Created
April 23, 2024 21:45
-
-
Save rbrayb/ea8097d741b6724c8f33c3022d50e65f to your computer and use it in GitHub Desktop.
Federating with Azure AD B2C without creating a shadow account
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8" standalone="yes"?> | |
| <TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
| xmlns:xsd="http://www.w3.org/2001/XMLSchema" | |
| xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0" TenantId="tenant.onmicrosoft.com" PolicyId="B2C_1A_signup_signin_EntraIDFed" PublicPolicyUri="http://tenant.onmicrosoft.com/B2C_1A_signup_signin_EntraIDFed" | |
| DeploymentMode="Development" | |
| UserJourneyRecorderEndpoint="urn:journeyrecorder:applicationinsights"> | |
| <BasePolicy> | |
| <TenantId>tenant.onmicrosoft.com</TenantId> | |
| <PolicyId>B2C_1A_TRUSTFRAMEWORKEXTENSIONSMFA</PolicyId> | |
| </BasePolicy> | |
| <BuildingBlocks> | |
| <ClaimsTransformations> | |
| <ClaimsTransformation Id="CopyObjectID" TransformationMethod="CopyClaim"> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="issuerUserId" TransformationClaimType="inputClaim"/> | |
| </InputClaims> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="objectId" TransformationClaimType="outputClaim"/> | |
| </OutputClaims> | |
| </ClaimsTransformation> | |
| </ClaimsTransformations> | |
| </BuildingBlocks> | |
| <ClaimsProviders> | |
| <ClaimsProvider> | |
| <Domain>Contoso.com</Domain> | |
| <DisplayName>Contoso</DisplayName> | |
| <TechnicalProfiles> | |
| <TechnicalProfile Id="Entra-ID-OpenIdConnect"> | |
| <DisplayName>Entra ID Employee</DisplayName> | |
| <Description>Login with your Entra ID account</Description> | |
| <Protocol Name="OpenIdConnect"/> | |
| <Metadata> | |
| <Item Key="METADATA">https://login.microsoftonline.com/tenant.onmicrosoft.com/v2.0/.well-known/openid-configuration</Item> | |
| <Item Key="client_id">ad...c1</Item> | |
| <Item Key="response_types">code</Item> | |
| <Item Key="scope">openid profile</Item> | |
| <Item Key="response_mode">form_post</Item> | |
| <Item Key="HttpBinding">POST</Item> | |
| <Item Key="UsePolicyInRedirectUri">false</Item> | |
| </Metadata> | |
| <CryptographicKeys> | |
| <Key Id="client_secret" StorageReferenceId="B2C_1A_FedSecret"/> | |
| </CryptographicKeys> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid"/> | |
| <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/> | |
| <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name"/> | |
| <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name"/> | |
| <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name"/> | |
| <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="upn"/> | |
| <OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="upn"/> | |
| <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true"/> | |
| <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss"/> | |
| </OutputClaims> | |
| <OutputClaimsTransformations> | |
| <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/> | |
| <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/> | |
| <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/> | |
| <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/> | |
| </OutputClaimsTransformations> | |
| <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin"/> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="Create-ObjectID"> | |
| <DisplayName>Create objectID</DisplayName> | |
| <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/> | |
| <InputClaimsTransformations> | |
| <InputClaimsTransformation ReferenceId="CopyObjectID"/> | |
| </InputClaimsTransformations> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="objectId"/> | |
| </OutputClaims> | |
| <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/> | |
| </TechnicalProfile> | |
| </TechnicalProfiles> | |
| </ClaimsProvider> | |
| </ClaimsProviders> | |
| <UserJourneys> | |
| <UserJourney Id="SignUpOrSignIn-Fed"> | |
| <OrchestrationSteps> | |
| <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin"> | |
| <ClaimsProviderSelections> | |
| <ClaimsProviderSelection TargetClaimsExchangeId="EntraIDExchange"/> | |
| <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange"/> | |
| </ClaimsProviderSelections> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- Check if the user has selected to sign in using one of the social providers --> | |
| <OrchestrationStep Order="2" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>objectId</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="EntraIDExchange" TechnicalProfileReferenceId="Entra-ID-OpenIdConnect"/> | |
| <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- For social IDP authentication, attempt to find the user account in the directory. --> | |
| <OrchestrationStep Order="3" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
| <Value>authenticationSource</Value> | |
| <Value>localAccountAuthentication</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- We are not writing the social user record so we need to create an objectId for the sub --> | |
| <OrchestrationStep Order="4" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
| <Value>authenticationSource</Value> | |
| <Value>localAccountAuthentication</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="CreateObjectId" TechnicalProfileReferenceId="Create-ObjectID"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent | |
| in the token. --> | |
| <OrchestrationStep Order="5" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> | |
| <Value>authenticationSource</Value> | |
| <Value>socialIdpAuthentication</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="6" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/> | |
| </OrchestrationSteps> | |
| <ClientDefinition ReferenceId="DefaultWeb"/> | |
| </UserJourney> | |
| </UserJourneys> | |
| <RelyingParty> | |
| <DefaultUserJourney ReferenceId="SignUpOrSignIn-Fed"/> | |
| <UserJourneyBehaviors> | |
| <JourneyInsights TelemetryEngine="ApplicationInsights" InstrumentationKey="123456" DeveloperMode="true" ClientEnabled="false" ServerEnabled="true" TelemetryVersion="1.0.0"/> | |
| </UserJourneyBehaviors> | |
| <TechnicalProfile Id="PolicyProfile"> | |
| <DisplayName>PolicyProfile</DisplayName> | |
| <Protocol Name="OpenIdConnect"/> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="displayName"/> | |
| <OutputClaim ClaimTypeReferenceId="givenName"/> | |
| <OutputClaim ClaimTypeReferenceId="surname"/> | |
| <OutputClaim ClaimTypeReferenceId="email"/> | |
| <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/> | |
| <OutputClaim ClaimTypeReferenceId="identityProvider"/> | |
| <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}"/> | |
| </OutputClaims> | |
| <SubjectNamingInfo ClaimType="sub"/> | |
| </TechnicalProfile> | |
| </RelyingParty> | |
| </TrustFrameworkPolicy> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
https://medium.com/the-new-control-plane/federating-with-azure-ad-b2c-without-creating-a-shadow-account-95d965f9e67b