Last active
June 22, 2022 20:33
-
-
Save rbrayb/536431c478f89d3c6d5ab39fbc26e8a7 to your computer and use it in GitHub Desktop.
Linking a federated login against an existing Azure AD B2C local account
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?xml version="1.0" encoding="utf-8" ?> | |
<TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
xmlns:xsd="http://www.w3.org/2001/XMLSchema" | |
xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0" TenantId="yourtenant.onmicrosoft.com" PolicyId="B2C_1A_AAD_Link_TrustFrameworkExtensions" PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_AAD_Link_TrustFrameworkExtensions" | |
DeploymentMode="Development" | |
UserJourneyRecorderEndpoint="urn:journeyrecorder:applicationinsights" | |
> | |
<BasePolicy> | |
<TenantId>yourtenant.onmicrosoft.com</TenantId> | |
<PolicyId>B2C_1A_TRUSTFRAMEWORKEXTENSIONSMFA</PolicyId> | |
</BasePolicy> | |
<BuildingBlocks> | |
<ClaimsSchema> | |
<ClaimType Id="extension_requiresMigrationBool"> | |
<DisplayName>AAD UPN</DisplayName> | |
<DataType>boolean</DataType> | |
</ClaimType> | |
<ClaimType Id="userIdentity"> | |
<DisplayName>userIdentity</DisplayName> | |
<DataType>userIdentity</DataType> | |
<AdminHelpText>userIdentity</AdminHelpText> | |
<UserHelpText>userIdentity</UserHelpText> | |
</ClaimType> | |
<ClaimType Id="userIdentities"> | |
<DisplayName>userIdentities</DisplayName> | |
<DataType>userIdentityCollection</DataType> | |
<AdminHelpText>userIdentities</AdminHelpText> | |
<UserHelpText>userIdentities</UserHelpText> | |
</ClaimType> | |
<ClaimType Id="issuerUserId"> | |
<DisplayName>issuerUserId</DisplayName> | |
<DataType>string</DataType> | |
<AdminHelpText>issuerUserId</AdminHelpText> | |
<UserHelpText>issuerUserId</UserHelpText> | |
</ClaimType> | |
<ClaimType Id="issuers"> | |
<DisplayName>issuers</DisplayName> | |
<DataType>stringCollection</DataType> | |
<UserHelpText>User identity providers. This information is received from alternativeSecurityIds</UserHelpText> | |
</ClaimType> | |
<ClaimType Id="objectIdToLink"> | |
<DisplayName>objectIdToLink</DisplayName> | |
<DataType>string</DataType> | |
<UserHelpText>Second account user objectId</UserHelpText> | |
<UserInputType>TextBox</UserInputType> | |
</ClaimType> | |
<ClaimType Id="errorMessage"> | |
<DisplayName/> | |
<DataType>string</DataType> | |
<UserHelpText>Add help text here</UserHelpText> | |
<UserInputType>Paragraph</UserInputType> | |
</ClaimType> | |
<ClaimType Id="issuerToLink"> | |
<DisplayName>issuerToLink</DisplayName> | |
<DataType>string</DataType> | |
<AdminHelpText>issuerToLink</AdminHelpText> | |
<UserHelpText>issuerToLink</UserHelpText> | |
</ClaimType> | |
</ClaimsSchema> | |
<ClaimsTransformations> | |
<ClaimsTransformation Id="CreateUserExistsErrorMessage" TransformationMethod="FormatStringClaim"> | |
<InputClaims> | |
<InputClaim ClaimTypeReferenceId="issuerToLink" TransformationClaimType="inputClaim"/> | |
</InputClaims> | |
<InputParameters> | |
<InputParameter Id="stringFormat" DataType="string" Value="Your {0} identity already exists in the directory. You need to delete this account, and then you will be able to link to another account"/> | |
</InputParameters> | |
<OutputClaims> | |
<OutputClaim ClaimTypeReferenceId="errorMessage" TransformationClaimType="outputClaim"/> | |
</OutputClaims> | |
</ClaimsTransformation> | |
<ClaimsTransformation Id="CreateUserBlockedErrorMessage" TransformationMethod="FormatStringClaim"> | |
<InputClaims> | |
<InputClaim ClaimTypeReferenceId="userPrincipalName" TransformationClaimType="inputClaim"/> | |
</InputClaims> | |
<InputParameters> | |
<InputParameter Id="stringFormat" DataType="string" Value="Your {0} identity is blocked. Please contact the help desk"/> | |
</InputParameters> | |
<OutputClaims> | |
<OutputClaim ClaimTypeReferenceId="errorMessage" TransformationClaimType="outputClaim"/> | |
</OutputClaims> | |
