
I'm trying to use a custom technical profile for Local Account in the SignUpOrSignIn user journey. I have created the following technical profile in my customtrustframeworkextensions.xml (base: trustframeworkextensions.xml):

<ClaimsProvider>
  <DisplayName>Local Account</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="CustomLocalAccountSignUpWithLogonEmail">
      <DisplayName>Email signup</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="IpAddressClaimReferenceId">IpAddress</Item>
        <Item Key="ContentDefinitionReferenceId">api.localaccountsignup</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
      </CryptographicKeys>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="email" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true" />
        <OutputClaim ClaimTypeReferenceId="newPassword" Required="true" />
        <OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true" />
        <OutputClaim ClaimTypeReferenceId="executed-SelfAsserted-Input" DefaultValue="true" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" />
        <OutputClaim ClaimTypeReferenceId="newUser" />
        <OutputClaim ClaimTypeReferenceId="extension_XXX" />
        <!-- Optional claims, to be collected from the user -->
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="givenName" />
        <OutputClaim ClaimTypeReferenceId="surName" />
      </OutputClaims>
      <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="REST-ValidateProfile" />
      </ValidationTechnicalProfiles>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

REST-ValidateProfile looks like the following:

<ClaimsProvider>
  <DisplayName>REST APIs</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="REST-ValidateProfile">
      <DisplayName>Check yyy and zzz Rest API</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <!-- Set the ServiceUrl with your own REST API endpoint -->
        <Item Key="ServiceUrl">https://asd</Item>
        <Item Key="SendClaimsIn">Body</Item>
        <!-- Set AuthenticationType to Basic or ClientCertificate in production environments -->
        <Item Key="AuthenticationType">ApiKeyHeader</Item>
        <!-- REMOVE the following line in production environments -->
        <Item Key="AllowInsecureAuthInProduction">false</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="Api-key" StorageReferenceId="B2C_1A_key" />
      </CryptographicKeys>
      <InputClaims>
        <!-- Claims sent to your REST API -->
        <InputClaim ClaimTypeReferenceId="email" />
        <InputClaim ClaimTypeReferenceId="extension_xxx" PartnerClaimType="xxx" />
      </InputClaims>
      <OutputClaims>
        <!-- Claims parsed from your REST API -->
        <OutputClaim ClaimTypeReferenceId="extension_yyy" PartnerClaimType="yyy" />
        <OutputClaim ClaimTypeReferenceId="extension_zzz" PartnerClaimType="zzz" />
      </OutputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

I have modified the OrchestrationStep to use the custom technical profile in the user journey:

<OrchestrationStep Order="2" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>objectId</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="CustomLocalAccountSignUpWithLogonEmail" />
  </ClaimsExchanges>
</OrchestrationStep>

When I run my custom policy and select SignUp, the browser shows the error: "The page cannot be displayed because an internal server error has occurred."

There are some more specific details in Application Insights:

        Exception Message:Output claim type "objectId" specified in the technical profile with id "CustomLocalAccountSignUpWithLogonEmail" in policy "B2C_1A_DEV_signup_signin" of tenant does not specify a UserInputType or a DefaultValue, and is not retrieved from a ValidationTechnicalProfile either., Exception Type:InvalidDefinitionException

Everything works OK when I use the name "LocalAccountSignUpWithLogonEmail" for the edited technical profile and the ClaimsExchange looks like this:

<ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="CustomLocalAccountSignUpWithLogonEmail" />

But when I change the name of the modified technical profile, the policy doesn't work anymore. It seems to me that the claims exchange doesn't work or something. I don't get why, because I can't find any other places that refer to LocalAccountSignUpWithLogonEmail.

I want to use a custom technical profile because I want to remove some output claims without touching the base policies.

Asked by atr4st

Comments:
  • The error is telling you that objectId claim is an output claim in the technical profile but it is not produced by a validation TP and it also does not have a user input. In order to output a claim, it has to come from somewhere. The normal signup TP would call Graph API to create the user and the objectId claim would come from its result. Looks to me that you aren't actually creating a user though? – juunas Oct 17 '22 at 17:26
  • Or if your REST API is creating a user in Graph, you can output the objectId from there and fix this issue :) – juunas Oct 17 '22 at 17:27

1 Answer

The technical profile "CustomLocalAccountSignUpWithLogonEmail" has an output claim of the objectId, which is common when you write something. The most common pattern is:

Technical profile

-> Validation technical profile 1

-> Validation technical profile 2

That is, validation technical profile 1 might call your REST API to validate the profile, then validation technical profile 2 performs a write operation into the directory. When you write into the directory, it outputs an objectId, which is output into your technical profile, and that error will go away.

Answered by Chad Hasbrook