
My OIDC claims provider (Okta) provides the given_name and family_name values to my OIDC test harness app.

My Azure B2C claims provider uses the same scopes as my test app, but I can't get the given_name and family_name to be added to the B2C claim.

Scopes used when calling Okta CP:

<Item Key="scope">openid profile email</Item>

OutputClaims mapping in Okta CP:

<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" DefaultValue="default value from input ClaimsProvider: email"/>
<OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" DefaultValue="default value from input ClaimsProvider: givenName"/>
<OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name" DefaultValue="default value from input ClaimsProvider: surname"/>

This configuration doesn't seem to get the values for these two claims. It does get the "name" and "email" values, so I feel confident the scopes are being honored. Using DefaultValues to debug, I see this in the Azure SAML test app.


SAML Login Success
Attribute   Value
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress  JoeBlow@xyz.com
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name  Joe Blow
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname default value from input ClaimsProvider: givenName
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname   default value from input ClaimsProvider: surname
http://schemas.microsoft.com/identity/claims/userprincipalname  JoeBlow@xyz.com
user594102
  • Have you tried with more than 1 user? The configuration looks good to me as per this link https://developer.okta.com/docs/reference/api/oidc/#token. Also, you can do a quick test by using the Azure Portal to add an OIDC provider and test quickly before implementing it in custom policies. Once it works you can move to a custom policy to get the B2C response in the RP as SAML. – Rohit Prasad Jan 18 '21 at 13:07
  • Yes, all users exhibit the same missing claim. I have created an Okta federation where B2C is a SAML SP to the Okta IdP; that works with the claims. I have also tried the built-in B2C_1_SignUpIn flow. That does work, but that is not exactly the same scenario, because I am trying to pass the two name attributes directly from the "input" claims provider to the output claim (skipping B2C user creation and using B2C only as a "router"), [as discussed here](https://stackoverflow.com/questions/65753773/could-an-azure-ad-b2c-custom-policy-theoretically-produce-a-token-from-social-id) – user594102 Jan 18 '21 at 14:00
  • I ran one more test against Azure AD via OIDC; it produces even fewer values (only "name"). Am I correct in thinking that any of the claims presented by the OIDC userinfo_endpoint should be available to my TechnicalProfile as an OutputClaim? – user594102 Jan 19 '21 at 00:49
  • You mean you are getting the details when you use user flows but not in the custom policy. If possible, can you please share the User Journey file and also the technical profile related to it, so that I will be able to guide you properly on the solution? – Rohit Prasad Jan 19 '21 at 13:16
  • I have uploaded the policy to [TrustFrameworkExtensionsGW.xml](https://github.com/hkelley/AzureADB2CGateway/blob/main/TrustFrameworkExtensionsGW.xml) – user594102 Jan 19 '21 at 22:49

1 Answer


Might be too late for the OP, but we just ran into this as well. It took us quite a while to find a solution.

  • The problem was not (in our case) the Azure AD B2C policy.
  • Instead, the issue was with the Azure AD app registration (used for MS + AAD accounts).
  • family_name and given_name are optional claims.

For those claims to be returned two things need to happen:

  • The profile scope must be requested.
  • Configure the Azure AD app registration to return these 2 optional claims.
    • This was the step we were missing.

Here is the link to the doc explaining how to ensure an Azure AD app registration returns optional claims (it's straightforward and only took 1 min to do):
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims?WT.mc_id=AZ-MVP-5003445#configuring-optional-claims

ntziolis
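A diagnostic that separates the two failure modes discussed on this page: the question uses DefaultValue to reveal which OutputClaims went unfilled, and the answer notes that given_name and family_name only arrive when the profile scope is requested and, for Azure AD, the app registration lists them as optional claims. This is an added example, not code from the question, the answer, Microsoft or Okta. It decodes an id_token payload without verifying the signature (diagnostics only; never make an authorization decision on it), reports which wanted claims are absent using the scope-to-claim table from OpenID Connect Core 1.0 section 5.4, and, when an Azure AD app manifest is supplied, checks whether a missing claim is listed under optionalClaims.idToken. The sample token, the manifest dictionaries and the function names are constructed for the example; the token is unsigned (alg none) and only exists so the block runs offline.

```python
import base64
import json

# Standard claims released by each OIDC scope (OpenID Connect Core 1.0, section 5.4).
SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}


def _b64url(obj):
    """base64url-encode a JSON object without padding (JWS compact form)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample: an unsigned token that carries name + email but not the
# given_name / family_name claims, mirroring what the question observed.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "none", "typ": "JWT"}),
    _b64url({"sub": "00u1abc", "name": "Joe Blow",
             "email": "JoeBlow@xyz.com", "email_verified": True}),
    "",
])

# Constructed Azure AD app manifests: before and after adding the optional claims.
MANIFEST_BEFORE = {"optionalClaims": {"idToken": [], "accessToken": [], "saml2Token": []}}
MANIFEST_AFTER = {"optionalClaims": {
    "idToken": [
        {"name": "given_name", "source": None, "essential": False, "additionalProperties": []},
        {"name": "family_name", "source": None, "essential": False, "additionalProperties": []},
    ],
    "accessToken": [], "saml2Token": [],
}}


def decode_jwt_payload(token):
    """Return the JWT payload WITHOUT signature verification (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_claims(claims, scope, wanted):
    """Map each wanted claim that is absent to the most likely reason."""
    requested = set(scope.split())
    result = {}
    for claim in sorted(wanted):
        if claim in claims:
            continue
        carrier = next((s for s, cs in SCOPE_CLAIMS.items() if claim in cs), None)
        if carrier is None:
            reason = "not a standard scope claim; needs an IdP-specific mapping"
        elif carrier not in requested:
            reason = "scope '%s' not requested" % carrier
        else:
            reason = "scope '%s' requested but IdP did not release claim" % carrier
        result[claim] = reason
    return result


def manifest_requests_claim(manifest, claim, token_type="idToken"):
    """True if an Azure AD app manifest lists `claim` under optionalClaims.<token_type>."""
    entries = manifest.get("optionalClaims", {}).get(token_type, [])
    return any(entry.get("name") == claim for entry in entries)


def diagnose(token, scope, wanted, manifest=None):
    """Combine the token check with the (Azure AD only) app-manifest check."""
    findings = missing_claims(decode_jwt_payload(token), scope, wanted)
    if manifest is not None:
        for claim, reason in list(findings.items()):
            if "did not release" in reason and not manifest_requests_claim(manifest, claim):
                findings[claim] = reason + "; add it under optionalClaims.idToken in the app manifest"
    return findings


if __name__ == "__main__":
    wanted = {"name", "email", "given_name", "family_name"}
    for label, manifest in (("before", MANIFEST_BEFORE), ("after", MANIFEST_AFTER)):
        print(label, diagnose(SAMPLE_TOKEN, "openid profile email", wanted, manifest))
```

Run it against the raw id_token (or the userinfo response) obtained directly from the IdP's token endpoint, not against what B2C emits: if the claim is already absent there, no OutputClaim mapping in the TechnicalProfile will fill it, which is exactly the situation the DefaultValue trick exposes. The manifest check only applies to an Azure AD app registration; for Okta the equivalent is the authorization server's claims configuration.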