Comments (4)
omer-iqbal
commented on June 22, 2024
1
The signInNames property is reserved for local accounts. Any email addresses stored in this property can be used with a password to sign the user in, without having to go to the social IDP. Therefore, the email addresses of social IDP users are stored in another property (otherMails) that is currently exposed through AD Graph.
Depending on a user's setting, an app's permissions or the IDP, a user's email address may never be sent in the token by the IDP. These policies are designed to work with the user id provided by the social IDP as the primary identifier, and without email address being sent in the token. That is why email is not relied upon.
Another aspect is that some social IDPs permit unverified email addresses on accounts, which could be sent in the token. Therefore, even if available, the default policies do no rely on email addresses since a malicious user can create a social IDP account with another user's email without verification and use it to take over another account.
However, if business rules require, these policies can be modified to check whether an email is verified by IDP and then rely on it for the kind of scenarios you mention. But that could adversely impact the number of users that can successfully sign up and sign in.
from active-directory-b2c-advanced-policies.
onionhammer
commented on June 22, 2024
Record created with internal idp:
...snip...
"odata.type": "Microsoft.DirectoryServices.User",
"objectType": "User",
"objectId": "1a526ff3-698c-471c-a220-0c336bfe066d",
"deletionTimestamp": null,
"accountEnabled": true,
"signInNames": [
{
"type": "emailAddress",
"value": "[email protected]"
}
],
"assignedLicenses": [],
"assignedPlans": [],Record created with external idp:
"objectId": "37fa11b0-4423-44cb-8273-2be58deee081",
"deletionTimestamp": null,
"accountEnabled": false,
"signInNames": [],
"assignedLicenses": [],
"assignedPlans": [],
"city": null,
"companyName": null,SignInNames is an empty array from the external idp.
from active-directory-b2c-advanced-policies.
gsacavdm
commented on June 22, 2024
@omer-iqbal can you help with this?
from active-directory-b2c-advanced-policies.
onionhammer
commented on June 22, 2024
However, if business rules require, these policies can be modified to check whether an email is verified by IDP and then rely on it for the kind of scenarios you mention. But that could adversely impact the number of users that can successfully sign up and sign in.
Thanks for the reply @omer-iqbal
Are there any examples/snippets on how we might accomplish this? We're not currently using any social logins, we're only using local accounts and an external (oracle) identity provider for employees.
from active-directory-b2c-advanced-policies.
Related Issues (20)
- Invalid client assertion
- user journey that does not create duplicate accounts HOT 5
- Account Linking example needs to be updated to use alternativeSecurityId HOT 16
- Custom policies getting mixed together HOT 2
- B2C SAML response with incorrect entityID HOT 2
- Validation errors do not communicate reason for failed validation HOT 1
- Clarification on claim transformation method HOT 1
- Is there any method to get MAC address of the user's system using custom policies? HOT 1
- Can I use two email addresses for MFA using custom policies? HOT 4
- Account-linking allows unlinking facebook which causes account-lockout.
- saml custom policy logout url
- How to create users with same email but with different in custom user attribute in Azure AD B2C? HOT 5
- How to check whether a user is exist in firebase before sending reset email? HOT 1
- Angular8/Vue custom component not loading in google sites in chrome browser
- Can we link both email and username for the local identities HOT 2
- Updated Source Code for WingTipGamesWebApplication HOT 1
- Azure AD B2C Password reset is not working HOT 1
- Connect existing user with external idp
- Append input Claim value to createstringclaim transformation InputParameter value
- Azure AD B2C witn LinkedIn UserFlow does not work
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from active-directory-b2c-advanced-policies.