3

I have 2 claims that I want to store in the Directory for my application to use. These are not available for the user to edit however is available for the application to read from the Token.

The BuiltIn policies are able to retrieve the claims however, I have not had any success with retrieving these claims using Custom Policies.

Reading through Next Steps of the article “Creating and using custom attributes in a custom profile edit policy” the claims will need to be added to the RP and TechnicalProfile to read from Directory. I accordingly updated the RP and as well the TP's that read from Directory such as 

<TechnicalProfile Id="AAD-UserReadUsingAlternativeSecurityId">
<TechnicalProfile Id="AAD-UserReadUsingObjectId">
<TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
<TechnicalProfile Id="AAD-UserReadUsingEmailAddress">

Unable to figure out what might be missing to retreive the 2 extension claims.

Leniel Maccaferri
  • 100,159
  • 46
  • 371
  • 480
Jay Paddy
  • 171
  • 2
  • 8

2 Answers2

12

Assuming you are reading the custom claims in the user journeys and writing them via the Azure AD Graph API, then you must:

1: Add the custom claims as <ClaimType />s to the base policy.

<ClaimType Id="extension_UserAttribute1">
  <DisplayName>User Attribute 1</DisplayName>
  <DataType>string</DataType>
</ClaimType>
<ClaimType Id="extension_UserAttribute2">
  <DisplayName>User Attribute 2</DisplayName>
  <DataType>string</DataType>
</ClaimType>

2: Add the application and object identifiers for the extensions app to the "AAD-Common" technical profile which is required to read the custom claims from the Azure AD B2C directory.

<TechnicalProfile Id="AAD-Common">
  <DisplayName>Azure Active Directory</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.AzureActiveDirectoryProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ApplicationObjectId">Insert the object identifier for the b2c-extensions-app application here</Item>
    <Item Key="ClientId">Insert the application identifier for the b2c-extensions-app application here</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="issuer_secret" StorageReferenceId="TokenSigningKeyContainer" />
  </CryptographicKeys>
  ...
</TechnicalProfile>

Note: If you are wanting to read the custom claims in both built-in policies and custom policies, then you must use the application and object identifiers for the built-in b2c-extensions-app application rather than a custom extensions app as suggested by the Azure Active Directory B2C: Creating and using custom attributes in a custom profile edit policy tutorial.

3: Add the custom claims as <OutputClaim />s to the following technical profiles:

"AAD-UserReadUsingObjectId" for local account sign-in and profile editing

"AAD-UserReadUsingAlternativeSecurityId" for a social account sign-in and profile editing

"LocalAccountDiscoveryUsingEmailAddress" and "AAD-UserReadUsingEmailAddress" for a local account password reset

<OutputClaims>
  ...
  <OutputClaim ClaimTypeReferenceId="extension_UserAttribute1" />
  <OutputClaim ClaimTypeReferenceId="extension_UserAttribute2" />
</OutputClaims>

4: Issue the custom claims as <OutputClaim />s in any relying party policies.

Chris Padgett
  • 14,186
  • 1
  • 15
  • 28
2

Thanks @ChrisPadget. For anybody still struggling. Make sure that the UserJourney Step that reads data from AD is actually available in your User Journey. In my case, I had to add:

<OrchestrationStep Order="2" Type="ClaimsExchange">
    <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
    </ClaimsExchanges>
</OrchestrationStep>
Manu Meyer
  • 191
  • 6