Last active
April 4, 2023 13:02
-
-
Save rbrayb/453bca28b74d5d51214dbbdc3d4446cc to your computer and use it in GitHub Desktop.
B2C exercises
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
| xmlns:xsd="http://www.w3.org/2001/XMLSchema" | |
| xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" | |
| PolicySchemaVersion="0.3.0.0" | |
| TenantId="tenant.onmicrosoft.com" | |
| PolicyId="B2C_1A_MediumB2C_ExerciseExtensions" | |
| PublicPolicyUri="http://tenant.onmicrosoft.com/B2C_1A_MediumB2C_ExerciseExtensions"> | |
| <!-- Exercise 1 --> | |
| <BasePolicy> | |
| <TenantId>tenant.onmicrosoft.com</TenantId> | |
| <PolicyId>B2C_1A_MediumB2C_TrustFrameworkExtensions</PolicyId> | |
| </BasePolicy> | |
| <BuildingBlocks> | |
| </BuildingBlocks> | |
| <ClaimsProviders> | |
| <ClaimsProvider> | |
| <DisplayName>For exercises</DisplayName> | |
| <TechnicalProfiles> | |
| <TechnicalProfile Id="AAD-UserReadUsingObjectId"> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="accountEnabled"/> | |
| </OutputClaims> | |
| </TechnicalProfile> | |
| </TechnicalProfiles> | |
| </ClaimsProvider> | |
| </ClaimsProviders> | |
| </TrustFrameworkPolicy> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
| xmlns:xsd="http://www.w3.org/2001/XMLSchema" | |
| xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" | |
| PolicySchemaVersion="0.3.0.0" | |
| TenantId="tenant.onmicrosoft.com" | |
| PolicyId="B2C_1A_MediumB2C_ExerciseExtensions" | |
| PublicPolicyUri="http://tenant.onmicrosoft.com/B2C_1A_MediumB2C_ExerciseExtensions"> | |
| <!-- Exercise 2 --> | |
| <BasePolicy> | |
| <TenantId>tenant.onmicrosoft.com</TenantId> | |
| <PolicyId>B2C_1A_MediumB2C_TrustFrameworkExtensions</PolicyId> | |
| </BasePolicy> | |
| <BuildingBlocks> | |
| <ClaimsSchema> | |
| <ClaimType Id="dummy"> | |
| <DataType>string</DataType> | |
| </ClaimType> | |
| </ClaimsSchema> | |
| </BuildingBlocks> | |
| <ClaimsProviders> | |
| <ClaimsProvider> | |
| <DisplayName>For exercises</DisplayName> | |
| <TechnicalProfiles> | |
| <TechnicalProfile Id="AAD-UserReadUsingObjectId"> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="accountEnabled"/> | |
| </OutputClaims> | |
| </TechnicalProfile> | |
| </TechnicalProfiles> | |
| </ClaimsProvider> | |
| </ClaimsProviders> | |
| <UserJourneys> | |
| <UserJourney Id="SignUpOrSignIn"> | |
| <OrchestrationSteps> | |
| <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin"> | |
| <ClaimsProviderSelections> | |
| <ClaimsProviderSelection TargetClaimsExchangeId="FacebookExchange"/> | |
| <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange"/> | |
| </ClaimsProviderSelections> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Check if the user has selected to sign in using one of the social providers --> | |
| <OrchestrationStep Order="2" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>objectId</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="FacebookExchange" TechnicalProfileReferenceId="Facebook-OAUTH"/> | |
| <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- For social IDP authentication, attempt to find the user account in the directory. --> | |
| <OrchestrationStep Order="3" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
| <Value>authenticationSource</Value> | |
| <Value>localAccountAuthentication</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Show self-asserted page only if the directory does not have the user account already (i.e. we do not have an objectId). | |
| This can only happen when authentication happened using a social IDP. If local account was created or authentication done | |
| using ESTS in step 2, then an user account must exist in the directory by this time. --> | |
| <OrchestrationStep Order="4" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>objectId</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent | |
| in the token. --> | |
| <OrchestrationStep Order="5" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
| <Value>authenticationSource</Value> | |
| <Value>socialIdpAuthentication</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- The previous step (SelfAsserted-Social) could have been skipped if there were no attributes to collect | |
| from the user. So, in that case, create the user in the directory if one does not already exist | |
| (verified using objectId which would be set from the last step if account was created in the directory. --> | |
| <OrchestrationStep Order="6" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>objectId</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Phone verification: If MFA is not required, the next three steps (#5-#7) should be removed. --> | |
| <!-- This step checks whether there's a phone number on record, for the user. If found, then the user is challenged to verify it. --> | |
| <OrchestrationStep Order="7" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="false"> | |
| <Value>dummy</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>isActiveMFASession</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Save MFA phone number: The precondition verifies whether the user provided a new number in the --> | |
| <!-- previous step. If so, then the phone number is stored in the directory for future authentication --> | |
| <!-- requests. --> | |
| <OrchestrationStep Order="8" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="false"> | |
| <Value>dummy</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="false"> | |
| <Value>newPhoneNumberEntered</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserWriteWithObjectId" TechnicalProfileReferenceId="AAD-UserWritePhoneNumberUsingObjectId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="9" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/> | |
| </OrchestrationSteps> | |
| <ClientDefinition ReferenceId="DefaultWeb"/> | |
| </UserJourney> | |
| </UserJourneys> | |
| </TrustFrameworkPolicy> | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8" standalone="yes"?> | |
| <TrustFrameworkPolicy | |
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
| xmlns:xsd="http://www.w3.org/2001/XMLSchema" | |
| xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" | |
| PolicySchemaVersion="0.3.0.0" | |
| TenantId="tenant.onmicrosoft.com" | |
| PolicyId="B2C_1A_MediumB2C_signup_signin" | |
| PublicPolicyUri="http://tenant.onmicrosoft.com/B2C_1A_MediumB2C_signup_signin"> | |
| <!-- Exercise 3 --> | |
| <BasePolicy> | |
| <TenantId>tenant.onmicrosoft.com</TenantId> | |
| <PolicyId>B2C_1A_MediumB2C_ExerciseExtensions</PolicyId> | |
| </BasePolicy> | |
| <RelyingParty> | |
| <DefaultUserJourney ReferenceId="SignUpOrSignInNoFacebookOrMFA" /> | |
| <TechnicalProfile Id="PolicyProfile"> | |
| <DisplayName>PolicyProfile</DisplayName> | |
| <Protocol Name="OpenIdConnect" /> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="displayName" /> | |
| <OutputClaim ClaimTypeReferenceId="givenName" /> | |
| <OutputClaim ClaimTypeReferenceId="surname" /> | |
| <OutputClaim ClaimTypeReferenceId="email" /> | |
| <OutputClaim ClaimTypeReferenceId="accountEnabled"/> | |
| <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/> | |
| <!-- <OutputClaim ClaimTypeReferenceId="identityProvider" /> --> | |
| <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" /> | |
| </OutputClaims> | |
| <SubjectNamingInfo ClaimType="sub" /> | |
| </TechnicalProfile> | |
| </RelyingParty> | |
| </TrustFrameworkPolicy> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
| xmlns:xsd="http://www.w3.org/2001/XMLSchema" | |
| xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" | |
| PolicySchemaVersion="0.3.0.0" | |
| TenantId="tenant.onmicrosoft.com" | |
| PolicyId="B2C_1A_MediumB2C_ExerciseExtensions" | |
| PublicPolicyUri="http://tenant.onmicrosoft.com/B2C_1A_MediumB2C_ExerciseExtensions"> | |
| <!-- Exercise 3 --> | |
| <BasePolicy> | |
| <TenantId>tenant.onmicrosoft.com</TenantId> | |
| <PolicyId>B2C_1A_MediumB2C_TrustFrameworkExtensions</PolicyId> | |
| </BasePolicy> | |
| <BuildingBlocks> | |
| <ClaimsSchema> | |
| <ClaimType Id="dummy"> | |
| <DataType>string</DataType> | |
| </ClaimType> | |
| </ClaimsSchema> | |
| </BuildingBlocks> | |
| <ClaimsProviders> | |
| <ClaimsProvider> | |
| <DisplayName>For exercises</DisplayName> | |
| <TechnicalProfiles> | |
| <TechnicalProfile Id="AAD-UserReadUsingObjectId"> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="accountEnabled"/> | |
| </OutputClaims> | |
| </TechnicalProfile> | |
| </TechnicalProfiles> | |
| </ClaimsProvider> | |
| </ClaimsProviders> | |
| <UserJourneys> | |
| <UserJourney Id="SignUpOrSignIn"> | |
| <OrchestrationSteps> | |
| <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin"> | |
| <ClaimsProviderSelections> | |
| <!-- <ClaimsProviderSelection TargetClaimsExchangeId="FacebookExchange"/> --> | |
| <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange"/> | |
| </ClaimsProviderSelections> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Check if the user has selected to sign in using one of the social providers --> | |
| <OrchestrationStep Order="2" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>objectId</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <!-- <ClaimsExchange Id="FacebookExchange" TechnicalProfileReferenceId="Facebook-OAUTH"/> --> | |
