Last active
October 6, 2023 19:03
-
-
Save rbrayb/b5abddbbe9e3697be679548197696bd4 to your computer and use it in GitHub Desktop.
Using identities in Azure AD B2C
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8" ?> | |
| <TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
| xmlns:xsd="http://www.w3.org/2001/XMLSchema" | |
| xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" | |
| PolicySchemaVersion="0.3.0.0" | |
| TenantId="yourtenant.onmicrosoft.com" | |
| PolicyId="B2C_1A_Identifier_signin" | |
| PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_Identifier_signin" | |
| DeploymentMode="Development" | |
| UserJourneyRecorderEndpoint="urn:journeyrecorder:applicationinsights"> | |
| <BasePolicy> | |
| <TenantId>yourtenant.onmicrosoft.com</TenantId> | |
| <PolicyId>B2C_1A_TrustFrameworkExtensionsMFA</PolicyId> | |
| </BasePolicy> | |
| <BuildingBlocks> | |
| <ClaimsSchema> | |
| <ClaimType Id="signInName"> | |
| <DisplayName>Sign in Name</DisplayName> | |
| <DataType>string</DataType> | |
| <UserInputType>TextBox</UserInputType> | |
| </ClaimType> | |
| </ClaimsSchema> | |
| </BuildingBlocks> | |
| <ClaimsProviders> | |
| <ClaimsProvider> | |
| <DisplayName>Identifier based Sign In</DisplayName> | |
| <TechnicalProfiles> | |
| <TechnicalProfile Id="SignIn"> | |
| <DisplayName>Identifier signin</DisplayName> | |
| <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/> | |
| <Metadata> | |
| <Item Key="IpAddressClaimReferenceId">IpAddress</Item> | |
| <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item> | |
| <Item Key="language.button_continue">Continue</Item> | |
| <Item Key="setting.showCancelButton">false</Item> | |
| </Metadata> | |
| <CryptographicKeys> | |
| <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer"/> | |
| </CryptographicKeys> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="signInName"/> | |
| </InputClaims> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="signInName"/> | |
| </OutputClaims> | |
| <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD"/> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="AAD-UserReadUsingIdentifier"> | |
| <Metadata> | |
| <Item Key="Operation">Read</Item> | |
| <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item> | |
| </Metadata> | |
| <IncludeInSso>false</IncludeInSso> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames" Required="true"/> | |
| </InputClaims> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="objectId"/> | |
| <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication"/> | |
| <!-- Optional claims --> | |
| <OutputClaim ClaimTypeReferenceId="userPrincipalName"/> | |
| <OutputClaim ClaimTypeReferenceId="displayname"/> | |
| </OutputClaims> | |
| <IncludeTechnicalProfile ReferenceId="AAD-Common"/> | |
| </TechnicalProfile> | |
| </TechnicalProfiles> | |
| </ClaimsProvider> | |
| </ClaimsProviders> | |
| <UserJourneys> | |
| <UserJourney Id="IdentifierSignInUp"> | |
| <OrchestrationSteps> | |
| <!-- Ask the user for the sign in name --> | |
| <OrchestrationStep Order="1" Type="ClaimsExchange"> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="SignInLoyal" TechnicalProfileReferenceId="SignIn"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="2" Type="ClaimsExchange"> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADRead" TechnicalProfileReferenceId="AAD-UserReadUsingIdentifier"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Return the JWT token --> | |
| <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/> | |
| </OrchestrationSteps> | |
| <ClientDefinition ReferenceId="DefaultWeb"/> | |
| </UserJourney> | |
| </UserJourneys> | |
| <RelyingParty> | |
| <DefaultUserJourney ReferenceId="IdentifierSignInUp"/> | |
| <TechnicalProfile Id="PolicyProfile"> | |
| <DisplayName>PolicyProfile</DisplayName> | |