</ClaimsTransformation> | |
<!-- On sign-in (first time) with social account, create a userIdentity claim, using issuerUserId and issuer name --> | |
<ClaimsTransformation Id="CreateUserIdentity" TransformationMethod="CreateUserIdentity"> | |
<InputClaims> | |
<InputClaim ClaimTypeReferenceId="issuerUserId" TransformationClaimType="issuerUserId"/> | |
<InputClaim ClaimTypeReferenceId="identityProvider" TransformationClaimType="issuer"/> | |
</InputClaims> | |
<OutputClaims> | |
<OutputClaim ClaimTypeReferenceId="userIdentity" TransformationClaimType="userIdentity"/> | |
</OutputClaims> | |
</ClaimsTransformation> | |
<!-- Add a userIdentity to the userIdentities collection. .--> | |
<ClaimsTransformation Id="AppendUserIdentity" TransformationMethod="AddItemToUserIdentityCollection"> | |
<InputClaims> | |
<InputClaim ClaimTypeReferenceId="userIdentity" TransformationClaimType="item"/> | |
<InputClaim ClaimTypeReferenceId="userIdentities" TransformationClaimType="collection"/> | |
</InputClaims> | |
<OutputClaims> | |
<OutputClaim ClaimTypeReferenceId="userIdentities" TransformationClaimType="collection"/> | |
</OutputClaims> | |
</ClaimsTransformation> | |
<!-- Extracts the list of social identity providers associated with the user --> | |
<ClaimsTransformation Id="ExtractIssuers" TransformationMethod="GetIssuersFromUserIdentityCollectionTransformation"> | |
<InputClaims> | |
<InputClaim ClaimTypeReferenceId="userIdentities" TransformationClaimType="userIdentityCollection"/> | |
</InputClaims> | |
<OutputClaims> | |
<OutputClaim ClaimTypeReferenceId="issuers" TransformationClaimType="issuersCollection"/> | |
</OutputClaims> | |
</ClaimsTransformation> | |
</ClaimsTransformations> | |
</BuildingBlocks> | |
<ClaimsProviders> | |
<ClaimsProvider> | |
<Domain>YourTenant</Domain> | |
<DisplayName>Login using your tenant</DisplayName> | |
<TechnicalProfiles> | |
<TechnicalProfile Id="AADAzure-OpenIdConnect"> | |
<DisplayName>Azure Employee</DisplayName> | |
<Description>Login with your Azure account</Description> | |
<Protocol Name="OpenIdConnect"/> | |
<Metadata> | |
<Item Key="METADATA">https://login.microsoftonline.com/aad-tenant.onmicrosoft.com/v2.0/.well-known/openid-configuration</Item> | |
<Item Key="client_id">ad3...1c1</Item> | |
<Item Key="response_types">code</Item> | |
<Item Key="scope">openid profile</Item> | |
<Item Key="response_mode">form_post</Item> | |
<Item Key="HttpBinding">POST</Item> | |
<Item Key="UsePolicyInRedirectUri">false</Item> | |
</Metadata> | |
<CryptographicKeys> | |
<Key Id="client_secret" StorageReferenceId="B2C_1A_AzureFedSecret"/> | |
</CryptographicKeys> | |
<OutputClaims> | |
<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid"/> | |
<OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/> | |
<OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name"/> | |
<OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name"/> | |
<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name"/> | |
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email"/> | |
<OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="upn"/> | |
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true"/> | |
<OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss"/> | |
<OutputClaim ClaimTypeReferenceId="issuerToLink" DefaultValue="AzureID" AlwaysUseDefaultValue="true"/> | |
</OutputClaims> | |
<OutputClaimsTransformations> | |
<OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/> | |
<OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/> | |
<OutputClaimsTransformation ReferenceId="CreateUserIdentity"/> | |
<OutputClaimsTransformation ReferenceId="AppendUserIdentity"/> | |
</OutputClaimsTransformations> | |
<UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin"/> | |
</TechnicalProfile> | |
<TechnicalProfile Id="AAD-FindB2CUserWithAADOid"> | |
<Metadata> | |
<Item Key="Operation">Read</Item> | |
<Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item> | |
<Item Key="UserMessageIfClaimsPrincipalDoesNotExist">An account could not be found for the provided user ID.</Item> | |
</Metadata> | |
<IncludeInSso>false</IncludeInSso> | |
<InputClaims> | |
<InputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="signInNames.oidToLink" Required="true"/> | |
</InputClaims> | |
<OutputClaims> | |
<OutputClaim ClaimTypeReferenceId="objectId"/> | |
<OutputClaim ClaimTypeReferenceId="extension_requiresMigrationBool"/> | |
<!-- Account flagged for linking --> | |
</OutputClaims> | |
<IncludeTechnicalProfile ReferenceId="AAD-Common"/> | |
</TechnicalProfile> | |
<TechnicalProfile Id="AAD-UserUpdateWithUserIdentities"> | |
<Metadata> | |
<Item Key="api-version">1.6</Item> | |
<Item Key="Operation">Write</Item> | |
<Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">false</Item> | |
<Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item> | |
</Metadata> | |
<InputClaims> | |
<InputClaim ClaimTypeReferenceId="objectId" Required="true"/> | |
</InputClaims> | |
<PersistedClaims> | |
<PersistedClaim ClaimTypeReferenceId="objectId"/> | |
<PersistedClaim ClaimTypeReferenceId="userIdentities"/> | |
<PersistedClaim ClaimTypeReferenceId="extension_requiresMigrationBool" DefaultValue="false" AlwaysUseDefaultValue="true"/> | |
</PersistedClaims> | |
<OutputClaims> | |
<OutputClaim ClaimTypeReferenceId="objectId"/> | |
<OutputClaim ClaimTypeReferenceId="userIdentities"/> | |
</OutputClaims> | |
<OutputClaimsTransformations> | |
<OutputClaimsTransformation ReferenceId="ExtractIssuers"/> | |
</OutputClaimsTransformations> | |
<IncludeTechnicalProfile ReferenceId="AAD-Common"/> | |
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/> | |
</TechnicalProfile> | |
<TechnicalProfile Id="AAD-UserReadUsingUserIdentityToLink-NoError"> | |
<Metadata> | |
<Item Key="api-version">1.6</Item> | |
<Item Key="Operation">Read</Item> | |
<Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">false</Item> | |
</Metadata> | |
<InputClaims> | |
<InputClaim ClaimTypeReferenceId="userIdentities" PartnerClaimType="userIdentities" Required="true"/> | |
</InputClaims> | |
<OutputClaims> | |
<OutputClaim ClaimTypeReferenceId="objectIdToLink" PartnerClaimType="objectId"/> | |
<OutputClaim ClaimTypeReferenceId="accountEnabled"/> | |
</OutputClaims> | |
<IncludeTechnicalProfile ReferenceId="AAD-Common"/> | |
</TechnicalProfile> | |
<TechnicalProfile Id="AAD-UserReadUsingUserIdentity-NoError"> | |
<Metadata> | |
<Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">false</Item> | |
</Metadata> | |
<IncludeTechnicalProfile ReferenceId="AAD-UserReadUsingUserIdentity"/> | |
</TechnicalProfile> | |
<TechnicalProfile Id="AAD-UserReadUsingUserIdentity"> | |
<Metadata> | |
<Item Key="api-version">1.6</Item> | |
<Item Key="Operation">Read</Item> | |
<Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item> | |
<Item Key="UserMessageIfClaimsPrincipalDoesNotExist">User does not exist. Please sign up before you can sign in.</Item> | |
</Metadata> | |
<InputClaims> | |
<InputClaim ClaimTypeReferenceId="userIdentities" PartnerClaimType="userIdentities" Required="true"/> | |
</InputClaims> | |
<OutputClaims> | |
<!-- Required claims --> | |
<OutputClaim ClaimTypeReferenceId="objectId"/> | |
<OutputClaim ClaimTypeReferenceId="userIdentities"/> | |
<!-- Optional claims --> | |
<OutputClaim ClaimTypeReferenceId="displayName"/> | |
<OutputClaim ClaimTypeReferenceId="otherMails"/> | |
<OutputClaim ClaimTypeReferenceId="givenName"/> | |
<OutputClaim ClaimTypeReferenceId="surname"/> | |
</OutputClaims> | |
<OutputClaimsTransformations> | |
<OutputClaimsTransformation ReferenceId="ExtractIssuers"/> | |
</OutputClaimsTransformations> | |
<IncludeTechnicalProfile ReferenceId="AAD-Common"/> | |
</TechnicalProfile> | |
<TechnicalProfile Id="AAD-UserWriteUsingUserIdentity"> | |
<Metadata> | |
<Item Key="api-version">1.6</Item> | |
