
I've registered a SAML application using the MS reference: https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-custom-policy

My SignUpOrSignin.xml has the OutputClaim tags to return the email attribute value in the SAML response, but I'm getting all of the other attribute values except the user account email in the SAML response. I've confirmed that the user account has a valid email value in Azure AD B2C. Not sure what I am missing here. Do I need to configure any other setting to get the email attribute value in the SAML response, please?


Rajeesh Menoth
Karikalan
  • How have you confirmed that the user account has a valid email value in AAD B2C? Are you reading the attribute via any technical profile in your user journey? – Jas Suri - MSFT Jul 24 '21 at 16:08
  • Thanks Jas. 1. How have you confirmed that the user account has a valid email value in AAD B2C? Ans: Yes, it's a valid gmail-id. 2. Are you reading the attribute via any technical profile in your user journey? Ans: You're right, TrustFrameworkBase.xml -> TechnicalProfile Id = Login-NonInteractive OutputClaims does not have the email attribute. However, even after updating this to include the email OutputClaim, I'm still not getting this attribute in the SAML response. Any sample pack of custom policies for reference would be helpful, please. Thanks. – Karikalan Jul 24 '21 at 18:15

1 Answer

Add the OutputClaim in AAD-UserReadUsingObjectId.

<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="ATTRIBUTE_NAME" />

Usually the email is stored in the attribute: signInNames.emailAddress.

Jas Suri - MSFT
  • Thanks Jas Suri, even after updating the settings below, I'm unable to get the email attribute in the response. In my SignUpOrSignin.xml -> Also TrustFrameworkBase.xml -> -> and -> as well. – Karikalan Jul 24 '21 at 19:26
  • You've mapped it incorrectly. You're putting the value of "signInNames" into the claim "email", then outputting "signInNames" to the token (relying party section), which is null. In the relyingParty section, use the OutputClaim "email", not signInNames. – Jas Suri - MSFT Jul 24 '21 at 20:07
  • Thanks Jas Suri, I've tried with this relyingParty setting, still no luck. I was wondering if there is anything else I am missing here? Or any sample pack with the email-id attribute would be very helpful, please? Thanks again. – Karikalan Jul 24 '21 at 20:46
  • The pattern is always the same. Identify the attribute the claim is persisted to, output it in the Read technical profile and the Relying party section. – Jas Suri - MSFT Jul 24 '21 at 23:19
  • Thanks Jas Suri, I just noticed that when I set some default value in the SignUpOrSignin.xml RelyingParty OutputClaim, I can see that it returns the default value in the SAML response; otherwise there is no SAML response attribute at all. Can you please suggest where it reads this from? – Karikalan Jul 25 '21 at 08:09
  • I'm able to get the expected SAML email attribute in the response and authentication is successful by referring to the forum threads below. Thanks Jas Suri. https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/issues/24 https://stackoverflow.com/questions/47145452/return-emails-on-custom-policies – Karikalan Jul 25 '21 at 17:51
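The two policy fragments below are an added example of the pattern the answer describes (read the persisted directory attribute into the "email" claim, then emit "email" from the relying party); they are not from the original question, the answer, or the Microsoft starter pack. The tenant name "contoso", the policy Id B2C_1A_signup_signin_saml, the SAML attribute name chosen for the email, and the assumption that users are local accounts whose sign-in name is the email address (persisted in signInNames.emailAddress) are placeholders for illustration.

```xml
<!-- Added example, not code from the original post or from the Microsoft starter pack.
     Assumed placeholders: tenant "contoso", policy Id B2C_1A_signup_signin_saml,
     local accounts whose sign-in name is the email (signInNames.emailAddress). -->

<!-- 1. TrustFrameworkExtensions.xml: override AAD-UserReadUsingObjectId so the read
        profile populates the "email" claim from the directory attribute. B2C merges
        this with the base profile of the same Id, so only the added claim is listed.
        ClaimTypeReferenceId is the policy claim; PartnerClaimType is the directory
        attribute the value is read from. -->
<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Azure Active Directory</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="AAD-UserReadUsingObjectId">
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" />
        </OutputClaims>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>

<!-- 2. SignUpOrSignin.xml: the relying party emits the "email" claim (not
        signInNames.emailAddress, which is what the comment above warns against).
        PartnerClaimType sets the SAML Attribute Name the service provider sees; the
        WS-Fed emailaddress URI used here is an assumed choice, use whatever the SP
        expects. No DefaultValue is set on "email", so an empty attribute cannot mask a
        read profile that never populated the claim. -->
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="SAML2" />
    <Metadata>
      <Item Key="IssuerUri">https://contoso.b2clogin.com/contoso.onmicrosoft.com/B2C_1A_signup_signin_saml</Item>
    </Metadata>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="displayName" />
      <OutputClaim ClaimTypeReferenceId="givenName" />
      <OutputClaim ClaimTypeReferenceId="surname" />
      <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="objectId" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="objectId" ExcludeAsClaim="true" />
  </TechnicalProfile>
</RelyingParty>
```

Two checks worth doing after uploading the policies: run the journey with Application Insights tracing enabled and confirm that the AAD-UserReadUsingObjectId step actually returns a value for "email"; and decode the SAMLResponse to confirm the AttributeStatement carries the attribute with a non-empty AttributeValue. As the comment thread notes, a DefaultValue on the relying-party OutputClaim will produce an attribute even when the read profile returned nothing, so a populated attribute is only meaningful when no DefaultValue is set. If the tenant also has social accounts, their email is not in signInNames.emailAddress and needs its own mapping; this example covers local accounts only.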