| <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- For social IDP authentication, attempt to find the user account in the directory. --> | |
| <OrchestrationStep Order="3" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
| <Value>authenticationSource</Value> | |
| <Value>localAccountAuthentication</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Show self-asserted page only if the directory does not have the user account already (i.e. we do not have an objectId). | |
| This can only happen when authentication happened using a social IDP. If local account was created or authentication done | |
| using ESTS in step 2, then an user account must exist in the directory by this time. --> | |
| <OrchestrationStep Order="4" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>objectId</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent | |
| in the token. --> | |
| <OrchestrationStep Order="5" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
| <Value>authenticationSource</Value> | |
| <Value>socialIdpAuthentication</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- The previous step (SelfAsserted-Social) could have been skipped if there were no attributes to collect | |
| from the user. So, in that case, create the user in the directory if one does not already exist | |
| (verified using objectId which would be set from the last step if account was created in the directory. --> | |
| <OrchestrationStep Order="6" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>objectId</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Phone verification: If MFA is not required, the next three steps (#5-#7) should be removed. --> | |
| <!-- This step checks whether there's a phone number on record, for the user. If found, then the user is challenged to verify it. --> | |
| <OrchestrationStep Order="7" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="false"> | |
| <Value>dummy</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>isActiveMFASession</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Save MFA phone number: The precondition verifies whether the user provided a new number in the --> | |
| <!-- previous step. If so, then the phone number is stored in the directory for future authentication --> | |
| <!-- requests. --> | |
| <OrchestrationStep Order="8" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="false"> | |
| <Value>dummy</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="false"> | |
| <Value>newPhoneNumberEntered</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserWriteWithObjectId" TechnicalProfileReferenceId="AAD-UserWritePhoneNumberUsingObjectId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="9" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/> | |
| </OrchestrationSteps> | |
| <ClientDefinition ReferenceId="DefaultWeb"/> | |
| </UserJourney> | |
| <UserJourney Id="SignUpOrSignInNoFacebookOrMFA"> | |
| <OrchestrationSteps> | |
| <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin"> | |
| <ClaimsProviderSelections> | |
| <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange"/> | |
| </ClaimsProviderSelections> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Check if the user has selected to sign in using one of the social providers --> | |
| <OrchestrationStep Order="2" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>objectId</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent | |
| in the token. --> | |
| <OrchestrationStep Order="3" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
| <Value>authenticationSource</Value> | |
| <Value>socialIdpAuthentication</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/> | |
| </OrchestrationSteps> | |
| </UserJourney> | |
| </UserJourneys> | |
| </TrustFrameworkPolicy> | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
| xmlns:xsd="http://www.w3.org/2001/XMLSchema" | |
| xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" | |
| PolicySchemaVersion="0.3.0.0" | |
| TenantId="tenant.onmicrosoft.com" | |
| PolicyId="B2C_1A_MediumB2C_ExerciseExtensions" | |
| PublicPolicyUri="http://tenant.onmicrosoft.com/B2C_1A_MediumB2C_ExerciseExtensions"> | |
| <!-- Exercise 4 --> | |
| <BasePolicy> | |
| <TenantId>tenant.onmicrosoft.com</TenantId> | |
| <PolicyId>B2C_1A_MediumB2C_TrustFrameworkExtensions</PolicyId> | |
| </BasePolicy> | |
| <BuildingBlocks> | |
| <ClaimsSchema> | |
| <ClaimType Id="dummy"> | |
| <DataType>string</DataType> | |
| </ClaimType> | |
| <ClaimType Id="extension_accountNumber"> | |
| <DisplayName>Your account number</DisplayName> | |
| <DataType>string</DataType> | |
| <UserHelpText>Your account number.</UserHelpText> | |
| <UserInputType>TextBox</UserInputType> | |
| </ClaimType> | |
| </ClaimsSchema> | |
| </BuildingBlocks> | |
| <ClaimsProviders> | |
| <ClaimsProvider> | |
| <DisplayName>For exercises</DisplayName> | |
| <TechnicalProfiles> | |
| <TechnicalProfile Id="AAD-UserReadUsingObjectId"> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="accountEnabled"/> | |
| <OutputClaim ClaimTypeReferenceId="extension_accountNumber"/> | |
| </OutputClaims> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="LocalAccountSignUpWithLogonEmail"> | |
| <DisplayName>Email signup</DisplayName> | |
| <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/> | |
| <Metadata> | |
| <Item Key="EnforceEmailVerification">false</Item> | |
| </Metadata> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true"/> | |
| <OutputClaim ClaimTypeReferenceId="newPassword" Required="true"/> | |
| <OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true"/> | |
| <!-- Optional claims, to be collected from the user --> | |
| <OutputClaim ClaimTypeReferenceId="displayName"/> | |
| <OutputClaim ClaimTypeReferenceId="givenName"/> | |
| <OutputClaim ClaimTypeReferenceId="surName"/> | |
| <OutputClaim ClaimTypeReferenceId="extension_accountNumber"/> | |
| </OutputClaims> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="AAD-UserWriteUsingLogonEmail"> | |
| <PersistedClaims> | |
| <PersistedClaim ClaimTypeReferenceId="extension_accountNumber"/> | |
| </PersistedClaims> | |
| </TechnicalProfile> | |
| </TechnicalProfiles> | |
| </ClaimsProvider> | |
| </ClaimsProviders> | |
| <UserJourneys> | |
| <UserJourney Id="SignUpOrSignIn"> | |
| <OrchestrationSteps> | |
| <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin"> | |
| <ClaimsProviderSelections> | |
| <!-- <ClaimsProviderSelection TargetClaimsExchangeId="FacebookExchange"/> --> | |
| <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange"/> | |
| </ClaimsProviderSelections> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Check if the user has selected to sign in using one of the social providers --> | |
| <OrchestrationStep Order="2" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>objectId</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <!-- <ClaimsExchange Id="FacebookExchange" TechnicalProfileReferenceId="Facebook-OAUTH"/> --> | |
| <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- For social IDP authentication, attempt to find the user account in the directory. --> | |
| <OrchestrationStep Order="3" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
| <Value>authenticationSource</Value> | |
| <Value>localAccountAuthentication</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Show self-asserted page only if the directory does not have the user account already (i.e. we do not have an objectId). | |
| This can only happen when authentication happened using a social IDP. If local account was created or authentication done | |
| using ESTS in step 2, then an user account must exist in the directory by this time. --> | |
| <OrchestrationStep Order="4" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>objectId</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent | |
| in the token. --> | |
| <OrchestrationStep Order="5" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
| <Value>authenticationSource</Value> | |
| <Value>socialIdpAuthentication</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- The previous step (SelfAsserted-Social) could have been skipped if there were no attributes to collect | |
| from the user. So, in that case, create the user in the directory if one does not already exist | |
| (verified using objectId which would be set from the last step if account was created in the directory. --> | |
| <OrchestrationStep Order="6" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>objectId</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Phone verification: If MFA is not required, the next three steps (#5-#7) should be removed. --> | |
| <!-- This step checks whether there's a phone number on record, for the user. If found, then the user is challenged to verify it. --> | |
| <OrchestrationStep Order="7" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="false"> | |
| <Value>dummy</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>isActiveMFASession</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Save MFA phone number: The precondition verifies whether the user provided a new number in the --> | |
