returned then the user will be told to create an account.
I started with a couple of samples from a JIT Migration that I found. I had some difficulty navigating all the components with the social media logins, etc that I then reverted back to the "Local Accounts" sample found in the custom policy starterpack. I got the basic steps to work with no modification. I then added the technical profiles for the REST calls to the extensions file. I used the extension from one of the JIT migration samples and at least got the uploads to work. I am able to present a login prompt.
These are the scenarios and responses I see: 1) A user that I know is in B2C returns an error of "Unable to validate the information provided." 2) A user that I know is in the external IDP but not in B2C returns "We can't seem to find your account". 3) If I try a completely made up account that exists in neither, I see "The claims exchange 'REST-UserMigration-LocalAccount-SignIn' specified in step '1' returned HTTP error response with Code 'BadRequest' and Reason ''. "
So the question/struggle is how do I best sort out what is failing in each step. I have added app insights to the environment. I do see the traces in VS Code. But what should I look for? Here is the short responses ("Exceptions") for each of the errors listed above:
Scenario 1: The claim type "signInNames.emailAddress", designated as the identifier claim type, could not be found in the claims collection for the claims principal in tenant id "B2C_1A_JITMigration_signup_signin"
Scenario 2: A user with the specified credential could not be found.
Scenario 3: ErrorCodes: AADB2C90075
Rather than post of the code, here is the link to what I copied: https://github.com/azure-ad-b2c/user-migration/blob/master/jit-migration-v2/policy/TrustFrameworkExtensions.xml I can post up my exact code but basically I changed the tenant and the REST call. The Technical profile for the REST call snippet is:
<InputClaims>
<InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="username"/>
<InputClaim ClaimTypeReferenceId="password" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="needToMigrate" />
<OutputClaim ClaimTypeReferenceId="email" />
<OutputClaim ClaimTypeReferenceId="newPassword" />
<OutputClaim ClaimTypeReferenceId="displayName" />
<OutputClaim ClaimTypeReferenceId="givenName" />
<OutputClaim ClaimTypeReferenceId="surname" />
</OutputClaims>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
The input claims are fine but I am not sure how to modify the output claims. The REST API returns a single value of an authentication token which I don't need but is an indication that the authentication succeeded. It returns an error if the authentication fails. Basically an HTTP 200 is good, an HTTP 400 means the user doesn't exist. The goal is to use that API call as a binary indicator to either migrate or not migrate the user. Perhaps I cannot use the API in that way.
My hope is to solve each scenario step by step. Figure out why the scenario 1 doesn't work although the credential are correct. Then figure out why scenario 2 is correctly identifying that the user isn't found but wasn't automatically migrated. Finally, to figure out how to manage the 400 error returned by the API when the user doesn't exist in the external IDP.
I might need to tweak the user journeys or orchestration steps? Taking baby steps here.
Thanks
I have Azure B2C with custom policies with Local Login and Microsoft Account login enabled. I have started with the starter pack and made some modifications to add my custom logic for validate and add additional claims as explained here.
Everything works fine with Microsoft Account. But I am facing issues with Local Account Sign in.
email claim is only populated when the user signup but not on sign-in. In case of sign-in the email is part of "signInNames.emailAddress" claim. I tried making changes as explained here and here. I would like the email to be populate in email claim as my API uses this claim.
Additional calims returned from my REST API are not added to token only for Local Login. They are added for Microsoft Account.
thank you.
Update: For point 2, its a problem with my policy file and is now fixed.
There is a simple method to return email claim.
Just replace <OutputClaim ClaimTypeReferenceId="email" /> with <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email" /> in your SignUporSignIn.xml file.
You need to sign up new local user and then sign in to test it. You will see the email claim.
In fact, this solution has been provided by #Wayne Yang in the post you shared.
I'm using custom policies with a CombinedSignInAndSignUp for social accounts and LocalAccountSigninEmailExchange.
Using the domain_hint I can skip the selection for social accounts and go directly to e.g. google sign in.
I also want to set domain_hint to "LocalAccount" and then ONLY show the local account sign in.
I guess I can do that by adding a first step in the UserJourney to check if domain_hint="LocalAccount" and if the ClaimEquals skip the social providers.
I can get the value as output claim when I specify:
<OutputClaim ClaimTypeReferenceId="domain_hint" AlwaysUseDefaultValue="true" DefaultValue="{OIDC:DomainHint}"/>
But how do I get the value as Precondition in an OrchestrationStep???
You can use the {OIDC:DomainHint} claims resolver.