rbrayb/B2C-SAML - Medium.xml

## B2C-SAML - Medium.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TrustFrameworkPolicy
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0"
  TenantId="yourtenant.onmicrosoft.com"
  PolicyId="B2C_1A_SAML2_signup_signin"
  PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_SAML2_signup_signin">

  <BasePolicy>
    <TenantId>yourtenant.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensionsSAMLTest</PolicyId>
  </BasePolicy>

 <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Token Issuer</DisplayName>
      <TechnicalProfiles>
        <!-- Sample: SAML Token Issuer technical profile -->
        <TechnicalProfile Id="Saml2AssertionIssuer">
          <DisplayName>Token Issuer</DisplayName>
          <Protocol Name="None" />
          <OutputTokenFormat>SAML2</OutputTokenFormat>
          <Metadata>
            <!-- Action required: make sure value is the same one as configured in the relaying party application-->
            <Item Key="IssuerUri">https://yourtenant.b2clogin.com/yourtenant.onmicrosoft.com/B2C_1A_SAML2_signup_signin</Item>
          </Metadata>
          <CryptographicKeys>
            <!--Action required: Create your own certificate and set the name -->
            <Key Id="MetadataSigning" StorageReferenceId="B2C_1A_SamlRpCert" />
            <Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_SamlRpCert" />
            <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SamlRpCert" />
          </CryptographicKeys>
          <InputClaims/>
          <OutputClaims/>
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml" />
        </TechnicalProfile>

        <!-- Session management technical profile for SAML based tokens -->
        <TechnicalProfile Id="SM-Saml">
          <DisplayName>Session Management Provider</DisplayName>
          <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>

  </ClaimsProviders>

  <UserJourneys>
      <UserJourney Id="SignUpOrSigninSAML">
      <OrchestrationSteps>

        <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
          <ClaimsProviderSelections>
            <ClaimsProviderSelection TargetClaimsExchangeId="FacebookExchange" />
            <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
          </ClaimsProviderSelections>
          <ClaimsExchanges>
            <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <!-- Check if the user has selected to sign in using one of the social providers -->
        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>objectId</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="FacebookExchange" TechnicalProfileReferenceId="Facebook-OAUTH" />
            <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <!-- For social IDP authentication, attempt to find the user account in the directory. -->
        <OrchestrationStep Order="3" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>authenticationSource</Value>
              <Value>localAccountAuthentication</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <!-- Show self-asserted page only if the directory does not have the user account already (i.e. we do not have an objectId).
          This can only happen when authentication happened using a social IDP. If local account was created or authentication done
          using ESTS in step 2, then an user account must exist in the directory by this time. -->
        <OrchestrationStep Order="4" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>objectId</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent
          in the token. -->
        <OrchestrationStep Order="5" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>authenticationSource</Value>
              <Value>socialIdpAuthentication</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- The previous step (SelfAsserted-Social) could have been skipped if there were no attributes to collect
             from the user. So, in that case, create the user in the directory if one does not already exist
             (verified using objectId which would be set from the last step if account was created in the directory. -->
        <OrchestrationStep Order="6" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>objectId</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <!-- Smaple: SAML issuer technical profile -->
        <OrchestrationStep Order="7" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="Saml2AssertionIssuer" />

      </OrchestrationSteps>
      <ClientDefinition ReferenceId="DefaultWeb" />
    </UserJourney>

  </UserJourneys>


  <RelyingParty>
    <DefaultUserJourney ReferenceId="SignUpOrSigninSAML" />

    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="SAML2"/>
      <Metadata>
        <!--Action required: Set the value PartnerEntity to URL of SP metadata or
          embed the metadata directly, using <![CDATA[]]>-->
        <Item Key="PartnerEntity">https://samltestapp2.azurewebsites.net/Metadata</Item>
      </Metadata>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="givenName" />
        <OutputClaim ClaimTypeReferenceId="surname" />
        <OutputClaim ClaimTypeReferenceId="email" DefaultValue="" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="" />
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="objectId"/>
      </OutputClaims>
      <SubjectNamingInfo ClaimType="objectId" ExcludeAsClaim="true"/>
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>

## TrustFrameworkExtensionsSAMLTest - Medium.xml
<?xml version="1.0" encoding="utf-8" ?>
<TrustFrameworkPolicy
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0"
  TenantId="yourtenant.onmicrosoft.com"
  PolicyId="B2C_1A_TrustFrameworkExtensionsSAMLTest"
  PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkExtensionsSAMLTest">

  <BasePolicy>
    <TenantId>yourtenant.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkBaseSAMLTest</PolicyId>
  </BasePolicy>
 <BuildingBlocks>

