Creating an approval journey with Azure AD B2C
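<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!--
  Azure AD B2C custom policy B2C_1A_MagicLink (the "approval journey").
  The relying party runs MagicLink-Approve: it reads the caller's claims from an
  inbound id_token_hint, writes a local account from those claims, then issues a
  token. It inherits everything else from B2C_1A_TrustFrameworkExtensions.

  DeploymentMode="Development" returns verbose error detail to the client and, with
  UserJourneyRecorderEndpoint, streams journey state to Application Insights. Both
  are debugging aids: set DeploymentMode to "Production" and drop the recorder
  endpoint before this policy is published to a live tenant.
-->
<TrustFrameworkPolicy
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
    PolicySchemaVersion="0.3.0.0"
    TenantId="yourtenant.onmicrosoft.com"
    PolicyId="B2C_1A_MagicLink"
    PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_MagicLink"
    DeploymentMode="Development"
    UserJourneyRecorderEndpoint="urn:journeyrecorder:applicationinsights">
  <BasePolicy>
    <TenantId>yourtenant.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
  </BasePolicy>
  <BuildingBlocks>
    <ClaimsSchema>
      <!-- Email the user can use as a second factor. -->
      <ClaimType Id="strongAuthenticationEmailAddress">
        <DisplayName>Email Address</DisplayName>
        <DataType>string</DataType>
        <AdminHelpText>Email address that the user can use for strong authentication.</AdminHelpText>
        <UserHelpText>Email address to use for strong authentication.</UserHelpText>
        <UserInputType>TextBox</UserInputType>
      </ClaimType>
      <!-- Email the user signs in with (local account logon name). -->
      <ClaimType Id="signInNamesInfo.emailAddress">
        <DisplayName>Email Address</DisplayName>
        <DataType>string</DataType>
        <AdminHelpText>Email address that the user can use to sign in.</AdminHelpText>
        <UserHelpText>Email address to use for signing in.</UserHelpText>
        <UserInputType>TextBox</UserInputType>
      </ClaimType>
      <!-- Aggregate of every email known for the user; filled by the two transformations below. -->
      <ClaimType Id="emails">
        <DisplayName>Email Addresses</DisplayName>
        <DataType>stringCollection</DataType>
        <AdminHelpText>Email addresses of the user.</AdminHelpText>
        <UserHelpText>Your email addresses.</UserHelpText>
      </ClaimType>
      <!-- Free-text reason supplied by the approver; arrives in the id_token_hint and is echoed in the issued token. -->
      <ClaimType Id="extension_Reason">
        <DisplayName>Approval reason</DisplayName>
        <DataType>string</DataType>
      </ClaimType>
    </ClaimsSchema>
    <ClaimsTransformations>
      <!-- emails = otherMails + signInNamesInfo.emailAddress -->
      <ClaimsTransformation Id="CreateEmailsFromOtherMailsAndSignInNamesInfo" TransformationMethod="AddItemToStringCollection">
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="signInNamesInfo.emailAddress" TransformationClaimType="item"/>
          <InputClaim ClaimTypeReferenceId="otherMails" TransformationClaimType="collection"/>
        </InputClaims>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="emails" TransformationClaimType="collection"/>
        </OutputClaims>
      </ClaimsTransformation>
      <!-- emails += strongAuthenticationEmailAddress (run after the transformation above). -->
      <ClaimsTransformation Id="AddStrongAuthenticationEmailToEmails" TransformationMethod="AddItemToStringCollection">
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress" TransformationClaimType="item"/>
          <InputClaim ClaimTypeReferenceId="emails" TransformationClaimType="collection"/>
        </InputClaims>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="emails" TransformationClaimType="collection"/>
        </OutputClaims>
      </ClaimsTransformation>
    </ClaimsTransformations>
  </BuildingBlocks>
  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Local Account Username</DisplayName>
      <TechnicalProfiles>
        <!--
          Reads the signed-in user's directory record and aggregates their known
          email addresses into "emails". RaiseErrorIfClaimsPrincipalDoesNotExist
          makes the step fail for an unknown principal instead of continuing with
          empty claims. Not referenced by MagicLink-Approve in this file;
          presumably used by the companion sign-up/sign-in policy (verify).
        -->
        <TechnicalProfile Id="AAD-ReadCommon">
          <Metadata>
            <Item Key="Operation">Read</Item>
            <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
          </Metadata>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="userPrincipalName"/>
            <OutputClaim ClaimTypeReferenceId="displayName"/>
            <!-- <OutputClaim ClaimTypeReferenceId="mail"/> -->
            <OutputClaim ClaimTypeReferenceId="otherMails"/>
            <!-- <OutputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress" PartnerClaimType="signInNames.emailAddress"/> -->
          </OutputClaims>
          <OutputClaimsTransformations>
            <OutputClaimsTransformation ReferenceId="CreateEmailsFromOtherMailsAndSignInNamesInfo"/>
            <OutputClaimsTransformation ReferenceId="AddStrongAuthenticationEmailToEmails"/>
          </OutputClaimsTransformations>
          <IncludeTechnicalProfile ReferenceId="AAD-Common"/>
        </TechnicalProfile>
        <!--
          Trust boundary of the approval flow. Validates the inbound id_token_hint
          against the signing keys published at METADATA and checks its audience
          and issuer, then exposes the token's claims to the journey. Every claim
          written to the directory in step 2 of MagicLink-Approve originates here,
          so the three metadata values below must be replaced with the exact
          values of the issuing policy and application; a token that does not
          match all of them must be rejected, not relaxed around.
        -->
        <TechnicalProfile Id="IdTokenHint_Asymmetric_ExtractClaims">
          <DisplayName>My ID Token Hint Asymmetric Technical Profile</DisplayName>
          <Protocol Name="None"/>
          <Metadata>
            <!-- Replace with your endpoint location. Kept on one line: whitespace inside the element is part of the value. -->
            <Item Key="METADATA">https://yourtenant.b2clogin.com/yourtenant.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1A_MLB2C_SUSI</Item>
            <!-- Placeholder (redacted) client id of the application the hint is issued to. -->
            <Item Key="IdTokenAudience">e00...a70</Item>
            <!-- Placeholder; must equal the "iss" value of the tokens produced by the issuing policy. -->
            <Item Key="issuer">yourtenant.onmicrosoft.com</Item>
          </Metadata>
          <OutputClaims>
            <!-- Note. If you change this, also change in RP!!! -->
            <OutputClaim ClaimTypeReferenceId="displayName"/>
            <OutputClaim ClaimTypeReferenceId="givenName"/>
            <!-- TODO confirm: referenced as "surName" here but as "surname" in the RP OutputClaims. Claim ids are case-sensitive and the starter pack defines "surname". -->
            <OutputClaim ClaimTypeReferenceId="surName"/>
            <OutputClaim ClaimTypeReferenceId="email"/>
            <OutputClaim ClaimTypeReferenceId="extension_Reason"/>
          </OutputClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
  <UserJourneys>
    <!--
      MagicLink-Approve:
        1. read the approver-supplied claims from the id_token_hint,
        2. write a local account using the logon email taken from those claims,
        3. issue the token.
      The account is created from the hint alone; its trustworthiness is
      exactly that of the validation in IdTokenHint_Asymmetric_ExtractClaims.
    -->
    <UserJourney Id="MagicLink-Approve">
      <OrchestrationSteps>
        <OrchestrationStep Order="1" Type="GetClaims" CpimIssuerTechnicalProfileReferenceId="IdTokenHint_Asymmetric_ExtractClaims"/>
        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="UserWriteUsingLogonEmail" TechnicalProfileReferenceId="AAD-UserWriteUsingLogonEmail"/>
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- This is where you would call a REST API to use a magic link to reset the user password in B2C -->
        <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/>
      </OrchestrationSteps>
      <ClientDefinition ReferenceId="DefaultWeb"/>
    </UserJourney>
  </UserJourneys>
  <RelyingParty>
    <DefaultUserJourney ReferenceId="MagicLink-Approve"/>
    <UserJourneyBehaviors>
      <SingleSignOn Scope="Tenant"/>
      <!--
        DeveloperMode="true" sends telemetry (including claim values) to
        Application Insights immediately. Set it to false, or remove
        JourneyInsights, before production use. InstrumentationKey is redacted.
      -->
      <JourneyInsights TelemetryEngine="ApplicationInsights" InstrumentationKey="410...5d0" DeveloperMode="true" ClientEnabled="false" ServerEnabled="true" TelemetryVersion="1.0.0"/>
      <!-- <ScriptExecution>Allow</ScriptExecution> -->
    </UserJourneyBehaviors>
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect"/>
      <!-- Claims accepted from the request's id_token_hint; must mirror the OutputClaims of IdTokenHint_Asymmetric_ExtractClaims. -->
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="displayName"/>
        <InputClaim ClaimTypeReferenceId="givenName"/>
        <!-- TODO confirm: "surName" vs "surname" in the OutputClaims below. -->
        <InputClaim ClaimTypeReferenceId="surName"/>
        <InputClaim ClaimTypeReferenceId="email"/>
        <InputClaim ClaimTypeReferenceId="extension_Reason"/>
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="displayName"/>
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="givenname"/>
        <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="surname"/>
        <OutputClaim ClaimTypeReferenceId="email"/>
        <OutputClaim ClaimTypeReferenceId="extension_Reason"/>
        <!--
          "sub" is taken from objectId. The DefaultValue is a debugging aid only:
          if AAD-UserWriteUsingLogonEmail does not populate objectId, every
          issued token would carry the same fixed subject "123456". Remove the
          default (or fail the journey) once the write step is confirmed to
          return objectId.
        -->
        <OutputClaim ClaimTypeReferenceId="objectId" DefaultValue="123456" PartnerClaimType="sub"/>
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="Local"/>
        <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}"/>
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub"/>
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>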
https://medium.com/the-new-control-plane/creating-an-approval-journey-with-azure-ad-b2c-b9e6d606e648