
Asked by Fr3ng-8996, edited by MuqaddasMahmood-5050

Azure AD B2C: Custom claims with custom policies

Hello,

I am implementing a custom policy to sign in users with federated IDPs (external Azure AD tenants).
I need to insert a custom claim called CodiceFiscale and force users to add a value to it in the first sign-in experience.
I also need to insert the claim in the JWT token.

I've followed this Microsoft article: https://docs.microsoft.com/en-us/azure/active-directory-b2c/configure-user-input?pivots=b2c-custom-policy and what I've done is:

  • added the claim in the claims list:

    <ClaimType Id="CodiceFiscale">
      <DisplayName>Codice Fiscale</DisplayName>
      <DataType>string</DataType>
      <UserHelpText>Users' CF</UserHelpText>
    </ClaimType>

  • added the claim to the SelfAsserted-Social and SelfAsserted-ProfileUpdate input and output claims:

    <InputClaims>
      <InputClaim ClaimTypeReferenceId="CodiceFiscale" />
      [...]
    </InputClaims>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="CodiceFiscale" />
      [...]
    </OutputClaims>

  • added the claim to the technical profile output claims in the Trust Framework Extension policy:

    <OutputClaims>
      [...]
      <OutputClaim ClaimTypeReferenceId="CodiceFiscale" PartnerClaimType="CodiceFiscale"/>
    </OutputClaims>

  • added the claim to the sign-in policy:

    <OutputClaims>
      [...]
      <OutputClaim ClaimTypeReferenceId="CodiceFiscale" PartnerClaimType="CodiceFiscale"/>
    </OutputClaims>


Now, if I sign in, I get the following error: The page cannot be displayed because an internal server error has occurred.

What am I missing?

Is it possible to add any custom claim or is there a list of claims that are supported by B2C?

Thank you!




azure-ad-b2c

1 Answer

Answered by amanpreetsingh-msft, edited by MuqaddasMahmood-5050

Hi @Fr3ng-8996, thank you for reaching out.

As the attribute CodiceFiscale is not available in the Azure AD of your B2C tenant by default, you first need to update the Azure AD schema of the B2C tenant. For this purpose, please follow the steps I have provided in my blog post here: http://cloud365.in/azure-ad-schema-extension-for-users-in-10-easy-steps/ and define the claim as extension_CodiceFiscale, as mentioned below:

    <ClaimType Id="extension_CodiceFiscale">
      <DisplayName>Codice Fiscale</DisplayName>
      <DataType>string</DataType>
      <UserHelpText>Users' CF</UserHelpText>
    </ClaimType>

Update the Technical Profiles below:

  1. Under LocalAccountSignUpWithLogonEmail (for local account sign-up flow), add

    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="extension_CodiceFiscale"/>
    </OutputClaims>

  2. Under SelfAsserted-Social (for federated account first-time user sign-in), add

    <InputClaims>
      <InputClaim ClaimTypeReferenceId="extension_CodiceFiscale" />
    </InputClaims>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="extension_CodiceFiscale"/>
    </OutputClaims>

  3. Under SelfAsserted-ProfileUpdate (for edit profile flow), add

    <InputClaims>
      <InputClaim ClaimTypeReferenceId="extension_CodiceFiscale" />
    </InputClaims>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="extension_CodiceFiscale"/>
    </OutputClaims>


  4. In your TrustFrameworkExtensions file, add the claims provider below:

    <ClaimsProvider>
      <DisplayName>Azure Active Directory</DisplayName>
      <TechnicalProfiles>
        <!-- Write data during a local account sign-up flow. -->
        <TechnicalProfile Id="AAD-UserWriteUsingLogonEmail">
          <PersistedClaims>
            <PersistedClaim ClaimTypeReferenceId="extension_CodiceFiscale"/>
          </PersistedClaims>
        </TechnicalProfile>
        <!-- Write data during a federated account first-time sign-in flow. -->
        <TechnicalProfile Id="AAD-UserWriteUsingAlternativeSecurityId">
          <PersistedClaims>
            <PersistedClaim ClaimTypeReferenceId="extension_CodiceFiscale"/>
          </PersistedClaims>
        </TechnicalProfile>
        <!-- Write data during edit profile flow. -->
        <TechnicalProfile Id="AAD-UserWriteProfileUsingObjectId">
          <PersistedClaims>
            <PersistedClaim ClaimTypeReferenceId="extension_CodiceFiscale"/>
          </PersistedClaims>
        </TechnicalProfile>
        <!-- Read data after user resets the password. -->
        <TechnicalProfile Id="AAD-UserReadUsingEmailAddress">
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="extension_CodiceFiscale" />
          </OutputClaims>
        </TechnicalProfile>
        <!-- Read data after user authenticates with a local account. -->
        <TechnicalProfile Id="AAD-UserReadUsingObjectId">
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="extension_CodiceFiscale" />
          </OutputClaims>
        </TechnicalProfile>
        <!-- Read data after user authenticates with a federated account. -->
        <TechnicalProfile Id="AAD-UserReadUsingAlternativeSecurityId">
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="extension_CodiceFiscale" />
          </OutputClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
    
  5. Finally, in your signup_signin (RP) file, add the output claim below:

    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="extension_CodiceFiscale" PartnerClaimType="CodiceFiscale" />
    </OutputClaims>
    


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

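As an added, self-contained check that is not part of the answer above or of Microsoft's samples: the Python below verifies a token's signature before reading the custom claim under the name the RP policy's PartnerClaimType gives it, and shows the attribute name the extension_ claim maps to in the directory. The HS256 key and the b2c-extensions-app id are constructed placeholders; real B2C tokens are RS256-signed and must be validated against the tenant's JWKS endpoint instead.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values: a local HS256 secret so the example runs offline
# (real B2C tokens are RS256-signed and are checked against the tenant's JWKS)
# and a placeholder application id for the b2c-extensions-app.
SAMPLE_KEY = b"local-demo-key-not-a-real-secret"
EXT_APP_ID = "11111111-2222-3333-4444-555555555555"

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_sample_token(claims: dict) -> str:
    """Build a constructed HS256 token carrying the given claims."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SAMPLE_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verified_claims(token: str) -> dict:
    """Check the signature before trusting any claim in the payload."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SAMPLE_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("token signature does not verify")
    return json.loads(_b64url_decode(payload))

def custom_claim(token: str, token_name: str = "CodiceFiscale"):
    # The RP output claim sets PartnerClaimType="CodiceFiscale", so the token
    # carries "CodiceFiscale", not the policy id "extension_CodiceFiscale".
    return verified_claims(token).get(token_name)

def directory_attribute_name(policy_claim_id: str, extensions_app_id: str = EXT_APP_ID) -> str:
    # extension_X is persisted as extension_<extensions-app-id without dashes>_X.
    if not policy_claim_id.startswith("extension_"):
        raise ValueError("extension attributes must be named extension_<Name>")
    name = policy_claim_id[len("extension_"):]
    return f"extension_{extensions_app_id.replace('-', '')}_{name}"
```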

Hi @Fr3ng-8996, just checking if you had a chance to test it out.

Fr3ng-8996 replied to amanpreetsingh-msft:

Thank you! I'm checking this out real soon and will send you feedback!


Hi @amanpreetsingh-msft !

I tried your procedure but when I try to upload the new SignIn (RP) policy I get this error:

"B2C_1A_SIGNIN_OPENID" of tenant "xxxxx.onmicrosoft.com".A required Metadata item with key "ApplicationObjectId" was not found in the TechnicalProfile with id "AAD-UserWriteUsingAlternativeSecurityId" in policy "B2C_1A_signin_OPENID" of tenant "xxxxx.onmicrosoft.com".A required Metadata item with key "ApplicationObjectId" was not found in the TechnicalProfile with id "AAD-UserWriteUsingAlternativeSecurityId" in policy "B2C_1A_signin_OPENID" of tenant "xxxxx.onmicrosoft.com".


@Fr3ng-8996, please paste the entire code block in step 4 into the TrustFrameworkExtensions file rather than updating each individual Technical Profile in the TrustFrameworkBase file.


@amanpreetsingh-msft what is going to be the maximum length of the custom claim which is being created by the custom policy? I need the custom claim with the maximum length (data type "String").
