
Display custom error message to user on signup if email address entered 2 times differ

Sandor Juhasz 1 Reputation point
2021-12-15T11:47:50.577+00:00

I've created a custom policy for Azure AD B2C to define a user sign up process. It works as expected.

Now I want to extend the policy to have a second text field to confirm an email address. So I'm simply using a claims transformation (of type AssertStringClaimsAreEqual) to assert that the user entered the correct email twice. I used the following example/documentation:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/string-transformations#assertstringclaimsareequal
https://learn.microsoft.com/en-us/azure/active-directory-b2c/claims-transformation-technical-profile#use-a-validation-technical-profile
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/active-directory-b2c/string-transformations.md#assertstringclaimsareequal

My problem: if I enter 2 mismatching email addresses, I always get the standard error message for mismatching password entries ("error_passwordEntryMismatch", I can overwrite that with a custom message but then the error message for mismatching passwords would be misleading).
I can't see the error message I defined using "UserMessageIfClaimsTransformationStringsAreNotEqual" in the Metadata section of the TechnicalProfile.

I tried a lot, like explicitly defining "RaiseErrorIfClaimsTransformationStringsAreNotEqual" = true, moving technical profiles around, setting "ContinueOnError" = false for the ValidationTechnicalProfile reference, putting the custom error message into the localization section, and so on.
The custom error message that the entered email addresses mismatch won't be displayed. I always end up with "The password entry fields do not match. Please enter the same password in both fields and try again."

Can somebody please help here?

Microsoft Security | Microsoft Entra | Microsoft Entra External ID

2 answers

  1. Anonymous
    2022-01-03T21:00:30.927+00:00

    Edit: Solution from @Sandor Juhasz -

    The solution: do not name your matching email field "reenterEmail" as I did, because it seems that there is some whacky StartsWith logic on the claim type name which seems to look for "reenterSomethingBlabla" and interprets that as "somebody is trying to validate a password against another field".

    I renamed the second email field to "confirmEmail" and it displays the error message as it should, using the div id="claimVerificationServerError" in the rendered output.

    Hi @Sandor Juhasz , sorry for the delay in response, I was off for the Holidays. Please review this thread as it can most likely fix your problem: https://stackoverflow.com/questions/62308594/in-azure-b2c-custom-policies-how-do-i-display-more-than-2-distinct-validation-m

    In essence, you can only have 1 distinct validation for that claims transformation. For the password validation you have to depend on the Self Asserted technical profile for its built-in password validation. The sample Jas provided in his reply has everything for that built-in validation to work.

    Please let me know if this works for you or if you get stuck.

    If this answer helped you, please mark it as "Verified" so other users may reference it.

    Thank you,
    James

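As an added example (not part of this thread, and not Microsoft's own tooling), the following Python script lints a B2C custom policy offline for the two things the answer above turned on: an AssertStringClaimsAreEqual transformation that reads a claim whose name starts with "reenter", and a self-asserted profile that references such a validation profile without defining UserMessageIfClaimsTransformationStringsAreNotEqual. The embedded policy is a constructed sample built from the fragments posted in this thread with the second field renamed to confirmEmail as the answer suggests; the ClaimType declaration for it is assumed (the thread does not show one), and the "reenter" prefix check encodes the behaviour the answer reports, not a documented rule.

```python
"""Offline lint for a B2C custom policy, covering the pitfall this thread hit:
1. an AssertStringClaimsAreEqual transformation whose input claim type name
   starts with "reenter" (the prefix the accepted answer found to trigger the
   built-in password-mismatch message instead of the custom one), and
2. a self-asserted profile that runs such a validation profile without
   defining UserMessageIfClaimsTransformationStringsAreNotEqual."""
import xml.etree.ElementTree as ET

MESSAGE_KEY = "UserMessageIfClaimsTransformationStringsAreNotEqual"

# Constructed sample: the thread's fragments with the second field renamed to
# "confirmEmail" (ClaimType declaration assumed). Not a complete, deployable policy.
SAMPLE_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <BuildingBlocks>
    <ClaimsSchema>
      <ClaimType Id="confirmEmail">
        <DisplayName>Confirm email address</DisplayName>
        <DataType>string</DataType>
        <UserInputType>TextBox</UserInputType>
      </ClaimType>
    </ClaimsSchema>
    <ClaimsTransformations>
      <ClaimsTransformation Id="AssertEmailAndConfirmEmailAreEqual" TransformationMethod="AssertStringClaimsAreEqual">
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="confirmEmail" TransformationClaimType="inputClaim1" />
          <InputClaim ClaimTypeReferenceId="email" TransformationClaimType="inputClaim2" />
        </InputClaims>
        <InputParameters>
          <InputParameter Id="stringComparison" DataType="string" Value="ordinalIgnoreCase" />
        </InputParameters>
      </ClaimsTransformation>
    </ClaimsTransformations>
  </BuildingBlocks>
  <ClaimsProviders>
    <ClaimsProvider>
      <TechnicalProfiles>
        <TechnicalProfile Id="ValidateEmailAddress">
          <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
          <OutputClaimsTransformations>
            <OutputClaimsTransformation ReferenceId="AssertEmailAndConfirmEmailAreEqual" />
          </OutputClaimsTransformations>
        </TechnicalProfile>
        <TechnicalProfile Id="SelfAsserted-UserSignup">
          <Metadata>
            <Item Key="UserMessageIfClaimsTransformationStringsAreNotEqual">The email addresses you provided are not the same.</Item>
          </Metadata>
          <ValidationTechnicalProfiles>
            <ValidationTechnicalProfile ReferenceId="ValidateEmailAddress" ContinueOnError="false" />
          </ValidationTechnicalProfiles>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
</TrustFrameworkPolicy>
"""


def _local(tag):
    """Strip the namespace prefix ElementTree adds for the default xmlns."""
    return tag.rsplit("}", 1)[-1]


def _find(elem, name):
    """All descendants of elem whose local tag name equals name."""
    return [e for e in elem.iter() if _local(e.tag) == name]


def find_issues(policy_xml):
    """Return a list of human-readable findings; an empty list means clean."""
    root = ET.fromstring(policy_xml)
    issues = []

    # 1. Equality assertions and the claims they read; flag the "reenter" prefix.
    assert_ids = {}
    for ct in _find(root, "ClaimsTransformation"):
        if ct.get("TransformationMethod") != "AssertStringClaimsAreEqual":
            continue
        inputs = [ic.get("ClaimTypeReferenceId") for ic in _find(ct, "InputClaim")]
        assert_ids[ct.get("Id")] = inputs
        for claim in inputs:
            if claim.lower().startswith("reenter"):
                issues.append(f"{ct.get('Id')}: input claim '{claim}' starts with "
                              f"'reenter'; rename it (e.g. confirmEmail)")

    # 2. Technical profiles that run one of those assertions as an output transformation.
    validating = set()
    for tp in _find(root, "TechnicalProfile"):
        for ref in _find(tp, "OutputClaimsTransformation"):
            if ref.get("ReferenceId") in assert_ids:
                validating.add(tp.get("Id"))

    # 3. Every profile that references a validating profile must carry the custom message.
    for tp in _find(root, "TechnicalProfile"):
        refs = {v.get("ReferenceId") for v in _find(tp, "ValidationTechnicalProfile")}
        if not refs & validating:
            continue
        keys = {item.get("Key") for item in _find(tp, "Item")}
        if MESSAGE_KEY not in keys:
            issues.append(f"{tp.get('Id')}: missing Metadata item {MESSAGE_KEY}")
    return issues


if __name__ == "__main__":
    for line in find_issues(SAMPLE_POLICY) or ["no issues found"]:
        print(line)
```

Run it against a real TrustFrameworkExtensions.xml by passing the file contents to find_issues; the namespace handling means it works on the full policy, not only on this trimmed sample.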


  2. Sandor Juhasz 1 Reputation point
    2021-12-17T08:04:47.577+00:00

    Hey James,

    Sure!

    This is my ClaimsTransformation to compare both email fields:

        <ClaimsTransformations>
          <!-- Raises an error when the two email values differ; the comparison is case-insensitive -->
          <ClaimsTransformation Id="AssertEmailAndReenterEmailAddressAreEqual" TransformationMethod="AssertStringClaimsAreEqual">
            <InputClaims>
              <InputClaim ClaimTypeReferenceId="reenterEmail" TransformationClaimType="inputClaim1" />
              <InputClaim ClaimTypeReferenceId="email" TransformationClaimType="inputClaim2" />
            </InputClaims>
            <InputParameters>
              <InputParameter Id="stringComparison" DataType="string" Value="ordinalIgnoreCase" />
            </InputParameters>
          </ClaimsTransformation>
        </ClaimsTransformations>
    

    This is the TechnicalProfile which uses the Claims Transformation:

          <TechnicalProfiles>
            <!-- Validation profile: runs the equality assertion as an output claims transformation -->
            <TechnicalProfile Id="ValidateEmailAddress">
              <DisplayName>Check email address twice</DisplayName>
              <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
              <InputClaims>
                <InputClaim ClaimTypeReferenceId="reenterEmail" />
              </InputClaims>
              <OutputClaims>
                <OutputClaim ClaimTypeReferenceId="email" />
              </OutputClaims>
              <OutputClaimsTransformations>
                <OutputClaimsTransformation ReferenceId="AssertEmailAndReenterEmailAddressAreEqual" />
              </OutputClaimsTransformations>
              <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
            </TechnicalProfile>
          </TechnicalProfiles>
    

    This is the SelfAsserted User Sign Up Profile using the "ValidateEmailAddress" Profile as a ValidationTechnicalProfile:

        <ClaimsProvider>
          <DisplayName>Self Asserted</DisplayName>
          <TechnicalProfiles>
            <!-- Sign-up page: collects the claims and runs the validation profiles in order -->
            <TechnicalProfile Id="SelfAsserted-UserSignup">
              <DisplayName>User signup</DisplayName>
              <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
              <Metadata>
                <Item Key="ContentDefinitionReferenceId">api.selfasserted.signup</Item>
                <Item Key="setting.showCancelButton">false</Item>
                <!-- Message expected when AssertStringClaimsAreEqual fails in a validation profile -->
                <Item Key="UserMessageIfClaimsTransformationStringsAreNotEqual">The email addresses you provided are not the same.</Item>
              </Metadata>
              <IncludeInSso>false</IncludeInSso>
              <InputClaims>
                <InputClaim ClaimTypeReferenceId="email" />
              </InputClaims>
              <DisplayClaims>
                <DisplayClaim ClaimTypeReferenceId="activationCode" Required="true" />
                <DisplayClaim ClaimTypeReferenceId="email" Required="true" />
                <!-- Second email field compared against "email" by ValidateEmailAddress -->
                <DisplayClaim ClaimTypeReferenceId="reenterEmail" Required="true" />
                <DisplayClaim ClaimTypeReferenceId="newPassword" Required="true" />
                <DisplayClaim ClaimTypeReferenceId="reenterPassword" Required="true" />
                <DisplayClaim ClaimTypeReferenceId="extension_TermsOfUseConsented" Required="true" />
                <DisplayClaim ClaimTypeReferenceId="extension_PrivacyPolicyConsented" Required="true" />
                <DisplayClaim ClaimTypeReferenceId="extension_NewsletterConsented" />
              </DisplayClaims>
              <OutputClaims>
                <OutputClaim ClaimTypeReferenceId="objectId" Required="true" />
                <OutputClaim ClaimTypeReferenceId="email" Required="true" />
                <OutputClaim ClaimTypeReferenceId="reenterEmail" Required="true" />
                <OutputClaim ClaimTypeReferenceId="newPassword" Required="true" />
                <OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true" />
                <OutputClaim ClaimTypeReferenceId="activationCode" Required="true" />
              </OutputClaims>
              <ValidationTechnicalProfiles>
                <!-- Email comparison runs first and stops the page on mismatch -->
                <ValidationTechnicalProfile ReferenceId="ValidateEmailAddress" ContinueOnError="false" />
                <ValidationTechnicalProfile ReferenceId="RestApi-ValidateActivationCode" />
                <ValidationTechnicalProfile ReferenceId="RestApi-VerifyEmailAddress" />
                <ValidationTechnicalProfile ReferenceId="AAD-CreateNewUser" />
              </ValidationTechnicalProfiles>
            </TechnicalProfile>
          </TechnicalProfiles>
        </ClaimsProvider>
    

    The comparison of the email works as expected, but I'm not able to get my custom error message displayed.


