
I am attempting to auto-link a social provider login to an existing local account. I'm using the auto-linking sample, but doing so having replaced the sample Facebook ClaimsProviders/etc with ones for Google. Using my version of B2C_1A_ACCOUNTLINK_SUSI, I can create and log in to a local account successfully. I can also add the user successfully with Google (if I delete the user beforehand - no linking). So, I know that these both work individually.

Yet, when I create the local account and attempt to login using Google as the idp and link that, I get an error that there are no suitable claims providers found.

Has anyone tried this auto-linking sample with Google and seen any tweaks I may need to Input/Output claims or other? I have made several over the course of a couple of weekends trying to get this to work. AppInsights shows that it happens in AAD-FindLocalAccountWithSocialEmail (AzureActiveDirectoryProvider) and the exception is: No suitable claims providers were found.

Any suggestions appreciated. I can post my Google ClaimsProvider blocks if that would help diagnose.

r2musings

4 Answers


Probably because the IdP was not enabled using the issuers collection.

In all your Google IdP technical profiles, make sure to have:

  <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="google.com" AlwaysUseDefaultValue="true" />

In Google-OAUTH-Link technical profile, make sure to have this:

<Metadata>
  <Item Key="ClaimTypeOnWhichToEnable">currentIssuers</Item>
  <Item Key="ClaimValueOnWhichToEnable">google.com</Item>
</Metadata> 
<!--snip-->
<OutputClaimsTransformations>
  <OutputClaimsTransformation ReferenceId="CreateUserIdentityToLink" />
  <OutputClaimsTransformation ReferenceId="AppendUserIdentityToLink" />
</OutputClaimsTransformations>
<EnabledForUserJourneys>OnItemExistenceInStringCollectionClaim</EnabledForUserJourneys>

In the HandleLinkLocalToSocial subjourney, make sure to add Google IdP in the linking steps:

        <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.idpselections">
<!--snip preconditions-->
          <ClaimsProviderSelections DisplayOption="ShowSingleProvider">
            <ClaimsProviderSelection TargetClaimsExchangeId="LinkGoogleExchange1"/>
          </ClaimsProviderSelections>
        </OrchestrationStep>

        <OrchestrationStep Order="2" Type="ClaimsExchange">
<!--snip preconditions-->
          <ClaimsExchanges>
            <ClaimsExchange Id="LinkGoogleExchange1" TechnicalProfileReferenceId="Google-OAUTH-Link"/>
          </ClaimsExchanges>
        </OrchestrationStep>

        <OrchestrationStep Order="3" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
<!--snip preconditions-->
          <ClaimsProviderSelections DisplayOption="ShowSingleProvider">
            <ClaimsProviderSelection TargetClaimsExchangeId="LinkGoogleExchange2"/>
          </ClaimsProviderSelections>
        </OrchestrationStep>

        <OrchestrationStep Order="4" Type="ClaimsExchange">
<!--snip preconditions-->
          <ClaimsExchanges>
            <ClaimsExchange Id="LinkGoogleExchange2" TechnicalProfileReferenceId="Google-OAUTH-Link"/>
          </ClaimsExchanges>
        </OrchestrationStep>

Jas Suri - MSFT
  • Thanks for the help. The only thing I was missing from the above was the OutputClaim for identityProvider in my Google-OAuth-Link. I updated and tested and still getting same error. – r2musings Jan 18 '22 at 16:39
  • If you can post your policies to github, and link them, then we can take a look. – Jas Suri - MSFT Jan 18 '22 at 16:47
  • https://github.com/r2musings/r2b2caccountlinkgoogle – r2musings Jan 18 '22 at 21:25
  • One thing to note was that I had this error earlier and wasn't sure if it wanted AAD client_id or Google client_id. I tried both, but wasn't sure why it was needed there anyway and the sample didn't have it. ERROR: A required Metadata item with key "ClientId" was not found in the TechnicalProfile with id "AAD-FindLocalAccountWithSocialEmail" in policy "B2C_1A_AccountLink_SUSI" – r2musings Jan 18 '22 at 21:45
  • That is because you have not enabled your policy for extension attributes. Use the tool https://aka.ms/iefsetup to setup the environment fully. Otherwise see this [article](https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-flow-custom-attributes?pivots=b2c-custom-policy). – Jas Suri - MSFT Jan 18 '22 at 22:44
  • I tried that several weeks ago when I started down the IEF process and it failed with 404 every time. So, I followed that article (weeks ago) and thought I had it setup correctly since I can login with create with local and social, but just not link them. – r2musings Jan 19 '22 at 01:06
  • The 404 that iefsetup returns has a base64-encoded msg that is this (decoded): AADSTS500202: User account '{EmailHidden}' from external identity provider 'live.com' is not supported for API version '2.0'. Microsoft account pass-thru users and guests are not supported by the tenant-independent endpoint. – r2musings Jan 19 '22 at 01:07
  • "That is because you have not enabled your policy for extension attributes." - were you saying this is the reason for my original issue with No Suitable ClaimsProvider? – r2musings Jan 19 '22 at 01:10
  • It's possible. If you [use VSCode extension to parse B2C app insights logs](https://learn.microsoft.com/en-us/azure/active-directory-b2c/troubleshoot-with-application-insights?pivots=b2c-custom-policy#see-the-logs-in-vs-code-extension), it will be much easier to see what step the issue occurs, and also the status of the claimbag to help debug how the subjourney is executing. – Jas Suri - MSFT Jan 19 '22 at 08:50
  • Create a new account in your B2C tenant, somebody@contoso.onmicrosoft.com, and use that to run the setup tool. The tool states `Make sure to sign in with an Azure AD Work Or School account residing in the directory with Global Admin rights to the B2C tenant.` – Jas Suri - MSFT Jan 19 '22 at 08:51
  • Thanks. I have been using VSCode Extension with AppInsights already and it is helpful, but I still couldn't get things working hence the reason I posted here originally. I will try to run the setup without my live account. – r2musings Jan 19 '22 at 10:54
  • The IEFSetup ran. However, clicking the first link to register ProxyIdentityExperienceFramework just hangs and never completes. I tried several times including in Incognito. The B2C_1A_AccountLink_SUSI still fails with the No Suitable Claims Providers error. – r2musings Jan 19 '22 at 13:00
  • I appreciate your sticking with me, but I have to tell you my entire experience with IEF has been just terrible. The developer experience is just awful IMO. I do appreciate all of the docs and samples, but the experience is painful regardless. I have been using Azure b2c for multiple years, have done projects for clients with many non-IEF UserJourneys, and I have even done talks at Atlanta and Knoxville Azure User groups on b2c so I don't come at this as a novice. Yet, I have killed several weekends and countless hours JUST trying to get this linking working. There has to be a better way. – r2musings Jan 19 '22 at 13:05
  • I'm having exactly the same problem. I have SignUpOrSignIn working just fine within the SocialAndLocalAccounts Policies with local, Microsoft, Facebook and Google IdPs. I am unable to get Twitter working, but that is another issue. I have the VSCode extensions enabled, and I configured my policy for extension attributes. I have a local account created, but when I try to link with Microsoft or Facebook (the only ones configured in linking) I get the "No suitable claims providers" error. My code is almost completely from the sample code, so it does seem like the sample code is wrong. – Joel Wehr Jun 10 '22 at 00:02
  • I suggest making a new post with exact setup, steps to reproduce the problem, error faced/observed, sample used, and a link to your policy files. – Jas Suri - MSFT Jun 10 '22 at 01:05
  • @JoelWehr any progress on the Twitter issue? The following link might help: https://github.com/azure-ad-b2c/samples/issues/443 – basquiatraphaeu Sep 14 '22 at 18:48

Had the same error using the auto-linking sample code. Check the output claims section of the technical profile AAD-FindLocalAccountWithSocialEmail. The claim currentUserIdentities is read from the directory there and is the input for the ExtractCurrentIssuers output claims transformation of this TP (which populates the currentIssuers claim and puts it into the claims bag). The problem seems to be a wrong PartnerClaimType value.

Try

<OutputClaim ClaimTypeReferenceId="currentUserIdentities" PartnerClaimType="identities"/>

instead of

<OutputClaim ClaimTypeReferenceId="currentUserIdentities" PartnerClaimType="userIdentities"/>

If the PartnerClaimType is wrong the result is empty and an empty currentIssuers string collection leads to the error (in Google-OAUTH-Link TP) you described. Would be nice if App-Insights could show the values of claims collections.

assitopia

I have the same problem relating to the auto-account-linking sample. In my case I only fixed it by adding an output claim in the AAD-FindLocalAccountWithSocialEmail technical profile. Hopefully this can help others.

<OutputClaims>
  <!-- snip -->
  <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
</OutputClaims>

Bahtyar

The issue is due to the hasPassword extension property. It doesn't exist by default for existing local B2C user profiles. Add true for that property to the B2C user account, and it will start working. You will have to use the Graph API to add the value, so basically a PATCH to the user endpoint:

PATCH /v1.0/users/83bda93c-f782-431c-b969-12b5304c0668 HTTP/1.1
Host: graph.microsoft.com
Content-Type: application/json
Authorization: Bearer eyJ0...

{
    "extension_83a963aa6ce74511923b85511f0f8dc7_haspassword" : true
}

See here for full discussion: https://bytemeta.vip/repo/azure-ad-b2c/samples/issues/430

Jussi Palo
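The mechanism behind the second and fourth answers, as an added example (not code from the question, the answers or the B2C sample): the collection AAD-FindLocalAccountWithSocialEmail reads via PartnerClaimType is reduced to issuer strings, a link technical profile is enabled under OnItemExistenceInStringCollectionClaim only if its ClaimValueOnWhichToEnable appears in that collection, and the hasPassword fix is a Graph PATCH on an extension attribute. The function names, the sample user object and the dashed form of the extensions app id are assumptions made here.

```python
import json

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample: a Graph user object with a local (email) identity and a
# linked Google identity. Graph exposes these under the attribute "identities".
SAMPLE_USER = {
    "id": "00000000-0000-0000-0000-000000000000",
    "identities": [
        {"signInType": "emailAddress", "issuer": "contoso.onmicrosoft.com",
         "issuerAssignedId": "alice@example.com"},
        {"signInType": "federated", "issuer": "google.com",
         "issuerAssignedId": "1234567890"},
    ],
}

# Link technical profiles and their ClaimValueOnWhichToEnable, as in the policy above.
LINK_PROFILES = {"Google-OAUTH-Link": "google.com", "Facebook-OAUTH-Link": "facebook.com"}


def current_issuers(user, partner_claim_type="identities"):
    """What AAD-FindLocalAccountWithSocialEmail reads through PartnerClaimType, reduced
    to issuer strings (the currentIssuers collection ExtractCurrentIssuers produces).
    A PartnerClaimType the directory does not know yields an empty collection."""
    return [i["issuer"] for i in (user.get(partner_claim_type) or []) if "issuer" in i]


def enabled_link_profiles(issuers, link_profiles=LINK_PROFILES):
    """OnItemExistenceInStringCollectionClaim: a link profile is enabled only when its
    ClaimValueOnWhichToEnable is present in currentIssuers. An empty result is the
    'No suitable claims providers were found' condition from the question."""
    return [tp for tp, issuer in link_profiles.items() if issuer in issuers]


def extension_attribute(extensions_app_id, name):
    """Graph name of a B2C custom attribute: 'extension_', the b2c-extensions-app
    application id without dashes, '_', then the attribute name."""
    return f"extension_{extensions_app_id.replace('-', '')}_{name}"


def has_password_patch(user_id, extensions_app_id, token):
    """Build the PATCH from the last answer that sets hasPassword to true."""
    return {
        "method": "PATCH",
        "url": f"{GRAPH}/users/{user_id}",
        "headers": {"Content-Type": "application/json",
                    "Authorization": f"Bearer {token}"},
        "body": json.dumps({extension_attribute(extensions_app_id, "haspassword"): True}),
    }
```

Running `enabled_link_profiles(current_issuers(SAMPLE_USER, "userIdentities"))` returns an empty list, while the same call with `"identities"` returns `["Google-OAUTH-Link"]`, which is the difference the second answer describes.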