Comments (10)

chrispadgettlivecom avatar chrispadgettlivecom commented on July 2, 2024

The following line looks correct:

<PersistedClaim ClaimTypeReferenceId="username" PartnerClaimType="signInNames.userName" />

The following line looks wrong because the user object doesn't contain an email property:

<PersistedClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />

You can replace the preceding line with the following one:

<PersistedClaim ClaimTypeReferenceId="email" PartnerClaimType="strongAuthenticationEmailAddress" />

where the strongAuthenticationEmailAddress claim type is declared as follows:

<ClaimType Id="strongAuthenticationEmailAddress">
  <DisplayName>Authentication Email Address</DisplayName>
  <DataType>string</DataType>
</ClaimType>

See https://stackoverflow.com/questions/45699101/custom-b2c-policy-for-username-based-local-accounts/46282586#46282586 for a complete solution.

from active-directory-b2c-advanced-policies.

mmaedler avatar mmaedler commented on July 2, 2024

Hi @chrispadgettlivecom!
Thanks for your quick reply and sorry for my confusing issue title which I have corrected now.
You're saying I'd use strongAuthenticationEmailAddress — does that mean the user still needs to give a unique email address, as this can be used to log in? The problem is that for our systems the email cannot be unique, since it can be used for multiple accounts (hence the login with username instead of email address).

Thanks,

Moritz

mmaedler avatar mmaedler commented on July 2, 2024

And it's me again. I have implemented the change you've suggested, but the error remains the same:

 "Message": "An error occurred while writing User claims using identifier claim type \"signInNames.userName\" in tenant \"llssocaps.onmicrosoft.com\". Error returned was 400/Request_BadRequest: One or more properties contains invalid values.",

It seems like Azure is not able to handle the signInNames.userName while saving the user into the directory. What is the field identifier for AD that stores the username?

chrispadgettlivecom avatar chrispadgettlivecom commented on July 2, 2024

Hi @mmaedler

signInNames.userName is the correct claim.

Note that you can't persist an email address to the signInNames.userName claim.

Can you please paste your latest changes, including examples of the claim values that you are persisting to the Azure AD B2C directory?

If you persist the email address to the strongAuthenticationEmailAddress property, then the email address doesn't have to be unique, since it isn't acting as a sign-in name.

mmaedler avatar mmaedler commented on July 2, 2024

Hi @chrispadgettlivecom,

thanks again for your reply. Here you'll find the updated TrustFrameworkBase.xml:
--> https://gist.github.com/mmaedler/c0d25989a400dbe884c4253d4ccc0b06

Maybe also a bit of background on what I actually try to achieve: We want to add SSO to some of our apps and therefore need to migrate our user base into Azure AD B2C. For legacy reasons the user's login could either be a username OR an email address. So I thought we could simply use the username provider, migrate the users using whatever he/she had used as a login credential, and simply put that into the username field in AD B2C. Obviously we also want to have new users register with whatever they feel is best for them — email or username.
So what you are saying is that it is not possible to store an email address into signInNames.userName?

Thanks again!

chrispadgettlivecom avatar chrispadgettlivecom commented on July 2, 2024

Hi @mmaedler

If you attempt to create a local account with a "userName" sign-in type that is set to an email address sign-in value, then the following error is returned by the Azure AD Graph API:

{
    "odata.error": {
        "code": "Request_BadRequest",
        "message": {
            "lang": "en",
            "value": "One or more properties contains invalid values."
        },
        "date": "2018-07-29T04:25:16",
        "requestId": "407e5528-e937-4bbd-9c79-fd4f2026445c",
        "values": null
    }
}
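A pre-flight check for the two constraints Chris describes (added example, not code from the thread or from the B2C sample repository): a legacy login is routed to the sign-in type it may legally occupy, and the contact email, which need not be unique, is kept out of the sign-in names entirely. The emailAddress sign-in type and the overall Azure AD Graph local-account object shape are assumptions, not something the thread states.

```python
import re

# Coarse email detection. The rule from the thread is that a value that is an email
# address is rejected under the userName sign-in type, so "@" plus a domain is the test.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def is_email(value: str) -> bool:
    return EMAIL_RE.match(value) is not None


def route_sign_in_name(login: str) -> dict:
    """Pick the signInNames type a legacy login identifier may occupy.

    Email-shaped logins go to the emailAddress type (assumed: a standard B2C
    sign-in type, not discussed in the thread); anything else goes to userName.
    """
    return {"type": "emailAddress" if is_email(login) else "userName", "value": login}


def is_valid_sign_in_names(sign_in_names: list) -> bool:
    """Local reproduction of the rule behind the 400 Request_BadRequest seen in the
    thread: an email address is not a valid value for the userName sign-in type."""
    return not any(
        entry["type"] == "userName" and is_email(entry["value"]) for entry in sign_in_names
    )


def build_local_account(login: str, contact_email: str, display_name: str) -> dict:
    """Assemble a local-account object before it is sent to the directory.

    The object shape (creationType, signInNames, ...) is assumed from the Azure AD
    Graph local-account model; credentials are omitted. The contact email lands in
    strongAuthenticationEmailAddress, which the thread notes need not be unique
    because it is not acting as a sign-in name.
    """
    sign_in_names = [route_sign_in_name(login)]
    if not is_valid_sign_in_names(sign_in_names):
        # Fail locally with a clear message instead of a generic 400 from the API.
        raise ValueError(f"signInNames.userName may not hold an email address: {login!r}")
    return {
        "creationType": "LocalAccount",
        "accountEnabled": True,
        "displayName": display_name,
        "signInNames": sign_in_names,
        "strongAuthenticationEmailAddress": contact_email,
    }
```

Running the migration set through this before calling the API surfaces every record that would have produced the thread's "One or more properties contains invalid values" error, with the offending login named.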

mmaedler avatar mmaedler commented on July 2, 2024

Ok — just to be 100% clear on this: you are saying AD cannot persist an email address to the username field? If so, why can I create a user with exactly that via the API?

Also the error you posted is not the one that I receive:

{
  "Key": "Exception",
  "Value": {
    "Kind": "Handled",
    "HResult": "80131500",
    "Message": "An error occurred while writing User claims using identifier claim type \"signInNames.userName\" in tenant \"mytenant.onmicrosoft.com\". Error returned was 400/Request_BadRequest: One or more properties contains invalid values.",
    "Data": {
      "TenantId": "mytenant.onmicrosoft.com",
      "PolicyId": "B2C_1A_signup_signin"
    },
    "Exception": {
      "Kind": "Handled",
      "HResult": "80131509",
      "Message": "The remote server returned an error: (400) Bad Request.",
      "Data": {}
    }
  }

Any further ideas? Thanks a mil.

felickz avatar felickz commented on July 2, 2024

Ever get this working or find a public sample with UserName instead of Email? Have the same concern - don't want email to be unique (store in othermails). Would be nice if it was as simple as clicking this dropdown!

anweshars avatar anweshars commented on July 2, 2024

> Ok — just to be 100% clear on this: you are saying AD cannot persist an email address to the username field? If so, why can I create a user with exactly that via the API?
>
> Also the error you posted is not the one that I receive:
>
> {
>   "Key": "Exception",
>   "Value": {
>     "Kind": "Handled",
>     "HResult": "80131500",
>     "Message": "An error occurred while writing User claims using identifier claim type \"signInNames.userName\" in tenant \"mytenant.onmicrosoft.com\". Error returned was 400/Request_BadRequest: One or more properties contains invalid values.",
>     "Data": {
>       "TenantId": "mytenant.onmicrosoft.com",
>       "PolicyId": "B2C_1A_signup_signin"
>     },
>     "Exception": {
>       "Kind": "Handled",
>       "HResult": "80131509",
>       "Message": "The remote server returned an error: (400) Bad Request.",
>       "Data": {}
>     }
>   }
>
> Any further ideas? Thanks a mil.

hey - could you get this working?

githubtomb avatar githubtomb commented on July 2, 2024

For those pulling their hair out:

You need to add this meta tag to your SelfAssertedAttributeProvider profile where you're asking the user for username and other details.

<Item Key="LocalAccountType">Username</Item>

See the example:

https://github.com/azure-ad-b2c/samples/blob/d502e3e173ff643061088d9259851c3bb6dc6ba8/policies/username-signup-or-signin/policy/TrustFrameworkExtensions_Username.xml#L146