| <!-- previous step. If so, then the phone number is stored in the directory for future authentication --> | |
| <!-- requests. --> | |
| <OrchestrationStep Order="8" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="false"> | |
| <Value>dummy</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="false"> | |
| <Value>newPhoneNumberEntered</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserWriteWithObjectId" TechnicalProfileReferenceId="AAD-UserWritePhoneNumberUsingObjectId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="9" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/> | |
| </OrchestrationSteps> | |
| <ClientDefinition ReferenceId="DefaultWeb"/> | |
| </UserJourney> | |
| <UserJourney Id="SignUpOrSignInNoFacebookOrMFA"> | |
| <OrchestrationSteps> | |
| <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin"> | |
| <ClaimsProviderSelections> | |
| <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange"/> | |
| </ClaimsProviderSelections> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Check if the user has selected to sign in using one of the social providers --> | |
| <OrchestrationStep Order="2" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>objectId</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent | |
| in the token. --> | |
| <OrchestrationStep Order="3" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
| <Value>authenticationSource</Value> | |
| <Value>socialIdpAuthentication</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/> | |
| </OrchestrationSteps> | |
| </UserJourney> | |
| </UserJourneys> | |
| </TrustFrameworkPolicy> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
| xmlns:xsd="http://www.w3.org/2001/XMLSchema" | |
| xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" | |
| PolicySchemaVersion="0.3.0.0" | |
| TenantId="tenant.onmicrosoft.com" | |
| PolicyId="B2C_1A_MediumB2C_ExerciseExtensions" | |
| PublicPolicyUri="http://tenant.onmicrosoft.com/B2C_1A_MediumB2C_ExerciseExtensions"> | |
| <!-- Exercise 5 --> | |
| <BasePolicy> | |
| <TenantId>tenant.onmicrosoft.com</TenantId> | |
| <PolicyId>B2C_1A_MediumB2C_TrustFrameworkExtensions</PolicyId> | |
| </BasePolicy> | |
| <BuildingBlocks> | |
| <ClaimsSchema> | |
| <ClaimType Id="dummy"> | |
| <DataType>string</DataType> | |
| </ClaimType> | |
| <ClaimType Id="extension_accountNumber"> | |
| <DisplayName>Your account number</DisplayName> | |
| <DataType>string</DataType> | |
| <UserHelpText>Your account number.</UserHelpText> | |
| <UserInputType>TextBox</UserInputType> | |
| </ClaimType> | |
| <ClaimType Id="signInName"> | |
| <Restriction> | |
| <Pattern RegularExpression="^[a-zA-Z0-9.+!#$%&'^_`{}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$" HelpText="Please enter a valid email address."/> | |
| </Restriction> | |
| </ClaimType> | |
| </ClaimsSchema> | |
| </BuildingBlocks> | |
| <ClaimsProviders> | |
| <ClaimsProvider> | |
| <DisplayName>For exercises</DisplayName> | |
| <TechnicalProfiles> | |
| <TechnicalProfile Id="AAD-UserReadUsingObjectId"> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="accountEnabled"/> | |
| <OutputClaim ClaimTypeReferenceId="extension_accountNumber"/> | |
| </OutputClaims> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="LocalAccountSignUpWithLogonEmail"> | |
| <DisplayName>Email signup</DisplayName> | |
| <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/> | |
| <Metadata> | |
| <Item Key="EnforceEmailVerification">false</Item> | |
| </Metadata> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true"/> | |
| <OutputClaim ClaimTypeReferenceId="newPassword" Required="true"/> | |
| <OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true"/> | |
| <!-- Optional claims, to be collected from the user --> | |
| <OutputClaim ClaimTypeReferenceId="displayName"/> | |
| <OutputClaim ClaimTypeReferenceId="givenName"/> | |
| <OutputClaim ClaimTypeReferenceId="surName"/> | |
| <OutputClaim ClaimTypeReferenceId="extension_accountNumber"/> | |
| </OutputClaims> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="AAD-UserWriteUsingLogonEmail"> | |
| <PersistedClaims> | |
| <PersistedClaim ClaimTypeReferenceId="extension_accountNumber"/> | |
| </PersistedClaims> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="SelfAsserted-ExtraPage"> | |
| <DisplayName>Email address</DisplayName> | |
| <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/> | |
| <Metadata> | |
| <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item> | |
| </Metadata> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="signInName" Required="true"/> | |
| </OutputClaims> | |
| </TechnicalProfile> | |
| </TechnicalProfiles> | |
| </ClaimsProvider> | |
| </ClaimsProviders> | |
| <UserJourneys> | |
| <UserJourney Id="SignUpOrSignIn"> | |
| <OrchestrationSteps> | |
| <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin"> | |
| <ClaimsProviderSelections> | |
| <!-- <ClaimsProviderSelection TargetClaimsExchangeId="FacebookExchange"/> --> | |
| <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange"/> | |
| </ClaimsProviderSelections> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Check if the user has selected to sign in using one of the social providers --> | |
| <OrchestrationStep Order="2" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>objectId</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <!-- <ClaimsExchange Id="FacebookExchange" TechnicalProfileReferenceId="Facebook-OAUTH"/> --> | |
| <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- For social IDP authentication, attempt to find the user account in the directory. --> | |
| <OrchestrationStep Order="3" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
| <Value>authenticationSource</Value> | |
| <Value>localAccountAuthentication</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Show self-asserted page only if the directory does not have the user account already (i.e. we do not have an objectId). | |
| This can only happen when authentication happened using a social IDP. If local account was created or authentication done | |
| using ESTS in step 2, then an user account must exist in the directory by this time. --> | |
| <OrchestrationStep Order="4" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>objectId</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent | |
| in the token. --> | |
| <OrchestrationStep Order="5" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
| <Value>authenticationSource</Value> | |
| <Value>socialIdpAuthentication</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- The previous step (SelfAsserted-Social) could have been skipped if there were no attributes to collect | |
| from the user. So, in that case, create the user in the directory if one does not already exist | |
| (verified using objectId which would be set from the last step if account was created in the directory. --> | |
| <OrchestrationStep Order="6" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>objectId</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Phone verification: If MFA is not required, the next three steps (#5-#7) should be removed. --> | |
| <!-- This step checks whether there's a phone number on record, for the user. If found, then the user is challenged to verify it. --> | |
| <OrchestrationStep Order="7" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="false"> | |
| <Value>dummy</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>isActiveMFASession</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Save MFA phone number: The precondition verifies whether the user provided a new number in the --> | |
| <!-- previous step. If so, then the phone number is stored in the directory for future authentication --> | |
| <!-- requests. --> | |
| <OrchestrationStep Order="8" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="false"> | |
| <Value>dummy</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="false"> | |
| <Value>newPhoneNumberEntered</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserWriteWithObjectId" TechnicalProfileReferenceId="AAD-UserWritePhoneNumberUsingObjectId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="9" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/> | |
| </OrchestrationSteps> | |
| <ClientDefinition ReferenceId="DefaultWeb"/> | |
| </UserJourney> | |
| <UserJourney Id="SignUpOrSignInNoFacebookOrMFA"> | |
| <OrchestrationSteps> | |
| <OrchestrationStep Order="1" Type="ClaimsExchange"> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="SelfAssertedExtraPage" TechnicalProfileReferenceId="SelfAsserted-ExtraPage"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="2" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin"> | |
| <ClaimsProviderSelections> | |
| <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange"/> | |
| </ClaimsProviderSelections> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Check if the user has selected to sign in using one of the social providers --> | |
| <OrchestrationStep Order="3" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>objectId</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent | |
| in the token. --> | |