<Item Key="Operation">Write</Item> | |
<Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">true</Item> | |
<Item Key="UserMessageIfClaimsPrincipalAlreadyExists">You are already registered, please press the back button and sign in instead.</Item> | |
</Metadata> | |
<InputClaimsTransformations> | |
<InputClaimsTransformation ReferenceId="CreateOtherMailsFromEmail"/> | |
</InputClaimsTransformations> | |
<InputClaims> | |
<InputClaim ClaimTypeReferenceId="userIdentities" PartnerClaimType="userIdentities" Required="true"/> | |
</InputClaims> | |
<PersistedClaims> | |
<!-- Required claims --> | |
<PersistedClaim ClaimTypeReferenceId="userIdentities"/> | |
<PersistedClaim ClaimTypeReferenceId="userPrincipalName"/> | |
<PersistedClaim ClaimTypeReferenceId="mailNickName" DefaultValue="unknown"/> | |
<PersistedClaim ClaimTypeReferenceId="displayName" DefaultValue="unknown"/> | |
<!-- Optional claims --> | |
<PersistedClaim ClaimTypeReferenceId="otherMails"/> | |
<PersistedClaim ClaimTypeReferenceId="givenName"/> | |
<PersistedClaim ClaimTypeReferenceId="surname"/> | |
</PersistedClaims> | |
<OutputClaims> | |
<OutputClaim ClaimTypeReferenceId="objectId"/> | |
<OutputClaim ClaimTypeReferenceId="userIdentities"/> | |
<OutputClaim ClaimTypeReferenceId="newUser" PartnerClaimType="newClaimsPrincipalCreated"/> | |
<!-- The following other mails claim is needed for the case when a user is created, we get otherMails from directory. Self-asserted provider also has an | |
OutputClaims, and if this is absent, Self-Asserted provider will prompt the user for otherMails. --> | |
<OutputClaim ClaimTypeReferenceId="otherMails"/> | |
</OutputClaims> | |
<IncludeTechnicalProfile ReferenceId="AAD-Common"/> | |
<UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD"/> | |
</TechnicalProfile> | |
<TechnicalProfile Id="SelfAsserted-Error-DupeAccount"> | |
<DisplayName>Unsolicited error message</DisplayName> | |
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/> | |
<Metadata> | |
<Item Key="ContentDefinitionReferenceId">api.selfasserted</Item> | |
<!-- Remove the continue button--> | |
<Item Key="setting.showContinueButton">false</Item> | |
</Metadata> | |
<InputClaimsTransformations> | |
<InputClaimsTransformation ReferenceId="CreateUserExistsErrorMessage"/> | |
</InputClaimsTransformations> | |
<InputClaims> | |
<InputClaim ClaimTypeReferenceId="errorMessage"/> | |
<InputClaim ClaimTypeReferenceId="objectIdToLink"/> | |
</InputClaims> | |
<OutputClaims> | |
<OutputClaim ClaimTypeReferenceId="errorMessage"/> | |
<OutputClaim ClaimTypeReferenceId="objectIdToLink"/> | |
</OutputClaims> | |
</TechnicalProfile> | |
<TechnicalProfile Id="SelfAsserted-Error-Blocked"> | |
<DisplayName>Unsolicited error message</DisplayName> | |
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/> | |
<Metadata> | |
<Item Key="ContentDefinitionReferenceId">api.selfasserted</Item> | |
<!-- Remove the continue button--> | |
<Item Key="setting.showContinueButton">false</Item> | |
</Metadata> | |
<InputClaimsTransformations> | |
<InputClaimsTransformation ReferenceId="CreateUserBlockedErrorMessage"/> | |
</InputClaimsTransformations> | |
<InputClaims> | |
<InputClaim ClaimTypeReferenceId="errorMessage"/> | |
</InputClaims> | |
<OutputClaims> | |
<OutputClaim ClaimTypeReferenceId="errorMessage"/> | |
</OutputClaims> | |
</TechnicalProfile> | |
<TechnicalProfile Id="AAD-UserReadUsingObjectId"> | |
<OutputClaims> | |
<OutputClaim ClaimTypeReferenceId="accountEnabled"/> | |
</OutputClaims> | |
</TechnicalProfile> | |
</TechnicalProfiles> | |
</ClaimsProvider> | |
</ClaimsProviders> | |
<UserJourneys> | |
<UserJourney Id="SignUpOrSignInLinkedAAD"> | |
<OrchestrationSteps> | |
<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin"> | |
<ClaimsProviderSelections> | |
<ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange"/> | |
<ClaimsProviderSelection TargetClaimsExchangeId="AADExchange"/> | |