  </BuildingBlocks>

  <ClaimsProviders>

    <ClaimsProvider>
      <DisplayName>Facebook</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="Facebook-OAUTH">
          <Metadata>
            <Item Key="client_id">123456</Item>
            <Item Key="scope">email public_profile</Item>
            <Item Key="ClaimsEndpoint">https://graph.facebook.com/me?fields=id,first_name,last_name,name,email</Item>
          </Metadata>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>


    <ClaimsProvider>
      <DisplayName>Local Account SignIn</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="login-NonInteractive">
          <Metadata>
            <Item Key="client_id">ProxyIdentityExperienceFrameworkAppId</Item>
            <Item Key="IdTokenAudience">IdentityExperienceFrameworkAppId</Item>
          </Metadata>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="ProxyIdentityExperienceFrameworkAppId" />
            <InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="IdentityExperienceFrameworkAppId" />
          </InputClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>

  </ClaimsProviders>

    <!--UserJourneys>

	</UserJourneys-->

</TrustFrameworkPolicy>
	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
	<TrustFrameworkPolicy
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0"
	TenantId="yourtenant.onmicrosoft.com"
	PolicyId="B2C_1A_SAML2_signup_signin"
	PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_SAML2_signup_signin">

	<BasePolicy>
	<TenantId>yourtenant.onmicrosoft.com</TenantId>
	<PolicyId>B2C_1A_TrustFrameworkExtensionsSAMLTest</PolicyId>
	</BasePolicy>

	<ClaimsProviders>
	<ClaimsProvider>
	<DisplayName>Token Issuer</DisplayName>
	<TechnicalProfiles>
	<!-- Sample: SAML Token Issuer technical profile -->
	<TechnicalProfile Id="Saml2AssertionIssuer">
	<DisplayName>Token Issuer</DisplayName>
	<Protocol Name="None" />
	<OutputTokenFormat>SAML2</OutputTokenFormat>
	<Metadata>
	<!-- Action required: make sure value is the same one as configured in the relaying party application-->
	<Item Key="IssuerUri">https://yourtenant.b2clogin.com/yourtenant.onmicrosoft.com/B2C_1A_SAML2_signup_signin</Item>
	</Metadata>
	<CryptographicKeys>
	<!--Action required: Create your own certificate and set the name -->
	<Key Id="MetadataSigning" StorageReferenceId="B2C_1A_SamlRpCert" />
	<Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_SamlRpCert" />
	<Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SamlRpCert" />
	</CryptographicKeys>
	<InputClaims/>
	<OutputClaims/>
	<UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml" />
	</TechnicalProfile>

	<!-- Session management technical profile for SAML based tokens -->
	<TechnicalProfile Id="SM-Saml">
	<DisplayName>Session Management Provider</DisplayName>
	<Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
	</TechnicalProfile>
	</TechnicalProfiles>
	</ClaimsProvider>

	</ClaimsProviders>

	<UserJourneys>
	<UserJourney Id="SignUpOrSigninSAML">
	<OrchestrationSteps>

	<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
	<ClaimsProviderSelections>
	<ClaimsProviderSelection TargetClaimsExchangeId="FacebookExchange" />
	<ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
	</ClaimsProviderSelections>
	<ClaimsExchanges>
	<ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
	</ClaimsExchanges>
	</OrchestrationStep>

	<!-- Check if the user has selected to sign in using one of the social providers -->
	<OrchestrationStep Order="2" Type="ClaimsExchange">
	<Preconditions>
	<Precondition Type="ClaimsExist" ExecuteActionsIf="true">
	<Value>objectId</Value>
	<Action>SkipThisOrchestrationStep</Action>
	</Precondition>
	</Preconditions>
	<ClaimsExchanges>
	<ClaimsExchange Id="FacebookExchange" TechnicalProfileReferenceId="Facebook-OAUTH" />
	<ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
	</ClaimsExchanges>
	</OrchestrationStep>

	<!-- For social IDP authentication, attempt to find the user account in the directory. -->
	<OrchestrationStep Order="3" Type="ClaimsExchange">
	<Preconditions>
	<Precondition Type="ClaimEquals" ExecuteActionsIf="true">
	<Value>authenticationSource</Value>
	<Value>localAccountAuthentication</Value>
	<Action>SkipThisOrchestrationStep</Action>
	</Precondition>
	</Preconditions>
	<ClaimsExchanges>
	<ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />
	</ClaimsExchanges>
	</OrchestrationStep>

	<!-- Show self-asserted page only if the directory does not have the user account already (i.e. we do not have an objectId).
	This can only happen when authentication happened using a social IDP. If local account was created or authentication done
	using ESTS in step 2, then an user account must exist in the directory by this time. -->
	<OrchestrationStep Order="4" Type="ClaimsExchange">
	<Preconditions>
	<Precondition Type="ClaimsExist" ExecuteActionsIf="true">
	<Value>objectId</Value>
	<Action>SkipThisOrchestrationStep</Action>
	</Precondition>
	</Preconditions>
	<ClaimsExchanges>
	<ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social" />
	</ClaimsExchanges>
	</OrchestrationStep>

