
When is ValidationTechnicalProfile executed?

At what stage in the processing of a TechnicalProfile X is the ValidationTP or IncludedTP executed? Before X produces OutputClaims? After?

Say my TP has the following claim. It also has a ValidationTP Y. Can Y persist 'email' (is it available to it)?

<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true" />

Alternatively, say my TP X uses another Y as ValidationTP and Y inputs and outputs some claims (Input/OutputClaim). Are they available for output from X? Do I even need to mark them as OutputClaims if they are marked as OutputClaims in the ValidationTP?

Marc asked Oct 23 '25 10:10



1 Answer

A validation technical profile is executed after the self-asserted technical profile, which refers to the validation technical profile, has executed.

  1. Claims that are declared as output from the self-asserted technical profile are passed to the validation technical profile.

In the following example, the email claim is passed from the LocalAccountSignUpWithLogonEmail self-asserted technical profile to the AAD-UserWriteUsingLogonEmail validation technical profile:

<TechnicalProfile Id="AAD-UserWriteUsingLogonEmail">
  <PersistedClaims>
    <PersistedClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" />
  </PersistedClaims>
</TechnicalProfile>
<TechnicalProfile Id="LocalAccountSignUpWithLogonEmail">
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingLogonEmail" />
  </ValidationTechnicalProfiles>
</TechnicalProfile>

  2. Claims that are declared as output from one validation technical profile that is referenced by a self-asserted technical profile are passed to other validation technical profiles that are referenced by this self-asserted technical profile.

In the following example, the objectId claim is passed from the AAD-UserWriteUsingLogonEmail validation technical profile to the REST-API-Signup validation technical profile:

<TechnicalProfile Id="AAD-UserWriteUsingLogonEmail">
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectId" />
  </OutputClaims>
</TechnicalProfile>
<TechnicalProfile Id="REST-API-Signup">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" />
  </InputClaims>
</TechnicalProfile>
<TechnicalProfile Id="LocalAccountSignUpWithLogonEmail">
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingLogonEmail" />
    <ValidationTechnicalProfile ReferenceId="REST-API-Signup" />
  </ValidationTechnicalProfiles>
</TechnicalProfile>

  3. Claims that are declared as output from a validation technical profile and the self-asserted technical profile that refers to this validation technical profile are passed to other orchestration steps.

In the following example, the objectId claim is passed from the AAD-UserWriteUsingLogonEmail validation technical profile "through" the LocalAccountSignUpWithLogonEmail self-asserted technical profile to other orchestration steps:

<TechnicalProfile Id="AAD-UserWriteUsingLogonEmail">
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectId" />
  </OutputClaims>
</TechnicalProfile>
<TechnicalProfile Id="LocalAccountSignUpWithLogonEmail">
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectId" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingLogonEmail" />
  </ValidationTechnicalProfiles>
</TechnicalProfile>

For more information, see the Technical profile flow section of the About technical profiles in Azure Active Directory B2C custom policies article.

Chris Padgett answered Oct 25 '25 23:10
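
The three claim-flow rules from the answer above can be checked mechanically before a policy is uploaded. The following Python check is an added example, not part of the original answer or of any Azure AD B2C tooling. Assumptions: the policy fragment is constructed, the XML namespace and base-policy inheritance are left out, and the `displayName` input claim is added only to produce a finding.

```python
import xml.etree.ElementTree as ET

# Constructed policy fragment combining the answer's three snippets (no namespace).
# REST-API-Signup also asks for "displayName", which nothing upstream declares.
POLICY = """<TechnicalProfiles>
  <TechnicalProfile Id="AAD-UserWriteUsingLogonEmail">
    <PersistedClaims>
      <PersistedClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" />
    </PersistedClaims>
    <OutputClaims><OutputClaim ClaimTypeReferenceId="objectId" /></OutputClaims>
  </TechnicalProfile>
  <TechnicalProfile Id="REST-API-Signup">
    <InputClaims>
      <InputClaim ClaimTypeReferenceId="objectId" />
      <InputClaim ClaimTypeReferenceId="displayName" />
    </InputClaims>
  </TechnicalProfile>
  <TechnicalProfile Id="LocalAccountSignUpWithLogonEmail">
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true" />
    </OutputClaims>
    <ValidationTechnicalProfiles>
      <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingLogonEmail" />
      <ValidationTechnicalProfile ReferenceId="REST-API-Signup" />
    </ValidationTechnicalProfiles>
  </TechnicalProfile>
</TechnicalProfiles>"""

def claims(tp, section):
    """ClaimTypeReferenceId values declared under one section of a profile."""
    return {c.get("ClaimTypeReferenceId") for c in tp.findall(f"{section}/*")}

def check_flow(policy_xml, self_asserted_id):
    """Apply the answer's three rules to one self-asserted technical profile."""
    tps = {tp.get("Id"): tp for tp in ET.fromstring(policy_xml).iter("TechnicalProfile")}
    parent = tps[self_asserted_id]
    parent_out = claims(parent, "OutputClaims")
    available = set(parent_out)   # rule 1: parent outputs reach the validation TPs
    missing, produced = [], set()
    for ref in parent.findall("ValidationTechnicalProfiles/ValidationTechnicalProfile"):
        vtp = tps[ref.get("ReferenceId")]
        needed = claims(vtp, "InputClaims") | claims(vtp, "PersistedClaims")
        missing += [(vtp.get("Id"), c) for c in sorted(needed - available)]
        out = claims(vtp, "OutputClaims")
        available |= out          # rule 2: outputs reach later validation TPs
        produced |= out
    # rule 3: a validation output leaves the step only if the parent also outputs it
    return {"missing": missing, "not_forwarded": sorted(produced - parent_out)}
```

On the constructed fragment, `check_flow(POLICY, "LocalAccountSignUpWithLogonEmail")` reports `displayName` as unavailable to `REST-API-Signup` and `objectId` as produced but not forwarded to later orchestration steps.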