Reputation: 1092
Trying to implement the following scenario: implement Azure B2C with Azure AD as one of the identity providers. The only way to achieve it is using custom policies. I followed these tutorials:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-get-started-custom#prerequisites
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-commonaad-custom#create-an-azure-ad-b2c-application
The problem is that when I try to upload TrustFrameworkExtensions.xml I get the info that my tenant
makes a reference to ClaimType with id "issuerUserId" but neither the policy nor any of its base policies contain such an element.
Found a similar issue here https://github.com/MicrosoftDocs/azure-docs/issues/27602 and replaced issuerUserId with socialIdpUserId. It seemed to be solved, but during upload another issue came up:
makes a reference to ClaimsTransformation with id "CreateRandomUPNUserName" but neither the policy nor any of its base policies contain such an element.
Got the claims provider configuration from the tutorial and now I don't really have any idea how to fix it. Thanks in advance for any help.
EDIT
Based on @CHris's solution I made those files correct (no errors during uploading) but there are still some problems with parsing the returned token. Has anyone made the example from the second link up and running (Azure AD B2C and many Azure ADs injected into a multitenant Azure AD)?
Upvotes: 10
Views: 3087
Reputation: 21
I followed the instructions; I began from 'LocalAccounts' and got the same symptoms.

"LocalAccounts\TrustFrameworkBase.xml" has a ClaimsSchema element: `<TrustFrameworkPolicy> <BuildingBlocks> <ClaimsSchema>`

So does "SocialAndLocalAccounts\TrustFrameworkBase.xml", BUT "SocialAndLocalAccounts\TrustFrameworkBase.xml" has more claims in the `<ClaimsSchema>` element, and an important comment: "The trust framework policy treats Azure AD as any other claims provider and all its restrictions are modelled in the policy."

This would suggest that the LocalAccounts\TrustFrameworkBase.xml starter does not come with the necessary claims in `<ClaimsSchema>` to handle additional claims providers, including Azure AD.

Hence, copy the claims mentioned in the errors from SocialAndLocalAccounts\TrustFrameworkBase.xml to LocalAccounts\TrustFrameworkBase.xml, for example:
error | resolution
---|---
Policy "B2C_1A_TrustFrameworkExtensions" of tenant "contoso.onmicrosoft.com" makes a reference to ClaimType with id "issuerUserId" but neither the policy nor any of its base policies contain such an element | copy this snippet from the other starter packs to your TrustFrameworkBase.xml: `<ClaimType Id="issuerUserId">`
In fact, if you use MFA in Azure AD, you may need to refer to SocialAndLocalAccountsWithMfa\TrustFrameworkBase.xml
Then upload the policies in the correct order:
upload order | policy name (based on templates) |
---|---|
1 | TrustFrameworkBase.xml |
2 | TrustFrameworkExtensions.xml |
3 | SignUpSignIn.xml |
Azure Active Directory B2C custom policy overview | Microsoft Learn, "Custom policy starter pack": https://learn.microsoft.com/en-gb/azure/active-directory-b2c/custom-policy-overview#custom-policy-starter-pack
Azure AD B2C custom policy starter pack comes with several pre-built policies to get you started quickly. Each of these starter packs contains the smallest number of technical profiles and user journeys needed to achieve the scenarios described:
LocalAccounts - Enables the use of local accounts only.
May I suggest...
There are Architecture Deep Dive videos from Microsoft on YouTube, but they are relatively shallow and not as good as videos for more popular services.
Upvotes: 2
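The upload error in the question and the answer above both come down to one rule: an Id referenced by ClaimTypeReferenceId (or by an Input/OutputClaimsTransformation's ReferenceId) must be defined in the policy being uploaded or in one of its base policies. The script below is an added example, not code from the page or from Microsoft's starter packs: it walks the BasePolicy chain of a set of policy files offline and reports the same unresolved references the tenant would reject, so the check can run before any upload. The two policy documents embedded in it are constructed samples; the "issuerUserId" ClaimType and "CreateRandomUPNUserName" ClaimsTransformation text is written in the shape the SocialAndLocalAccounts starter pack uses, and the exact definitions should be compared against your own TrustFrameworkBase.xml.

```python
import xml.etree.ElementTree as ET

# Namespace every TrustFrameworkPolicy root declares as its default xmlns.
CPIM = "http://schemas.microsoft.com/online/cpim/schemas/2013/06"
NS = {"cpim": CPIM}


def base_policy_id(root):
    """PolicyId named in <BasePolicy>, or None when this file is the root of the chain."""
    node = root.find("cpim:BasePolicy/cpim:PolicyId", NS)
    return node.text.strip() if node is not None and node.text else None


def defined_ids(root):
    """Ids this one file declares: ClaimType Ids and ClaimsTransformation Ids."""
    claim_types = {e.get("Id") for e in root.iter(f"{{{CPIM}}}ClaimType")}
    transformations = {e.get("Id") for e in root.iter(f"{{{CPIM}}}ClaimsTransformation")}
    return claim_types, transformations


def referenced_ids(root):
    """Ids this one file uses: every ClaimTypeReferenceId, plus the ReferenceId on
    Input/OutputClaimsTransformation elements. Other ReferenceId attributes name
    technical profiles, so they are deliberately not collected here."""
    claim_types, transformations = set(), set()
    for e in root.iter():
        if e.get("ClaimTypeReferenceId"):
            claim_types.add(e.get("ClaimTypeReferenceId"))
        tag = e.tag.rsplit("}", 1)[-1]
        if tag in ("InputClaimsTransformation", "OutputClaimsTransformation") and e.get("ReferenceId"):
            transformations.add(e.get("ReferenceId"))
    return claim_types, transformations


def unresolved_references(policies, leaf_policy_id):
    """Walk leaf -> base -> ... and return (missing_claim_types, missing_transformations):
    Ids referenced somewhere in the chain that no policy in the chain defines.
    `policies` maps PolicyId -> XML text, standing in for what the tenant has uploaded."""
    chain, current, seen = [], leaf_policy_id, set()
    while current is not None and current not in seen:  # `seen` guards against a BasePolicy cycle
        seen.add(current)
        root = ET.fromstring(policies[current])  # KeyError here = base policy was never uploaded
        chain.append(root)
        current = base_policy_id(root)
    defined_ct, defined_tx, used_ct, used_tx = set(), set(), set(), set()
    for root in chain:
        d_ct, d_tx = defined_ids(root)
        u_ct, u_tx = referenced_ids(root)
        defined_ct |= d_ct; defined_tx |= d_tx; used_ct |= u_ct; used_tx |= u_tx
    return sorted(used_ct - defined_ct), sorted(used_tx - defined_tx)


# Constructed sample: a LocalAccounts-style base that lacks the Azure AD claims.
BASE_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0" TenantId="contoso.onmicrosoft.com" PolicyId="B2C_1A_TrustFrameworkBase">
  <BuildingBlocks>
    <ClaimsSchema>
      <ClaimType Id="objectId"><DisplayName>Object Id</DisplayName><DataType>string</DataType></ClaimType>
      <ClaimType Id="upnUserName"><DisplayName>UPN user name</DisplayName><DataType>string</DataType></ClaimType>
    </ClaimsSchema>
  </BuildingBlocks>
</TrustFrameworkPolicy>"""

# Constructed sample: an extensions file carrying the multi-tenant Azure AD claims provider.
EXTENSIONS_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0" TenantId="contoso.onmicrosoft.com" PolicyId="B2C_1A_TrustFrameworkExtensions">
  <BasePolicy><TenantId>contoso.onmicrosoft.com</TenantId><PolicyId>B2C_1A_TrustFrameworkBase</PolicyId></BasePolicy>
  <ClaimsProviders><ClaimsProvider><DisplayName>Azure AD (multi-tenant)</DisplayName><TechnicalProfiles>
    <TechnicalProfile Id="AADCommon-OpenIdConnect">
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid" />
        <OutputClaim ClaimTypeReferenceId="upnUserName" />
      </OutputClaims>
      <OutputClaimsTransformations><OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" /></OutputClaimsTransformations>
    </TechnicalProfile>
  </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
</TrustFrameworkPolicy>"""

# The definitions the two error messages ask for, spliced into the base the way the answer
# above describes (copy them from the other starter pack). Written in the shape the
# SocialAndLocalAccounts starter pack uses; verify against your own TrustFrameworkBase.xml.
MISSING_DEFINITIONS = """
      <ClaimType Id="issuerUserId"><DisplayName>OID</DisplayName><DataType>string</DataType></ClaimType>
    </ClaimsSchema>
    <ClaimsTransformations>
      <ClaimsTransformation Id="CreateRandomUPNUserName" TransformationMethod="CreateRandomString">
        <InputParameters><InputParameter Id="randomGeneratorType" DataType="string" Value="GUID" /></InputParameters>
        <OutputClaims><OutputClaim ClaimTypeReferenceId="upnUserName" TransformationClaimType="outputClaim" /></OutputClaims>
      </ClaimsTransformation>
    </ClaimsTransformations>"""
FIXED_BASE_POLICY = BASE_POLICY.replace("    </ClaimsSchema>", MISSING_DEFINITIONS, 1)

if __name__ == "__main__":
    broken = {"B2C_1A_TrustFrameworkBase": BASE_POLICY, "B2C_1A_TrustFrameworkExtensions": EXTENSIONS_POLICY}
    fixed = {"B2C_1A_TrustFrameworkBase": FIXED_BASE_POLICY, "B2C_1A_TrustFrameworkExtensions": EXTENSIONS_POLICY}
    print("before:", unresolved_references(broken, "B2C_1A_TrustFrameworkExtensions"))
    print("after: ", unresolved_references(fixed, "B2C_1A_TrustFrameworkExtensions"))
```

To run it against a real starter pack, read each .xml file, key it by the PolicyId attribute of its root element, and call unresolved_references with the Id of the file you are about to upload; the chain walk follows BasePolicy exactly as the upload order in the answer requires (Base first, then Extensions, then the relying-party file). The check only covers ClaimType and ClaimsTransformation references, which are the two errors on this page; it does not validate technical-profile references or the schema itself.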
Reputation: 3125
You need to add the ClaimType to the Base.xml
```xml
<!-- add inside <BuildingBlocks><ClaimsSchema> of TrustFrameworkBase.xml -->
<ClaimType Id="issuerUserId">
  <DisplayName>OID</DisplayName>
  <DataType>string</DataType>
  <UserHelpText/>
</ClaimType>
<ClaimType Id="alternativeSecurityId">
  <DisplayName>AlternativeSecurityId</DisplayName>
  <DataType>string</DataType>
  <UserHelpText/>
</ClaimType>
```
Upvotes: 0