
I am looking to meet a password complexity requirement using a claims transformation. When a user goes through the password reset journey, I want to prevent passwords similar to the username by comparing the newPassword claim to an extension attribute that contains the user's email prefix, e.g. jdoe in jdoe@contoso.com. I don't want to use a REST technical profile.

Claims Transformation

  <ClaimsTransformation Id="CheckUserSuppliedPassword" TransformationMethod="CompareClaims">
    <InputClaims>
      <InputClaim ClaimTypeReferenceId="newPassword" TransformationClaimType="inputClaim1" />
      <InputClaim ClaimTypeReferenceId="userEmailPrefix" TransformationClaimType="inputClaim2" />
    </InputClaims>
    <InputParameters>
      <InputParameter Id="operator" DataType="string" Value="NOT EQUAL" />
      <InputParameter Id="ignoreCase" DataType="string" Value="true" />
    </InputParameters>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="SameAsEmailPrefix" TransformationClaimType="outputClaim" />
    </OutputClaims>
  </ClaimsTransformation>

I added another technical profile (MyLocalAccountCheckUserPassword) that calls the transformation. This technical profile is used as a validation technical profile that is referenced in the "LocalAccountWritePasswordUsingObjectId" technical profile of the Local Account claims provider. Below are both technical profiles.

<TechnicalProfile Id="MyLocalAccountCheckUserPassword">
  <DisplayName>Check User Password</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
  <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="newPassword" Required="true" />
    <InputClaim ClaimTypeReferenceId="reenterPassword" Required="false" />
  </InputClaims>
  
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="newPassword"/>
    <OutputClaim ClaimTypeReferenceId="reenterPassword" />
    <OutputClaim ClaimTypeReferenceId="SameAsEmailPrefix"/>
  </OutputClaims>

  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="CheckUserSuppliedPassword"/>
  </OutputClaimsTransformations>
</TechnicalProfile>


<TechnicalProfile Id="LocalAccountWritePasswordUsingObjectId">
  <DisplayName>Change password (username)</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ContentDefinitionReferenceId">api.localaccountpasswordreset</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
  </CryptographicKeys>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" />
    <InputClaim ClaimTypeReferenceId="Verified.strongAuthenticationPhoneNumber" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="newPassword" Required="true" />
    <OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true" />
    <OutputClaim ClaimTypeReferenceId="sameAsEmailPrefix" Required="true" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="AAD-UserWritePasswordUsingObjectId" />
    <ValidationTechnicalProfile ReferenceId="MyLocalAccountCheckUserPassword" />
  </ValidationTechnicalProfiles>
</TechnicalProfile>

For now, all I want to do is validate what's in the SameAsEmailMessage claim (true/false) to see if the comparison happened as expected. So, I have added it as an output claim in the Relying Party technical profile. But it doesn't show up as a claim after the password reset journey completes. Ultimately, I want to show an error message to the user on the local account sign in screen.

Please help.

Bandz

1 Answer

Add SameAsEmailPrefix as an output claim in the relyingparty section of your custom policy file.

Jas Suri - MSFT
  • Add it as an output claim in LocalAccountWritePasswordUsingObjectId too – Jas Suri - MSFT Sep 26 '20 at 23:59
  • To do the overall logic, have your claim transform call before the AAD-UserWritePasswordUsingObjectId VTP. Then add another claims transform TP to [assert](https://learn.microsoft.com/en-us/azure/active-directory-b2c/boolean-transformations#assertbooleanclaimisequaltovalue) that the SameAsEmailPrefix is FALSE. This CT can return the error too. – Jas Suri - MSFT Sep 27 '20 at 00:02
  • And a good reference sample to use these concepts is https://github.com/azure-ad-b2c/samples/tree/master/policies/banned-password-list-no-API – Jas Suri - MSFT Sep 27 '20 at 00:03
  • Thank you Jas. I am looking at the sample and it looks like it will work for me. However, I am yet to catch the part of the sample that actually prevents a user from setting the same (old) password during password reset. Can you please point me in the direction? – Bandz Sep 27 '20 at 02:08
  • Hey Jas, thank you for your help so far. However, I am still stuck on being able to prevent a user resetting the same password. Any insight will be appreciated. – Bandz Sep 30 '20 at 02:14
  • Hi @Bandz are you still looking for any help on this.? – Raghavendra beldona Oct 14 '20 at 14:21
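An added example, not code from the original post, the answer, or the linked sample, showing how the pieces suggested in the answer and comments fit together in one policy: CompareClaims sets SameAsEmailPrefix to true when the new password equals the email prefix, AssertBooleanClaimIsEqualToValue fails the validation unless that flag is false, and the check runs before AAD-UserWritePasswordUsingObjectId so a rejected password is never written to the directory. Ids prefixed "Example-" are hypothetical; the example assumes SameAsEmailPrefix is declared as a boolean ClaimType and that userEmailPrefix has already been read into the claims bag earlier in the journey (for instance by the AAD read step that looks the user up). Note that the operator is EQUAL here, the opposite of the original post, so that "true" means "same as the prefix" and the assertion reads naturally.

```xml
<!-- Added example, not code from the original post. Ids prefixed "Example-" are hypothetical.
     Assumes: SameAsEmailPrefix is declared as a boolean ClaimType, and userEmailPrefix is
     already in the claims bag (e.g. output by the AAD read step earlier in the journey). -->

<!-- 1. Compare the new password with the e-mail prefix. Outputs true when they match. -->
<ClaimsTransformation Id="CheckUserSuppliedPassword" TransformationMethod="CompareClaims">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="newPassword" TransformationClaimType="inputClaim1" />
    <InputClaim ClaimTypeReferenceId="userEmailPrefix" TransformationClaimType="inputClaim2" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="operator" DataType="string" Value="EQUAL" />
    <InputParameter Id="ignoreCase" DataType="string" Value="true" />
  </InputParameters>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="SameAsEmailPrefix" TransformationClaimType="outputClaim" />
  </OutputClaims>
</ClaimsTransformation>

<!-- 2. Fail the validation unless SameAsEmailPrefix is false. -->
<ClaimsTransformation Id="Example-AssertPasswordNotEmailPrefix" TransformationMethod="AssertBooleanClaimIsEqualToValue">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="SameAsEmailPrefix" TransformationClaimType="inputClaim" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="valueToCompareTo" DataType="boolean" Value="false" />
  </InputParameters>
</ClaimsTransformation>

<!-- 3. Validation technical profile that runs both transformations, in order.
        ClaimsTransformationProtocolProvider is the handler for a transformation-only profile;
        SelfAssertedAttributeProvider is for profiles that render a page. -->
<TechnicalProfile Id="Example-CheckPasswordNotEmailPrefix">
  <DisplayName>Reject passwords equal to the e-mail prefix</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="newPassword" />
    <InputClaim ClaimTypeReferenceId="userEmailPrefix" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="SameAsEmailPrefix" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="CheckUserSuppliedPassword" />
    <OutputClaimsTransformation ReferenceId="Example-AssertPasswordNotEmailPrefix" />
  </OutputClaimsTransformations>
</TechnicalProfile>

<!-- 4. The self-asserted password page. The error text for a failed assertion is configured
        here, on the profile that renders the page, and the check runs BEFORE the directory
        write so a rejected password is never stored. -->
<TechnicalProfile Id="LocalAccountWritePasswordUsingObjectId">
  <DisplayName>Change password (username)</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ContentDefinitionReferenceId">api.localaccountpasswordreset</Item>
    <Item Key="UserMessageIfClaimsTransformationBooleanValueIsNotEqual">Your password cannot be the same as your user name.</Item>
  </Metadata>
  <!-- CryptographicKeys and InputClaims unchanged from the original post -->
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="newPassword" Required="true" />
    <OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true" />
    <OutputClaim ClaimTypeReferenceId="SameAsEmailPrefix" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="Example-CheckPasswordNotEmailPrefix" />
    <ValidationTechnicalProfile ReferenceId="AAD-UserWritePasswordUsingObjectId" />
  </ValidationTechnicalProfiles>
</TechnicalProfile>
```

For the debugging step in the question, SameAsEmailPrefix also has to be listed as an output claim of the relying party's technical profile, as the answer says, or it never reaches the token. One caveat a practitioner should weigh: CompareClaims tests (case-insensitive) equality only, so "jdoe" is rejected but "jdoe1" or "jdoe2020" passes; the built-in transformations cannot substring-match one claim against another claim, so anything closer to "similar to the username" than exact equality needs a different mechanism than the one shown here.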