| <OrchestrationStep Order="4" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
| <Value>authenticationSource</Value> | |
| <Value>socialIdpAuthentication</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="5" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/> | |
| </OrchestrationSteps> | |
| </UserJourney> | |
| </UserJourneys> | |
| </TrustFrameworkPolicy> | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
| xmlns:xsd="http://www.w3.org/2001/XMLSchema" | |
| xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" | |
| PolicySchemaVersion="0.3.0.0" | |
| TenantId="tenant.onmicrosoft.com" | |
| PolicyId="B2C_1A_MediumB2C_ExerciseExtensions" | |
| PublicPolicyUri="http://tenant.onmicrosoft.com/B2C_1A_MediumB2C_ExerciseExtensions"> | |
| <!-- Exercise 6 --> | |
| <BasePolicy> | |
| <TenantId>tenant.onmicrosoft.com</TenantId> | |
| <PolicyId>B2C_1A_MediumB2C_TrustFrameworkExtensions</PolicyId> | |
| </BasePolicy> | |
| <BuildingBlocks> | |
| <ClaimsSchema> | |
| <ClaimType Id="dummy"> | |
| <DataType>string</DataType> | |
| </ClaimType> | |
| <ClaimType Id="extension_accountNumber"> | |
| <DisplayName>Your account number</DisplayName> | |
| <DataType>string</DataType> | |
| <UserHelpText>Your account number.</UserHelpText> | |
| <UserInputType>TextBox</UserInputType> | |
| </ClaimType> | |
| <ClaimType Id="signInName"> | |
| <Restriction> | |
| <Pattern RegularExpression="^[a-zA-Z0-9.+!#$%&'^_`{}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$" HelpText="Please enter a valid email address."/> | |
| </Restriction> | |
| </ClaimType> | |
| <ClaimType Id="emailAddress"> | |
| <DisplayName>Your email address</DisplayName> | |
| <DataType>string</DataType> | |
| <UserHelpText>YYour email address</UserHelpText> | |
| <UserInputType>TextBox</UserInputType> | |
| </ClaimType> | |
| </ClaimsSchema> | |
| <ClaimsTransformations> | |
| <ClaimsTransformation Id="CopyEmailAddress" TransformationMethod="CopyClaim"> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="emailAddress" TransformationClaimType="inputClaim"/> | |
| </InputClaims> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="signInName" TransformationClaimType="outputClaim"/> | |
| </OutputClaims> | |
| </ClaimsTransformation> | |
| </ClaimsTransformations> | |
| </BuildingBlocks> | |
| <ClaimsProviders> | |
| <ClaimsProvider> | |
| <DisplayName>For exercises</DisplayName> | |
| <TechnicalProfiles> | |
| <TechnicalProfile Id="AAD-UserReadUsingObjectId"> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="accountEnabled"/> | |
| <OutputClaim ClaimTypeReferenceId="extension_accountNumber"/> | |
| </OutputClaims> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="LocalAccountSignUpWithLogonEmail"> | |
| <DisplayName>Email signup</DisplayName> | |
| <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/> | |
| <Metadata> | |
| <Item Key="EnforceEmailVerification">false</Item> | |
| </Metadata> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true"/> | |
| <OutputClaim ClaimTypeReferenceId="newPassword" Required="true"/> | |
| <OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true"/> | |
| <!-- Optional claims, to be collected from the user --> | |
| <OutputClaim ClaimTypeReferenceId="displayName"/> | |
| <OutputClaim ClaimTypeReferenceId="givenName"/> | |
| <OutputClaim ClaimTypeReferenceId="surName"/> | |
| <OutputClaim ClaimTypeReferenceId="extension_accountNumber"/> | |
| </OutputClaims> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="AAD-UserWriteUsingLogonEmail"> | |
| <PersistedClaims> | |
| <PersistedClaim ClaimTypeReferenceId="extension_accountNumber"/> | |
| </PersistedClaims> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="SelfAsserted-ExtraPage"> | |
| <DisplayName>Email address</DisplayName> | |
| <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/> | |
| <Metadata> | |
| <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item> | |
| </Metadata> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="emailAddress" Required="true"/> | |
| </OutputClaims> | |
| <OutputClaimsTransformations> | |
| <OutputClaimsTransformation ReferenceId="CopyEmailAddress"/> | |
| </OutputClaimsTransformations> | |
| </TechnicalProfile> | |
| </TechnicalProfiles> | |
| </ClaimsProvider> | |
| </ClaimsProviders> | |
| <UserJourneys> | |
| <UserJourney Id="SignUpOrSignIn"> | |
| <OrchestrationSteps> | |
| <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin"> | |
| <ClaimsProviderSelections> | |
| <!-- <ClaimsProviderSelection TargetClaimsExchangeId="FacebookExchange"/> --> | |
| <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange"/> | |
| </ClaimsProviderSelections> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Check if the user has selected to sign in using one of the social providers --> | |
| <OrchestrationStep Order="2" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>objectId</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <!-- <ClaimsExchange Id="FacebookExchange" TechnicalProfileReferenceId="Facebook-OAUTH"/> --> | |
| <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- For social IDP authentication, attempt to find the user account in the directory. --> | |
| <OrchestrationStep Order="3" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
| <Value>authenticationSource</Value> | |
| <Value>localAccountAuthentication</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Show self-asserted page only if the directory does not have the user account already (i.e. we do not have an objectId). | |
| This can only happen when authentication happened using a social IDP. If local account was created or authentication done | |
| using ESTS in step 2, then an user account must exist in the directory by this time. --> | |
| <OrchestrationStep Order="4" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>objectId</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent | |
| in the token. --> | |
| <OrchestrationStep Order="5" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
| <Value>authenticationSource</Value> | |
| <Value>socialIdpAuthentication</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- The previous step (SelfAsserted-Social) could have been skipped if there were no attributes to collect | |
| from the user. So, in that case, create the user in the directory if one does not already exist | |
| (verified using objectId which would be set from the last step if account was created in the directory. --> | |
| <OrchestrationStep Order="6" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>objectId</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Phone verification: If MFA is not required, the next three steps (#5-#7) should be removed. --> | |
| <!-- This step checks whether there's a phone number on record, for the user. If found, then the user is challenged to verify it. --> | |
| <OrchestrationStep Order="7" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="false"> | |
| <Value>dummy</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>isActiveMFASession</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Save MFA phone number: The precondition verifies whether the user provided a new number in the --> | |
| <!-- previous step. If so, then the phone number is stored in the directory for future authentication --> | |
| <!-- requests. --> | |
| <OrchestrationStep Order="8" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="false"> | |
| <Value>dummy</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="false"> | |
| <Value>newPhoneNumberEntered</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserWriteWithObjectId" TechnicalProfileReferenceId="AAD-UserWritePhoneNumberUsingObjectId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="9" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/> | |
| </OrchestrationSteps> | |
| <ClientDefinition ReferenceId="DefaultWeb"/> | |
| </UserJourney> | |
| <UserJourney Id="SignUpOrSignInNoFacebookOrMFA"> | |
| <OrchestrationSteps> | |
| <OrchestrationStep Order="1" Type="ClaimsExchange"> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="SelfAssertedExtraPage" TechnicalProfileReferenceId="SelfAsserted-ExtraPage"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="2" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin"> | |
| <ClaimsProviderSelections> | |
| <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange"/> | |
| </ClaimsProviderSelections> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Check if the user has selected to sign in using one of the social providers --> | |
| <OrchestrationStep Order="3" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>objectId</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent | |
| in the token. --> | |
| <OrchestrationStep Order="4" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
| <Value>authenticationSource</Value> | |
| <Value>socialIdpAuthentication</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="5" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/> | |
| </OrchestrationSteps> | |
| </UserJourney> | |
| </UserJourneys> | |
| </TrustFrameworkPolicy> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
| xmlns:xsd="http://www.w3.org/2001/XMLSchema" | |
| xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" | |
| PolicySchemaVersion="0.3.0.0" | |
| TenantId="tenant.onmicrosoft.com" | |
| PolicyId="B2C_1A_MediumB2C_ExerciseExtensions" | |
| PublicPolicyUri="http://tenant.onmicrosoft.com/B2C_1A_MediumB2C_ExerciseExtensions"> | |
| <!-- Exercise 7 --> | |
| <BasePolicy> | |
| <TenantId>tenant.onmicrosoft.com</TenantId> | |
| <PolicyId>B2C_1A_MediumB2C_TrustFrameworkExtensions</PolicyId> | |
| </BasePolicy> | |
| <BuildingBlocks> | |
| <ClaimsSchema> | |
| <ClaimType Id="dummy"> | |
| <DataType>string</DataType> | |
| </ClaimType> | |
| <ClaimType Id="extension_accountNumber"> | |
| <DisplayName>Your account number</DisplayName> | |
| <DataType>string</DataType> | |
| <UserHelpText>Your account number.</UserHelpText> | |
| <UserInputType>TextBox</UserInputType> | |
| </ClaimType> | |
| <ClaimType Id="signInName"> | |
| <Restriction> | |
| <Pattern RegularExpression="^[a-zA-Z0-9.+!#$%&'^_`{}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$" HelpText="Please enter a valid email address."/> | |
| </Restriction> | |
| </ClaimType> | |
| <ClaimType Id="emailAddress"> | |
| <DisplayName>Your email address</DisplayName> | |
| <DataType>string</DataType> | |
| <UserHelpText>YYour email address</UserHelpText> | |
| <UserInputType>TextBox</UserInputType> | |
| </ClaimType> | |
| </ClaimsSchema> | |
| <ClaimsTransformations> | |
| <ClaimsTransformation Id="CopyEmailAddress" TransformationMethod="CopyClaim"> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="emailAddress" TransformationClaimType="inputClaim"/> | |
| </InputClaims> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="signInName" TransformationClaimType="outputClaim"/> | |
| </OutputClaims> | |
| </ClaimsTransformation> | |
| </ClaimsTransformations> | |
| <ContentDefinitions> | |
| <ContentDefinition Id="api.localaccountsignup"> | |
| <!-- Change default password error message --> | |
| <LocalizedResourcesReferences MergeBehavior="Prepend"> | |
| <LocalizedResourcesReference Language="en" LocalizedResourcesReferenceId="api.localaccountsignup.nz"/> | |
| </LocalizedResourcesReferences> | |
| </ContentDefinition> | |
| </ContentDefinitions> | |
| <Localization Enabled="true"> | |
| <SupportedLanguages DefaultLanguage="en" MergeBehavior="ReplaceAll"> | |
| <SupportedLanguage>en</SupportedLanguage> | |
| </SupportedLanguages> | |
| <LocalizedResources Id="api.localaccountsignup.nz"> | |
| <LocalizedStrings> | |
| <LocalizedString ElementType="UxElement" StringId="error_passwordEntryMismatch">The passwords do not match. Be aware that the minimum password length is 12 characters</LocalizedString> | |
| </LocalizedStrings> | |
| </LocalizedResources> | |
| </Localization> | |
| </BuildingBlocks> | |
| <ClaimsProviders> | |
| <ClaimsProvider> | |
| <DisplayName>For exercises</DisplayName> | |
| <TechnicalProfiles> | |
| <TechnicalProfile Id="AAD-UserReadUsingObjectId"> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="accountEnabled"/> | |
| <OutputClaim ClaimTypeReferenceId="extension_accountNumber"/> | |
| </OutputClaims> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="LocalAccountSignUpWithLogonEmail"> | |
| <DisplayName>Email signup</DisplayName> | |
| <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/> | |
| <Metadata> | |
| <Item Key="EnforceEmailVerification">false</Item> | |
| </Metadata> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true"/> | |
| <OutputClaim ClaimTypeReferenceId="newPassword" Required="true"/> | |
| <OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true"/> | |
| <!-- Optional claims, to be collected from the user --> | |
| <OutputClaim ClaimTypeReferenceId="displayName"/> | |
| <OutputClaim ClaimTypeReferenceId="givenName"/> | |
| <OutputClaim ClaimTypeReferenceId="surName"/> | |
| <OutputClaim ClaimTypeReferenceId="extension_accountNumber"/> | |
| </OutputClaims> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="AAD-UserWriteUsingLogonEmail"> | |
| <PersistedClaims> | |
| <PersistedClaim ClaimTypeReferenceId="extension_accountNumber"/> | |
| </PersistedClaims> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="SelfAsserted-ExtraPage"> | |
| <DisplayName>Email address</DisplayName> | |
| <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/> | |
| <Metadata> | |
| <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item> | |
| </Metadata> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="emailAddress" Required="true"/> | |
| </OutputClaims> | |
| <OutputClaimsTransformations> | |
| <OutputClaimsTransformation ReferenceId="CopyEmailAddress"/> | |
| </OutputClaimsTransformations> | |
| </TechnicalProfile> | |
| </TechnicalProfiles> | |
| </ClaimsProvider> | |
| </ClaimsProviders> | |
| <UserJourneys> | |
| <UserJourney Id="SignUpOrSignIn"> | |
| <OrchestrationSteps> | |
| <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin"> | |
| <ClaimsProviderSelections> | |
| <!-- <ClaimsProviderSelection TargetClaimsExchangeId="FacebookExchange"/> --> | |
| <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange"/> | |
| </ClaimsProviderSelections> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Check if the user has selected to sign in using one of the social providers --> | |
| <OrchestrationStep Order="2" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>objectId</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <!-- <ClaimsExchange Id="FacebookExchange" TechnicalProfileReferenceId="Facebook-OAUTH"/> --> | |
| <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- For social IDP authentication, attempt to find the user account in the directory. --> | |
| <OrchestrationStep Order="3" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
| <Value>authenticationSource</Value> | |
| <Value>localAccountAuthentication</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Show self-asserted page only if the directory does not have the user account already (i.e. we do not have an objectId). | |
| This can only happen when authentication happened using a social IDP. If local account was created or authentication done | |
| using ESTS in step 2, then an user account must exist in the directory by this time. --> | |
| <OrchestrationStep Order="4" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>objectId</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent | |
| in the token. --> | |
| <OrchestrationStep Order="5" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
| <Value>authenticationSource</Value> | |
| <Value>socialIdpAuthentication</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- The previous step (SelfAsserted-Social) could have been skipped if there were no attributes to collect | |
| from the user. So, in that case, create the user in the directory if one does not already exist | |
| (verified using objectId which would be set from the last step if account was created in the directory. --> | |
| <OrchestrationStep Order="6" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>objectId</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Phone verification: If MFA is not required, the next three steps (#5-#7) should be removed. --> | |
| <!-- This step checks whether there's a phone number on record, for the user. If found, then the user is challenged to verify it. --> | |
| <OrchestrationStep Order="7" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="false"> | |
| <Value>dummy</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>isActiveMFASession</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Save MFA phone number: The precondition verifies whether the user provided a new number in the --> | |
| <!-- previous step. If so, then the phone number is stored in the directory for future authentication --> | |
| <!-- requests. --> | |
| <OrchestrationStep Order="8" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="false"> | |
| <Value>dummy</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="false"> | |
| <Value>newPhoneNumberEntered</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserWriteWithObjectId" TechnicalProfileReferenceId="AAD-UserWritePhoneNumberUsingObjectId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="9" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/> | |
| </OrchestrationSteps> | |
| <ClientDefinition ReferenceId="DefaultWeb"/> | |
| </UserJourney> | |
| <UserJourney Id="SignUpOrSignInNoFacebookOrMFA"> | |
| <OrchestrationSteps> | |
| <OrchestrationStep Order="1" Type="ClaimsExchange"> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="SelfAssertedExtraPage" TechnicalProfileReferenceId="SelfAsserted-ExtraPage"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="2" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin"> | |
| <ClaimsProviderSelections> | |
| <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange"/> | |
| </ClaimsProviderSelections> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Check if the user has selected to sign in using one of the social providers --> | |
| <OrchestrationStep Order="3" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>objectId</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent | |
