
From testing, it appears Validation Technical Profiles are only used when added to SelfAsserted Technical Profiles.

E.g. the following:

    <TechnicalProfile Id="ExternalIDP">
      <DisplayName>Some External IdP</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <Metadata>
        <!-- ... -->
      </Metadata>
      <OutputClaims>
        <!-- ... -->
      </OutputClaims>
      <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="FETCH-MORE-CLAIMS" />
      </ValidationTechnicalProfiles>
    </TechnicalProfile>

does not appear to call the FETCH-MORE-CLAIMS profile after authenticating to the external identity provider.

Is this correct, and if so, is there another way to always force a second technical profile to be called whenever a particular technical profile is called?


1 Answer


One possible way would be to set an output claim that indicates that was done, and then have an orchestration step after that with a condition on that claim, which then runs your TP as a claims exchange.

So an output claim like:

    <OutputClaim ClaimTypeReferenceId="idp" DefaultValue="ThisIdp" AlwaysUseDefaultValue="true" />

You'd need to define that claim if it isn't already defined, or you can use another one you already have.

    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
          <Value>idp</Value>
          <Value>ThisIdp</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="FetchMoreClaimsExchange" TechnicalProfileReferenceId="FETCH-MORE-CLAIMS" />
      </ClaimsExchanges>
    </OrchestrationStep>

This orchestration step is skipped if idp != ThisIdp, so it would only run if your external idp was used.

  • Hi @juunas, this is in fact how it is implemented now :) It works but I was just wondering if there was another way, because it still means replicating the two orchestration steps each time the identity provider is needed. – sgdesmet Sep 12 '19 at 07:37
  • Hey juunas: can you shed some light here? https://stackoverflow.com/q/58773626/114029 – Leniel Maccaferri Nov 08 '19 at 20:51
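The pattern from the answer, assembled into the three places it touches in a custom policy (claims schema, the IdP technical profile, and the user journey). This is an added example, not code from the question or the answer: the names `ExternalIDP`, `FETCH-MORE-CLAIMS`, `idp` and `ThisIdp` come from the thread, while the `ClaimType` definition, the journey name, the step numbers, the `api.idpselections` content definition and the `JwtIssuer` issuer profile are assumptions in the style of the B2C starter pack.

```xml
<!-- Added example (assumed layout), not from the question or answer above.
     Fragments below belong in different sections of the policy file. -->

<!-- 1. Marker claim, declared under BuildingBlocks/ClaimsSchema.
        Skip this if a suitable claim already exists. -->
<ClaimType Id="idp">
  <DisplayName>Identity provider</DisplayName>
  <DataType>string</DataType>
</ClaimType>

<!-- 2. External IdP technical profile emits the marker.
        AlwaysUseDefaultValue="true" forces the value to "ThisIdp" no matter
        what the provider's token contains, so the provider cannot influence
        whether the follow-up step runs. -->
<TechnicalProfile Id="ExternalIDP">
  <DisplayName>Some External IdP</DisplayName>
  <Protocol Name="OpenIdConnect" />
  <Metadata>
    <!-- provider metadata ... -->
  </Metadata>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="idp" DefaultValue="ThisIdp" AlwaysUseDefaultValue="true" />
    <!-- claims mapped from the provider's token ... -->
  </OutputClaims>
</TechnicalProfile>

<!-- 3. User journey (assumed name): provider selection, the IdP exchange,
        then the conditional exchange. Step 3 is skipped when idp != ThisIdp
        because ExecuteActionsIf="false" fires the skip action when the
        ClaimEquals test is false. -->
<UserJourney Id="SignInWithExternalIdp">
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="ClaimsProviderSelection" ContentDefinitionReferenceId="api.idpselections">
      <ClaimsProviderSelections>
        <ClaimsProviderSelection TargetClaimsExchangeId="ExternalIdpExchange" />
      </ClaimsProviderSelections>
    </OrchestrationStep>

    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="ExternalIdpExchange" TechnicalProfileReferenceId="ExternalIDP" />
      </ClaimsExchanges>
    </OrchestrationStep>

    <OrchestrationStep Order="3" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
          <Value>idp</Value>
          <Value>ThisIdp</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="FetchMoreClaimsExchange" TechnicalProfileReferenceId="FETCH-MORE-CLAIMS" />
      </ClaimsExchanges>
    </OrchestrationStep>

    <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
</UserJourney>
```

The point of `AlwaysUseDefaultValue="true"` in step 2 is that the gating claim is set by the policy, not by the remote token: a value a provider happens to return for `idp` cannot decide whether `FETCH-MORE-CLAIMS` runs. As the comment on the answer notes, steps 2 and 3 still have to be repeated in every journey that uses the provider.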