
I need to use an extension attribute of data type "DateTime" in a custom policy. I defined the claim type as follows.

<ClaimType Id="extension_myAttribute">
  <DisplayName>myAttribute</DisplayName>
  <DataType>dateTime</DataType>
  <UserHelpText>This is for X</UserHelpText>
</ClaimType>

I want to be able to compare this attribute with the current time and consequently direct the user journey. However, when I look in Application Insights, the value is "undefined" and as a result comparing it to a claim type containing the current time does me no good. The attribute is also missing as a claim even though I added it to OutputClaims in the Relying Party file.

Q1. Is it sufficient to declare it this way? Q2. Do I need to create it under User Attributes in the portal as well? I am not sure because in the portal only the data types int, boolean and string are available. Can I use any of these in place of dateTime?

EDIT: Here is the transformation that uses the attribute:

<ClaimsTransformation Id="SetMyAttribute" TransformationMethod="GetCurrentDateTime">
  <OutputClaims>
    <!-- References the ClaimType declared above; the reference id is spelled exactly as the declared Id -->
    <OutputClaim ClaimTypeReferenceId="extension_myAttribute" TransformationClaimType="currentDateTime" />
  </OutputClaims>
</ClaimsTransformation>

Thank you for your help!

Bandz

3 Answers


Yes, as you defined it in the custom policy, that is enough. You are right, you can't create a custom attribute of type dateTime in the portal.

Please refer to this link: https://github.com/azure-ad-b2c/samples/tree/master/policies/force-password-reset-after-90-days

This is to do a password reset after 90 days. This will for sure relate to what you are trying to implement.

Rohit Prasad
  • Thank you @Rohit. I took a look at that and it looks like I did exactly what the author did as far as declaration of the claim type and its use. Looks like I need to provide more information. I will add an edit in a few minutes. – Bandz Jul 30 '20 at 15:40
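The linked sample rests on two pieces the question is asking for: a DateTimeComparison claims transformation that turns "stored timestamp versus now" into a boolean claim, and an orchestration-step precondition that branches the user journey on that boolean. The fragments below are an added illustration of that pattern; they are not code from the sample or from anyone on this page. They assume the extension_myAttribute claim type declared in the question; the names currentDateTime, isMyAttributeOlderThan90Days, GetSystemDateTime, CompareMyAttributeWithCurrentDateTime, ClaimsTransformation-CompareMyAttribute, YourStalePathTechnicalProfile, the ClaimsExchange ids and the step orders are made up here, and the 7776000-second span is 90 days, echoing the sample. The first fragment belongs under BuildingBlocks and the second under ClaimsProviders in the extensions policy; the orchestration steps go into the user journey after the step that reads the user from the directory, because the stored attribute has to be in the claims bag before the comparison runs.

```xml
<!-- 1. BuildingBlocks: the clock reading, the comparison result, and the two transformations -->
<BuildingBlocks>
  <ClaimsSchema>
    <ClaimType Id="currentDateTime">
      <DisplayName>Current date and time</DisplayName>
      <DataType>dateTime</DataType>
    </ClaimType>
    <ClaimType Id="isMyAttributeOlderThan90Days">
      <DisplayName>Stored timestamp is more than 90 days old</DisplayName>
      <DataType>boolean</DataType>
    </ClaimType>
  </ClaimsSchema>

  <ClaimsTransformations>
    <!-- Read the policy engine's clock into the claims bag -->
    <ClaimsTransformation Id="GetSystemDateTime" TransformationMethod="GetCurrentDateTime">
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="currentDateTime" TransformationClaimType="currentDateTime" />
      </OutputClaims>
    </ClaimsTransformation>

    <!-- As used by the sample: result is true when the stored value (second) lies more than
         timeSpanInSeconds behind the current time (first) -->
    <ClaimsTransformation Id="CompareMyAttributeWithCurrentDateTime" TransformationMethod="DateTimeComparison">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="currentDateTime" TransformationClaimType="firstDateTime" />
        <InputClaim ClaimTypeReferenceId="extension_myAttribute" TransformationClaimType="secondDateTime" />
      </InputClaims>
      <InputParameters>
        <InputParameter Id="operator" DataType="string" Value="later than" />
        <InputParameter Id="timeSpanInSeconds" DataType="int" Value="7776000" />
      </InputParameters>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="isMyAttributeOlderThan90Days" TransformationClaimType="result" />
      </OutputClaims>
    </ClaimsTransformation>
  </ClaimsTransformations>
</BuildingBlocks>

<!-- 2. ClaimsProviders: a claims-transformation technical profile that runs both transformations -->
<ClaimsProvider>
  <DisplayName>Date comparison</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="ClaimsTransformation-CompareMyAttribute">
      <DisplayName>Compare stored timestamp with now</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <OutputClaims>
        <!-- DefaultValue gives the result claim a value even if the transformation produces none -->
        <OutputClaim ClaimTypeReferenceId="isMyAttributeOlderThan90Days" DefaultValue="false" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="GetSystemDateTime" />
        <OutputClaimsTransformation ReferenceId="CompareMyAttributeWithCurrentDateTime" />
      </OutputClaimsTransformations>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<!-- 3. UserJourney: run the comparison once the user has been read from the directory (so that
        extension_myAttribute is in the claims bag), then branch on the boolean -->
<OrchestrationStep Order="4" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="CompareMyAttributeExchange" TechnicalProfileReferenceId="ClaimsTransformation-CompareMyAttribute" />
  </ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="5" Type="ClaimsExchange">
  <Preconditions>
    <!-- ExecuteActionsIf="false": skip this step unless isMyAttributeOlderThan90Days equals True -->
    <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
      <Value>isMyAttributeOlderThan90Days</Value>
      <Value>True</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <!-- Placeholder for whatever should only happen on the "stale" path -->
    <ClaimsExchange Id="StalePathExchange" TechnicalProfileReferenceId="YourStalePathTechnicalProfile" />
  </ClaimsExchanges>
</OrchestrationStep>
```

The sample's comparison (now as firstDateTime, the stored value as secondDateTime, operator later than, a 90-day span) is what makes the boolean mean "stale". Step 5 only executes when that boolean is True, so the technical profile it points at is the place for the extra work on the stale path. Check the branch with one test user whose attribute is set and one whose attribute has never been written before relying on it, since the second case depends on the DefaultValue and on how the comparison treats a missing second date.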

You need to call your claims transformation as an input or output claims transformation from a technical profile, and then reference that technical profile from your user journey. Then it will be output and issued into the token.

Jas Suri - MSFT
  • Thank you Jas. As @Rohit suggested, I took a look at the sample. In the sample, AAD-UserWriteUsingLogonEmail and AAD-UserWritePasswordUsingObjectId technical profiles are used to call the SetPasswordResetOn claims transformation that populates the extension_passwordResetOn attribute with the current time. The TPs then persist the attribute in AAD. The problem is extension_passwordResetOn is populated during signup and during password reset but I want to be able to populate my extension attribute during user sign in. How can I have the attribute written to AAD after user signs in? – Bandz Aug 01 '20 at 08:06

Really grateful to you both for your attempts. In my scenario, I needed to update my extension attribute during a sign-in and not a sign-up as in the suggested sample. To resolve this, I added an additional AAD-XXX technical profile in the Azure AD claims provider that could perform a 'write' operation but with RaiseErrorIfClaimsPrincipalAlreadyExists => 'false'. This allowed me to call my claims transformation in an InputClaimsTransformation element and then write to AAD using a PersistedClaims element. Something like below. I hope this helps someone else.

<TechnicalProfile Id="AAD-XXXX">
  <Metadata>
    <!-- Write to the directory without failing because the user already exists:
         this profile runs for an existing user who has just signed in -->
    <Item Key="Operation">Write</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">false</Item>
  </Metadata>
  <InputClaimsTransformations>
    <!-- Call the claims transformation (GetCurrentDateTime) that fills the extension attribute -->
    <InputClaimsTransformation ReferenceId="MyClaimsTransformation" />
  </InputClaimsTransformations>
  <InputClaims>
    <!-- The user is addressed by objectId, which the sign-in steps already put in the claims bag -->
    <InputClaim ClaimTypeReferenceId="objectId" />
  </InputClaims>
  <PersistedClaims>
    <!-- Required claims -->
    <PersistedClaim ClaimTypeReferenceId="objectId" />
    <PersistedClaim ClaimTypeReferenceId="userPrincipalName" />
    <PersistedClaim ClaimTypeReferenceId="displayName" />
    <!-- The freshly computed timestamp that gets written to the user object -->
    <PersistedClaim ClaimTypeReferenceId="extension_MyExtensionAttribute" />
  </PersistedClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>
Bandz
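Two more fragments are needed before the write profile above does anything during a sign-in: the user journey has to run it, and the directory read that precedes it has to return the attribute. An extension attribute that is not listed as an output claim of the read technical profile never reaches the claims bag on later sign-ins, so anything that compares against it sees no value. The fragments below are an added illustration, not code from the original post: the ClaimsExchange id AADUserWriteMyAttribute and the step orders are assumed, AAD-XXXX is the placeholder id from the answer, and the other ids (AAD-UserReadUsingObjectId, SelfAsserted-LocalAccountSignin-Email, LocalAccountSignUpWithLogonEmail, JwtIssuer, api.signuporsignin, DefaultWeb) are the stock ones from the LocalAccounts starter pack, whose SignUpOrSignIn journey has steps 1 to 3 as shown. This also assumes AAD-Common already carries the ClientId and ApplicationObjectId of the b2c-extensions-app, which any extension_ claim needs. In the SocialAndLocalAccounts starter pack the journey has more steps; the write step goes after the AAD-UserReadUsingObjectId step in the same way.

```xml
<!-- 1. ClaimsProviders: make the directory read return the attribute, otherwise it is
        missing from the claims bag on every sign-in after the one that wrote it -->
<ClaimsProvider>
  <DisplayName>Azure Active Directory</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="AAD-UserReadUsingObjectId">
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="extension_MyExtensionAttribute" />
      </OutputClaims>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<!-- 2. UserJourneys: steps 1-3 are the stock sign-up-or-sign-in steps; step 4 is the addition
        that writes the timestamp for the user who has just signed in; step 5 issues the token -->
<UserJourney Id="SignUpOrSignIn">
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
      <ClaimsProviderSelections>
        <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
      </ClaimsProviderSelections>
      <ClaimsExchanges>
        <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
      </ClaimsExchanges>
    </OrchestrationStep>

    <!-- Sign-up only: skipped when sign-in already produced an objectId -->
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>objectId</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
      </ClaimsExchanges>
    </OrchestrationStep>

    <!-- Loads the user, including extension_MyExtensionAttribute thanks to the override above -->
    <OrchestrationStep Order="3" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>

    <!-- Runs the write profile from the answer: its input claims transformation stamps the
         current time into the claim, and PersistedClaims writes it to the user object -->
    <OrchestrationStep Order="4" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserWriteMyAttribute" TechnicalProfileReferenceId="AAD-XXXX" />
      </ClaimsExchanges>
    </OrchestrationStep>

    <OrchestrationStep Order="5" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
  <ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>
```

Ordering is what matters here: the read in step 3 supplies the objectId-bound user and the previous timestamp, the write in step 4 overwrites the timestamp, and only then does step 5 issue the token. If the stored value is meant to drive a branch (as in the 90-day sample), the comparison has to sit between steps 3 and 4, so that it sees the old value rather than the one just written.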