0

I have been slowly working through a custom policy to handle a JIT migration of an external IDP users to Azure B2C. It has been a long journey because there are many complexities in sorting out the components and the configuration steps using XML is a bit of a challenge. I am making some progress.

The basic use case is this: At sign in, the user/password is first checked against the B2C AD and if the user already exists just continue to sign in. If the user isn't in B2C AD, then check the external IDP with a REST call. I planned the response from the external IDP to be used in a binary way: If I get a 200 response, then add the user to B2C AD. If an error is returned then the user will be told to create an account.

I started with a couple of samples from a JIT Migration that I found. I had some difficulty navigating all the components with the social media logins, etc that I then reverted back to the "Local Accounts" sample found in the custom policy starterpack. I got the basic steps to work with no modification. I then added the technical profiles for the REST calls to the extensions file. I used the extension from one of the JIT migration samples and at least got the uploads to work. I am able to present a login prompt.

These are the scenarios and responses I see: 1) A user that I know is in B2C returns an error of "Unable to validate the information provided." 2) A user that I know is in the external IDP but not in B2C returns "We can't seem to find your account". 3) If I try a completely made up account that exists in neither, I see "The claims exchange 'REST-UserMigration-LocalAccount-SignIn' specified in step '1' returned HTTP error response with Code 'BadRequest' and Reason ''. "

So the question/struggle is how do I best sort out what is failing in each step. I have added app insights to the environment. I do see the traces in VS Code. But what should I look for? Here is the short responses ("Exceptions") for each of the errors listed above:

Scenario 1: The claim type "signInNames.emailAddress", designated as the identifier claim type, could not be found in the claims collection for the claims principal in tenant id "B2C_1A_JITMigration_signup_signin"

Scenario 2: A user with the specified credential could not be found.

Scenario 3: ErrorCodes: AADB2C90075

Rather than post of the code, here is the link to what I copied: https://github.com/azure-ad-b2c/user-migration/blob/master/jit-migration-v2/policy/TrustFrameworkExtensions.xml I can post up my exact code but basically I changed the tenant and the REST call. The Technical profile for the REST call snippet is:

        <InputClaims>
        <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="username"/>
        <InputClaim ClaimTypeReferenceId="password" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="needToMigrate" />
        <OutputClaim ClaimTypeReferenceId="email" />
        <OutputClaim ClaimTypeReferenceId="newPassword" />
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="givenName" />
        <OutputClaim ClaimTypeReferenceId="surname" />
      </OutputClaims>          
        <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
      </TechnicalProfile>

The input claims are fine but I am not sure how to modify the output claims. The REST API returns a single value of an authentication token which I don't need but is an indication that the authentication succeeded. It returns an error if the authentication fails. Basically an HTTP 200 is good, an HTTP 400 means the user doesn't exist. The goal is to use that API call as a binary indicator to either migrate or not migrate the user. Perhaps I cannot use the API in that way.

My hope is to solve each scenario step by step. Figure out why the scenario 1 doesn't work although the credential are correct. Then figure out why scenario 2 is correctly identifying that the user isn't found but wasn't automatically migrated. Finally, to figure out how to manage the 400 error returned by the API when the user doesn't exist in the external IDP.

I might need to tweak the user journeys or orchestration steps? Taking baby steps here.

Thanks

Pete Helgren
  • 438
  • 1
  • 7
  • 21
  • You need to share your policy files (there is nothing sensitive in these except your REST API endpoint). The first error is because one of the validation tech profiles fails to run properly in your Sign In technical profile. – Jas Suri - MSFT Apr 26 '21 at 11:56
  • Thanks. Yes, I discovered yesterday that I was missing the ProxyIdentityExperienceFramework App Id and the IdentityExperienceFramework App Id. Further I had incorrectly created the B2C_1A_TokenSigningKeyContainer and the B2C_1A_TokenEncryptionKeyContainer policy keys. I had failed to specify the key type as RSA. Fixed that and scenario #1 was fixed. Where do I add the policy files? Looks like comments are limited to a small number of characters. Edit the original question? – Pete Helgren Apr 26 '21 at 15:30
  • My tool https://aka.ms/iefsetup creates all those things for you automatically. You could host them online and share a link. – Jas Suri - MSFT Apr 28 '21 at 00:56
  • Thanks Jas. I was finally able to get it all to work the way I expected. There were so many learning steps that I ended up tackling them one by one. The two key takeaways are: Really understanding the ValidationTechnicalProfile and how they are used AND understanding how claims are used through the policy. Step by step was the only way and app insights was very helpful. – Pete Helgren Apr 29 '21 at 22:20

0 Answers0