
I have followed the instructions of Deploy AAD B2C Custom Policies to deploy custom policies in my B2C directory.

I have successfully deployed the Username based journey quick deploy sample.

When running the endpoint of B2C_1A_DEMO_SUSI_USERNAME:

  • A signup returns the email claim.
  • A signin doesn’t return the email claim.

For the signin process to return the email claim,
do I modify the Technical Profile with ID SelfAsserted-LocalAccountSignin-Username of the B2C_1A_DEMO_TRUSTFRAMEWORKEXTENSIONS_USERNAME custom policy? And if so, what exactly should I add? And if not, what else should I look at?

Technical Profile SelfAsserted-LocalAccountSignin-Username:

<TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Username">
    <DisplayName>Local Account Signin</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <Metadata>
        <Item Key="SignUpTarget">SignUpWithLogonUsernameExchange</Item>
        <Item Key="setting.operatingMode">Username</Item>
        <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
    </Metadata>
    <IncludeInSso>false</IncludeInSso>
    <InputClaims>
        <InputClaim ClaimTypeReferenceId="signInName" />
    </InputClaims>
    <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="signInName" Required="true" />
        <OutputClaim ClaimTypeReferenceId="password" Required="true" />
        <OutputClaim ClaimTypeReferenceId="objectId" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" />
    </OutputClaims>
    <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="login-NonInteractive" />
    </ValidationTechnicalProfiles>
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>

And for comparison, this is the LocalAccountSignUpWithLogonName Technical Profile which returns the email claim:

<TechnicalProfile Id="LocalAccountSignUpWithLogonName">
    <DisplayName>User ID signup</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <Metadata>
        <Item Key="IpAddressClaimReferenceId">IpAddress</Item>
        <Item Key="ContentDefinitionReferenceId">api.localaccountsignup</Item>
        <Item Key="LocalAccountType">Username</Item>
        <Item Key="LocalAccountProfile">true</Item>
        <Item Key="language.button_continue">Create</Item>
    </Metadata>
    <InputClaims>
        <InputClaim ClaimTypeReferenceId="signInName" />
    </InputClaims>
    <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" Required="true" />
        <OutputClaim ClaimTypeReferenceId="signInName" Required="true" />
        <OutputClaim ClaimTypeReferenceId="newPassword" Required="true" />
        <OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true" />
        <OutputClaim ClaimTypeReferenceId="executed-SelfAsserted-Input" DefaultValue="true" />
        <OutputClaim ClaimTypeReferenceId="newUser" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" />
        <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
        <OutputClaim ClaimTypeReferenceId="givenName" Required="true" />
        <OutputClaim ClaimTypeReferenceId="surname" Required="true" />
    </OutputClaims>
    <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingLogonName" />
    </ValidationTechnicalProfiles>
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>

I have tried to add email as an Output Claim with the following line of code,

<OutputClaim ClaimTypeReferenceId="email" />

But it results in an exception error; I do not have Insights enabled yet to trace it.

2 Answers


  1. As per the sample:

    "At Sign Up, the user is asked to validate an email address. This email address will be associated to the user account by writing to a protected attribute: strongAuthenticationEmailAddress".

    So you need to output "strongAuthenticationEmailAddress" in "SelfAsserted-LocalAccountSignin-Username" and in the RP.

    If you want to output "email" in the RP:

    <OutputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress" PartnerClaimType="email" Required="true" />


    should work.

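    The two changes this answer describes, written out as an added illustration (not code from the original post or from the B2C sample). It assumes the sample's ClaimsSchema defines strongAuthenticationEmailAddress, that the sign-in journey populates it from the directory rather than prompting for it, and that the relying-party journey ReferenceId is the one used by the sample (placeholder below).

```xml
<!-- Added illustration of the answer above; not the sample's own policy text. -->

<!-- 1. B2C_1A_DEMO_TRUSTFRAMEWORKEXTENSIONS_USERNAME: return the stored address
        from the sign-in step. DisplayName, Protocol, Metadata and InputClaims
        stay exactly as in the question. -->
<TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Username">
    <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="signInName" Required="true" />
        <OutputClaim ClaimTypeReferenceId="password" Required="true" />
        <OutputClaim ClaimTypeReferenceId="objectId" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" />
        <!-- Added: the attribute that sign-up writes. Assumed to be filled from
             the directory by the journey, not collected on the sign-in page. -->
        <OutputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress" />
    </OutputClaims>
    <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="login-NonInteractive" />
    </ValidationTechnicalProfiles>
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>

<!-- 2. B2C_1A_DEMO_SUSI_USERNAME (relying party): emit the same claim as "email"
        in the issued token. Required="true" makes issuance fail for users that
        have no stored address (see the second answer for older accounts). -->
<RelyingParty>
    <!-- Placeholder: use the journey ReferenceId from the sample's RP file. -->
    <DefaultUserJourney ReferenceId="JOURNEY_ID_FROM_SAMPLE" />
    <TechnicalProfile Id="PolicyProfile">
        <DisplayName>PolicyProfile</DisplayName>
        <Protocol Name="OpenIdConnect" />
        <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
            <OutputClaim ClaimTypeReferenceId="signInName" />
            <OutputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress" PartnerClaimType="email" Required="true" />
        </OutputClaims>
        <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
</RelyingParty>
```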
  2. A signin doesn’t return the email claim.

    If the claim was added after the sign-in had been provisioned, subsequent logins by the old provisioned user will not have that claim. Delete any sign-ins that preceded the adding of said claim and have them re-provision themselves.
