Can you pass password claims between steps in Azure AD B2C Custom Policies?

Question

Can you pass password claims between steps in Azure AD B2C Custom Policies?

My symptom is that after signing up using a multiple page custom policy, a user cannot sign in until they reset their password.

I am asking this as I spent many hours debugging a problem that it turns out could not be fixed. I found the answer under another question (Azure AD B2C Multi steps custom policy) that was differently worded but had similar symptoms.

I am posting here in the hope it is more easily found and helpful to others. Apologies if you think this is a duplicate.

Answer 1

I was looking for the same and have found a way to do multi step sign up. I tried several methods, including a outputclaimstransformation to store the password in another claim, but that did not work out. Because I already needed to do some input validation against an API I found a way to also copy the password to a new claim (plaintextPassword) that is not scoped to one orchestration step. This claim can be used in a later step to create the user account with the password provided by the plaintextPassword claim.

Create a self asserted technical profile that has an inputclaim (the password) and a validation technical profile. In the validation technical profile you can copy the password to a claim of type string with an inputclaimstransformation. Then add the new claim as outputclaim to the validation profile and to the technical profile. See code below for an example:

  <ClaimType Id="plaintextPassword">
    <DisplayName>password</DisplayName>
    <DataType>string</DataType>
    <UserInputType>TextBox</UserInputType>
  </ClaimType>

  <ClaimType Id="password">
    <DisplayName>Your password</DisplayName>
    <DataType>string</DataType>
    <UserHelpText>Your password</UserHelpText>
    <UserInputType>Password</UserInputType>
  </ClaimType>

  <ClaimsTransformation Id="CopyPassword" TransformationMethod="FormatStringClaim">
    <InputClaims>
      <InputClaim ClaimTypeReferenceId="password" TransformationClaimType="inputClaim" />
    </InputClaims>
    <InputParameters>
      <InputParameter Id="stringFormat" DataType="string" Value="{0}" />
    </InputParameters>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="plaintextPassword" TransformationClaimType="outputClaim" />
    </OutputClaims>
  </ClaimsTransformation>

  <TechnicalProfile Id="SignUp-PasswordValidation">
    <DisplayName>Email signup</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <Metadata>
      <Item Key="ServiceUrl">url</Item>
      <Item Key="AuthenticationType">ClientCertificate</Item>
      <Item Key="SendClaimsIn">Body</Item>
    </Metadata>
    <CryptographicKeys>
      <Key Id="ClientCertificate" StorageReferenceId="B2C_1A_ClientCertificate" />
    </CryptographicKeys>
    <InputClaimsTransformations>
      <InputClaimsTransformation ReferenceId="CopyPassword" />
    </InputClaimsTransformations>
    <InputClaims>
      <InputClaim ClaimTypeReferenceId="claim_to_validate" PartnerClaimType="claim_to_validate" />
    </InputClaims>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="plaintextPassword" />
    </OutputClaims>
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
  </TechnicalProfile>

  <TechnicalProfile Id="SignUp">
    <DisplayName>Email signup</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <Metadata>
      <Item Key="IpAddressClaimReferenceId">IpAddress</Item>
      <Item Key="ContentDefinitionReferenceId">api.localaccountsignup</Item>
      <Item Key="setting.retryLimit">3</Item>
    </Metadata>
    <CryptographicKeys>
      <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
    </CryptographicKeys>
    <InputClaims>
      <InputClaim ClaimTypeReferenceId="email" />
    </InputClaims>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="email" Required="true" />
      <OutputClaim ClaimTypeReferenceId="claim_to_validate" Required="true" />
      <OutputClaim ClaimTypeReferenceId="password" Required="true" />
      <OutputClaim ClaimTypeReferenceId="executed-SelfAsserted-Input" DefaultValue="true" />
      <OutputClaim ClaimTypeReferenceId="plaintextPassword" />
    </OutputClaims>
    <ValidationTechnicalProfiles>
      <ValidationTechnicalProfile ReferenceId="SignUp-Validation" />
    </ValidationTechnicalProfiles>
  </TechnicalProfile>

In the technical profile where you create the user in AAD add this line:

  <PersistedClaim ClaimTypeReferenceId="plaintextPassword" PartnerClaimType="password"/>

Answer 2

In short, no. See Azure AD B2C Multi steps custom policy.

A password claim is "scoped" to a given step. This means the orchestration step that collects the password claim from the end user must be the same step that writes it to the User object.