| in the token. --> | |
| <OrchestrationStep Order="4" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
| <Value>authenticationSource</Value> | |
| <Value>socialIdpAuthentication</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="5" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/> | |
| </OrchestrationSteps> | |
| </UserJourney> | |
| </UserJourneys> | |
| </TrustFrameworkPolicy> | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
| xmlns:xsd="http://www.w3.org/2001/XMLSchema" | |
| xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" | |
| PolicySchemaVersion="0.3.0.0" | |
| TenantId="tenant.onmicrosoft.com" | |
| PolicyId="B2C_1A_MediumB2C_ExerciseExtensions" | |
| PublicPolicyUri="http://tenant.onmicrosoft.com/B2C_1A_MediumB2C_ExerciseExtensions"> | |
| <!-- Exercise 8 --> | |
| <BasePolicy> | |
| <TenantId>tenant.onmicrosoft.com</TenantId> | |
| <PolicyId>B2C_1A_MediumB2C_TrustFrameworkExtensions</PolicyId> | |
| </BasePolicy> | |
| <BuildingBlocks> | |
| <ClaimsSchema> | |
| <ClaimType Id="dummy"> | |
| <DataType>string</DataType> | |
| </ClaimType> | |
| <ClaimType Id="extension_accountNumber"> | |
| <DisplayName>Your account number</DisplayName> | |
| <DataType>string</DataType> | |
| <UserHelpText>Your account number.</UserHelpText> | |
| <UserInputType>TextBox</UserInputType> | |
| </ClaimType> | |
| <ClaimType Id="signInName"> | |
| <Restriction> | |
| <Pattern RegularExpression="^[a-zA-Z0-9.+!#$%&'^_`{}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$" HelpText="Please enter a valid email address."/> | |
| </Restriction> | |
| </ClaimType> | |
| <ClaimType Id="emailAddress"> | |
| <DisplayName>Your email address</DisplayName> | |
| <DataType>string</DataType> | |
| <UserHelpText>YYour email address</UserHelpText> | |
| <UserInputType>TextBox</UserInputType> | |
| </ClaimType> | |
| <ClaimType Id="errorMessage"> | |
| <DisplayName>There was an error</DisplayName> | |
| <DataType>string</DataType> | |
| <UserInputType>Paragraph</UserInputType> | |
| </ClaimType> | |
| </ClaimsSchema> | |
| <ClaimsTransformations> | |
| <ClaimsTransformation Id="CopyEmailAddress" TransformationMethod="CopyClaim"> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="emailAddress" TransformationClaimType="inputClaim"/> | |
| </InputClaims> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="signInName" TransformationClaimType="outputClaim"/> | |
| </OutputClaims> | |
| </ClaimsTransformation> | |
| <ClaimsTransformation Id="CreateRegErrorMessage" TransformationMethod="CreateStringClaim"> | |
| <InputParameters> | |
| <InputParameter Id="value" DataType="string" Value="Please contact support - code 123568"/> | |
| </InputParameters> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="errorMessage" TransformationClaimType="createdClaim"/> | |
| </OutputClaims> | |
| </ClaimsTransformation> | |
| </ClaimsTransformations> | |
| <ContentDefinitions> | |
| <ContentDefinition Id="api.localaccountsignup"> | |
| <!-- Change default password error message --> | |
| <LocalizedResourcesReferences MergeBehavior="Prepend"> | |
| <LocalizedResourcesReference Language="en" LocalizedResourcesReferenceId="api.localaccountsignup.nz"/> | |
| </LocalizedResourcesReferences> | |
| </ContentDefinition> | |
| </ContentDefinitions> | |
| <Localization Enabled="true"> | |
| <SupportedLanguages DefaultLanguage="en" MergeBehavior="ReplaceAll"> | |
| <SupportedLanguage>en</SupportedLanguage> | |
| </SupportedLanguages> | |
| <LocalizedResources Id="api.localaccountsignup.nz"> | |
| <LocalizedStrings> | |
| <LocalizedString ElementType="UxElement" StringId="error_passwordEntryMismatch">The passwords do not match. Be aware that the minimum password length is 12 characters</LocalizedString> | |
| </LocalizedStrings> | |
| </LocalizedResources> | |
| </Localization> | |
| </BuildingBlocks> | |
| <ClaimsProviders> | |
| <ClaimsProvider> | |
| <DisplayName>For exercises</DisplayName> | |
| <TechnicalProfiles> | |
| <TechnicalProfile Id="AAD-UserReadUsingObjectId"> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="accountEnabled"/> | |
| <OutputClaim ClaimTypeReferenceId="extension_accountNumber"/> | |
| </OutputClaims> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="LocalAccountSignUpWithLogonEmail"> | |
| <DisplayName>Email signup</DisplayName> | |
| <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/> | |
| <Metadata> | |
| <Item Key="EnforceEmailVerification">false</Item> | |
| </Metadata> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true"/> | |
| <OutputClaim ClaimTypeReferenceId="newPassword" Required="true"/> | |
| <OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true"/> | |
| <!-- Optional claims, to be collected from the user --> | |
| <OutputClaim ClaimTypeReferenceId="displayName"/> | |
| <OutputClaim ClaimTypeReferenceId="givenName"/> | |
| <OutputClaim ClaimTypeReferenceId="surName"/> | |
| <OutputClaim ClaimTypeReferenceId="extension_accountNumber"/> | |
| </OutputClaims> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="AAD-UserWriteUsingLogonEmail"> | |
| <PersistedClaims> | |
| <PersistedClaim ClaimTypeReferenceId="extension_accountNumber"/> | |
| </PersistedClaims> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="SelfAsserted-ExtraPage"> | |
| <DisplayName>Email address</DisplayName> | |
| <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/> | |
| <Metadata> | |
| <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item> | |
| </Metadata> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="emailAddress" Required="true"/> | |
| </OutputClaims> | |
| <OutputClaimsTransformations> | |
| <OutputClaimsTransformation ReferenceId="CopyEmailAddress"/> | |
| </OutputClaimsTransformations> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="SelfAsserted-Error"> | |
| <DisplayName>Error message</DisplayName> | |
| <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/> | |
| <Metadata> | |
| <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item> | |
| <Item Key="setting.showContinueButton">false</Item> | |
| <Item Key="setting.showCancelButton">false</Item> | |
| </Metadata> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="errorMessage"/> | |
| </InputClaims> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="errorMessage"/> | |
| </OutputClaims> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="SelfAsserted-RegError"> | |
| <InputClaimsTransformations> | |
| <InputClaimsTransformation ReferenceId="CreateRegErrorMessage"/> | |
| </InputClaimsTransformations> | |
| <IncludeTechnicalProfile ReferenceId="SelfAsserted-Error"/> | |
| </TechnicalProfile> | |
| </TechnicalProfiles> | |
| </ClaimsProvider> | |
| </ClaimsProviders> | |
| <UserJourneys> | |
| <UserJourney Id="SignUpOrSignIn"> | |
| <OrchestrationSteps> | |
| <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin"> | |
| <ClaimsProviderSelections> | |
| <!-- <ClaimsProviderSelection TargetClaimsExchangeId="FacebookExchange"/> --> | |
| <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange"/> | |
| </ClaimsProviderSelections> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Check if the user has selected to sign in using one of the social providers --> | |
| <OrchestrationStep Order="2" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>objectId</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <!-- <ClaimsExchange Id="FacebookExchange" TechnicalProfileReferenceId="Facebook-OAUTH"/> --> | |
| <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- For social IDP authentication, attempt to find the user account in the directory. --> | |
| <OrchestrationStep Order="3" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
| <Value>authenticationSource</Value> | |
| <Value>localAccountAuthentication</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Show self-asserted page only if the directory does not have the user account already (i.e. we do not have an objectId). | |
| This can only happen when authentication happened using a social IDP. If local account was created or authentication done | |
| using ESTS in step 2, then an user account must exist in the directory by this time. --> | |
| <OrchestrationStep Order="4" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>objectId</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent | |
| in the token. --> | |
| <OrchestrationStep Order="5" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
| <Value>authenticationSource</Value> | |
| <Value>socialIdpAuthentication</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- The previous step (SelfAsserted-Social) could have been skipped if there were no attributes to collect | |
| from the user. So, in that case, create the user in the directory if one does not already exist | |
| (verified using objectId which would be set from the last step if account was created in the directory. --> | |
| <OrchestrationStep Order="6" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>objectId</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Phone verification: If MFA is not required, the next three steps (#5-#7) should be removed. --> | |
