I need help solving a problem. We need to create a custom policy, which we have already created, but we need to read the value of the user's employeeId in Azure AD, so that when the user signs in for the first time, it is registered in B2C with that value. I have attached images to explain it:

Azure AD: (screenshot)

but when I sign in, the user in Azure AD B2C doesn't have the employeeId: (screenshot)

I defined the claim in the custom policy:

<ClaimType Id="extension_employeeid">
  <DisplayName>EmployeeId</DisplayName>
  <DataType>string</DataType>
  <DefaultPartnerClaimTypes>
    <Protocol Name="OAuth2" PartnerClaimType="employeeid" />
    <Protocol Name="OpenIdConnect" PartnerClaimType="employeeid" />
    <Protocol Name="SAML2" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/employeeid" />
  </DefaultPartnerClaimTypes>
  <UserHelpText>Your EmployeeId. </UserHelpText>
  <!--<UserInputType>Readonly</UserInputType>-->
  <UserInputType>TextBox</UserInputType>
</ClaimType>

but the value of employeeId that is returned is empty. How can I fix it?

1 Answer

Please check the user profile attributes in AAD B2C to get the extension attributes for built-in attributes; employeeId is an identifier attribute.

Use PersistedClaims to write data to the user profile (i.e. write data during a federated account first-time sign-in flow) and OutputClaims to read data from the user profile, within the respective Active Directory technical profiles.

In your TrustFrameworkExtensions file:

<!-- Write data during a federated account first-time sign-in flow. -->
<TechnicalProfile Id="AAD-UserWriteUsingAlternativeSecurityId">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="extension_EmployeeId" />
  </InputClaims>
  <PersistedClaims>
    <PersistedClaim ClaimTypeReferenceId="extension_EmployeeId" />
  </PersistedClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="extension_EmployeeId" PartnerClaimType="extn.EmployeeId" Required="true" />
  </OutputClaims>
</TechnicalProfile>
  • Use TechnicalProfile Id="AAD-UserReadUsingObjectId" to read data after the user authenticates with a local account.

If SAML is sending a claim "employeeId", then the mapping is

<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="employeeId" />

Or try a Technical Profile that outputs the claim with PartnerClaimType set to extension_employeeNumber.

Also see Azure AD B2C: Custom claims with custom policies - Microsoft Q&A

  • Make sure to enable extension attributes in the custom policy: provide the Application ID and Application Object ID in the AAD-Common technical profile metadata.

See: application properties

Please note that the claim you set in SignUpOrSignIn will only be returned after your sign-up at that time. The custom attribute won't be stored in Azure AD. Make sure to set the value of the extension in the base policy file.

References:

  1. azure ad b2c - B2C SAML missing claims - Stack Overflow
  2. Reading Extension Claims in Azure AD B2C - Stack Overflow
kavyaS
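To show the pieces the answer lists working together, here is an added example (not the poster's policy or the answer's code) of the TrustFrameworkExtensions fragments for a federated Azure AD sign-in: the claim is read from the IdP token, persisted on first sign-in, and read back afterwards. The IdP technical profile Id `Contoso-AzureAD-OpenIdConnect` and the zeroed GUIDs are placeholders; the claim Id `extension_EmployeeId` is used with identical casing in every reference, since a mismatch such as `extension_employeeid` vs `extension_EmployeeId` leaves the claim empty.

```xml
<!-- TrustFrameworkExtensions.xml fragments (added example, not the poster's policy). -->
<BuildingBlocks>
  <ClaimsSchema>
    <!-- One claim type, referenced by this exact Id everywhere (Ids are case-sensitive). -->
    <ClaimType Id="extension_EmployeeId">
      <DisplayName>Employee ID</DisplayName>
      <DataType>string</DataType>
    </ClaimType>
  </ClaimsSchema>
</BuildingBlocks>
<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Azure AD (federated)</DisplayName>
    <TechnicalProfiles>
      <!-- Hypothetical IdP profile Id; the Azure AD token must carry an "employeeid" claim. -->
      <TechnicalProfile Id="Contoso-AzureAD-OpenIdConnect">
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="extension_EmployeeId" PartnerClaimType="employeeid" />
        </OutputClaims>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
  <ClaimsProvider>
    <DisplayName>Azure Active Directory</DisplayName>
    <TechnicalProfiles>
      <!-- Extension attributes need the b2c-extensions-app ids here (placeholder GUIDs). -->
      <TechnicalProfile Id="AAD-Common">
        <Metadata>
          <Item Key="ClientId">00000000-0000-0000-0000-000000000000</Item>
          <Item Key="ApplicationObjectId">00000000-0000-0000-0000-000000000000</Item>
        </Metadata>
      </TechnicalProfile>

      <!-- First federated sign-in: persist the value into the new B2C account. -->
      <TechnicalProfile Id="AAD-UserWriteUsingAlternativeSecurityId">
        <PersistedClaims>
          <PersistedClaim ClaimTypeReferenceId="extension_EmployeeId" />
        </PersistedClaims>
      </TechnicalProfile>

      <!-- Later federated sign-ins: read it back from the stored profile. -->
      <TechnicalProfile Id="AAD-UserReadUsingAlternativeSecurityId">
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="extension_EmployeeId" />
        </OutputClaims>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
```

The same ClaimTypeReferenceId then goes into the relying party's OutputClaims in SignUpOrSignIn.xml so that the value appears in the issued token.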
  • Thanks for your answer, but I would like to know if the part where I define the ClaimType for extension_employeeid is correct; the definition is at the top of the page. If the syntax is not correct or some name is wrong, please tell me. Thanks – Daniel Vega Ruiz Jun 29 '22 at 16:56