I have followed the instructions of Deploy AAD B2C Custom Policies to deploy custom policies in my B2C directory.
I have deployed successfully the Username based journey quick deploy sample.
When running the endpoint of B2C_1A_DEMO_SUSI_USERNAME:
- A signup returns the email claim.
- A signin doesn’t return the email claim.
For the signin process to return the email claim, do I modify the Technical Profile with ID SelfAsserted-LocalAccountSignin-Username of the B2C_1A_DEMO_TRUSTFRAMEWORKEXTENSIONS_USERNAME custom policy? And if so, what exactly should I add? And if not, what else should I look at?
Technical Profile SelfAsserted-LocalAccountSignin-Username:
<TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Username">
  <DisplayName>Local Account Signin</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="SignUpTarget">SignUpWithLogonUsernameExchange</Item>
    <Item Key="setting.operatingMode">Username</Item>
    <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="signInName" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="signInName" Required="true" />
    <OutputClaim ClaimTypeReferenceId="password" Required="true" />
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="login-NonInteractive" />
  </ValidationTechnicalProfiles>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>
And for comparison, this is the LocalAccountSignUpWithLogonName Technical Profile which returns the email claim:
<TechnicalProfile Id="LocalAccountSignUpWithLogonName">
  <DisplayName>User ID signup</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="IpAddressClaimReferenceId">IpAddress</Item>
    <Item Key="ContentDefinitionReferenceId">api.localaccountsignup</Item>
    <Item Key="LocalAccountType">Username</Item>
    <Item Key="LocalAccountProfile">true</Item>
    <Item Key="language.button_continue">Create</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="signInName" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectId" Required="true" />
    <OutputClaim ClaimTypeReferenceId="signInName" Required="true" />
    <OutputClaim ClaimTypeReferenceId="newPassword" Required="true" />
    <OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true" />
    <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true" />
    <OutputClaim ClaimTypeReferenceId="executed-SelfAsserted-Input" DefaultValue="true" />
    <OutputClaim ClaimTypeReferenceId="newUser" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" />
    <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
    <OutputClaim ClaimTypeReferenceId="givenName" Required="true" />
    <OutputClaim ClaimTypeReferenceId="surname" Required="true" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingLogonName" />
  </ValidationTechnicalProfiles>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>
I have tried to add email as an Output Claim with the following line of code:
  <OutputClaim ClaimTypeReferenceId="email" />
But it results in an exception, and I do not have insights enabled yet to trace it.
2 Answers
As per the sample:
"At Sign Up, the user is asked to validate an email address. This email address will be associated to the user account by writing to a protected attribute: strongAuthenticationEmailAddress".
So you need to output "strongAuthenticationEmailAddress" in "SelfAsserted-LocalAccountSignin-Username" and in the RP.
If you want to output "email" in the RP:
should work.
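An added example (not the answer's or the sample's own code) of what the two edits described above could look like: the sign-in technical profile in the extensions policy with strongAuthenticationEmailAddress as an extra output claim, and the matching output claim in the relying party policy. It assumes the directory read that follows login-NonInteractive in the journey puts strongAuthenticationEmailAddress into the claims bag, and that the relying party file is B2C_1A_DEMO_SUSI_USERNAME.

```xml
<!-- Extensions policy (B2C_1A_DEMO_TRUSTFRAMEWORKEXTENSIONS_USERNAME).
     Assumption: the claim is read from the directory after login-NonInteractive,
     so listing it here only carries it into the claims bag; it is not shown to the user. -->
<TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Username">
  <DisplayName>Local Account Signin</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="SignUpTarget">SignUpWithLogonUsernameExchange</Item>
    <Item Key="setting.operatingMode">Username</Item>
    <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="signInName" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="signInName" Required="true" />
    <OutputClaim ClaimTypeReferenceId="password" Required="true" />
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" />
    <!-- Added: the protected attribute that sign-up wrote the verified address to -->
    <OutputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="login-NonInteractive" />
  </ValidationTechnicalProfiles>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>

<!-- Relying party policy (B2C_1A_DEMO_SUSI_USERNAME), inside <RelyingParty>.
     PartnerClaimType="email" is the name the claim gets in the issued token;
     the B2C claim type itself stays strongAuthenticationEmailAddress. -->
<TechnicalProfile Id="PolicyProfile">
  <DisplayName>PolicyProfile</DisplayName>
  <Protocol Name="OpenIdConnect" />
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
    <OutputClaim ClaimTypeReferenceId="signInName" />
    <OutputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress" PartnerClaimType="email" />
  </OutputClaims>
  <SubjectNamingInfo ClaimType="sub" />
</TechnicalProfile>
```

Accounts created before sign-up started writing strongAuthenticationEmailAddress will still get a token without the email claim, which is what the second answer describes.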
If the claim was added after the signin had been provisioned, subsequent logins by the old provisioned user will not have that claim. Delete any sign-ins that preceded the adding of said claim and have them re-provision themselves.