| <Protocol Name="OpenIdConnect"/> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="signInName" /> | |
| <!-- <OutputClaim ClaimTypeReferenceId="username" PartnerClaimType="signInNames.userName"/> --> | |
| <OutputClaim ClaimTypeReferenceId="objectId"/> | |
| <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/> | |
| <OutputClaim ClaimTypeReferenceId="displayname"/> | |
| <OutputClaim ClaimTypeReferenceId="userPrincipalName"/> | |
| </OutputClaims> | |
| <SubjectNamingInfo ClaimType="sub"/> | |
| </TechnicalProfile> | |
| </RelyingParty> | |
| </TrustFrameworkPolicy> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <ClaimsTransformation Id="CreateIssuer" TransformationMethod="CopyClaim"> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="identityProvider" TransformationClaimType="inputClaim"/> | |
| </InputClaims> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="issuerToLink" TransformationClaimType="outputClaim"/> | |
| </OutputClaims> | |
| </ClaimsTransformation> | |
| <ClaimsTransformation Id="CreateIssuerUserId" TransformationMethod="CopyClaim"> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="issuerId" TransformationClaimType="inputClaim"/> | |
| </InputClaims> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="issuerUserIdToLink" TransformationClaimType="outputClaim"/> | |
| </OutputClaims> | |
| </ClaimsTransformation> | |
| <ClaimsTransformation Id="CreateUserIdentityToLink" TransformationMethod="CreateUserIdentity"> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="issuerUserIdToLink" TransformationClaimType="issuerUserId"/> | |
| <InputClaim ClaimTypeReferenceId="issuerToLink" TransformationClaimType="issuer"/> | |
| </InputClaims> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="userIdentityToLink" TransformationClaimType="userIdentity"/> | |
| </OutputClaims> | |
| </ClaimsTransformation> | |
| <ClaimsTransformation Id="AppendUserIdentityToLink" TransformationMethod="AddItemToUserIdentityCollection"> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="userIdentityToLink" TransformationClaimType="item"/> | |
| <InputClaim ClaimTypeReferenceId="userIdentities" TransformationClaimType="collection"/> | |
| </InputClaims> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="userIdentities" TransformationClaimType="collection"/> | |
| </OutputClaims> | |
| </ClaimsTransformation> | |
| <!-- Extracts the list of social identity providers associated with the user --> | |
| <ClaimsTransformation Id="ExtractIssuers" TransformationMethod="GetIssuersFromUserIdentityCollectionTransformation"> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="userIdentities" TransformationClaimType="userIdentityCollection"/> | |
| </InputClaims> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="issuers" TransformationClaimType="issuersCollection"/> | |
| </OutputClaims> | |
| </ClaimsTransformation> | |
| <TechnicalProfile Id="Add-Federated-Link"> | |
| <DisplayName>Link Federated</DisplayName> | |
| <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/> | |
| <Metadata> | |
| <Item Key="ClaimTypeOnWhichToEnable">issuers</Item> | |
| <Item Key="ClaimValueOnWhichToEnable">some issuer</Item> | |
| </Metadata> | |
| OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="issuerUserIdToLink"/> | |
| <OutputClaim ClaimTypeReferenceId="issuerToLink"/> | |
| </OutputClaims> | |
| <OutputClaimsTransformations> | |
| <OutputClaimsTransformation ReferenceId="CreateIssuer"/> | |
| <OutputClaimsTransformation ReferenceId="CreateIssuerUserId"/> | |
| <OutputClaimsTransformation ReferenceId="CreateUserIdentityToLink"/> | |
| <OutputClaimsTransformation ReferenceId="AppendUserIdentityToLink"/> | |
| </OutputClaimsTransformations> | |
| <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/> | |
| </TechnicalProfile> | |
