9

Trying to implement the following scenario: Azure AD B2C with Azure AD as one of the identity providers. The only way to achieve it is using custom policies. I followed these tutorials: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-get-started-custom#prerequisites and https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-commonaad-custom#create-an-azure-ad-b2c-application The problem is that when I try to upload TrustFrameworkExtensions.xml I get the message that my tenant

makes a reference to ClaimType with id "issuerUserId" but neither the policy nor any of its base policies contain such an element.

Found a similar issue here https://github.com/MicrosoftDocs/azure-docs/issues/27602 and replaced issuerUserId with socialIdpUserId. That seemed to solve it, but during upload another issue came up:

makes a reference to ClaimsTransformation with id "CreateRandomUPNUserName" but neither the policy nor any of its base policies contain such an element.

I got the claims provider configuration from the tutorial and now I don't really have any idea how to fix it. Thanks in advance for any help.

EDIT

Based on @Chris's solution I made those files correct (no errors during uploading), but there are still some problems with parsing the returned token. Has anyone made the example from the second link up and running (Azure AD B2C and many Azure ADs injected into a multitenant Azure AD)?

Kamil Będkowski
  • Your base policy doesn't include the claims transformation I guess? – juunas Oct 01 '19 at 09:30
  • Got both files from the guide in link nr 1 and tried to implement the solution from link nr 2. I assumed they would work with each other. In brief, probably not, but I don't know where and how to put them. – Kamil Będkowski Oct 01 '19 at 09:32
  • Why not use the `Generic Open Id provider` to add `Azure AD` https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-oidc-idp ? This way you don't need a custom policy. – Thomas Oct 01 '19 at 09:46
  • Hi @KamilBędkowski Which custom policy starter pack did you begin with? You must use one of the **SocialAccounts** ones. – Chris Padgett Oct 01 '19 at 10:49
  • Thomas, I can't because I want to use many Azure ADs as one provider. @ChrisPadgett I used it, thanks, but there is still a problem. – Kamil Będkowski Oct 07 '19 at 11:47
  • I am having the same issue, this question has a lot of upvotes. I think people like me are coming here from Google after following that same tutorial which is clearly leaving some important information out. – Victorio Berra Mar 17 '23 at 17:58

2 Answers

1

I followed the instructions; I began from 'LocalAccounts' and got the same symptoms.

"LocalAccounts\TrustFrameworkBase.xml" has a ClaimsSchema element:

<TrustFrameworkPolicy>
 <BuildingBlocks>
  <ClaimsSchema>
  </ClaimsSchema>
 </BuildingBlocks>
</TrustFrameworkPolicy>

So does "SocialAndLocalAccounts\TrustFrameworkBase.xml".

BUT "SocialAndLocalAccounts\TrustFrameworkBase.xml" has more claims in the <ClaimsSchema> element, and an important comment:

"The trust framework policy treats Azure AD as any other claims provider and all its restrictions are modelled in the policy."

This would suggest that LocalAccounts\TrustFrameworkBase.xml starter does not come with the necessary claims in <ClaimsSchema> to handle additional claims providers, including Azure AD.

Hence, copy the claims mentioned in the errors from SocialAndLocalAccounts\TrustFrameworkBase.xml to LocalAccounts\TrustFrameworkBase.xml,

for example,

Error:
Policy "B2C_1A_TrustFrameworkExtensions" of tenant "contoso.onmicrosoft.com" makes a reference to ClaimType with id "issuerUserId" but neither the policy nor any of its base policies contain such an element

Resolution:
Copy this snippet from the other starter packs to your TrustFrameworkBase.xml:

<ClaimType Id="issuerUserId">

In fact, if you use MFA in Azure AD, you may need to refer to SocialAndLocalAccountsWithMfa\TrustFrameworkBase.xml

Then upload the policies in the correct order (policy names based on the templates):

  1. TrustFrameworkBase.xml
  2. TrustFrameworkExtensions.xml
  3. SignUpSignIn.xml

Azure Active Directory B2C custom policy overview | Microsoft Learn, section "Custom policy starter pack": https://learn.microsoft.com/en-gb/azure/active-directory-b2c/custom-policy-overview#custom-policy-starter-pack

Azure AD B2C custom policy starter pack comes with several pre-built policies to get you started quickly. Each of these starter packs contains the smallest number of technical profiles and user journeys needed to achieve the scenarios described:

LocalAccounts - Enables the use of local accounts only.

May I suggest...

  1. Start with the intended scenario for that starter pack only
  2. Read Azure Active Directory B2C custom policy overview

There are Architecture Deep Dive videos from Microsoft on YouTube, but they are relatively shallow and not as good as videos for more popular services.
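As an added example (not part of either answer), the check below does offline what the upload step does on the server: it parses a set of TrustFrameworkPolicy files, walks the BasePolicy chain, lists every ClaimType and ClaimsTransformation id that is referenced but defined in none of the policies in the chain, and derives the root-first upload order. The two policy documents inside it are constructed, cut-down samples; the technical profile id and claim names are assumptions, not the starter pack's contents.

```python
# Added example, not from the question or answers: an offline pre-upload check that
# reproduces the "makes a reference to ... but neither the policy nor any of its base
# policies contain such an element" error and derives the upload order from BasePolicy.
import xml.etree.ElementTree as ET

NS = {"p": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}

# Constructed, cut-down samples (not the real starter pack): a base whose ClaimsSchema
# lacks issuerUserId, and an extensions policy that references it anyway.
BASE_XML = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
    PolicyId="B2C_1A_TrustFrameworkBase" TenantId="contoso.onmicrosoft.com">
  <BuildingBlocks><ClaimsSchema>
    <ClaimType Id="socialIdpUserId"><DataType>string</DataType></ClaimType>
    <ClaimType Id="displayName"><DataType>string</DataType></ClaimType>
  </ClaimsSchema></BuildingBlocks></TrustFrameworkPolicy>"""
EXT_XML = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
    PolicyId="B2C_1A_TrustFrameworkExtensions" TenantId="contoso.onmicrosoft.com">
  <BasePolicy><TenantId>contoso.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId></BasePolicy>
  <ClaimsProviders><ClaimsProvider><TechnicalProfiles><TechnicalProfile Id="AADCommon-OpenIdConnect">
    <OutputClaims><OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid"/>
      <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name"/></OutputClaims>
    <OutputClaimsTransformations><OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
    </OutputClaimsTransformations>
  </TechnicalProfile></TechnicalProfiles></ClaimsProvider></ClaimsProviders></TrustFrameworkPolicy>"""

def load_policies(*xml_docs):
    return {r.get("PolicyId"): r for r in map(ET.fromstring, xml_docs)}  # PolicyId -> root

def inheritance_chain(policies, leaf_id):
    """[leaf, its base, ..., root], following BasePolicy/PolicyId as the B2C engine does."""
    chain, pid = [], leaf_id
    while pid is not None:
        chain.append(policies[pid])
        base = policies[pid].find("p:BasePolicy/p:PolicyId", NS)
        pid = base.text.strip() if base is not None else None
    return chain

def upload_order(policies, leaf_id):
    """Root first: each policy can only be uploaded after every base it names exists."""
    return [r.get("PolicyId") for r in reversed(inheritance_chain(policies, leaf_id))]

def missing_references(policies, leaf_id):
    """(kind, id) pairs referenced in the chain but defined in none of its BuildingBlocks."""
    chain = inheritance_chain(policies, leaf_id)
    defined = {"ClaimType": {c.get("Id") for r in chain for c in r.iterfind(".//p:ClaimsSchema/p:ClaimType", NS)},
               "ClaimsTransformation": {t.get("Id") for r in chain
                                        for t in r.iterfind(".//p:ClaimsTransformations/p:ClaimsTransformation", NS)}}
    used = {("ClaimType", e.get("ClaimTypeReferenceId"))
            for r in chain for e in r.iterfind(".//*[@ClaimTypeReferenceId]", NS)}
    used |= {("ClaimsTransformation", e.get("ReferenceId")) for r in chain for tag in
             ("InputClaimsTransformation", "OutputClaimsTransformation") for e in r.iterfind(f".//p:{tag}", NS)}
    return sorted((kind, ref) for kind, ref in used if ref not in defined[kind])
```

Running `missing_references(load_policies(BASE_XML, EXT_XML), "B2C_1A_TrustFrameworkExtensions")` reports both ids from the question; adding the matching ClaimType and ClaimsTransformation definitions to the base policy empties the list.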

0

You need to add the ClaimType to the Base.xml

      <ClaimType Id="issuerUserId">
        <DisplayName>OID</DisplayName>
        <DataType>string</DataType>
        <UserHelpText/>
      </ClaimType>

      <ClaimType Id="alternativeSecurityId">
        <DisplayName>AlternativeSecurityId</DisplayName>
        <DataType>string</DataType>
        <UserHelpText/>
      </ClaimType>
Victorio Berra