B2C edit profile API connector get updated email

Clemens Ertle
2023-06-27T16:42:25.5766667+00:00

Hi, we have Azure AD B2C configured over CustomPolicy (the XML thing).

When a User changes their email, we want AD to call a service, so we can update the email in our system as well.
I got it to send a request to my service after the email changed, but I only receive the objectId and signInName (which is the old email). Here is the configuration. The new ClaimsProvider:

    <ClaimsProvider>
      <DisplayName>REST APIs</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="REST-Update">
          <DisplayName>Update User</DisplayName>
          <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
          <Metadata>
            <Item Key="ServiceUrl">https://my-service/api/update-profile</Item>
            <!-- No authentication on the call: the service cannot tell a B2C call from any other caller -->
            <Item Key="AuthenticationType">None</Item>
            <Item Key="SendClaimsIn">Body</Item>
            <Item Key="AllowInsecureAuthInProduction">True</Item>
          </Metadata>
          <InputClaims>
            <!-- just tried everything I could find, but only objectId and signInName are set -->
            <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
            <InputClaim ClaimTypeReferenceId="email" />
            <InputClaim ClaimTypeReferenceId="signInName" />
            <InputClaim ClaimTypeReferenceId="displayName" />
            <InputClaim ClaimTypeReferenceId="givenName" />
            <InputClaim ClaimTypeReferenceId="surname" />
            <InputClaim ClaimTypeReferenceId="alternativeSecurityId" />
            <InputClaim ClaimTypeReferenceId="userPrincipalName" />
            <InputClaim ClaimTypeReferenceId="newUser" />
            <InputClaim ClaimTypeReferenceId="otherMails" />
          </InputClaims>
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>

Usage of the new ClaimsProvider (see the end of the journey):

    <UserJourney Id="ProfileEdit">
      <OrchestrationSteps>

        <OrchestrationStep Order="1" Type="ClaimsProviderSelection" ContentDefinitionReferenceId="api.idpselections">
          <ClaimsProviderSelections>
            <ClaimsProviderSelection TargetClaimsExchangeId="LocalAccountSigninEmailExchange" />
          </ClaimsProviderSelections>
        </OrchestrationStep>

        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email-for-ProfileEdit" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <OrchestrationStep Order="3" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <OrchestrationStep Order="4" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="B2CUserProfileUpdateExchange" TechnicalProfileReferenceId="SelfAsserted-ProfileUpdate" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <OrchestrationStep Order="5" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />

        <!-- HERE -->
        <OrchestrationStep Order="6" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="UpdateUser" TechnicalProfileReferenceId="REST-Update" />
          </ClaimsExchanges>
        </OrchestrationStep>

      </OrchestrationSteps>
    </UserJourney>

So I get the objectId and the email that was used to sign in, but that's the old email; I need the new one that was changed.

How can I achieve this?

James Hamil (Microsoft Employee, Moderator)
2023-06-28T20:06:08.0633333+00:00

Hi @Clemens Ertle, you need to add an OutputClaim in the SelfAsserted-LocalAccountSignin-Email-for-ProfileEdit technical profile that captures the new email value. Then, include this claim as an InputClaim in your REST-Update technical profile.

First, add the following OutputClaim to the SelfAsserted-LocalAccountSignin-Email-for-ProfileEdit technical profile:

    <OutputClaims>
      ...
      <OutputClaim ClaimTypeReferenceId="newEmail" />
    </OutputClaims>

Next, add the newEmail claim as an InputClaim in your REST-Update technical profile:

    <InputClaims>
      ...
      <InputClaim ClaimTypeReferenceId="newEmail" />
    </InputClaims>

This will include the new email value in the request sent to your service. Make sure to define the newEmail claim in the ClaimsSchema section of your policy file if it's not already defined.

Please let me know if you have any questions and I can help you further.

If this answer helps you please mark "Accept Answer" so other users can reference it.

Thank you,

James
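As an added example (not part of the question or the answer above), here is a minimal handler for the service behind ServiceUrl, written as plain Python functions with no web framework so it runs stand-alone. It assumes the REST-Update profile is switched from AuthenticationType None to Basic so the service can reject requests that did not come from B2C, and it parses the JSON body B2C posts when SendClaimsIn is Body, whose keys are the InputClaim names (objectId, signInName, newEmail); the credentials, the user store and the sample payloads are constructed for the example.

```python
import base64
import hmac
import json
import re

# Constructed credentials for the example; the same values would be configured
# on the REST-Update technical profile once it uses Basic authentication.
EXPECTED_USER = "b2c-caller"
EXPECTED_PASSWORD = "example-secret"

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def basic_auth_header(user, password):
    # Builds the Authorization header a Basic-auth caller sends (used by tests).
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def b2c_error(message, status=409):
    # Shape B2C expects for a validation error from a REST technical profile:
    # userMessage is shown to the user and the journey stops at this step.
    return status, {"version": "1.0.0", "status": status, "userMessage": message}


def _basic_auth_ok(headers):
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        user, _, pwd = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 bytes
        return False
    # Constant-time comparison so credential checking does not leak by timing.
    return (hmac.compare_digest(user.encode(), EXPECTED_USER.encode())
            and hmac.compare_digest(pwd.encode(), EXPECTED_PASSWORD.encode()))


def handle_update_profile(headers, raw_body, store):
    """Handle the POST B2C sends for the REST-Update profile.

    store stands in for the application's user table keyed by B2C objectId.
    Returns (http_status, json_payload)."""
    if not _basic_auth_ok(headers):
        return 401, {"error": "unauthorized"}
    try:
        claims = json.loads(raw_body)
    except json.JSONDecodeError:
        return b2c_error("Malformed request body", status=400)
    object_id = claims.get("objectId")
    new_email = (claims.get("newEmail") or "").strip().lower()
    if not object_id or object_id not in store:
        return b2c_error("Unknown user")
    if not EMAIL_RE.match(new_email):
        return b2c_error("Please enter a valid email address")
    store[object_id]["email"] = new_email
    # Claims returned with 200 can be mapped back into the journey as OutputClaims.
    return 200, {"email": new_email}
```

A 409 with this body makes B2C show userMessage on the self-asserted page instead of silently completing the profile edit.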
