I have the basic user impersonation policy defined here https://github.com/azure-ad-b2c/samples/tree/master/policies/impersonation working fine. An admin with the can_impersonate attribute set to true can log in as that user, and the impersonated user's email is then returned in the impersonatedUser claim. Thinking I could extend this functionality, I added a new field based on the impersonatedUser field:
impersonatedUserContactId (this should be the impersonated user's displayName)
But I cannot for the life of me figure out how to pass the value of displayName into impersonatedUserContactId in the same way the email is passed:
Here is the gist of my custom policies.
Claim Types
<ClaimType Id="impersonatedUser">
  <DisplayName>Impersonated account</DisplayName>
  <DataType>string</DataType>
  <UserHelpText/>
</ClaimType>
<ClaimType Id="impersonatedUserContactId">
  <DisplayName>Impersonated account Contact Id</DisplayName>
  <DataType>string</DataType>
  <UserHelpText/>
</ClaimType>
Technical Profile AAD-ImpersonatedUserRead
<TechnicalProfile Id="AAD-ImpersonatedUserRead">
  <Metadata>
    <Item Key="Operation">Read</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
    <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">An account could not be found for the provided user ID.</Item>
    <Item Key="IncludeClaimResolvingInClaimsHandling">true</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <!-- Sample: look up the value of targetEmail in the signInNames collection -->
    <InputClaim ClaimTypeReferenceId="targetEmail" PartnerClaimType="signInNames.emailAddress" Required="true"/>
  </InputClaims>
  <OutputClaims>
    <!-- Sample: takes the value in targetEmail, matches it against the signInNames collection,
         then returns the matching sign-in name and pipes it into impersonatedUser -->
    <OutputClaim ClaimTypeReferenceId="impersonatedUser" PartnerClaimType="signInNames.emailAddress"/>
    <OutputClaim ClaimTypeReferenceId="impersonatedUserContactId" PartnerClaimType="displayName"/>
  </OutputClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common"/>
</TechnicalProfile>
Technical Profile SelfAsserted-TargetEmailExchange
<TechnicalProfile Id="SelfAsserted-TargetEmailExchange">
  <DisplayName>Target Email Page</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
  <Metadata>
    <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
    <!-- Sample: indicates that claim resolving should be performed, so we can read the value of the {OAUTH-KV:targetEmail} claim resolver -->
    <Item Key="IncludeClaimResolvingInClaimsHandling">true</Item>
  </Metadata>
  <InputClaims>
    <!-- Sample: read the targetEmail query string parameter, e.g. &targetemail=bob@contoso.com -->
    <InputClaim ClaimTypeReferenceId="targetEmail" DefaultValue="{OAUTH-KV:targetEmail}" AlwaysUseDefaultValue="true"/>
  </InputClaims>
  <OutputClaims>
    <!-- Required claims -->
    <OutputClaim ClaimTypeReferenceId="executed-SelfAsserted-Input" DefaultValue="true"/>
    <OutputClaim ClaimTypeReferenceId="impersonatedUser" Required="true"/>
    <OutputClaim ClaimTypeReferenceId="impersonatedUserContactId" Required="true"/>
    <OutputClaim ClaimTypeReferenceId="targetEmail" Required="true"/>
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="AAD-ImpersonatedUserRead"/>
  </ValidationTechnicalProfiles>
</TechnicalProfile>
Both impersonatedUser and impersonatedUserContactId are also in the relying party config.
But basically impersonatedUserContactId is never set, or is always null, for some reason. Does anyone know if it is possible to populate additional attributes via the impersonation policy other than the user's email? Any help would be greatly appreciated.
I am expecting to populate other values based on the impersonatedUser claim.