Comments (10)
The following line looks correct:
<PersistedClaim ClaimTypeReferenceId="username" PartnerClaimType="signInNames.userName" />
The following line looks wrong because the user object doesn't contain an email property:
<PersistedClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
You can replace the preceding line with the following one:
<PersistedClaim ClaimTypeReferenceId="email" PartnerClaimType="strongAuthenticationEmailAddress" />
where the strongAuthenticationEmailAddress claim type is declared as follows:
<ClaimType Id="strongAuthenticationEmailAddress">
<DisplayName>Authentication Email Address</DisplayName>
<DataType>string</DataType>
</ClaimType>
See https://stackoverflow.com/questions/45699101/custom-b2c-policy-for-username-based-local-accounts/46282586#46282586 for a complete solution.
from active-directory-b2c-advanced-policies.
Hi @chrispadgettlivecom!
Thanks for your quick reply and sorry for my confusing issue title which I have corrected now.
You're saying I'd use strongAuthenticationEmailAddress — does that mean the user still needs to give a unique email address, as this can be used to log in? The problem is that for our systems the email cannot be unique, since it can be used for multiple accounts (hence the login with username instead of email address).
Thanks,
Moritz
And it's me again. I have implemented the change you've suggested, but the error remains the same:
"Message": "An error occurred while writing User claims using identifier claim type \"signInNames.userName\" in tenant \"llssocaps.onmicrosoft.com\". Error returned was 400/Request_BadRequest: One or more properties contains invalid values.",
It seems like Azure is not able to handle the signInNames.userName while saving the user into the directory. What is the field identifier for AD that stores the username?
Hi @mmaedler
signInNames.userName is the correct claim.
Note that you can't persist an email address to the signInNames.userName claim.
Can you please paste your latest changes, including examples of the claim values that you are persisting to the Azure AD B2C directory?
If you persist the email address to the strongAuthenticationEmailAddress property, then the email address doesn't have to be unique, since it isn't acting as a sign-in name.
Thanks again for your reply. Here you'll find the updated TrustFrameworkBase.xml:
--> https://gist.github.com/mmaedler/c0d25989a400dbe884c4253d4ccc0b06
Maybe also a bit of background on what I actually try to achieve: We want to add SSO to some of our apps and therefore need to migrate our user base into Azure AD B2C. For legacy reasons the user's login could be either a username OR an email address. So I thought we'd simply use the username provider and migrate the users using whatever he/she had used as a login credential, and simply put that into the username field in AD B2C. Obviously we also want to have new users register with whatever they feel is best for them — email or username.
So what you are saying is that it is not possible to store an email address into signInNames.userName?
Thanks again!
Hi @mmaedler
If you attempt to create a local account with a "userName" sign-in type that is set to an email address sign-in value, then the following error is returned by the Azure AD Graph API:
{
  "odata.error": {
    "code": "Request_BadRequest",
    "message": {
      "lang": "en",
      "value": "One or more properties contains invalid values."
    },
    "date": "2018-07-29T04:25:16",
    "requestId": "407e5528-e937-4bbd-9c79-fd4f2026445c",
    "values": null
  }
}
Ok — just to be 100% clear on this: you are saying AD cannot persist an email address to the username field? If so, why can I create a user with exactly that via the API?
Also the error you posted is not the one that I receive:
{
  "Key": "Exception",
  "Value": {
    "Kind": "Handled",
    "HResult": "80131500",
    "Message": "An error occurred while writing User claims using identifier claim type \"signInNames.userName\" in tenant \"mytenant.onmicrosoft.com\". Error returned was 400/Request_BadRequest: One or more properties contains invalid values.",
    "Data": {
      "TenantId": "mytenant.onmicrosoft.com",
      "PolicyId": "B2C_1A_signup_signin"
    },
    "Exception": {
      "Kind": "Handled",
      "HResult": "80131509",
      "Message": "The remote server returned an error: (400) Bad Request.",
      "Data": {}
    }
  }
}
Any further ideas? Thanks a mil.
Ever get this working or find a public sample with UserName instead of Email? Have the same concern - don't want email to be unique (store in otherMails). Would be nice if it was as simple as clicking this dropdown!
Ok — just to be 100% clear on this: you are saying AD cannot persist an email address to the username field? If so, why can I create a user with exactly that via the API?
Also the error you posted is not the one that I receive:
{
  "Key": "Exception",
  "Value": {
    "Kind": "Handled",
    "HResult": "80131500",
    "Message": "An error occurred while writing User claims using identifier claim type \"signInNames.userName\" in tenant \"mytenant.onmicrosoft.com\". Error returned was 400/Request_BadRequest: One or more properties contains invalid values.",
    "Data": {
      "TenantId": "mytenant.onmicrosoft.com",
      "PolicyId": "B2C_1A_signup_signin"
    },
    "Exception": {
      "Kind": "Handled",
      "HResult": "80131509",
      "Message": "The remote server returned an error: (400) Bad Request.",
      "Data": {}
    }
  }
}
Any further ideas? Thanks a mil.
hey - could you get this working?
For those pulling their hair out:
You need to add this meta tag to your SelfAssertedAttributeProvider profile where you're asking the user for username and other details.
<Item Key="LocalAccountType">Username</Item>
See the example:
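The two pieces of advice in this thread (persist the email to strongAuthenticationEmailAddress rather than to a sign-in name, and set LocalAccountType to Username on the self-asserted sign-up profile) fit together as shown below. This is an added example written for this thread; it is not code from the original comments or from the Microsoft sample repository. The technical profile Ids (LocalAccountSignUpWithLogonName, AAD-UserWriteUsingLogonName), the content definition Id, the key container name and the referenced AAD-Common / SM-AAD profiles follow the naming of the B2C custom policy starter pack but are assumptions here; adapt them to the Ids in your own TrustFrameworkBase.xml. The claim Ids "username" and "strongAuthenticationEmailAddress" are the ones used in the first comment.

```xml
<!-- Added example; not from the original thread or the Microsoft sample repo.
     Ids of technical profiles, content definition and key container are assumed
     (starter-pack naming) and must be aligned with your own policy files. -->

<!-- 1. Claim type for the non-unique email, as declared in the first comment. -->
<ClaimType Id="strongAuthenticationEmailAddress">
  <DisplayName>Authentication Email Address</DisplayName>
  <DataType>string</DataType>
</ClaimType>

<!-- 2. Self-asserted sign-up page. LocalAccountType=Username is the metadata item
        the last comment says is required; without it the page is handled as an
        email-based local account sign-up. -->
<TechnicalProfile Id="LocalAccountSignUpWithLogonName">
  <DisplayName>Username signup</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ContentDefinitionReferenceId">api.localaccountsignup</Item>  <!-- assumed Id -->
    <Item Key="LocalAccountType">Username</Item>
    <Item Key="LocalAccountProfile">true</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />  <!-- assumed name -->
  </CryptographicKeys>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="username" Required="true" />
    <OutputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress" Required="true" />
    <OutputClaim ClaimTypeReferenceId="newPassword" Required="true" />
    <OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true" />
    <OutputClaim ClaimTypeReferenceId="displayName" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingLogonName" />
  </ValidationTechnicalProfiles>
</TechnicalProfile>

<!-- 3. Directory write. The username is the sign-in name (signInNames.userName);
        the email goes to strongAuthenticationEmailAddress, which is not a sign-in
        name and therefore does not have to be unique across accounts. -->
<TechnicalProfile Id="AAD-UserWriteUsingLogonName">
  <Metadata>
    <Item Key="Operation">Write</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">true</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="username" PartnerClaimType="signInNames.userName" Required="true" />
  </InputClaims>
  <PersistedClaims>
    <PersistedClaim ClaimTypeReferenceId="username" PartnerClaimType="signInNames.userName" />
    <PersistedClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress" />
    <PersistedClaim ClaimTypeReferenceId="newPassword" PartnerClaimType="password" />
    <PersistedClaim ClaimTypeReferenceId="displayName" DefaultValue="unknown" />
    <PersistedClaim ClaimTypeReferenceId="passwordPolicies" DefaultValue="DisablePasswordExpiration" />
  </PersistedClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="newUser" PartnerClaimType="newClaimsPrincipalCreated" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
  </OutputClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />       <!-- assumed, starter-pack Id -->
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />  <!-- assumed, starter-pack Id -->
</TechnicalProfile>
```

Note that the write profile deliberately does not map any claim onto signInNames.emailAddress: as the earlier comments explain, a sign-in name is an identifier the directory enforces uniqueness on, while strongAuthenticationEmailAddress is a plain property, which is what allows several accounts to share one email address.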