Azure ADB2C Custom Policy back button and refresh behaviour

Clueless235 1 Reputation point

When a user tries to sign-up to a platform and they have already used a social login, I am trying to prevent them from using the same social login. This has been implemented using custom policies. The following orchestration steps are relevant:

<!-- For social authentication, attempt to find the user account in the directory. If it exists they can not use the same identity. The error is suppressed and the objectId is set which is needed in the next step -->  
        <OrchestrationStep Order="4" Type="ClaimsExchange">  
            <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />  
        <!-- If we have an Object ID here then the Social Account has already been used for signing up, so rather than log them in with the existing account, we need to end the journey and tell the user-->  
        <OrchestrationStep Order="5" Type="ClaimsExchange" >  
          <Precondition Type="ClaimsExist" ExecuteActionsIf="false">  
          <ClaimsExchange Id="SelfAssertedError" TechnicalProfileReferenceId="SelfAsserted-Error" />  

The first orchestration step performs an http request to a service to retrieve an object id if the user has already used a social account. If it does exist, then the object id claim is populated with the existing id. The next orchestration step simply displays a page prompting the user to close the tab and try signing up again with a different account. This works fine within the happy path, however when the user clicks the browser back button or the refresh button, the page is not displayed anymore and the user can proceed to logging in with that already used social account.

What would the options be to ensure that when either browser back button or refresh button is pressed, the custom policy to either resume from the last orchestration step or start the policy from the beginning. It seems like the current behaviour is to simply skip the self asserted error step.

The technical profiles linked to the the above orchestration steps:

<TechnicalProfile Id="AAD-UserReadUsingAlternativeSecurityId-NoError">  
            <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">false</Item>  
          <IncludeTechnicalProfile ReferenceId="AAD-UserReadUsingAlternativeSecurityId" />  
<TechnicalProfile Id="AAD-UserReadUsingAlternativeSecurityId">  
            <Item Key="Operation">Read</Item>  
            <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>  
            <InputClaim ClaimTypeReferenceId="alternativeSecurityId" PartnerClaimType="alternativeSecurityId" Required="true" />  
            <!-- Required claims -->  
            <OutputClaim ClaimTypeReferenceId="objectId" />  
            <OutputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" />  
            <!-- Optional claims -->  
            <OutputClaim ClaimTypeReferenceId="userPrincipalName" />  
            <OutputClaim ClaimTypeReferenceId="displayName" />  
            <OutputClaim ClaimTypeReferenceId="otherMails" />  
            <OutputClaim ClaimTypeReferenceId="givenName" />  
            <OutputClaim ClaimTypeReferenceId="surname" />  
          <IncludeTechnicalProfile ReferenceId="AAD-Common" />  
      <DisplayName>Self Asserted Error page</DisplayName>  
        <TechnicalProfile Id="SelfAsserted-Error">  
          <DisplayName>Error message</DisplayName>  
          <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=, Culture=neutral, PublicKeyToken=null"/>  
            <Item Key="ContentDefinitionReferenceId">api.selfasserted.existingSocial</Item>  
            <Item Key="setting.showContinueButton">false</Item>  
            <Item Key="setting.showCancelButton">false</Item>  
            <InputClaim ClaimTypeReferenceId="errorMessage" DefaultValue="There is already an account registered with this login. Please close this window and start the sign up journey again using a different email or social login."/>  
            <OutputClaim ClaimTypeReferenceId="errorMessage"/>  
Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,706 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Shweta Mathur 28,771 Reputation points Microsoft Employee

    Hi @Clueless235 ,

    Thanks for reaching out and apologies for delay in response.

    You need to make sure that at least one claim on the page is set to required=true in the SignUp page, otherwise refreshing the page will just skip that page.


    1 person found this answer helpful.