Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,559 questions
AAD - ClaimsMappingPolicy - Where can you view these outputs / errors?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 34%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECB%3C/text%3E%3C/svg%3E)
Chad Bentz
26
Reputation points Microsoft Employee
Attempted to use AzureADServicePrincipalPolicy as per documentation - all samples fail during login with generic error when federating login (via b2c to aad OIDC SSO)
AADB2C90289: We encountered an error connecting to the identity provider. Please try again later.
Correlation ID: 127cf693-6f09-4a68-9a11-e371928b65f2
Timestamp: 2020-06-18 16:12:42Z
Where can you view these ClaimsMappingPolicy outputs / errors? Sign-In logs show nothing of interest (shows success actually) so it must be post authentication.
Intention is to to use a claim mapping to send other mails claim:
New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema": [{"Source":"user","ID":"othermail","SamlClaimType":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress","JwtClaimType":"mail"}]}}') -DisplayName "AddOtherMailClaim" -Type "ClaimsMappingPolicy"
Even using the built in sample throws exception when linking policy to an SP:
New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema": [{"Source":"user","ID":"employeeid","SamlClaimType":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/employeeid","JwtClaimType":"name"},{"Source":"company","ID":"tenantcountry","SamlClaimType":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country","JwtClaimType":"country"}]}}') -DisplayName "ExtraClaimsExample" -Type "ClaimsMappingPolicy"
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Marilee Turscak-MSFT 34,036 Reputation points Microsoft Employee2020-06-29T20:31:45.32+00:00 You might try enabling logging to Application Insights and checking the audit logs, but other than that I am not sure if there is a way to log more info. Have you seen this related Stack Overflow post? https://stackoverflow.com/questions/57109533/logging-calls-to-identity-provider-with-custom-policies-in-azure-ad-b2c
This person got around this by using a reverse proxy to intercept all calls to the external IdP.
I have reached out to my contacts to see if there's another way to do this though.
-
Chad Bentz 26 Reputation points Microsoft Employee
2020-07-02T03:00:27.357+00:00 Thanks @MarileeTurscak for the feedback.
We do indeed have TelemetryEngine="ApplicationInsights" with DeveloperMode="true" on the B2C Gateway but unfortunately it only logs generic failure message - it is pretty clear there that the failure is in the IDP logic in the AAD (since i am assuming the policy was failing)"Message": "We encountered an error connecting to the identity provider. Please try again later."I had seen that SO suggestion, but i do not feel the request being made from B2C to AAD is the issue here - it is the processing within AAD that is failing (and i do not know where to look at logs to begin to troubleshoot)
-
Marilee Turscak-MSFT 34,036 Reputation points Microsoft Employee
2020-07-23T19:37:14.96+00:00 Have you validated the policies are working out of B2C? Can you share the AAD IdP setup?
Sign in to comment