Azure AD B2C: Custom claims with custom policies

Fr3ng 1 Reputation point
2021-06-28T14:08:31.897+00:00

Hello,

I am implementing a custom policy to sign in users with federated IdPs (external Azure AD tenants).
I need to insert a custom claim called CodiceFiscale and force users to add a value to it in the first sign-in experience.
I also need to insert the claim in the JWT.

I've followed this Microsoft article: https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-user-input?pivots=b2c-custom-policy and what I've done is:

  • added the claim to the claims list:
       <ClaimType Id="CodiceFiscale">
         <DisplayName>Codice Fiscale</DisplayName>
         <DataType>string</DataType>
         <UserHelpText>Users' CF</UserHelpText>
       </ClaimType>
  • added the claim to the SelfAsserted-Social and SelfAsserted-ProfileUpdate input and output claims:
       <InputClaims>
         <InputClaim ClaimTypeReferenceId="CodiceFiscale" />
         [...]
       </InputClaims>
       <OutputClaims>
         <OutputClaim ClaimTypeReferenceId="CodiceFiscale" />
         [...]
       </OutputClaims>
  • added the claim to the technical profile output claims in the TrustFrameworkExtensions policy:
       <OutputClaims>
         [...]
         <OutputClaim ClaimTypeReferenceId="CodiceFiscale" PartnerClaimType="CodiceFiscale"/>
       </OutputClaims>
  • added the claim to the sign-in policy:
       <OutputClaims>
         [...]
         <OutputClaim ClaimTypeReferenceId="CodiceFiscale" PartnerClaimType="CodiceFiscale"/>
       </OutputClaims>


Now, when I sign in, I get the following error: The page cannot be displayed because an internal server error has occurred.

What am I missing?

Is it possible to add any custom claim, or is there a list of claims that are supported by B2C?

Thank you!

Microsoft Entra External ID

1 answer

  1. AmanpreetSingh-MSFT 56,306 Reputation points
    2021-06-29T14:52:49.133+00:00

    Hi @Fr3ng, thank you for reaching out.

    As the attribute CodiceFiscale is not available in the Azure AD of your B2C tenant by default, you first need to update the Azure AD schema of the B2C tenant. For this purpose, please follow the steps I have provided in my blog post here: http://cloud365.in/azure-ad-schema-extension-for-users-in-10-easy-steps/ and define the claim as extension_CodiceFiscale, as shown below:

      <ClaimType Id="extension_CodiceFiscale">
        <DisplayName>Codice Fiscale</DisplayName>
        <DataType>string</DataType>
        <UserHelpText>Users' CF</UserHelpText>
      </ClaimType>
    

    Update the technical profiles below:

    1. Under LocalAccountSignUpWithLogonEmail (for the local account sign-up flow), add
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="extension_CodiceFiscale"/>
        </OutputClaims>

    2. Under SelfAsserted-Social (for the federated account first-time sign-in flow), add
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="extension_CodiceFiscale" />
        </InputClaims>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="extension_CodiceFiscale"/>
        </OutputClaims>

    3. Under SelfAsserted-ProfileUpdate (for the edit profile flow), add
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="extension_CodiceFiscale" />
        </InputClaims>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="extension_CodiceFiscale"/>
        </OutputClaims>

    4. In your TrustFrameworkExtensions file, add the claims provider below:
      <ClaimsProvider>
        <DisplayName>Azure Active Directory</DisplayName>
        <TechnicalProfiles>
          <!-- Write data during a local account sign-up flow. -->
          <TechnicalProfile Id="AAD-UserWriteUsingLogonEmail">
            <PersistedClaims>
              <PersistedClaim ClaimTypeReferenceId="extension_CodiceFiscale"/>
            </PersistedClaims>
          </TechnicalProfile>
          <!-- Write data during a federated account first-time sign-in flow. -->
          <TechnicalProfile Id="AAD-UserWriteUsingAlternativeSecurityId">
            <PersistedClaims>
              <PersistedClaim ClaimTypeReferenceId="extension_CodiceFiscale"/>
            </PersistedClaims>
          </TechnicalProfile>
          <!-- Write data during edit profile flow. -->
          <TechnicalProfile Id="AAD-UserWriteProfileUsingObjectId">
            <PersistedClaims>
              <PersistedClaim ClaimTypeReferenceId="extension_CodiceFiscale"/>
            </PersistedClaims>
          </TechnicalProfile>
          <!-- Read data after user resets the password. -->
          <TechnicalProfile Id="AAD-UserReadUsingEmailAddress">
            <OutputClaims>
              <OutputClaim ClaimTypeReferenceId="extension_CodiceFiscale" />
            </OutputClaims>
          </TechnicalProfile>
          <!-- Read data after user authenticates with a local account. -->
          <TechnicalProfile Id="AAD-UserReadUsingObjectId">
            <OutputClaims>
              <OutputClaim ClaimTypeReferenceId="extension_CodiceFiscale" />
            </OutputClaims>
          </TechnicalProfile>
          <!-- Read data after user authenticates with a federated account. -->
          <TechnicalProfile Id="AAD-UserReadUsingAlternativeSecurityId">
            <OutputClaims>
              <OutputClaim ClaimTypeReferenceId="extension_CodiceFiscale" />
            </OutputClaims>
          </TechnicalProfile>
        </TechnicalProfiles>
      </ClaimsProvider>

    5. Finally, in your signup_signin (RP) file, add the output claim below:
       <OutputClaims>
         <OutputClaim ClaimTypeReferenceId="extension_CodiceFiscale" PartnerClaimType="CodiceFiscale" />
       </OutputClaims>

      

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
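As an added example (not code from the thread, from Microsoft's starter pack, or from the blog post linked above), the Python script below applies the answer's checklist to a set of policy files before you upload them: every referenced claim must be declared in some ClaimsSchema, a custom claim that is persisted to the directory must carry the extension_ prefix, each extension_ claim must be both persisted (PersistedClaim) and read back (AAD-UserRead* OutputClaims, using the starter-pack profile names the thread uses), and the AAD-Common technical profile must carry ApplicationObjectId and ClientId metadata items that point at the tenant's b2c-extensions-app, which Microsoft's documentation requires for extension attributes and which the answer does not show. The sample policy files, the GUIDs in them, and the three test cases are constructed for this example; the "unprefixed" case mirrors the question's CodiceFiscale claim and the "placeholder" case leaves the docs' placeholder text in AAD-Common.

```python
"""Offline consistency checks for Azure AD B2C custom-policy (TrustFramework) XML.
Added example, not code from the thread. It checks what the answer's steps cover:
referenced claims are declared, a custom claim written to the directory carries the
extension_ prefix, each extension_ claim is persisted and read back, and AAD-Common
holds the b2c-extensions-app metadata (ApplicationObjectId, ClientId) the docs require."""
import re
import xml.etree.ElementTree as ET

NS = {"tf": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def declared_claims(root):
    """ClaimType Ids declared in this file's ClaimsSchema."""
    return {ct.get("Id") for ct in root.iterfind(".//tf:ClaimsSchema/tf:ClaimType", NS)}


def referenced_claims(root):
    """Map claim Id -> Ids of the TechnicalProfiles / ClaimsTransformations that use it."""
    refs = {}
    for path in (".//tf:TechnicalProfile", ".//tf:ClaimsTransformation"):
        for holder in root.iterfind(path, NS):
            for el in holder.iter():
                if el.get("ClaimTypeReferenceId"):
                    refs.setdefault(el.get("ClaimTypeReferenceId"), set()).add(holder.get("Id"))
    return refs


def persisted_claims(root):
    """Claims written to the directory by any PersistedClaim."""
    return {pc.get("ClaimTypeReferenceId") for pc in root.iterfind(".//tf:PersistedClaim", NS)}


def read_back_claims(root):
    """OutputClaims of the AAD-UserRead* profiles (starter-pack names, as used in the thread)."""
    return {oc.get("ClaimTypeReferenceId") for tp in root.iterfind(".//tf:TechnicalProfile", NS)
            if (tp.get("Id") or "").startswith("AAD-UserRead")
            for oc in tp.iterfind("tf:OutputClaims/tf:OutputClaim", NS)}


def extension_app_metadata(root):
    """Keys of AAD-Common Metadata Items whose value is a GUID (a left-over placeholder does not count)."""
    return {it.get("Key") for tp in root.iterfind(".//tf:TechnicalProfile[@Id='AAD-Common']", NS)
            for it in tp.iterfind("tf:Metadata/tf:Item", NS) if GUID.match((it.text or "").strip())}


def check_policy(base_xml, *other_xml):
    """Sorted findings across base + extensions/RP files; an empty list means consistent."""
    roots = [ET.fromstring(x) for x in (base_xml, *other_xml)]
    union = lambda fn: set().union(*(fn(r) for r in roots))
    declared, persisted, read_back, meta = (union(fn) for fn in
        (declared_claims, persisted_claims, read_back_claims, extension_app_metadata))
    refs = {}
    for r in roots:
        for claim, where in referenced_claims(r).items():
            refs.setdefault(claim, set()).update(where)
    found = [f"undeclared claim '{c}' referenced by {sorted(w)}" for c, w in refs.items() if c not in declared]
    # A claim the base policy does not know about is a custom attribute, so it needs the extension_ prefix.
    found += [f"'{c}' is written to the directory but is not a base-policy attribute; name it extension_{c}"
              for c in sorted(persisted) if not c.startswith("extension_") and c not in declared_claims(roots[0])]
    ext = sorted(c for c in refs if c.startswith("extension_"))
    found += [f"'{c}' is collected but never persisted (no PersistedClaim)" for c in ext if c not in persisted]
    found += [f"'{c}' is never read back by an AAD-UserRead* profile, so later sign-ins cannot emit it"
              for c in ext if c not in read_back]
    found += [f"AAD-Common has no GUID Metadata Item '{k}' (b2c-extensions-app)"
              for k in ("ApplicationObjectId", "ClientId") if ext and k not in meta]
    return sorted(found)


# Constructed sample files (made-up GUIDs): a trimmed base and an extensions file that follows the answer's steps.
TF = 'xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0" TenantId="contoso.onmicrosoft.com"'
BASE = f"""<TrustFrameworkPolicy {TF} PolicyId="B2C_1A_TrustFrameworkBase" PublicPolicyUri="http://contoso.onmicrosoft.com/B2C_1A_TrustFrameworkBase">
  <BuildingBlocks><ClaimsSchema>
    <ClaimType Id="objectId"><DisplayName>objectId</DisplayName><DataType>string</DataType></ClaimType>
  </ClaimsSchema></BuildingBlocks>
</TrustFrameworkPolicy>"""
GOOD = f"""<TrustFrameworkPolicy {TF} PolicyId="B2C_1A_TrustFrameworkExtensions" PublicPolicyUri="http://contoso.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions">
  <BuildingBlocks><ClaimsSchema>
    <ClaimType Id="extension_CodiceFiscale"><DisplayName>Codice Fiscale</DisplayName><DataType>string</DataType></ClaimType>
  </ClaimsSchema></BuildingBlocks>
  <ClaimsProviders><ClaimsProvider><DisplayName>Azure Active Directory</DisplayName><TechnicalProfiles>
    <TechnicalProfile Id="AAD-Common"><Metadata>
      <Item Key="ApplicationObjectId">11111111-2222-3333-4444-555555555555</Item>
      <Item Key="ClientId">66666666-7777-8888-9999-000000000000</Item>
    </Metadata></TechnicalProfile>
    <TechnicalProfile Id="AAD-UserWriteUsingAlternativeSecurityId"><PersistedClaims>
      <PersistedClaim ClaimTypeReferenceId="extension_CodiceFiscale"/>
    </PersistedClaims></TechnicalProfile>
    <TechnicalProfile Id="AAD-UserReadUsingAlternativeSecurityId"><OutputClaims>
      <OutputClaim ClaimTypeReferenceId="extension_CodiceFiscale"/>
    </OutputClaims></TechnicalProfile>
  </TechnicalProfiles></ClaimsProvider>
  <ClaimsProvider><DisplayName>Self Asserted</DisplayName><TechnicalProfiles>
    <TechnicalProfile Id="SelfAsserted-Social"><OutputClaims>
      <OutputClaim ClaimTypeReferenceId="extension_CodiceFiscale" Required="true"/>
    </OutputClaims></TechnicalProfile>
  </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
</TrustFrameworkPolicy>"""
# The question's shape (claim named without the prefix) and the docs' placeholder left in AAD-Common.
UNPREFIXED = GOOD.replace("extension_CodiceFiscale", "CodiceFiscale")
PLACEHOLDER = GOOD.replace("11111111-2222-3333-4444-555555555555", "insert objectId here")

if __name__ == "__main__":
    for name, xml in (("good", GOOD), ("unprefixed", UNPREFIXED), ("placeholder", PLACEHOLDER)):
        print(name, check_policy(BASE, xml) or "OK")
```

Run it as a script to see the three constructed cases, or import check_policy and pass the contents of TrustFrameworkBase.xml, TrustFrameworkExtensions.xml and the relying-party file, in that order, since the base file is what decides which persisted claims count as built-in directory attributes. It is a static sanity check only; the validation the policy engine performs on upload remains the authority, and the prefix rule is a heuristic drawn from the answer's advice rather than a complete list of directory attributes.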