CODEWITHSUNDEEP
azureopenidadfsazure-ad-b2c
Michael Chudinov
Michael Chudinov

Reputation: 2968

Claims from Azure B2C and ADFS as an Identity Provider

I'm using ADFS as an IdP for Azure B2C through OpenID Connect. Login works, but I do not receive any claims from ADFS. Here is a part of TrusFrameworkExtensions policy:

<OutputClaims>
          <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="UPN" />
          <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid" />
          <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="Name" />
          <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
          <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
          <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="contosoAuthentication" />
          <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="OpenIDADFS" />
        </OutputClaims>

And here is the example of JWT token i receive:

{
"exp": 1536674800,
  "nbf": 1536671200,
  "ver": "1.0",
  "iss": "https://login.microsoftonline.com/2263fb1b-1249-4245-a174-cb9d518d7ce3/v2.0/",
  "sub": "f5fa8b7b-5e14-4b49-8f9f-33ea5c8b2149",
 "aud": "21d60a4b-6e33-4e22-b618-586882744560",
 "acr": "b2c_1a_signuporsigninfmdclient",
 "nonce": "defaultNonce",
 "iat": 1536671200,
 "auth_time": 1536671200,
 "idp": "OpenIDADFS",
 "name": "unknown"
}

No claims in here. Here is my ADFS setup with claims from AD enter image description here

The relying party policy SignUpOgSignIn

  <RelyingParty>
<DefaultUserJourney ReferenceId="SignUpOrSignInFmdClient" />
<TechnicalProfile Id="PolicyProfile">
  <DisplayName>PolicyProfile</DisplayName>
  <Protocol Name="OpenIdConnect" />
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="displayName" />
    <OutputClaim ClaimTypeReferenceId="givenName" />
    <OutputClaim ClaimTypeReferenceId="surname" />
    <OutputClaim ClaimTypeReferenceId="email" />
    <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
    <OutputClaim ClaimTypeReferenceId="identityProvider" />
  </OutputClaims>
  <SubjectNamingInfo ClaimType="sub" />
</TechnicalProfile>

How to receive claims?

Upvotes: 3

Views: 427

Answers (1)

Marilee Turscak - MSFT
Marilee Turscak - MSFT

Reputation: 7728

For anyone else dealing with the same issue or similar issues, the necessary piece was to add <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="UPN" />

(per Jamie's comment)

For reference, the B2C custom policy Azure Sample is very helpful. https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/master/SocialAccounts/TrustFrameworkBase.xml

Upvotes: 3

Related Questions