| <!-- Update the userIdentities to add or remove user identity --> | |
| <TechnicalProfile Id="AAD-UserUpdateWithUserIdentities"> | |
| <Metadata> | |
| <Item Key="api-version">1.6</Item> | |
| <Item Key="Operation">Write</Item> | |
| <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">false</Item> | |
| <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item> | |
| </Metadata> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="objectId" Required="true"/> | |
| </InputClaims> | |
| <PersistedClaims> | |
| <PersistedClaim ClaimTypeReferenceId="objectId"/> | |
| <PersistedClaim ClaimTypeReferenceId="userIdentities"/> | |
| </PersistedClaims> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="objectId"/> | |
| <OutputClaim ClaimTypeReferenceId="userIdentities"/> | |
| </OutputClaims> | |
| <OutputClaimsTransformations> | |
| <OutputClaimsTransformation ReferenceId="ExtractIssuers"/> | |
| </OutputClaimsTransformations> | |
| <IncludeTechnicalProfile ReferenceId="AAD-Common"/> | |
| <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/> | |
| </TechnicalProfile> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8" ?> | |
| <TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
| xmlns:xsd="http://www.w3.org/2001/XMLSchema" | |
| xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" | |
| PolicySchemaVersion="0.3.0.0" | |
| TenantId="yourtenant.onmicrosoft.com" | |
| PolicyId="B2C_1A_Loyalty_signin" | |
| PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_Loyalty_signin" | |
| DeploymentMode="Development" | |
| UserJourneyRecorderEndpoint="urn:journeyrecorder:applicationinsights"> | |
| <BasePolicy> | |
| <TenantId>yourtenant.onmicrosoft.com</TenantId> | |
| <PolicyId>B2C_1A_TrustFrameworkExtensionsMFA</PolicyId> | |
| </BasePolicy> | |
| <BuildingBlocks> | |
| <ClaimsSchema> | |
| <ClaimType Id="loyaltyName"> | |
| <DisplayName>Loyalty number</DisplayName> | |
| <DataType>string</DataType> | |
| <UserInputType>TextBox</UserInputType> | |
| </ClaimType> | |
| <ClaimType Id="signInNames.loyalty"> | |
| <DisplayName>Loyalty number</DisplayName> | |
| <DataType>string</DataType> | |
| </ClaimType> | |
| <ClaimType Id="username"> | |
| <DisplayName>User name</DisplayName> | |
| <DataType>string</DataType> | |
| <UserInputType>TextBox</UserInputType> | |
| </ClaimType> | |
| <ClaimType Id="signInNames.userName"> | |
| <DisplayName>User name</DisplayName> | |
| <DataType>string</DataType> | |
| </ClaimType> | |
| </ClaimsSchema> | |
| </BuildingBlocks> | |
| <ClaimsProviders> | |
| <ClaimsProvider> | |
| <DisplayName>Username based Sign In</DisplayName> | |
| <TechnicalProfiles> | |
| <TechnicalProfile Id="SignIn"> | |
| <DisplayName>Username signin</DisplayName> | |
| <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/> | |
| <Metadata> | |
| <Item Key="IpAddressClaimReferenceId">IpAddress</Item> | |
| <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item> | |
| <Item Key="language.button_continue">Continue</Item> | |
| <Item Key="setting.showCancelButton">false</Item> | |
| </Metadata> | |
| <CryptographicKeys> | |
| <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer"/> | |
| </CryptographicKeys> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="username"/> | |
| <InputClaim ClaimTypeReferenceId="loyaltyName"/> | |
| </InputClaims> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="username"/> | |
| <OutputClaim ClaimTypeReferenceId="loyaltyName"/> | |
| </OutputClaims> | |
| <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD"/> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="AAD-UserReadUsingUsername"> | |
| <Metadata> | |
| <Item Key="Operation">Read</Item> | |
| <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">false</Item> | |
| </Metadata> | |
