Not able to read ‘custom_attributes’ claim in Azure B2C for salesforce’s OpenId protocol

Santaji Nalawade 0 Reputation points
2024-01-03T09:05:05.7333333+00:00

Salesforce is the IdP, and I am using the OpenId protocol in custom policies in Azure B2C. After successful authentication, I am able to read all other claims but not ‘custom_attributes’.

When I tried connecting to Salesforce from a sample C# app, Salesforce correctly sends the custom attributes:

```json
"custom_attributes": {
  "customername": "ABC"
},
```

So, in B2C custom policies, whenever I set ‘custom_attributes’ in OutputClaims, the login popup shows the message ‘AADB2C: An exception has occurred.’ I tried using an OutputClaimsTransformation as well, but still the same issue.

Can someone help me with how I can read custom_attributes from Salesforce in custom policies of Azure B2C?

Technical profile:

```xml
<TechnicalProfile Id="Salesforce-OpenIdConnect">
  <DisplayName>Salesforce</DisplayName>
  <Protocol Name="OpenIdConnect" />
  <Metadata>
    <Item Key="METADATA">openidcofig meatadata path</Item>
    <Item Key="response_types">code</Item>
    <Item Key="response_mode">form_post</Item>
    <Item Key="scope">openid id profile email</Item>
    <Item Key="issuer">issuer</Item>
    <Item Key="HttpBinding">POST</Item>
    <Item Key="UsePolicyInRedirectUri">0</Item>
    <!-- Update the Client ID below to the Application ID -->
    <Item Key="client_id">clientid</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="client_secret" StorageReferenceId="B2C_1A_Secret"/>
  </CryptographicKeys>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
    <OutputClaim ClaimTypeReferenceId="identityUrl" PartnerClaimType="aud" />
    <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
    <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name" />
    <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
    <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
    <OutputClaim ClaimTypeReferenceId="custom_attributes" />
    <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
    <OutputClaimsTransformation ReferenceId="GetCustomerNameClaimFromJson" />
    <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
    <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
  </OutputClaimsTransformations>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
</TechnicalProfile>

<ClaimType Id="custom_attributes">
  <DisplayName>custom_attributes</DisplayName>
  <DataType>string</DataType>
  <DefaultPartnerClaimTypes>
    <Protocol Name="OpenIdConnect" PartnerClaimType="custom_attributes" />
  </DefaultPartnerClaimTypes>
</ClaimType>
```

Claim transformation:

```xml
<ClaimsTransformation Id="GetCustomerNameClaimFromJson" TransformationMethod="GetClaimFromJson">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="custom_attributes" TransformationClaimType="inputJson" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="claimToExtract" DataType="string" Value="customername" />
  </InputParameters>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="customername" TransformationClaimType="extractedClaim" />
  </OutputClaims>
</ClaimsTransformation>
```

User Journey:

```xml
<UserJourney Id="CustomSignUpSignIn">
  <OrchestrationSteps>

    <!-- For social IDP authentication, attempt to find the user account in the directory. -->
    <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
      <ClaimsProviderSelections>
        <ClaimsProviderSelection TargetClaimsExchangeId="SalesforceExchange" />
      </ClaimsProviderSelections>
    </OrchestrationStep>

    <!-- Show self-asserted page only if the directory does not have the user account already (i.e. we do not have an objectId). -->
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>objectId</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="SalesforceExchange" TechnicalProfileReferenceId="Salesforce-OpenIdConnect" />
      </ClaimsExchanges>
    </OrchestrationStep>

    <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />

  </OrchestrationSteps>
  <ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>
```

1 answer

Om Patil 5 Reputation points
2024-01-03T09:28:26.0133333+00:00

It seems like you are encountering an issue with reading the `custom_attributes` claim from Salesforce in Azure AD B2C custom policies. Here are a few suggestions to troubleshoot and resolve the issue:

1. **Check the Salesforce Claim Types:**
   Verify that the claim types used in your Azure AD B2C policy match the claim types that Salesforce is sending. In your Technical Profile, ensure that the `<OutputClaim ClaimTypeReferenceId="custom_attributes" />` corresponds to the claim type used by Salesforce.

   Update the `OutputClaims` section of your Technical Profile to:

   ```xml
   <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
      <OutputClaim ClaimTypeReferenceId="identityUrl" PartnerClaimType="aud" />
      <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
      <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name" />
      <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
      <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
      <OutputClaim ClaimTypeReferenceId="custom_attributes" PartnerClaimType="custom_attributes" />
      <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
      <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
   </OutputClaims>
   ```

2. **Claim Transformation:** Ensure that your claim transformation (`GetCustomerNameClaimFromJson`) is correctly extracting the `customername` claim from the `custom_attributes` claim. Double-check that the claim transformation is functioning as expected.

3. **Check Error Details:** The error message "AADB2C: An exception has occurred" is a bit generic. To get more details about the error, you can enable debugging for your policies. Add the following snippet to your relying party policy to get more detailed information:

   ```xml
   <RelyingParty>
      ...
      <TechnicalProfile Id="JwtIssuer">
         ...
         <OutputClaims>
            ...
         </OutputClaims>
      </TechnicalProfile>
   </RelyingParty>
   ```

   After enabling debugging, try the user journey again, and check the detailed logs for any specific error messages that might provide more insight into the issue.

4. **Check Salesforce Configuration:** Verify that Salesforce is correctly sending the `custom_attributes` claim in the OpenID Connect response. You can use tools like jwt.io to inspect the contents of the ID token received from Salesforce and ensure that the `custom_attributes` claim is present.

5. **Update Claim Transformation:** Modify the claim transformation to directly reference the `custom_attributes` claim. Instead of using `InputClaim ClaimTypeReferenceId="custom_attributes"`, try using the raw `inputJson` claim:

   ```xml
   <ClaimsTransformation Id="GetCustomerNameClaimFromJson" TransformationMethod="GetClaimFromJson">
      <InputClaims>
         <InputClaim ClaimTypeReferenceId="inputJson" TransformationClaimType="inputJson" />
      </InputClaims>
      <InputParameters>
         <InputParameter Id="claimToExtract" DataType="string" Value="customername" />
      </InputParameters>
      <OutputClaims>
         <OutputClaim ClaimTypeReferenceId="customername" TransformationClaimType="extractedClaim" />
      </OutputClaims>
   </ClaimsTransformation>
   ```

   Ensure that the `inputJson` claim contains the entire JSON payload, including the `custom_attributes` claim.

6. **Review Azure AD B2C Logs:** Check the Azure AD B2C logs for any additional error messages or details. You can find these logs in the Azure portal under your Azure AD B2C resource, in the "Monitoring" section.

By carefully reviewing and verifying each step, you should be able to identify and resolve the issue with reading the `custom_attributes` claim from Salesforce in your custom policies.
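An added check that is example code written here, not part of the question or the answer: it decodes a Salesforce-style ID token offline, lists the claims whose value is a JSON object rather than a scalar, and runs the same extraction that the `GetCustomerNameClaimFromJson` transformation performs over `custom_attributes` once that claim is a JSON string. It assumes a B2C string ClaimType holds only a scalar value, so a nested `custom_attributes` object has to reach `GetClaimFromJson` serialised as a string; the token payload is constructed inline and its signature segment is a placeholder.

```python
import base64
import json

SAMPLE_PAYLOAD = {  # constructed sample shaped like the Salesforce claims in the question
    "iss": "https://login.salesforce.com",
    "sub": "constructed-user-id",
    "custom_attributes": {"customername": "ABC"},  # nested object, not a string
}


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token: str) -> dict:
    """Decode a compact JWT's payload for inspection only: the signature is
    NOT verified, so never use this to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(b64url_decode(parts[1]))


def nested_claims(payload: dict) -> list:
    """Top-level claims whose value is a JSON object or array; a ClaimType of
    DataType string holds a scalar, so these cannot be mapped as-is."""
    return [k for k, v in payload.items() if isinstance(v, (dict, list))]


def extract_from_json(input_json: str, claim_to_extract: str) -> str:
    """Mirror of GetClaimFromJson: parse a string claim holding JSON and return
    one top-level property as a string."""
    value = json.loads(input_json)[claim_to_extract]
    return value if isinstance(value, str) else json.dumps(value)


def inspect_token(token: str, claim_to_extract: str = "customername") -> dict:
    """Report nested claims, serialise each to the JSON string a string
    ClaimType can hold, and run the extraction over custom_attributes."""
    payload = jwt_payload(token)
    flattened = {k: json.dumps(payload[k]) for k in nested_claims(payload)}
    extracted = None
    if "custom_attributes" in flattened:
        extracted = extract_from_json(flattened["custom_attributes"], claim_to_extract)
    return {"nested": list(flattened), "flattened": flattened, "extracted": extracted}


def build_sample_token() -> str:
    """Assemble a demo token from SAMPLE_PAYLOAD; the third segment is a
    constructed placeholder, not a real signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{enc(header)}.{enc(SAMPLE_PAYLOAD)}.placeholder-signature"
```

Point `inspect_token` at a token captured from the sample C# app to see which claims arrive nested and what the flattened string the transformation needs looks like.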