Comments (16)
I've added these for others who have hit the same issues as me.
from active-directory-b2c-advanced-policies.
@filipemiguelaugusto Looks like you have commented out AddItemToUserIdentityCollection. Your policy is mixing AlternativeSecurityId and UserIdentity; for example, CreateAlternativeSecurityId is expecting a claim type of data type AlternativeSecurityId, but your alternativeSecurityId is of type userIdentity.
I would suggest renaming all your claim types and transformations to alternativeSecurityId and making sure no UserIdentities appear in the policy.
```xml
<ClaimType Id="alternativeSecurityId">
  <DisplayName>userIdentity</DisplayName>
  <DataType>userIdentity</DataType>
  <AdminHelpText>userIdentity</AdminHelpText>
  <UserHelpText>userIdentity</UserHelpText>
</ClaimType>

<ClaimsTransformation Id="CreateUserIdentity" TransformationMethod="CreateAlternativeSecurityId">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="issuerUserId" TransformationClaimType="key" />
    <InputClaim ClaimTypeReferenceId="identityProvider" TransformationClaimType="identityProvider" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="alternativeSecurityId" TransformationClaimType="alternativeSecurityId" />
  </OutputClaims>
</ClaimsTransformation>
```
I've tried to make changes in the sample files according to your suggestions, with no success. Is it possible to have further information about all the replacements that you must do?
Was someone able to put this example of account linking up and running recently?
We have this working in a production system.
My concern is that no one from MS seems to have looked at or commented on this issue.
Which part is failing? Have you enabled development mode / logging to Application Insights in your policy? You can couple this with the WingTip journey player, which can be found on the net, to help figure out at what point your custom policy is failing.
@filipemiguelaugusto looks like the docs reflect AlternativeSecurityId
https://docs.microsoft.com/en-us/azure/active-directory-b2c/social-transformations
However, this sample still needs to be updated.
@iamkoch my problems start way back. It seems like I can't get the right transformations in the files to upload them without errors. I'm far from being an expert in this kind of customization!
I get errors like this one for instance:
[...] The InputClaims mismatched in ClaimsTransformation with id "AppendUserIdentityToLink" with TransformationMethod "AddItemToUserIdentityCollection".
The following InputClaims were declared in the Policy but were not expected by the TransformMethod: [AlternativeSecurityIdCollection]collection.
The following InputClaims were expected by the TransformMethod but were not declared in the Policy: [UserIdentityCollection]collection.
I tried to follow the changes that you have proposed, but I keep getting this kind of error.
Take the XML from my original post and include it in yours. It contains the replacement transformations used to manipulate alternative security id based claims.
@filipemiguelaugusto From the error message, it looks like you might be mixing a UserIdentity claims transformation with the AlternativeSecurityId DataType. If you can post an example of your policy, I can help you identify the issue.
@iamkoch Sorry for the late response. Both the UserIdentities and AlternativeSecurityId solutions should work. If UserIdentities does not, may I know where you find it outdated or not working so I may look into it? Thanks!
Hi @xinaxu
Below is the particular log from Application Insights. The line of interest is "Unable to cast object of type 'Microsoft.Cpim.Data.UserIdentity' to type 'System.String'."
The documentation states that the transformations return JSON as a string; however, the user identity path seems to return an instance of a UserIdentity.
I have redacted tenant and user-specific data.
@xinaxu please find attached my policy file with some changes as suggested in this post.
TRUSTFRAMEWORKBASE.xml.txt
@iamkoch Could you try adding the below to the metadata of that technical profile? <Item Key="api-version">1.6</Item>
UserIdentity is only supported by the 1.6 API version, which is more consistent with what AAD Graph has documented. If not using the 1.6 api-version, then AlternativeSecurityId should be used.
@xinaxu Adding that key worked for me. I added it to both the AAD-Common and AAD-UserReadUsingObjectId technical profiles. For whatever reason, I had ApiVersion instead of api-version as the key. This should be updated in the MSFT docs, and I could find the places where that is the case.
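The two mistakes this thread ends up fixing (a claim whose DataType belongs to the other identity family than the transformation that references it, and a metadata key spelled ApiVersion where api-version is expected) are both visible in the policy XML before upload. The following linter is an added example, not code from the thread or the repository; it uses the standard B2C policy namespace, and the sample policy is constructed from the snippet quoted earlier in the thread plus a technical profile with the misspelled key.

```python
"""Lint an Azure AD B2C custom policy for the two mistakes discussed in this thread."""
import xml.etree.ElementTree as ET

NS = {"cpim": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}
IDENTITY_FAMILIES = ("alternativesecurityid", "useridentity")


def family_of(name: str):
    # Map a TransformationMethod or DataType to its identity family; None for plain strings.
    low = name.lower()
    return next((f for f in IDENTITY_FAMILIES if f in low), None)


def lint_policy(xml_text: str) -> list:
    """Return one finding per problem; an empty list means both checks passed."""
    root = ET.fromstring(xml_text)
    findings = []
    declared = {ct.get("Id"): ct.findtext("cpim:DataType", default="", namespaces=NS)
                for ct in root.iterfind(".//cpim:ClaimType", NS)}
    # Check 1: every identity-typed claim a transformation references must be in the same
    # family as the method. String inputs such as "key" have no family and are skipped.
    for tx in root.iterfind(".//cpim:ClaimsTransformation", NS):
        method = tx.get("TransformationMethod", "")
        if family_of(method) is None:
            continue
        for claim in tx.iter():
            ref = claim.get("ClaimTypeReferenceId")
            fam = family_of(declared.get(ref, "")) if ref else None
            if fam and fam != family_of(method):
                findings.append(f"{tx.get('Id')}: {method} references {ref} "
                                f"declared as {declared[ref]} (mixed families)")
    # Check 2: the metadata key must be spelled 'api-version'; 'ApiVersion' is not honoured.
    for tp in root.iterfind(".//cpim:TechnicalProfile", NS):
        for item in tp.iterfind("cpim:Metadata/cpim:Item", NS):
            key = item.get("Key", "")
            if key != "api-version" and key.replace("-", "").lower() == "apiversion":
                findings.append(f"{tp.get('Id')}: metadata key {key!r} should be 'api-version'")
    return findings


# Constructed sample: the claim/transformation pair quoted in the thread plus a
# technical profile whose api-version metadata key is misspelled.
SAMPLE_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
<BuildingBlocks><ClaimsSchema>
 <ClaimType Id="issuerUserId"><DataType>string</DataType></ClaimType>
 <ClaimType Id="identityProvider"><DataType>string</DataType></ClaimType>
 <ClaimType Id="alternativeSecurityId"><DataType>userIdentity</DataType></ClaimType>
</ClaimsSchema><ClaimsTransformations>
 <ClaimsTransformation Id="CreateUserIdentity" TransformationMethod="CreateAlternativeSecurityId">
  <InputClaims><InputClaim ClaimTypeReferenceId="issuerUserId" TransformationClaimType="key"/>
  <InputClaim ClaimTypeReferenceId="identityProvider" TransformationClaimType="identityProvider"/></InputClaims>
  <OutputClaims><OutputClaim ClaimTypeReferenceId="alternativeSecurityId" TransformationClaimType="alternativeSecurityId"/></OutputClaims>
 </ClaimsTransformation>
</ClaimsTransformations></BuildingBlocks>
<ClaimsProviders><ClaimsProvider><TechnicalProfiles>
 <TechnicalProfile Id="AAD-Common"><Metadata><Item Key="ApiVersion">1.6</Item></Metadata></TechnicalProfile>
</TechnicalProfiles></ClaimsProvider></ClaimsProviders>
</TrustFrameworkPolicy>"""
```

Running lint_policy(SAMPLE_POLICY) reports both problems; fixing the DataType to alternativeSecurityId and the key to api-version returns an empty list.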
@seantleonard I see your confusion. We will update the samples.
@xinaxu Adding that key worked for me also. I replaced ApiVersion with api-version everywhere I had it. Thanks for the help provided.
Hi, as of today should we use userIdentities or alternativeSecurityIds?