Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Azure AD B2C - "emails" claim in custom policy

I'm looking for a way to add an emails claim (collection of emails) to a custom policy for Azure AD B2C. This application claim is available from the Azure Portal directly but I cannot find a way to implement this in a custom policy which I need to create.

What I want to achieve is to have Azure AD B2C authentication for my WebApp users and Azure AD authentication as custom Authentication Provider for employees so It means I will need to add emails claim twice - for Local accounts and for Azure AD.

I followed this guide to make custom policy so I've added a new ClaimsProvider to TrustFrameworkExtensions.xml file.

When I download Sign Up & Sign In policy created in Azure Portal then I can see the following Output Claim:

<OutputClaim ClaimTypeReferenceId="emails" />

I tried to put that line to my custom policy but it does not return emails claim.

Any ideas?

like image 841
Sebastian Możejko Avatar asked Oct 16 '17 19:10

Sebastian Możejko


People also ask

What are claims in Azure AD B2C?

Claims. When you use Azure AD B2C, you have fine-grained control over the content of your tokens. You can configure user flows and custom policies to send certain sets of user data in claims that are required for your application. These claims can include standard properties such as displayName and emailAddress.

How do I create a custom policy in Azure B2C?

On the Portal settings | Directories + subscriptions page, find your Azure AD B2C directory in the Directory name list, and then select Switch. In the Azure portal, search for and select Azure AD B2C. On the overview page, under Policies, select Identity Experience Framework. Select Policy Keys and then select Add.

How do I customize my Azure AD B2C login page?

In the Azure portal, search for and select Azure AD B2C. In the left-hand menu, select User flows, and then select the B2C_1_signupsignin1 user flow. Select Page layouts, and then under Unified sign-up or sign-in page, select Yes for Use custom page content. In Custom page URI, enter the URI for the custom-ui.

What is the difference between Azure AD and Azure AD B2C?

Azure AD is Microsoft's solution for managing employee access to SaaS apps and it has features designed for this purpose such as licensing and Conditional Access. Azure AD B2C provides an identity and access management platform for building web and mobile applications.


1 Answers

I couldn't find an answer this either - it looks like the "emails" claim is being returned by a custom OutputClaimsTransformation, the configuration of which isn't available in the samples.

I did find the this answer on SO which helped, but it covers updated the "otherMails" claim for NEW users and I had existing users on the basic policies who I couldn't update in that way.

It seems that emails is being populated by concatenating "otherMails" (in the case of social signups) with the first entry in the "signInNames" array.

I ended up doing the following to get the "emails" claim dynamically created.

Create two new ClaimTypes in TrustFrameworkExtensions.xml

  <ClaimType Id="emails">
    <DisplayName>Emails</DisplayName>
    <DataType>stringCollection</DataType>
    <UserHelpText>User's email addresses</UserHelpText>
  </ClaimType>

 <ClaimType Id="firstOtherMail">
    <DisplayName>First Other mail</DisplayName>
    <DataType>string</DataType>
    <UserHelpText>Other Mail</UserHelpText>
  </ClaimType>

Create 3 new ClaimsTransformations in TrustFrameworkExtensions.xml

<ClaimsTransformation Id="GetFirstOtherMail" TransformationMethod="GetSingleItemFromStringCollection">
    <InputClaims>
      <InputClaim ClaimTypeReferenceId="otherMails" TransformationClaimType="collection" />
    </InputClaims>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="firstOtherMail" TransformationClaimType="extractedItem" />
    </OutputClaims>
  </ClaimsTransformation>

  <ClaimsTransformation Id="CopyFirstOtherMailToEmail" TransformationMethod="AddItemToStringCollection">
    <InputClaims>
      <InputClaim ClaimTypeReferenceId="firstOtherMail" TransformationClaimType="item" />
      <InputClaim ClaimTypeReferenceId="emails" TransformationClaimType="collection" />
    </InputClaims>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="emails" TransformationClaimType="collection" />
    </OutputClaims>
  </ClaimsTransformation>

  <ClaimsTransformation Id="CopySignInNamesEmailToEmails" TransformationMethod="AddItemToStringCollection">
    <InputClaims>
      <InputClaim ClaimTypeReferenceId="signInNames.emailAddress" TransformationClaimType="item" />
      <InputClaim ClaimTypeReferenceId="emails" TransformationClaimType="collection" />
    </InputClaims>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="emails" TransformationClaimType="collection" />
    </OutputClaims>
  </ClaimsTransformation>

Create a new TechnicalProfile in TrustFrameworkExtensions.xml:

<!-- The following technical profile is used to create the emails collection after user authenticates. -->
    <TechnicalProfile Id="AAD-UserCreateEmailsClaim">
      <Metadata>
        <Item Key="Operation">Read</Item>
        <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
      </Metadata>
      <IncludeInSso>false</IncludeInSso>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="emails" />           
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="GetFirstOtherMail"/>
        <OutputClaimsTransformation ReferenceId="CopySignInNamesEmailToEmails"/>
        <OutputClaimsTransformation ReferenceId="CopyFirstOtherMailToEmail"/>
      </OutputClaimsTransformations>
      <IncludeTechnicalProfile ReferenceId="AAD-Common" />
    </TechnicalProfile>

Add a new OrchestrationStep to the SignUpOrSignIn UserJourney just before the last step (SendClaims) in SignUpOrSignIn

    <OrchestrationStep Order="8" Type="ClaimsExchange">
      <ClaimsExchanges>
        <!-- create the emails claim combining signInNames and otherMails -->
        <ClaimsExchange Id="AADUserCreateEmailsClaim" TechnicalProfileReferenceId="AAD-UserCreateEmailsClaim" />
      </ClaimsExchanges>
    </OrchestrationStep>


    <OrchestrationStep Order="9" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />

Edit the PolicyProfile TechnicalProfile and add the OutputClaim:

 <OutputClaim ClaimTypeReferenceId="emails" />
like image 83
RNDThoughts Avatar answered Sep 22 '22 15:09

RNDThoughts