</ClaimsProviderSelections> | |
<ClaimsExchanges> | |
<ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email"/> | |
</ClaimsExchanges> | |
</OrchestrationStep> | |
<!-- Check if the user has selected to sign in using one of the social providers --> | |
<OrchestrationStep Order="2" Type="ClaimsExchange"> | |
<Preconditions> | |
<Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
<Value>objectId</Value> | |
<Action>SkipThisOrchestrationStep</Action> | |
</Precondition> | |
</Preconditions> | |
<ClaimsExchanges> | |
<ClaimsExchange Id="AADExchange" TechnicalProfileReferenceId="AADAzure-OpenIdConnect"/> | |
<ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail"/> | |
</ClaimsExchanges> | |
</OrchestrationStep> | |
<!-- When authenticating via AAD, take the UPN from AAD and find the matching B2C user via the SignInNames.oidToLink attribute --> | |
<OrchestrationStep Order="3" Type="ClaimsExchange"> | |
<Preconditions> | |
<Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
<Value>authenticationSource</Value> | |
<Value>localAccountAuthentication</Value> | |
<Action>SkipThisOrchestrationStep</Action> | |
</Precondition> | |
</Preconditions> | |
<ClaimsExchanges> | |
<ClaimsExchange Id="FindB2CUserWithAADOid" TechnicalProfileReferenceId="AAD-FindB2CUserWithAADOid"/> | |
</ClaimsExchanges> | |
</OrchestrationStep> | |
<!-- In the case a federated logon already occurred before implementing this linking logic, we must identity this existing federated stub account | |
Attempt to find the second user account in the directory. --> | |
<OrchestrationStep Order="4" Type="ClaimsExchange"> | |
<Preconditions> | |
<Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
<Value>authenticationSource</Value> | |
<Value>localAccountAuthentication</Value> | |
<Action>SkipThisOrchestrationStep</Action> | |
</Precondition> | |
</Preconditions> | |
<ClaimsExchanges> | |
<ClaimsExchange Id="FindDupeAccount" TechnicalProfileReferenceId="AAD-UserReadUsingUserIdentityToLink-NoError"/> | |
</ClaimsExchanges> | |
</OrchestrationStep> | |
<!-- If that stub account exists, show an error with the objectId of the offending account. | |
But if this is the already linked account (subsequent logon - which has the extension attribute), then it's not an error condition--> | |
<OrchestrationStep Order="5" Type="ClaimsExchange"> | |
<Preconditions> | |
<Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
<Value>authenticationSource</Value> | |
<Value>localAccountAuthentication</Value> | |
<Action>SkipThisOrchestrationStep</Action> | |
</Precondition> | |
<Precondition Type="ClaimsExist" ExecuteActionsIf="false"> | |
<Value>objectIdToLink</Value> | |
<Action>SkipThisOrchestrationStep</Action> | |
</Precondition> | |
<Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
<Value>extension_requiresMigrationBool</Value> | |
<Value>False</Value> | |
<Action>SkipThisOrchestrationStep</Action> | |
</Precondition> | |
</Preconditions> | |
<ClaimsExchanges> | |
<ClaimsExchange Id="SelfAssertedErrorForDupeAccount" TechnicalProfileReferenceId="SelfAsserted-Error-DupeAccount"/> | |
</ClaimsExchanges> | |
</OrchestrationStep> | |
<!-- If the AAD user from above exists and requires migrating (first logon) - write the userIdentities to the account | |
And flip the migration attribute to false--> | |
<OrchestrationStep Order="6" Type="ClaimsExchange"> | |
<Preconditions> | |
<Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
<Value>authenticationSource</Value> | |
<Value>localAccountAuthentication</Value> | |
<Action>SkipThisOrchestrationStep</Action> | |
</Precondition> | |
<Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
<Value>extension_requiresMigrationBool</Value> | |
<Value>False</Value> | |
<Action>SkipThisOrchestrationStep</Action> | |
</Precondition> | |
</Preconditions> | |
<ClaimsExchanges> | |