| <!-- This step checks whether there's a phone number on record, for the user. If found, then the user is challenged to verify it. --> | |
| <OrchestrationStep Order="7" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="false"> | |
| <Value>dummy</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>isActiveMFASession</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Save MFA phone number: The precondition verifies whether the user provided a new number in the --> | |
| <!-- previous step. If so, then the phone number is stored in the directory for future authentication --> | |
| <!-- requests. --> | |
| <OrchestrationStep Order="8" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="false"> | |
| <Value>dummy</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="false"> | |
| <Value>newPhoneNumberEntered</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserWriteWithObjectId" TechnicalProfileReferenceId="AAD-UserWritePhoneNumberUsingObjectId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="9" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/> | |
| </OrchestrationSteps> | |
| <ClientDefinition ReferenceId="DefaultWeb"/> | |
| </UserJourney> | |
| <UserJourney Id="SignUpOrSignInNoFacebookOrMFA"> | |
| <OrchestrationSteps> | |
| <OrchestrationStep Order="1" Type="ClaimsExchange"> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="SelfAssertedExtraPage" TechnicalProfileReferenceId="SelfAsserted-ExtraPage"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="2" Type="ClaimsExchange"> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="SelfAssertedRegError" TechnicalProfileReferenceId="SelfAsserted-RegError"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- User journey stops here --> | |
| <OrchestrationStep Order="3" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin"> | |
| <ClaimsProviderSelections> | |
| <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange"/> | |
| </ClaimsProviderSelections> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Check if the user has selected to sign in using one of the social providers --> | |
| <OrchestrationStep Order="4" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>objectId</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent | |
| in the token. --> | |
| <OrchestrationStep Order="5" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
| <Value>authenticationSource</Value> | |
| <Value>socialIdpAuthentication</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="6" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/> | |
| </OrchestrationSteps> | |
| </UserJourney> | |
| </UserJourneys> | |
| </TrustFrameworkPolicy> | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
| xmlns:xsd="http://www.w3.org/2001/XMLSchema" | |
| xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" | |
| PolicySchemaVersion="0.3.0.0" | |
| TenantId="tenant.onmicrosoft.com" | |
| PolicyId="B2C_1A_MediumB2C_ExerciseExtensions" | |
| PublicPolicyUri="http://tenant.onmicrosoft.com/B2C_1A_MediumB2C_ExerciseExtensions"> | |
| <!-- Exercise 9 --> | |
| <BasePolicy> | |
| <TenantId>tenant.onmicrosoft.com</TenantId> | |
| <PolicyId>B2C_1A_MediumB2C_TrustFrameworkExtensions</PolicyId> | |
| </BasePolicy> | |
| <BuildingBlocks> | |
| <ClaimsSchema> | |
| <ClaimType Id="dummy"> | |
| <DataType>string</DataType> | |
| </ClaimType> | |
| <ClaimType Id="extension_accountNumber"> | |
| <DisplayName>Your account number</DisplayName> | |
| <DataType>string</DataType> | |
| <UserHelpText>Your account number.</UserHelpText> | |
| <UserInputType>TextBox</UserInputType> | |
| </ClaimType> | |
| <ClaimType Id="num1"> | |
| <DisplayName>First number</DisplayName> | |
| <DataType>string</DataType> | |
| <UserHelpText>First number</UserHelpText> | |
| <UserInputType>TextBox</UserInputType> | |
| </ClaimType> | |
| <ClaimType Id="num2"> | |
| <DisplayName>Second number</DisplayName> | |
| <DataType>string</DataType> | |
| <UserHelpText>Second number</UserHelpText> | |
| <UserInputType>TextBox</UserInputType> | |
| </ClaimType> | |
| <ClaimType Id="comparison"> | |
| <DisplayName>Comparison operator</DisplayName> | |
| <DataType>string</DataType> | |
| </ClaimType> | |
| <ClaimType Id="compResult"> | |
| <DisplayName>Comparison result</DisplayName> | |
| <DataType>boolean</DataType> | |
| </ClaimType> | |
| <ClaimType Id="signInName"> | |
| <Restriction> | |
| <Pattern RegularExpression="^[a-zA-Z0-9.+!#$%&'^_`{}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$" HelpText="Please enter a valid email address."/> | |
| </Restriction> | |
| </ClaimType> | |
| <ClaimType Id="emailAddress"> | |
| <DisplayName>Your email address</DisplayName> | |
| <DataType>string</DataType> | |
| <UserHelpText>YYour email address</UserHelpText> | |
| <UserInputType>TextBox</UserInputType> | |
| </ClaimType> | |
| <ClaimType Id="errorMessage"> | |
| <DisplayName>There was an error</DisplayName> | |
| <DataType>string</DataType> | |
| <UserInputType>Paragraph</UserInputType> | |
| </ClaimType> | |
| </ClaimsSchema> | |
| <ClaimsTransformations> | |
| <ClaimsTransformation Id="CopyEmailAddress" TransformationMethod="CopyClaim"> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="emailAddress" TransformationClaimType="inputClaim"/> | |
| </InputClaims> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="signInName" TransformationClaimType="outputClaim"/> | |
| </OutputClaims> | |
| </ClaimsTransformation> | |
| <ClaimsTransformation Id="CreateRegErrorMessage" TransformationMethod="CreateStringClaim"> | |
| <InputParameters> | |
| <InputParameter Id="value" DataType="string" Value="Please contact support - code 123568"/> | |
| </InputParameters> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="errorMessage" TransformationClaimType="createdClaim"/> | |
| </OutputClaims> | |
| </ClaimsTransformation> | |
| </ClaimsTransformations> | |
| <ContentDefinitions> | |
| <ContentDefinition Id="api.localaccountsignup"> | |
| <!-- Change default password error message --> | |
| <LocalizedResourcesReferences MergeBehavior="Prepend"> | |
| <LocalizedResourcesReference Language="en" LocalizedResourcesReferenceId="api.localaccountsignup.nz"/> | |
| </LocalizedResourcesReferences> | |
| </ContentDefinition> | |
| </ContentDefinitions> | |
| <Localization Enabled="true"> | |
| <SupportedLanguages DefaultLanguage="en" MergeBehavior="ReplaceAll"> | |
| <SupportedLanguage>en</SupportedLanguage> | |
| </SupportedLanguages> | |
| <LocalizedResources Id="api.localaccountsignup.nz"> | |
| <LocalizedStrings> | |
| <LocalizedString ElementType="UxElement" StringId="error_passwordEntryMismatch">The passwords do not match. Be aware that the minimum password length is 12 characters</LocalizedString> | |
| </LocalizedStrings> | |
| </LocalizedResources> | |
| </Localization> | |
| </BuildingBlocks> | |
| <ClaimsProviders> | |
| <ClaimsProvider> | |
| <DisplayName>For exercises</DisplayName> | |
| <TechnicalProfiles> | |
| <TechnicalProfile Id="AAD-UserReadUsingObjectId"> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="accountEnabled"/> | |
| <OutputClaim ClaimTypeReferenceId="extension_accountNumber"/> | |
| </OutputClaims> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="LocalAccountSignUpWithLogonEmail"> | |
| <DisplayName>Email signup</DisplayName> | |
| <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/> | |
| <Metadata> | |
| <Item Key="EnforceEmailVerification">false</Item> | |
| </Metadata> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true"/> | |
| <OutputClaim ClaimTypeReferenceId="newPassword" Required="true"/> | |
| <OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true"/> | |
| <!-- Optional claims, to be collected from the user --> | |
| <OutputClaim ClaimTypeReferenceId="displayName"/> | |
| <OutputClaim ClaimTypeReferenceId="givenName"/> | |
| <OutputClaim ClaimTypeReferenceId="surName"/> | |
| <OutputClaim ClaimTypeReferenceId="extension_accountNumber"/> | |
| </OutputClaims> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="AAD-UserWriteUsingLogonEmail"> | |
| <PersistedClaims> | |
| <PersistedClaim ClaimTypeReferenceId="extension_accountNumber"/> | |
| </PersistedClaims> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="SelfAsserted-ExtraPage"> | |
| <DisplayName>Email address</DisplayName> | |
| <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/> | |
| <Metadata> | |
| <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item> | |
| </Metadata> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="emailAddress" Required="true"/> | |
| </OutputClaims> | |
| <OutputClaimsTransformations> | |
| <OutputClaimsTransformation ReferenceId="CopyEmailAddress"/> | |
| </OutputClaimsTransformations> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="SelfAsserted-Error"> | |
| <DisplayName>Error message</DisplayName> | |
| <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/> | |
| <Metadata> | |
| <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item> | |
| <Item Key="setting.showContinueButton">false</Item> | |
| <Item Key="setting.showCancelButton">false</Item> | |
| </Metadata> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="errorMessage"/> | |
| </InputClaims> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="errorMessage"/> | |
