
We are allowing external Azure AD users to sign up and log in to our application via a custom policy. The shell user that is being created in our adb2c directory does not get the UPN that I want in the user profile (screenshot below). I want the UPN to be the value of the federated_upn claim, which is numero1@notecorp111.onmicrosoft.com, but it is setting the UPN to the value of the email claim, which is correo1@notecorp111.onmicrosoft.com. Can you let me know what I'm doing wrong? Thanks!

claims:
alternativeSecurityId: <Guid>
userPrincipalName: cpim_<guid>@tenantname.onmicrosoft.com
email: correo1@notecorp111.onmicrosoft.com
federated_upn: numero1@notecorp111.onmicrosoft.com

Technical Profile:

    <TechnicalProfile Id="AAD-UserWriteUsingAlternativeSecurityId">
      <Metadata>
        <Item Key="Operation">Write</Item>
        <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">true</Item>
        <Item Key="UserMessageIfClaimsPrincipalAlreadyExists">You are already registered, please press the back button and sign in instead.</Item>
      </Metadata>
      <IncludeInSso>false</IncludeInSso>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="AlternativeSecurityId" PartnerClaimType="alternativeSecurityId" Required="true" />
      </InputClaims>
      <PersistedClaims>
        <!-- Required claims -->
        <PersistedClaim ClaimTypeReferenceId="alternativeSecurityId" />
        <PersistedClaim ClaimTypeReferenceId="userPrincipalName" />
        <PersistedClaim ClaimTypeReferenceId="mailNickName" DefaultValue="unknown" />
        <PersistedClaim ClaimTypeReferenceId="displayName" DefaultValue="unknown" />
        <PersistedClaim ClaimTypeReferenceId="email"  PartnerClaimType="mail" /> 
        <PersistedClaim ClaimTypeReferenceId="federated_upn" PartnerClaimType="signInNames.emailAddress" />
      </PersistedClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" />
        <OutputClaim ClaimTypeReferenceId="newUser" PartnerClaimType="newClaimsPrincipalCreated" />
      </OutputClaims>
      <IncludeTechnicalProfile ReferenceId="AAD-Common" />
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
    </TechnicalProfile>


    <TechnicalProfile Id="AADCommon-OpenIdConnect">
      <DisplayName>Multi-Tenant AAD</DisplayName>
      <Description>Login with your Contoso account</Description>
      <Protocol Name="OpenIdConnect"/>
      <Metadata>
        <Item Key="METADATA">https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration</Item>
        <Item Key="client_id">xxxxxxxxxx</Item>
        <Item Key="response_types">code</Item>
        <Item Key="scope">openid profile email</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
        <Item Key="DiscoverMetadataByTokenIssuer">true</Item>
        <Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_XXXXX"/>
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid"/>
        <OutputClaim ClaimTypeReferenceId="federated_upn" PartnerClaimType="upn"/>
        <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="upn"/>
        <OutputClaim ClaimTypeReferenceId="email" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
        <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
        <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin"/>
    </TechnicalProfile>

Screenshot of the user profile: [image: adb2c user profile]

Sdiego
  • When creating the alternativeSecurityId through the outputClaimsTransform of your federated IdP technical profile, pass the `federated_upn` into that claimsTransform instead of the issuerUserId. However, this will mean that if the user's email changes at the federated IdP, they will lose access to this account. This issuerUserId is taking precedence over signInNames.emailAddress (which is an issuerUserId for issuerType:emailAddress). – Jas Suri - MSFT Oct 21 '21 at 08:53
  • Thanks for the response, Jas. This scenario is what I was trying to avoid. I want to save the UPN from external AAD as the UPN in my adb2c user shell, and the email under user details as the email in my adb2c user profile. This way, if the email changes, I won't need to change the UPN. I still don't understand how the email claim is getting saved as the UPN right now in adb2c. issuerUserId is a GUID and the claims transformations are not using the email field, so I don't get how it is getting saved as the UPN. Can you clear this up? – Sdiego Oct 21 '21 at 16:14
  • Jas, I updated the post to include the federated IdP technical profile. I also verified that "signInNames.emailAddress": "numero1@notecorp111.onmicrosoft.com", which is the same value as the federated_upn claim, but it is still using the correo1 email as the UPN. – Sdiego Oct 21 '21 at 16:34
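
As an added illustration (not code from the original post or from the B2C starter pack), here is what the change suggested in the first comment looks like: the CreateAlternativeSecurityId transformation referenced from the AADCommon-OpenIdConnect profile, shown once keyed on issuerUserId (the oid, stable for the life of the account) and once keyed on federated_upn. Claim names are the ones from the question; the transformation Ids and the comments are assumptions.

```xml
<!-- Added example, not from the original post. Reference only ONE of these two
     from <OutputClaimsTransformations> in AADCommon-OpenIdConnect; both produce
     the alternativeSecurityId that AAD-UserWriteUsingAlternativeSecurityId
     uses to find or create the shell user. -->

<!-- Variant 1: key = oid. The shell user stays bound to the same federated
     account even if that account's UPN or mail is later changed. -->
<ClaimsTransformation Id="CreateAlternativeSecurityId"
                      TransformationMethod="CreateAlternativeSecurityId">
  <InputClaims>
    <!-- "key" becomes the issuerAssignedId half of the (issuer, issuerAssignedId) pair -->
    <InputClaim ClaimTypeReferenceId="issuerUserId" TransformationClaimType="key" />
    <!-- "identityProvider" becomes the issuer half; here it is the iss value
         mapped to identityProvider in the OIDC profile's output claims -->
    <InputClaim ClaimTypeReferenceId="identityProvider" TransformationClaimType="identityProvider" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="alternativeSecurityId" TransformationClaimType="alternativeSecurityId" />
  </OutputClaims>
</ClaimsTransformation>

<!-- Variant 2: key = federated UPN, as the comment suggests. The shell user is
     now bound to a value the federated tenant's admins can change: if the UPN
     changes, the next sign-in no longer matches and a NEW shell user is
     created, orphaning the old one and anything linked to its objectId. -->
<ClaimsTransformation Id="CreateAlternativeSecurityIdFromUpn"
                      TransformationMethod="CreateAlternativeSecurityId">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="federated_upn" TransformationClaimType="key" />
    <InputClaim ClaimTypeReferenceId="identityProvider" TransformationClaimType="identityProvider" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="alternativeSecurityId" TransformationClaimType="alternativeSecurityId" />
  </OutputClaims>
</ClaimsTransformation>
```

Either way, the userPrincipalName that AAD-UserWriteUsingAlternativeSecurityId persists is still the cpim_<guid> value produced by CreateRandomUPNUserName and CreateUserPrincipalName in the same profile; the key choice above only decides which federated value the shell user is matched on.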

1 Answer


• You should include the "signInType" and "issuerAssignedId" attributes in the technical profile for "AADCommon-OpenIDConnect" in the "Identities" attribute section, wherein the "signInType" attribute will define the type of sign-in to be used for the federated identity, i.e., email address or username.

• And the "issuerAssignedId" attribute specifies the unique identifier assigned to the user by the issuer, wherein for a federated user account it represents a federated account identifier. Also, please check the "issuer" attribute, which represents the issuer of the identity, i.e., the SaaS platform which is federated with Azure AD and whose users log in to Azure AD B2C as shell users, because the combination of "issuer" and "issuerAssignedId" is unique to the tenant and it defines the sign-in identity or UPN of the federated identity to be signed in.

Please find below an example of how to include the above attributes:

    "identities": [
      {
        "signInType": "userName",
        "issuer": "contoso.onmicrosoft.com",
        "issuerAssignedId": "johnsmith"
      },
      {
        "signInType": "emailAddress",
        "issuer": "contoso.onmicrosoft.com",
        "issuerAssignedId": "jsmith@yahoo.com"
      },
      {
        "signInType": "federated",
        "issuer": "facebook.com",
        "issuerAssignedId": "5eecb0cd"
      }
    ]

• Also, the "issuerAssignedId" is a unique value for a given user per application or development account, and it should be used to configure the Azure AD B2C policy with the same Application ID that was previously assigned by the federated SaaS platform within the same account. Once you include the above-mentioned attributes in the technical profile, the "federated_upn" that will be assigned will be shown in the shell user profile, as you have mentioned the provider of the identity and asserted it in the policy to be validated.

Please find the below link for more information:

https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-profile-attributes

Issue with getting UPN on a federated Azure AD B2C sign-up custom policy flow

Kartik Bhiwapurkar