Reputation: 1458
Email Address Verification, in SubJourney with additional ValidationTechnicalProfile
We are trying to do Just In Time migration with the 'SubJourney' based password reset (e.g. forgot your password).
I need to be able to migrate the user prior to resetting their password via a REST call. However, when I add the entry for our ValidationTechnicalProfile REST call
<ValidationTechnicalProfile ReferenceId="REST-UserMigration-LocalAccount-LoalAccountUserExsist"/>
the UI changes. The email verification steps (enter email, verify code) just disappear, leaving me with enter password boxes.
It goes from this:
To this:
The only change is the addition of the ValidationTechnicalProfile Entry
<TechnicalProfile Id="LocalAccountDiscoveryUsingEmailAddress-Migration">
<DisplayName>Reset password using email address</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="IpAddressClaimReferenceId">IpAddress</Item>
<Item Key="ContentDefinitionReferenceId">api.localaccountpasswordreset</Item>
</Metadata>
<CryptographicKeys>
<Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
</CryptographicKeys>
<IncludeInSso>false</IncludeInSso>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true" />
<OutputClaim ClaimTypeReferenceId="objectId" />
<OutputClaim ClaimTypeReferenceId="userPrincipalName" />
<OutputClaim ClaimTypeReferenceId="authenticationSource" />
</OutputClaims>
<ValidationTechnicalProfiles>
<!--- Adding and removing this line --->
<ValidationTechnicalProfile ReferenceId="REST-UserMigration-LocalAccount-LoalAccountUserExsist"/>
<ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingEmailAddress"/>
</ValidationTechnicalProfiles>
</TechnicalProfile>
<TechnicalProfile Id="REST-UserMigration-LocalAccount-LoalAccountUserExsist">
<DisplayName>Migrate user password flow</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="ServiceUrl">https://somefunctapp-rest-api.azurewebsites.net/api/MigrateIfExists?code=ugqr4ESgMENWlRdILvuOWkksuLy-zoPm76stOuiHFtzFAzzuiHFKcw==</Item>
<Item Key="AuthenticationType">None</Item>
<Item Key="SendClaimsIn">Body</Item>
<Item Key="AllowInsecureAuthInProduction">True</Item>
</Metadata>
<InputClaims>
<InputClaim ClaimTypeReferenceId="signInName" />
<InputClaim ClaimTypeReferenceId="password" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="migrationRequired" />
<OutputClaim ClaimTypeReferenceId="email" />
<OutputClaim ClaimTypeReferenceId="newPassword" />
<OutputClaim ClaimTypeReferenceId="displayName" />
<OutputClaim ClaimTypeReferenceId="givenName" />
<OutputClaim ClaimTypeReferenceId="surName" />
<OutputClaim ClaimTypeReferenceId="sub" PartnerClaimType="userId" />
<OutputClaim ClaimTypeReferenceId="trueValue" DefaultValue="true"/>
</OutputClaims>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
<SubJourney Id="PasswordReset-Mine" Type="Call">
<OrchestrationSteps>
<!-- Validate user's email address. Run this step only when user resets the password-->
<OrchestrationStep Order="1" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="PasswordResetUsingEmailAddressExchange" TechnicalProfileReferenceId="LocalAccountDiscoveryUsingEmailAddress-Migration" />
</ClaimsExchanges>
</OrchestrationStep>
<!-- Collect and persist a new password. Run this step only when user resets the password-->
<OrchestrationStep Order="2" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId" />
</ClaimsExchanges>
</OrchestrationStep>
</OrchestrationSteps>
</SubJourney>
What am I doing wrong? Happy to provide any additional information or screen shots.
Upvotes: 0
Views: 289
Answers (2)
Reputation: 221
Display claims mitigates these strange 'disappearing' behaviors. Output claims can have unexpected behaviors when the value exists in the claim bag. My recommendation is converting your output claims to display claims and see if this fixes the behavior before continuing investing the issue.
Upvotes: 1
Reputation: 263
In selfAsserted technical profiles, Only the output claims which are not output from validation technical profiles are displayed to the user. In your case, REST-UserMigration-LocalAccount-LoalAccountUserExsist has email in the output claims. Hence it won't be displayed to the user to enter information.
A good solution to such problems are to use display claims for displaying the claims to the user along with output claims.
Please refer to the docs here. Define a self-asserted technical profile in an Azure Active Directory B2C custom policy - Display Claims.
Upvotes: 0
Related Questions
- Bypassing Email Verification within Azure AD B2C during Signup Signin on Mobile app
- End user getting "Missing required element [Email Address]" error on Forcing password reset first logon
- Azure B2C passwordless sign up with only email in custom Policy
- Password reset custom policy - pass validated email id in multiple orchestration steps
- Azure AD B2C - Customize Email verification in separate steps
- AD B2C - How to set up custom email verification in Password Reset flow
- Azure AD B2C Password Reset - Skip Email Verification
- B2C password reset policy using signinname and verified email
- Azure AD B2C Password Reset policy without email verification step
- Howto Enable Email Verification in Azure AD B2C