
My company has to federate with several external IdPs (using industry-standard solutions such as AD FS, F5, etc.) which issue group claims.

When a user has multiple groups, these IdPs issue a response with the claim in the following format:

"groups": ["Domain Users", "US Users", "Administrators"]

But when a user has only a single group:

"groups": "Domain Users"

Here is the b2cGroups ClaimType as defined in TrustFrameworkExtensions:

<ClaimType Id="b2cGroups">
    <DisplayName>Groups</DisplayName>
    <DataType>stringCollection</DataType>
    <AdminHelpText>User's groups.</AdminHelpText>
</ClaimType>

And the OutputClaim in the external IdP TechnicalProfile:

<OutputClaim ClaimTypeReferenceId="b2cGroups" PartnerClaimType="groups" />

In the current configuration, B2C throws a fatal exception when a user has only a single group:

The data type 'String' of the claim with id 'groups' does not match the DataType 'StringCollection' of ClaimType with id 'b2cGroups' specified in the policy.

I can alter the claim definition from stringCollection to string:

<ClaimType Id="b2cGroups">
    <DisplayName>Groups</DisplayName>
    <DataType>string</DataType>
    <AdminHelpText>User's groups.</AdminHelpText>
</ClaimType>

But now when a user has multiple groups:

The data type 'StringCollection' of the claim with id 'groups' does not match the DataType 'String' of ClaimType with id 'b2cGroups' specified in the policy.

The exception happens during execution of the OIDC or SAML2 technical profile itself, so I can't use a claims transformation to manipulate the data. It seems B2C has no leniency for this potential inconsistency in data types, which is right in theory, but in practice, the major federated identity solutions (such as AD FS, which is also a MS product) don't adhere to this standard.

This has become a major issue that, left unresolved, will force us to tear up our existing B2C infrastructure and migrate to another CIAM solution. Is there a fix or hack that I can apply to mitigate this issue?

Daniel Krasnove
  • I was getting a similar exception where the external IdP was sending multiple group/role names. I added the following in the ClaimType definition – Rajendra Thorat Sep 26 '22 at 10:14

1 Answer

The only workaround would be to not return the claim in the IdP technical profile, and instead call an API in a subsequent step and have it fetch the value from the IdP and always return an array back to B2C.

Jas Suri - MSFT
  • I have removed the claim in the interim, but if I understand correctly, the only way to receive this claim is to arrange a secondary method of acquiring it from the IdP, such as with a call to a separate API provided by the client? I am seeing the same issue when a user has multiple names, emails, etc. This seems to be how AD FS issues claims, as multiple client IdPs on AD FS exhibit the same behavior. Is there no native solution using an AD FS OIDC/SAML2 technical profile? Unfortunately, we can't ask all our clients using AD FS to change their configuration just for us. – Daniel Krasnove Apr 02 '21 at 22:14
  • You can call the api directly inside your B2C custom policy and issue the group value into the token for your client to have. There is no native solution that B2C has in general for this scenario, we are explicit with the claim data type. – Jas Suri - MSFT Apr 02 '21 at 22:18
  • Hmm... this is what I was afraid of. Our clients, whose IdPs we are trying to federate with, do not expose APIs to retrieve claims, so a RESTful technical profile cannot be used. – Daniel Krasnove Apr 02 '21 at 22:44
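The normalisation the answer's intermediary API would have to apply, as an added example that is not code from the question, the answer or Microsoft: whatever claim set the API obtains from the IdP (how it obtains it is assumed, the page only says "fetch the value from the IdP"), the single-value and multi-value shapes quoted in the question are both folded into an array before going back to B2C, and anything that is neither is rejected. The claim names in MULTI_VALUED_CLAIMS and the B2C error body shape are assumptions.

```python
from __future__ import annotations
import json
from typing import Any

# Claims the IdP may emit as either a scalar or an array. Assumed names: the
# question shows "groups" and says names and emails behave the same way.
MULTI_VALUED_CLAIMS = ("groups", "emails")


def as_collection(value: Any) -> list[str]:
    """Normalise an AD FS style claim value to a list of strings.

    One value arrives as "Domain Users", several as ["Domain Users", ...].
    Anything else (numbers, objects, nested arrays, non-string members) is
    rejected rather than coerced, so a malformed claim cannot quietly turn
    into a group membership.
    """
    if isinstance(value, str):
        return [value]
    if isinstance(value, list) and all(isinstance(v, str) for v in value):
        return list(dict.fromkeys(value))  # drop duplicates, keep order
    raise TypeError(f"unsupported claim value of type {type(value).__name__}")


def build_b2c_response(idp_claims: dict[str, Any]) -> tuple[int, dict[str, Any]]:
    """Return the (HTTP status, JSON body) the intermediary API gives B2C.

    idp_claims is whatever the API obtained from the IdP (how is outside this
    example). Output claims go back as a flat JSON object; the error shape
    (version/status/userMessage) is B2C's REST API validation-error format.
    """
    out: dict[str, Any] = {}
    for name in MULTI_VALUED_CLAIMS:
        if name not in idp_claims:
            out[name] = []  # absent claim still goes back as an (empty) array
            continue
        try:
            out[name] = as_collection(idp_claims[name])
        except TypeError as exc:
            return 409, {"version": "1.0.0", "status": 409,
                         "userMessage": f"Claim '{name}' rejected: {exc}"}
    return 200, out


if __name__ == "__main__":
    # Constructed samples mirroring the two shapes quoted in the question.
    for raw in ('{"groups": "Domain Users"}',
                '{"groups": ["Domain Users", "US Users", "Administrators"]}'):
        print(build_b2c_response(json.loads(raw)))
```

Because the API, not the IdP technical profile, owns the output claim, B2C's stringCollection type check is satisfied on every sign-in regardless of how many groups the user holds.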