Comments (5)
It is indeed possible.
At step 3, when you get the email address from Facebook, you can do an account discovery in AAD using that email address as the username. If it exists, you can merge the Facebook account into that existing AAD account. If not, create a new AAD account.
Several caveats to be aware of when you decide to go with this path:
- Not all users from Facebook provide their email address; when they grant permission to the app, they have the option not to provide their email address.
- From a security standpoint, you will be relying on Facebook properly verifying the email address of the user. If Facebook allows unverified email addresses, this can be exploited to gain access to those existing accounts.
For your second issue, I assume you are talking about the case where there are already two accounts and you would like to merge them. In the policy, technically you can have an AAD technical profile to delete one account, merge their claims, and update the other account. The caveat here is that the relying website needs to handle the merge case, for example how to merge the reward points of the two users.
We don't care if the user does not have a verified email or is not showing the email in the consent; what we want is a fluid and intuitive user journey for 99% of the cases. As I explained with the documented wingtipgamesb2c example, the current demo policies are not implemented as a good reference, and whoever did these docs/examples could fix this with the suggested precondition, at least not creating a duplicate AAD entry when the verified email is a match (precondition).
@xinaxu, a great answer would be a link to a commit/fork with the changed parts we need to do in the XML files ;-)
Thank you, at least you gave us a light at the end of the tunnel; now we just need to learn how to program profiles using XML.
from active-directory-b2c-advanced-policies.
@xinaxu Is it possible to have an example of how to accomplish the step in the policy to do the account discovery in AAD that you suggested?
It can be achieved using Validation Technical Profiles and Preconditions: https://docs.microsoft.com/en-us/azure/active-directory-b2c/validation-technical-profile
You can have 3 validation technical profiles:
- Get the user from AAD using the email address, and do not throw an error if the user does not exist
- Link the Facebook account to that AAD user. This technical profile is only executed when the objectId exists, using a Precondition
- Create a new AAD user. This technical profile is only executed when the objectId does not exist, using a Precondition
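The three validation technical profiles described in the answer above, written out as custom-policy XML. This is an added example, not code from active-directory-b2c-advanced-policies or from xinaxu. It assumes the starter-pack names AAD-Common, AAD-UserWriteUsingAlternativeSecurityId and SelfAsserted-Social, and assumes "facebook.com" is the identityProvider value your Facebook technical profile emits; the two new profile Ids and the transformation Id are this example's own, and the alternativeSecurityIds claim type is assumed to be declared in your ClaimsSchema. Beyond the three steps in the answer, it also guards the lookup against the two caveats raised earlier in the thread: the IdP returning no email, and the IdP not being one you trust to verify emails.

```xml
<!-- Added example, not repo code. Assumed starter-pack names: AAD-Common,
     AAD-UserWriteUsingAlternativeSecurityId, SelfAsserted-Social, "facebook.com".
     New Ids (this example's own): AddAnotherAlternativeSecurityId,
     AAD-UserReadUsingEmailAddress-NoError, AAD-UserLinkAlternativeSecurityIdUsingObjectId. -->

<!-- Fragment 1 (BuildingBlocks/ClaimsTransformations): append the IdP's
     alternativeSecurityId to the user's existing collection instead of replacing it. -->
<ClaimsTransformation Id="AddAnotherAlternativeSecurityId" TransformationMethod="AddItemToAlternativeSecurityIdCollection">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="alternativeSecurityId" TransformationClaimType="item" />
    <InputClaim ClaimTypeReferenceId="alternativeSecurityIds" TransformationClaimType="collection" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="alternativeSecurityIds" TransformationClaimType="collection" />
  </OutputClaims>
</ClaimsTransformation>

<!-- Fragment 2 (ClaimsProviders): the lookup and link technical profiles. -->
<ClaimsProvider>
  <DisplayName>Azure Active Directory</DisplayName>
  <TechnicalProfiles>
    <!-- 1. Find a local account whose sign-in email equals the IdP email.
         A miss is not an error: objectId simply stays absent from the claims bag. -->
    <TechnicalProfile Id="AAD-UserReadUsingEmailAddress-NoError">
      <Metadata>
        <Item Key="Operation">Read</Item>
        <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">false</Item>
      </Metadata>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" Required="true" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" />
        <OutputClaim ClaimTypeReferenceId="alternativeSecurityIds" />
      </OutputClaims>
      <IncludeTechnicalProfile ReferenceId="AAD-Common" />
    </TechnicalProfile>
    <!-- 2. Link: write the extended collection back to the user found in step 1.
         Erroring if the principal is gone turns a lost race into a visible failure. -->
    <TechnicalProfile Id="AAD-UserLinkAlternativeSecurityIdUsingObjectId">
      <Metadata>
        <Item Key="Operation">Write</Item>
        <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">false</Item>
        <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
      </Metadata>
      <InputClaimsTransformations>
        <InputClaimsTransformation ReferenceId="AddAnotherAlternativeSecurityId" />
      </InputClaimsTransformations>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
      </InputClaims>
      <PersistedClaims>
        <PersistedClaim ClaimTypeReferenceId="objectId" />
        <PersistedClaim ClaimTypeReferenceId="alternativeSecurityIds" />
      </PersistedClaims>
      <IncludeTechnicalProfile ReferenceId="AAD-Common" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<!-- Fragment 3: replaces <ValidationTechnicalProfiles> inside SelfAsserted-Social.
     Order matters: the read must run before the two preconditions that test objectId. -->
<ValidationTechnicalProfiles>
  <!-- The lookup is the sensitive step: it loads an existing user's objectId into the
       claims bag purely on an email the IdP asserted. Skip it when the IdP sent no
       email, and when the IdP is not one you have decided to trust for verified emails. -->
  <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingEmailAddress-NoError">
    <Preconditions>
      <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
        <Value>email</Value>
        <Action>SkipThisValidationTechnicalProfile</Action>
      </Precondition>
      <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
        <Value>identityProvider</Value>
        <Value>facebook.com</Value>
        <Action>SkipThisValidationTechnicalProfile</Action>
      </Precondition>
    </Preconditions>
  </ValidationTechnicalProfile>
  <!-- Link only when the lookup found someone. -->
  <ValidationTechnicalProfile ReferenceId="AAD-UserLinkAlternativeSecurityIdUsingObjectId">
    <Preconditions>
      <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
        <Value>objectId</Value>
        <Action>SkipThisValidationTechnicalProfile</Action>
      </Precondition>
    </Preconditions>
  </ValidationTechnicalProfile>
  <!-- Create only when it did not. -->
  <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingAlternativeSecurityId">
    <Preconditions>
      <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
        <Value>objectId</Value>
        <Action>SkipThisValidationTechnicalProfile</Action>
      </Precondition>
    </Preconditions>
  </ValidationTechnicalProfile>
</ValidationTechnicalProfiles>
```

In the starter-pack journey, SelfAsserted-Social only runs after the lookup by alternativeSecurityId has missed, so these three profiles execute once per new Facebook identity; later sign-ins with the linked account take the normal path. The ClaimEquals guard is what turns the thread's security caveat into policy: an IdP that is allowed to return unverified addresses should simply not be listed, so its users always fall through to the create profile and can never be attached to someone else's local account.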
@canoas did you eventually manage to get this working? It was the first question from the business "Why are there duplicates created" on a new project I'm working on.