	<!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent
	in the token. -->
	<OrchestrationStep Order="5" Type="ClaimsExchange">
	<Preconditions>
	<Precondition Type="ClaimEquals" ExecuteActionsIf="true">
	<Value>authenticationSource</Value>
	<Value>socialIdpAuthentication</Value>
	<Action>SkipThisOrchestrationStep</Action>
	</Precondition>
	</Preconditions>
	<ClaimsExchanges>
	<ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
	</ClaimsExchanges>
	</OrchestrationStep>
	<!-- The previous step (SelfAsserted-Social) could have been skipped if there were no attributes to collect
	from the user. So, in that case, create the user in the directory if one does not already exist
	(verified using objectId which would be set from the last step if account was created in the directory. -->
	<OrchestrationStep Order="6" Type="ClaimsExchange">
	<Preconditions>
	<Precondition Type="ClaimsExist" ExecuteActionsIf="true">
	<Value>objectId</Value>
	<Action>SkipThisOrchestrationStep</Action>
	</Precondition>
	</Preconditions>
	<ClaimsExchanges>
	<ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
	</ClaimsExchanges>
	</OrchestrationStep>

	<!-- Smaple: SAML issuer technical profile -->
	<OrchestrationStep Order="7" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="Saml2AssertionIssuer" />

	</OrchestrationSteps>
	<ClientDefinition ReferenceId="DefaultWeb" />
	</UserJourney>

	</UserJourneys>


	<RelyingParty>
	<DefaultUserJourney ReferenceId="SignUpOrSigninSAML" />

	<TechnicalProfile Id="PolicyProfile">
	<DisplayName>PolicyProfile</DisplayName>
	<Protocol Name="SAML2"/>
	<Metadata>
	<!--Action required: Set the value PartnerEntity to URL of SP metadata or
	embed the metadata directly, using <![CDATA[]]>-->
	<Item Key="PartnerEntity">https://samltestapp2.azurewebsites.net/Metadata</Item>
	</Metadata>
	<OutputClaims>
	<OutputClaim ClaimTypeReferenceId="displayName" />
	<OutputClaim ClaimTypeReferenceId="givenName" />
	<OutputClaim ClaimTypeReferenceId="surname" />
	<OutputClaim ClaimTypeReferenceId="email" DefaultValue="" />
	<OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="" />
	<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="objectId"/>
	</OutputClaims>
	<SubjectNamingInfo ClaimType="objectId" ExcludeAsClaim="true"/>
	</TechnicalProfile>
	</RelyingParty>
	</TrustFrameworkPolicy>
	<?xml version="1.0" encoding="utf-8" ?>
	<TrustFrameworkPolicy
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:xsd="http://www.w3.org/2001/XMLSchema"
	xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
	PolicySchemaVersion="0.3.0.0"
	TenantId="yourtenant.onmicrosoft.com"
	PolicyId="B2C_1A_TrustFrameworkExtensionsSAMLTest"
	PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkExtensionsSAMLTest">

	<BasePolicy>
	<TenantId>yourtenant.onmicrosoft.com</TenantId>
	<PolicyId>B2C_1A_TrustFrameworkBaseSAMLTest</PolicyId>
	</BasePolicy>
	<BuildingBlocks>

	</BuildingBlocks>

	<ClaimsProviders>

	<ClaimsProvider>
	<DisplayName>Facebook</DisplayName>
	<TechnicalProfiles>
	<TechnicalProfile Id="Facebook-OAUTH">
	<Metadata>
	<Item Key="client_id">123456</Item>
	<Item Key="scope">email public_profile</Item>
	<Item Key="ClaimsEndpoint">https://graph.facebook.com/me?fields=id,first_name,last_name,name,email</Item>
	</Metadata>
	</TechnicalProfile>
	</TechnicalProfiles>
	</ClaimsProvider>


	<ClaimsProvider>
	<DisplayName>Local Account SignIn</DisplayName>
	<TechnicalProfiles>
	<TechnicalProfile Id="login-NonInteractive">
	<Metadata>
	<Item Key="client_id">ProxyIdentityExperienceFrameworkAppId</Item>
	<Item Key="IdTokenAudience">IdentityExperienceFrameworkAppId</Item>
	</Metadata>
	<InputClaims>
	<InputClaim ClaimTypeReferenceId="client_id" DefaultValue="ProxyIdentityExperienceFrameworkAppId" />
	<InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="IdentityExperienceFrameworkAppId" />
	</InputClaims>
	</TechnicalProfile>
	</TechnicalProfiles>
	</ClaimsProvider>

	</ClaimsProviders>

	<!--UserJourneys>

	</UserJourneys-->

	</TrustFrameworkPolicy>