ADB2C Social Log in - what is the difference between alternateSecurityId and userIdentity?

Question

I'm just getting confused bec I have seen examples of using alternativeSecurityIds and others using userIdentities? Are they one and the same?

Also, I want to update my azure ad multi-tenant federation using userIdentity instead of alternativeUserId, can I use any name for the issuer or does it need to take the value of PartnerClaimType="iss" like below?

<OutputClaim ClaimTypeReferenceId="issuer" PartnerClaimType="iss" />

rbrayb · Accepted Answer · 2022-03-03T19:30:53.093

The underlying Identity structure is the same.

Yes, I agree - very confusing.

The samples refer to userIdentities but the documentation still refers to alternativeSecurityId.

The feedback I have got is that userIdentities are the way to go.

Update

<ClaimsTransformation Id="CreateAlternativeSecurityId" TransformationMethod="CreateAlternativeSecurityId">
    <InputClaims>
        <InputClaim ClaimTypeReferenceId="issuerUserId" TransformationClaimType="key"/>
        <InputClaim ClaimTypeReferenceId="identityProvider" TransformationClaimType="identityProvider"/>
    </InputClaims>
    <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="alternativeSecurityId" TransformationClaimType="alternativeSecurityId"/>
    </OutputClaims>
</ClaimsTransformation>

As you can see from above, that is how the identities are stored.

The post you linked to shows:

<OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />

So if you change it, it won't match an entry in the table.

Thanks! I appreciate the response. I updated my post, by any chance do you know the answer to my issuer question? — Sdiego, Mar 03 '22 at 04:46
Issuer can use any value. It just must never change. The sample maps it from the iss claim incoming from AAD. — Jas Suri - MSFT, Mar 04 '22 at 01:00

ADB2C Social Log in - what is the difference between alternateSecurityId and userIdentity?

1 Answers1