I have created custom policies for social and local accounts based on the example from the Active Directory B2C custom policy starter pack for social and local accounts. I have enabled the login with Microsoft and Google and tested that both work, I have also enabled logging in with a local account.
When I log in with google I get the following claims
exp,nbf,ver,iss,sub,aud,acr,nonce,iat,auth_time,email,given_name,family_name,name,idp,at_hash
When I log into a custom Azure AD tenant the set of claims is missing 'email', but the email is listed in the 'name' claim
exp,nbf,ver,iss,sub,aud,acr,nonce,iat,auth_time,given_name,family_name, name,idp,at_hash
When I log in as a local account the set of claims is missing 'email' and there is no email listed in any of the fields.
exp,nbf,ver,iss,sub,aud,acr,nonce,iat,auth_time,given_name, family_name,name,at_hash
Finally, when I look at the list of users in the B2C admin, these are all different user entries...even though the email address is the same. So I have 2 questions,
How do I get a consistent set of claims in the id_token
How do I link all these accounts together at registration time (Same UPN)
I believe these may be related, which is why I am asking them together.
You probably want to see the policies, but I assure you they are exactly the same as the policies in the starter pack, all I've done is change the tenant names and added google and azure in the trust framework extensions file.
For the Azure AD email claim, add the following <OutputClaim /> to the Azure AD OpenID Connect technical profile:
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="unique_name" />
For the local account email claim, add the following <OutputClaim /> to the AAD-UserReadUsingObjectId technical profile:
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" />
Related
This is the Azure B2C User Flow’s Application claims, where I can tick the Email Addresses and save it.
UserFlow Application Claims
How can I do this in custom policy? I am trying to add Multi-Tenant login to AAD B2C via custom policies and I need to select this ‘Email Addresses’ in the Application Claims from User Flow.
How can I select or activate this same ‘Email Addresses’ in custom policy XML files?
So far I tried adding -->> OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" <<-- to the technical profiles, but still no luck.
The claim you want is "preferred_username".
Try to add <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="preferred_username" />.
I have an Azure B2C tenant I'm setting up using policies and I'm facing the following problem. One of my social providers is configured as an Azure Active Directory but, when getting the token, the email is not included.
I have other providers like Google or LinkedIn where I've been able to collect the email using these OutputClaims inside the TechnicalProfile of each ClaimProvider.
Google
<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email" />
LinkedIn
<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="elements[0].handle~.emailAddress" />
I'm wondering if there is a similar approach to what I need but the Azure Active Directory provide offers an email's PartnerClaimType.
I checked the doc for this kind of provider but found nothing. I checked as well the optional claims set and the email is mentioned but got no clue how to make it work.
Thank's for your time!
Try
<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="unique_name" />
https://learn.microsoft.com/en-us/azure/active-directory/develop/id-tokens#claims-in-an-id_token
I have Azure B2C with custom policies with Local Login and Microsoft Account login enabled. I have started with the starter pack and made some modifications to add my custom logic for validate and add additional claims as explained here.
Everything works fine with Microsoft Account. But I am facing issues with Local Account Sign in.
email claim is only populated when the user signup but not on sign-in. In case of sign-in the email is part of "signInNames.emailAddress" claim. I tried making changes as explained here and here. I would like the email to be populate in email claim as my API uses this claim.
Additional calims returned from my REST API are not added to token only for Local Login. They are added for Microsoft Account.
thank you.
Update: For point 2, its a problem with my policy file and is now fixed.
There is a simple method to return email claim.
Just replace <OutputClaim ClaimTypeReferenceId="email" /> with <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email" /> in your SignUporSignIn.xml file.
You need to sign up new local user and then sign in to test it. You will see the email claim.
In fact, this solution has been provided by #Wayne Yang in the post you shared.
I'm using custom policies in order o integrate Azure B2C AD. I need to be able to use single sign on to Microsoft Business Accounts. I was able to make it work, nevertheless, it doesn't return the emails clain my tokens.
Here is what I did:
Downloaded the Start Pack “SocialAndLocalAccountsWithMfa”
I made the changes to the related files based in the articles
below(step 3 and 4)
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-commonaad-custom
Return emails on custom policies
Any idea why it is not working? Thank you in advance!
It seems that the "emails" claim is being returned by a custom OutputClaimsTransformation, the configuration of which isn't available in the samples.
You need to get the email claims dynamically created.
Please see this thread which provides a workaround to your situation.
You must map to the email claim that is used by Azure AD B2C from the upn claim that is issued by Azure AD (which, by convention, should map to the email address for the work account) as follows:
<ClaimsProvider>
<Domain>commonaad</Domain>
<DisplayName>Common AAD</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="Common-AAD">
<DisplayName>Multi-Tenant AAD</DisplayName>
<Protocol Name="OpenIdConnect" />
...
<OutputClaims>
...
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="upn" />
</OutputClaims>
...
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
The AAD-UserWriteUsingAlternativeSecurityId technical profile adds this email claim to the otherMails claim by invoking the CreateOtherMailsFromEmail claims transformation and then saves otherMails claim to the user object.
I have set up an Azure B2C tenant and used custom policies to add azure ad as an IDP so that users can sign up with their domain accounts. I can build a custom page where ask them for their email and then redirect them to the proper policy(one for work domain accounts and another for personal emails), so that they do not have to make the choice between work and personal emails. The problem is that I do not want to make the user enter the email once again. Is there a way/option to do this? I basically want to achieve something similar to what the common endpoint of Azure AD does for all accounts.
For a custom policy, if you add the "login_hint" query string parameter to the OpenID Connect authentication request, then you can default the login field to this login hint by adding the "DefaultValue" attribute to the "signInName" input claim for the "SelfAsserted-LocalAccountSignin-Email" technical profile as follows:
<TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
<DisplayName>Local Account Signin</DisplayName>
...
<InputClaims>
<InputClaim ClaimTypeReferenceId="signInName" DefaultValue="{OIDC:LoginHint}" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="signInName" Required="true" />
...
</OutputClaims>
...
</TechnicalProfile>
The "DefaultValue" attribute references a claims resolver that sets the "signInName" claim type to the "login_hint" parameter of the OpenID Connect authentication request.
See the Set up direct sign-in using Azure Active Directory B2C article for more information about passing the "login_hint" query string parameter.