| <IncludeInSso>false</IncludeInSso> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="username" PartnerClaimType="signInNames.userName" Required="true"/> | |
| </InputClaims> | |
| <OutputClaims> | |
| <!-- Required claims --> | |
| <OutputClaim ClaimTypeReferenceId="objectId"/> | |
| <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication"/> | |
| <!-- Optional claims --> | |
| <OutputClaim ClaimTypeReferenceId="userPrincipalName"/> | |
| <OutputClaim ClaimTypeReferenceId="displayname"/> | |
| </OutputClaims> | |
| <IncludeTechnicalProfile ReferenceId="AAD-Common"/> | |
| </TechnicalProfile> | |
| </TechnicalProfiles> | |
| </ClaimsProvider> | |
| <ClaimsProvider> | |
| <DisplayName>Loyalty</DisplayName> | |
| <TechnicalProfiles> | |
| <TechnicalProfile Id="AAD-UserWriteProfileUsingObjectId-Link"> | |
| <Metadata> | |
| <Item Key="Operation">Write</Item> | |
| <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">false</Item> | |
| <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item> | |
| </Metadata> | |
| <IncludeInSso>false</IncludeInSso> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="username" PartnerClaimType="signInNames.userName" Required="true"/> | |
| </InputClaims> | |
| <PersistedClaims> | |
| <!-- Required claims --> | |
| <PersistedClaim ClaimTypeReferenceId="objectId"/> | |
| <PersistedClaim ClaimTypeReferenceId="username" PartnerClaimType="signInNames.userName"/> | |
| <PersistedClaim ClaimTypeReferenceId="loyaltyName" PartnerClaimType="signInNames.loyalty"/> | |
| <!-- Optional claims --> | |
| <PersistedClaim ClaimTypeReferenceId="givenName"/> | |
| <PersistedClaim ClaimTypeReferenceId="surname"/> | |
| </PersistedClaims> | |
| <IncludeTechnicalProfile ReferenceId="AAD-Common"/> | |
| </TechnicalProfile> | |
| </TechnicalProfiles> | |
| </ClaimsProvider> | |
| </ClaimsProviders> | |
| <UserJourneys> | |
| <UserJourney Id="loyaltySignInUp"> | |
| <OrchestrationSteps> | |
| <!-- Ask the user for the username and loyalty number --> | |
| <OrchestrationStep Order="1" Type="ClaimsExchange"> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="SignInLoyal" TechnicalProfileReferenceId="SignIn"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="2" Type="ClaimsExchange"> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADRead" TechnicalProfileReferenceId="AAD-UserReadUsingUserName"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Link the two identities --> | |
| <OrchestrationStep Order="3" Type="ClaimsExchange"> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADWriteUN" TechnicalProfileReferenceId="AAD-UserWriteProfileUsingObjectId-Link"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Return the JWT token --> | |
| <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/> | |
| </OrchestrationSteps> | |
| <ClientDefinition ReferenceId="DefaultWeb"/> | |
| </UserJourney> | |
| </UserJourneys> | |
| <RelyingParty> | |
| <DefaultUserJourney ReferenceId="loyaltySignInUp"/> | |
| <TechnicalProfile Id="PolicyProfile"> | |
| <DisplayName>PolicyProfile</DisplayName> | |
| <Protocol Name="OpenIdConnect"/> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="loyaltyName" PartnerClaimType="signInNames.loyalty"/> | |
| <OutputClaim ClaimTypeReferenceId="username" PartnerClaimType="signInNames.userName"/> | |
| <OutputClaim ClaimTypeReferenceId="objectId"/> | |
| <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/> | |
| <OutputClaim ClaimTypeReferenceId="displayname"/> | |
| <OutputClaim ClaimTypeReferenceId="userPrincipalName"/> | |
| </OutputClaims> | |
| <SubjectNamingInfo ClaimType="sub"/> | |
| </TechnicalProfile> | |
| </RelyingParty> | |
| </TrustFrameworkPolicy> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
https://medium.com/the-new-control-plane/using-identities-and-linking-them-in-azure-ad-b2c-33b72fcbfd25