
I am attempting to call a RESTful technical profile by using ValidationTechnicalProfile. I have checked application insights and I can see the OutputClaimsTransformations happening, but it skips over the ValidationTechnicalProfile and continues on with the next step. I have tried adding the RESTful technical profile as an Orchestration Step, and that works without any issues.

Can anyone see what I am doing wrong?

SignInWithIdProvider.xml

<TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0" TenantId="__TenantId__" PolicyId="B2C_1A_SignInWithIdProvider" PublicPolicyUri="http://__TenantId__/B2C_1A_signin_idprovider">
    <BasePolicy>
        <TenantId>__TenantId__</TenantId>
        <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
    </BasePolicy>
    <RelyingParty>
        <DefaultUserJourney ReferenceId="SignInWithIdProvider"/>
        <UserJourneyBehaviors>
            <SingleSignOn Scope="Policy"/>
            <SessionExpiryType>Rolling</SessionExpiryType>
            <SessionExpiryInSeconds>1800</SessionExpiryInSeconds>
            <JourneyFraming Enabled="true" Sources="__JourneyFramingSource__"/>
            <ScriptExecution>Allow</ScriptExecution>
        </UserJourneyBehaviors>
        <TechnicalProfile Id="PolicyProfile">
            <DisplayName>PolicyProfile</DisplayName>
            <Protocol Name="OpenIdConnect"/>
            <OutputClaims>
                <OutputClaim ClaimTypeReferenceId="sessionId" PartnerClaimType="sid"/>
                <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
                <OutputClaim ClaimTypeReferenceId="securityLevel" PartnerClaimType="acr"/>
                <OutputClaim ClaimTypeReferenceId="personalIdentificationNumber" PartnerClaimType="pid"/>
                <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email"/>
            </OutputClaims>
            <SubjectNamingInfo ClaimType="sub"/>
        </TechnicalProfile>
    </RelyingParty>
</TrustFrameworkPolicy>

Snippet from TrustFrameworkExtensions.xml

<ClaimsProvider>
    <Domain>Signin</Domain>
    <DisplayName>Signin using provider</DisplayName>
    <TechnicalProfiles>
        <TechnicalProfile Id="OIDC-SignIn">
            <DisplayName>Sign-in</DisplayName>
            <Description>Login with provider</Description>
            <Protocol Name="OpenIdConnect"/>
            <Metadata>
                <Item Key="METADATA">__WellKnown__</Item>
                <Item Key="client_id">__SignInClientId__</Item>
                <Item Key="response_types">code</Item>
                <Item Key="scope">id profile</Item>
                <Item Key="response_mode">form_post</Item>
                <Item Key="HttpBinding">POST</Item>
                <Item Key="UsePolicyInRedirectUri">false</Item>
                <Item Key="SingleLogoutEnabled">false</Item>
            </Metadata>
            <CryptographicKeys>
                <Key Id="client_secret" StorageReferenceId="__SignInSecret__"/>
            </CryptographicKeys>
            <InputClaims>
                <InputClaim ClaimTypeReferenceId="ui_locales" DefaultValue="{Culture:RFC5646}"/>
            </InputClaims>
            <OutputClaims>
                <OutputClaim ClaimTypeReferenceId="sessionId" PartnerClaimType="sid"/>
                <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub"/>
                <OutputClaim ClaimTypeReferenceId="securityLevel" PartnerClaimType="acr"/>
                <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true"/>
                <OutputClaim ClaimTypeReferenceId="personalIdentificationNumber" PartnerClaimType="pid"/>
                <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss"/>
            </OutputClaims>
            <OutputClaimsTransformations>
                <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
                <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
                <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
                <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
            </OutputClaimsTransformations>
            <ValidationTechnicalProfiles>
                <ValidationTechnicalProfile ReferenceId="REST-PostNewSession" ContinueOnError="true"/>
            </ValidationTechnicalProfiles>
            <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin"/>
        </TechnicalProfile>
    </TechnicalProfiles>
</ClaimsProvider>

<ClaimsProvider>
    <DisplayName>REST APIs</DisplayName>
    <TechnicalProfiles>
        <TechnicalProfile Id="REST-PostNewSession">
            <DisplayName>Post new session</DisplayName>
            <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
            <Metadata>
                <Item Key="ServiceUrl">https://some.apim.url/post-method</Item>
                <Item Key="SendClaimsIn">Body</Item>
                <Item Key="AuthenticationType">Basic</Item>
            </Metadata>
            <CryptographicKeys>
                <Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_UserName"/>
                <Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_Password"/>
            </CryptographicKeys>
            <InputClaims>
                <InputClaim ClaimTypeReferenceId="sessionId"/>
            </InputClaims>
            <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/>
        </TechnicalProfile>
    </TechnicalProfiles>
</ClaimsProvider>

<UserJourneys>
    <UserJourney Id="SignInWithIdProvider">
        <OrchestrationSteps>
            <OrchestrationStep Order="1" Type="ClaimsExchange">
                <Preconditions>
                    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
                        <Value>objectId</Value>
                        <Action>SkipThisOrchestrationStep</Action>
                    </Precondition>
                </Preconditions>
                <ClaimsExchanges>
                    <ClaimsExchange Id="idSignInExchange" TechnicalProfileReferenceId="OIDC-SignIn"/>
                </ClaimsExchanges>
            </OrchestrationStep>
            <OrchestrationStep Order="2" Type="ClaimsExchange">
                <Preconditions>
                    <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
                        <Value>authenticationSource</Value>
                        <Value>localAccountAuthentication</Value>
                        <Action>SkipThisOrchestrationStep</Action>
                    </Precondition>
                </Preconditions>
                <ClaimsExchanges>
                    <ClaimsExchange Id="AlternativeSecurityId" TechnicalProfileReferenceId="AlternativeSecurityId-NoError"/>
                </ClaimsExchanges>
            </OrchestrationStep>
        </OrchestrationSteps>
    </UserJourney>
</UserJourneys>
inhk

1 Answer


Validation technical profiles only work from selfAsserted technical profiles.

Only self-asserted technical profiles can use validation technical profiles. If you need to validate the output claims from non-self-asserted technical profiles, consider using an additional orchestration step in your user journey to accommodate the technical profile in charge of the validation.

https://learn.microsoft.com/en-us/azure/active-directory-b2c/validation-technical-profile

Adding it as an orchestration step would work.

Jas Suri - MSFT
  • Thank you, that explains why it didn't work :) Do you know if it's possible to add an "empty" selfAsserted technical profile that only exists to validate the RESTful technical profile? Adding the RESTful technical profile directly to the user journey works, but we want to use the ContinueOnError="true" feature. – inhk May 13 '22 at 12:14
  • You can, but to display a selfAsserted TP, it must have at least one field (output claim) to obtain from user entry. Which means a page will get displayed, and then you'll need to use JS to submit it after page load, which will then execute your VTP. The UX may be compromised. – Jas Suri - MSFT May 13 '22 at 17:31
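Both routes discussed above, written out as an added example that is not part of the original question or answer: Option A calls REST-PostNewSession from its own orchestration step, as the answer recommends (an orchestration step has no ContinueOnError, so a REST failure fails the journey); Option B wraps the REST profile in a self-asserted profile, the only kind that runs ValidationTechnicalProfiles, so ContinueOnError="true" takes effect. Assumed: the sessionId ClaimType is declared with a UserInputType so it renders as a field, and the starter-pack content definition api.selfasserted exists in the policy; the page auto-submit JavaScript mentioned in the comments is not shown.

```xml
<!-- Option A: REST profile as its own orchestration step.
     Insert after the OIDC-SignIn step and renumber the steps that follow. -->
<OrchestrationStep Order="2" Type="ClaimsExchange">
  <Preconditions>
    <!-- nothing to post if the identity provider returned no sid -->
    <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
      <Value>sessionId</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="PostNewSessionExchange" TechnicalProfileReferenceId="REST-PostNewSession"/>
  </ClaimsExchanges>
</OrchestrationStep>

<!-- Option B: self-asserted wrapper so the VTP (and ContinueOnError) is honoured.
     Add to a ClaimsProvider in TrustFrameworkExtensions.xml and call it from an
     orchestration step exactly like Option A, with TechnicalProfileReferenceId
     set to SelfAsserted-PostNewSession. -->
<TechnicalProfile Id="SelfAsserted-PostNewSession">
  <DisplayName>Register session</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
  <Metadata>
    <!-- api.selfasserted: assumed to be the starter-pack content definition -->
    <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
    <Item Key="setting.showCancelButton">false</Item>
  </Metadata>
  <InputClaims>
    <!-- pre-fill the field with the sid already in the claims bag -->
    <InputClaim ClaimTypeReferenceId="sessionId"/>
  </InputClaims>
  <OutputClaims>
    <!-- one output claim satisfies the "at least one field" requirement;
         assumed: its ClaimType carries a UserInputType so a field is rendered -->
    <OutputClaim ClaimTypeReferenceId="sessionId"/>
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <!-- runs on submit; a failing REST call no longer aborts the journey -->
    <ValidationTechnicalProfile ReferenceId="REST-PostNewSession" ContinueOnError="true"/>
  </ValidationTechnicalProfiles>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/>
</TechnicalProfile>
```

With Option B a page is still rendered, so the ScriptExecution element already set to Allow in the relying-party policy is what permits the auto-submit script the comments describe.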