
I implemented self-service password reset and password expiration after 90 days. I was asking how I could include a message to notify the user when they are making the change.

password reset

Currently when a password change is proposed (especially when the password expires) the user is not notified of the reason and I would like to insert text above the password fields.

I share relying party file: https://easyupload.io/a4tclj

This is my extension file:

```xml
  <BasePolicy>
    <TenantId>b2c.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkLocalization</PolicyId>
  </BasePolicy>
  <!--   <BuildingBlocks>
    <ClaimsSchema>
    </ClaimsSchema>
  </BuildingBlocks> -->
  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Facebook</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="Facebook-OAUTH">
          <Metadata>
            <Item Key="client_id">facebook_clientid</Item>
            <Item Key="scope">email public_profile</Item>
            <Item Key="ClaimsEndpoint">https://graph.facebook.com/me?fields=id,first_name,last_name,name,email</Item>
          </Metadata>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
    <ClaimsProvider>
      <DisplayName>Token Issuer</DisplayName>
      <TechnicalProfiles>
        <!-- SAML Token Issuer technical profile -->
        <TechnicalProfile Id="Saml2AssertionIssuer">
          <DisplayName>Token Issuer</DisplayName>
          <Protocol Name="SAML2" />
          <OutputTokenFormat>SAML2</OutputTokenFormat>
          <CryptographicKeys>
            <Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_SAML" />
            <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SAML" />
          </CryptographicKeys>
          <InputClaims />
          <OutputClaims />
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-issuer" />
        </TechnicalProfile>
        <!-- Session management technical profile for SAML-based tokens -->
        <TechnicalProfile Id="SM-Saml-issuer">
          <DisplayName>Session Management Provider</DisplayName>
          <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
    <ClaimsProvider>
      <DisplayName>Local Account SignIn</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="login-NonInteractive">
          <Metadata>
            <!-- ProxyIdentityExperienceFrameworkAppId -->
            <Item Key="client_id">1257aca9-6111-abcs-adca-d740612012fa</Item>
            <!-- IdentityExperienceFrameworkAppId -->
            <Item Key="IdTokenAudience">10f6e761-c111-dadd-acv0-affb3875cdaf</Item>
          </Metadata>
          <InputClaims>
            <!-- ProxyIdentityExperienceFrameworkAppId -->
            <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="1257aca9-6111-abcs-adca-d740612012fa" />
            <!-- IdentityExperienceFrameworkAppId -->
            <InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="10f6e761-c111-dadd-acv0-affb3875cdaf" />
          </InputClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
    <ClaimsProvider>
      <DisplayName>Local Account</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="LocalAccountWritePasswordUsingObjectId">
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
    <ClaimsProvider>
      <DisplayName>Azure Active Directory</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="AAD-Common">
          <Metadata>
            <!--Insert b2c-extensions-app application ID here, for example: 11111111-1111-1111-1111-111111111111-->
            <Item Key="ClientId">83axdc56-1aaa-4bbb-a666-4589cbb7a212</Item>
            <!--Insert b2c-extensions-app application ObjectId here, for example: 22222222-2222-2222-2222-222222222222-->
            <Item Key="ApplicationObjectId">8d93c18a-d111-4fff-8aaa-43ebedadd5b1</Item>
          </Metadata>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
  <!--UserJourneys>
  </UserJourneys-->

'''

denisdm91

1 Answer


You could use something like this to display a message during force password change. The following sample is taken from the Azure AD B2C samples on GitHub: policies/force-password-reset

ClaimType

```xml
<ClaimType Id="userMsg">
    <DisplayName></DisplayName>
    <DataType>string</DataType>
    <AdminHelpText>A claim responsible for holding user messages</AdminHelpText>
    <UserInputType>Paragraph</UserInputType>
</ClaimType>
```

Technical profile

```xml
<TechnicalProfile Id="SelfAsserted-ForcePasswordReset-ExpiredPassword">
    <DisplayName>Password Expired</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <Metadata>
        <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
        <Item Key="UserMessageIfClaimsTransformationBooleanValueIsNotEqual">Please enter a different password</Item>
    </Metadata>
    <InputClaims>
        <InputClaim ClaimTypeReferenceId="userMsg" DefaultValue="Your password has expired, please change to a new password." />
    </InputClaims>
    <DisplayClaims>
        <DisplayClaim ClaimTypeReferenceId="userMsg" />
        <DisplayClaim ClaimTypeReferenceId="password" Required="true" />
        <DisplayClaim ClaimTypeReferenceId="newPassword" Required="true" />
        <DisplayClaim ClaimTypeReferenceId="reenterPassword" Required="true" />
    </DisplayClaims>
    <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" />
    </OutputClaims>
    <ValidationTechnicalProfiles>
        <!-- 1) validate the old password. 2) Assert whether the new password is different than the old one.
             3) get the user object ID 4) persist the new password to the directory, and reset the force reset password next logon. -->
        <ValidationTechnicalProfile ReferenceId="login-NonInteractive" />
        <ValidationTechnicalProfile ReferenceId="ThrowErrorWhenPassowrdIsSame" />
        <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingSignInName" />
        <ValidationTechnicalProfile ReferenceId="AAD-UserWritePasswordUsingObjectId-ResetNextLogin" />
    </ValidationTechnicalProfiles>
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
```

sabique
  • Hi @sabique, thanks for your comment. I have the following relying party file: https://easyupload.io/a4tclj How can I integrate the claim? Because I have many integrations in this file. – denisdm91 Nov 22 '22 at 14:31
  • Hi @denisdm91, your RP seems to use the `LocalAccountWritePasswordUsingObjectId` technical profile for password change. You could make a copy of the technical profile with a different name, add the input claim userMsg, and use display claims as shown in the above example to display the claim to the user. Ensure that this new technical profile is only called when you are forcing the user to change the password and not during the forgot-password reset flow. – sabique Nov 23 '22 at 11:21
  • Hi @sabique, how can I make it so that it is only called during password change and not for forgot-password reset? My file is created this way because I integrated several parts that I was seeing in the Microsoft samples. – denisdm91 Nov 23 '22 at 11:29
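As an added example (not from the question's policy files or the GitHub sample), this is one way to wire up what the comments describe: a renamed copy of `LocalAccountWritePasswordUsingObjectId` that carries the `userMsg` display claim, plus an orchestration step in the sign-in journey that is skipped unless a boolean claim says the password has expired, so the forgot-password journey keeps calling the original profile untouched. The `-Expired` Id suffix, the `passwordExpired` claim and the step Order are assumptions; the base profile shape is the starter-pack one, the `userMsg` ClaimType from the answer must be declared in the extension file's ClaimsSchema (the BuildingBlocks section is commented out in the question), and DisplayClaims need a content definition on page layout version 2.1.0 or later, as in the answer's sample.

```xml
<!-- Copy of the starter-pack LocalAccountWritePasswordUsingObjectId profile, renamed so the
     forgot-password journey keeps using the original. The Id suffix is an assumption. -->
<TechnicalProfile Id="LocalAccountWritePasswordUsingObjectId-Expired">
  <DisplayName>Password expired</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" />
    <!-- userMsg is the Paragraph claim from the answer; it renders as text above the password fields -->
    <InputClaim ClaimTypeReferenceId="userMsg" DefaultValue="Your password is older than 90 days. Please choose a new one to continue." />
  </InputClaims>
  <DisplayClaims>
    <DisplayClaim ClaimTypeReferenceId="userMsg" />
    <DisplayClaim ClaimTypeReferenceId="newPassword" Required="true" />
    <DisplayClaim ClaimTypeReferenceId="reenterPassword" Required="true" />
  </DisplayClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="newPassword" />
    <OutputClaim ClaimTypeReferenceId="reenterPassword" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <!-- Same directory write as the original profile; the user authenticated earlier in the journey -->
    <ValidationTechnicalProfile ReferenceId="AAD-UserWritePasswordUsingObjectId" />
  </ValidationTechnicalProfiles>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>

<!-- Sign-in journey step (Order is illustrative). It runs only when an earlier step has set the
     assumed boolean claim passwordExpired to True. That earlier step must always set the claim:
     a missing claim is not equal to False, so the precondition would not skip the step. -->
<OrchestrationStep Order="4" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecutionActionsIfTrue="SkipThisOrchestrationStep">
      <Value>passwordExpired</Value>
      <Value>False</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="ExpiredPasswordChangeExchange" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId-Expired" />
  </ClaimsExchanges>
</OrchestrationStep>
```

The password-reset journey referenced by the relying party file is left unchanged, which is what keeps the message from appearing in the forgot-password flow.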