<ClaimsExchange Id="AADMergeAccount" TechnicalProfileReferenceId="AAD-UserUpdateWithUserIdentities"/> | |
</ClaimsExchanges> | |
</OrchestrationStep> | |
<!--For AAD authentication, attempt to find the user account in the directory via the AlternativeSecId --> | |
<OrchestrationStep Order="7" Type="ClaimsExchange"> | |
<Preconditions> | |
<Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
<Value>authenticationSource</Value> | |
<Value>localAccountAuthentication</Value> | |
<Action>SkipThisOrchestrationStep</Action> | |
</Precondition> | |
</Preconditions> | |
<ClaimsExchanges> | |
<ClaimsExchange Id="AADUserReadUsingUserIdentityId" TechnicalProfileReferenceId="AAD-UserReadUsingUserIdentity-NoError"/> | |
</ClaimsExchanges> | |
</OrchestrationStep> | |
<!-- This step reads any user attributes that we may not have received when authenticating using LocalAccount so they can be sent | |
in the token. Applies to Local Account Auth. --> | |
<OrchestrationStep Order="8" Type="ClaimsExchange"> | |
<Preconditions> | |
<Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
<Value>authenticationSource</Value> | |
<Value>socialIdpAuthentication</Value> | |
<Action>SkipThisOrchestrationStep</Action> | |
</Precondition> | |
</Preconditions> | |
<ClaimsExchanges> | |
<ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId"/> | |
</ClaimsExchanges> | |
</OrchestrationStep> | |
<!-- If account disabled, show an error message --> | |
<OrchestrationStep Order="9" Type="ClaimsExchange"> | |
<Preconditions> | |
<Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
<Value>accountEnabled</Value> | |
<Value>True</Value> | |
<Action>SkipThisOrchestrationStep</Action> | |
</Precondition> | |
</Preconditions> | |
<ClaimsExchanges> | |
<ClaimsExchange Id="Error-Blocked" TechnicalProfileReferenceId="SelfAsserted-Error-Blocked"/> | |
</ClaimsExchanges> | |
</OrchestrationStep> | |
<!-- For AAD Auth since we have a user pre created. So, in that case, this step should never run since we always have an | |
ObjectId for AAD accounts at this stage, or for Local Accounts we already have objectId too by now. --> | |
<OrchestrationStep Order="10" Type="ClaimsExchange"> | |
<Preconditions> | |
<Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
<Value>objectId</Value> | |
<Action>SkipThisOrchestrationStep</Action> | |
</Precondition> | |
</Preconditions> | |
<ClaimsExchanges> | |
<ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingUserIdentity"/> | |
</ClaimsExchanges> | |
</OrchestrationStep> | |
<OrchestrationStep Order="11" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/> | |
</OrchestrationSteps> | |
<ClientDefinition ReferenceId="DefaultWeb"/> | |
</UserJourney> | |
</UserJourneys> | |
<RelyingParty> | |
<DefaultUserJourney ReferenceId="SignUpOrSignInLinkedAAD"/> | |
<UserJourneyBehaviors> | |
<JourneyInsights TelemetryEngine="ApplicationInsights" InstrumentationKey="195...25b" DeveloperMode="true" ClientEnabled="false" ServerEnabled="true" TelemetryVersion="1.0.0"/> | |
</UserJourneyBehaviors> | |
<TechnicalProfile Id="PolicyProfile"> | |
<DisplayName>PolicyProfile</DisplayName> | |
<Protocol Name="OpenIdConnect"/> | |
<OutputClaims> | |
<OutputClaim ClaimTypeReferenceId="displayName"/> | |
<OutputClaim ClaimTypeReferenceId="givenName"/> | |
<OutputClaim ClaimTypeReferenceId="surname"/> | |
<OutputClaim ClaimTypeReferenceId="email"/> | |
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/> | |
<OutputClaim ClaimTypeReferenceId="identityProvider"/> | |
<OutputClaim ClaimTypeReferenceId="extension_requiresMigrationBool"/> | |
<OutputClaim ClaimTypeReferenceId="accountEnabled"/> | |
</OutputClaims> | |
<SubjectNamingInfo ClaimType="sub"/> | |
</TechnicalProfile> | |
</RelyingParty> | |
</TrustFrameworkPolicy> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
https://medium.com/the-new-control-plane/linking-a-federated-login-against-an-existing-azure-ad-b2c-local-account-ea2db2fc2252