| </OutputClaims> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="SelfAsserted-RegError"> | |
| <InputClaimsTransformations> | |
| <InputClaimsTransformation ReferenceId="CreateRegErrorMessage"/> | |
| </InputClaimsTransformations> | |
| <IncludeTechnicalProfile ReferenceId="SelfAsserted-Error"/> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="CallFunction"> | |
| <DisplayName>Call Azure function</DisplayName> | |
| <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/> | |
| <Metadata> | |
| <Item Key="ServiceUrl">https://azurefunction.azurewebsites.net/api/IntComparison</Item> | |
| <Item Key="AuthenticationType">None</Item> | |
| <Item Key="SendClaimsIn">QueryString</Item> | |
| <Item Key="DefaultUserMessageIfRequestFailed">Cannot process your request right now, please try again later.</Item> | |
| </Metadata> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="num1"/> | |
| <InputClaim ClaimTypeReferenceId="num2"/> | |
| <InputClaim ClaimTypeReferenceId="comparison" DefaultValue="gt" AlwaysUseDefaultValue="true" /> | |
| </InputClaims> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="compResult"/> | |
| </OutputClaims> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="SelfAsserted-ReadNumbers"> | |
| <DisplayName>Read numbers</DisplayName> | |
| <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/> | |
| <Metadata> | |
| <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item> | |
| </Metadata> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="num1" Required="true"/> | |
| <OutputClaim ClaimTypeReferenceId="num2" Required="true"/> | |
| </OutputClaims> | |
| </TechnicalProfile> | |
| </TechnicalProfiles> | |
| </ClaimsProvider> | |
| </ClaimsProviders> | |
| <UserJourneys> | |
| <UserJourney Id="SignUpOrSignIn"> | |
| <OrchestrationSteps> | |
| <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin"> | |
| <ClaimsProviderSelections> | |
| <!-- <ClaimsProviderSelection TargetClaimsExchangeId="FacebookExchange"/> --> | |
| <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange"/> | |
| </ClaimsProviderSelections> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Check if the user has selected to sign in using one of the social providers --> | |
| <OrchestrationStep Order="2" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>objectId</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <!-- <ClaimsExchange Id="FacebookExchange" TechnicalProfileReferenceId="Facebook-OAUTH"/> --> | |
| <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- For social IDP authentication, attempt to find the user account in the directory. --> | |
| <OrchestrationStep Order="3" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
| <Value>authenticationSource</Value> | |
| <Value>localAccountAuthentication</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Show self-asserted page only if the directory does not have the user account already (i.e. we do not have an objectId). | |
| This can only happen when authentication happened using a social IDP. If local account was created or authentication done | |
| using ESTS in step 2, then an user account must exist in the directory by this time. --> | |
| <OrchestrationStep Order="4" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>objectId</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent | |
| in the token. --> | |
| <OrchestrationStep Order="5" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
| <Value>authenticationSource</Value> | |
| <Value>socialIdpAuthentication</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- The previous step (SelfAsserted-Social) could have been skipped if there were no attributes to collect | |
| from the user. So, in that case, create the user in the directory if one does not already exist | |
| (verified using objectId which would be set from the last step if account was created in the directory. --> | |
| <OrchestrationStep Order="6" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>objectId</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Phone verification: If MFA is not required, the next three steps (#5-#7) should be removed. --> | |
| <!-- This step checks whether there's a phone number on record, for the user. If found, then the user is challenged to verify it. --> | |
| <OrchestrationStep Order="7" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="false"> | |
| <Value>dummy</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>isActiveMFASession</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Save MFA phone number: The precondition verifies whether the user provided a new number in the --> | |
| <!-- previous step. If so, then the phone number is stored in the directory for future authentication --> | |
| <!-- requests. --> | |
| <OrchestrationStep Order="8" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="false"> | |
| <Value>dummy</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="false"> | |
| <Value>newPhoneNumberEntered</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserWriteWithObjectId" TechnicalProfileReferenceId="AAD-UserWritePhoneNumberUsingObjectId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="9" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/> | |
| </OrchestrationSteps> | |
| <ClientDefinition ReferenceId="DefaultWeb"/> | |
| </UserJourney> | |
| <UserJourney Id="SignUpOrSignInNoFacebookOrMFA"> | |
| <OrchestrationSteps> | |
| <OrchestrationStep Order="1" Type="ClaimsExchange"> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="SelfAssertedExtraPage" TechnicalProfileReferenceId="SelfAsserted-ReadNumbers"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="2" Type="ClaimsExchange"> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="CallFunction" TechnicalProfileReferenceId="CallFunction"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="3" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
| <Value>compResult</Value> | |
| <Value>True</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="SelfAssertedRegError" TechnicalProfileReferenceId="SelfAsserted-RegError"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- User journey stops here --> | |
| <OrchestrationStep Order="4" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin"> | |
| <ClaimsProviderSelections> | |
| <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange"/> | |
| </ClaimsProviderSelections> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Check if the user has selected to sign in using one of the social providers --> | |
| <OrchestrationStep Order="5" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>objectId</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent | |
| in the token. --> | |
| <OrchestrationStep Order="6" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
| <Value>authenticationSource</Value> | |
| <Value>socialIdpAuthentication</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="7" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/> | |
| </OrchestrationSteps> | |
| </UserJourney> | |
| </UserJourneys> | |
| </TrustFrameworkPolicy> | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8" standalone="yes"?> | |
| <TrustFrameworkPolicy | |
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
| xmlns:xsd="http://www.w3.org/2001/XMLSchema" | |
| xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" | |
| PolicySchemaVersion="0.3.0.0" | |
| TenantId="tenant.onmicrosoft.com" | |
| PolicyId="B2C_1A_MediumB2C_signup_signin" | |
| PublicPolicyUri="http://tenant.onmicrosoft.com/B2C_1A_MediumB2C_signup_signin" | |
| DeploymentMode="Development" | |
| UserJourneyRecorderEndpoint="urn:journeyrecorder:applicationinsights" | |
| > | |
| <!-- Exercise 4 --> | |
| <BasePolicy> | |
| <TenantId>tenant.onmicrosoft.com</TenantId> | |
| <PolicyId>B2C_1A_MediumB2C_ExerciseExtensions</PolicyId> | |
| </BasePolicy> | |
| <RelyingParty> | |
| <DefaultUserJourney ReferenceId="SignUpOrSignInNoFacebookOrMFA"/> | |
| <UserJourneyBehaviors> | |
| <JourneyInsights TelemetryEngine="ApplicationInsights" InstrumentationKey="xxx" DeveloperMode="true" ClientEnabled="false" ServerEnabled="true" TelemetryVersion="1.0.0"/> | |
| </UserJourneyBehaviors> | |
| <TechnicalProfile Id="PolicyProfile"> | |
| <DisplayName>PolicyProfile</DisplayName> | |
| <Protocol Name="OpenIdConnect"/> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="displayName"/> | |
| <OutputClaim ClaimTypeReferenceId="givenName"/> | |
| <OutputClaim ClaimTypeReferenceId="surname"/> | |
| <OutputClaim ClaimTypeReferenceId="email"/> | |
| <OutputClaim ClaimTypeReferenceId="extension_accountNumber"/> | |
| <OutputClaim ClaimTypeReferenceId="accountEnabled"/> | |
| <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/> | |
| <!-- <OutputClaim ClaimTypeReferenceId="identityProvider" /> --> | |
| <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}"/> | |
| </OutputClaims> | |
| <SubjectNamingInfo ClaimType="sub"/> | |
| </TechnicalProfile> | |
| </RelyingParty> | |
| </TrustFrameworkPolicy> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
https://rbrayb.medium.com/list/upskilling-on-azure-b2c-custom-policies-30f1eb8cfd82