Azure AD B2C SAML Email Claim

Luke McAlpine 6 Reputation points
2022-12-12T23:27:27.453+00:00

I have successfully set up Azure B2C using the local account starter packs with B2C as the IDP; we've integrated with a partner and can access their application. How do we go about passing the local IDP accounts' 'email' attribute to the partner as a claim? They're getting first name, last name and display name without issue but not receiving the email claim.

Similar issue to this: Azure B2C SAML Custom Policy Assert Email

I've inserted this into the BaseFramework

And this Technical Profile

and then this in the SAML flow:

But it's still not working

As above modified as per documentation

Microsoft Security | Microsoft Entra | Microsoft Entra External ID

1 answer

  1. Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator
    2023-01-05T08:24:13.8+00:00

    Hello @Luke McAlpine ,

    Kindly try adding the email claim as an output claim from the AAD-UserReadUsingObjectId technical profile, so that it is read when the user object for the signed-in user is read.

    <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" />
    </OutputClaims>

    <TechnicalProfile Id="AAD-UserReadUsingObjectId">
    <Metadata>
    <Item Key="Operation">Read</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
    </Metadata>
    <IncludeInSso>false</IncludeInSso>
    <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
    </InputClaims>
    <OutputClaims>
    <!-- Optional claims -->
    <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" />
    <OutputClaim ClaimTypeReferenceId="displayName" />
    <OutputClaim ClaimTypeReferenceId="otherMails" />
    <OutputClaim ClaimTypeReferenceId="givenName" />
    <OutputClaim ClaimTypeReferenceId="surname" />
    </OutputClaims>
    <IncludeTechnicalProfile ReferenceId="AAD-Common" />
    </TechnicalProfile>

    OR you could try to create the "otherMails" claim from the "email" claim using the "CreateOtherMailsFromEmail" claims transformation and then persist the "otherMails" claim in the "AAD-UserWriteUsingLogonEmail" technical profile. For a step-by-step solution, kindly refer to: https://stackoverflow.com/questions/47145452/return-emails-on-custom-policies

    <TechnicalProfile Id="AAD-UserWriteUsingLogonEmail">
    ...
    <IncludeInSso>false</IncludeInSso>
    <InputClaimsTransformations>
    <InputClaimsTransformation ReferenceId="CreateOtherMailsFromEmail" />
    </InputClaimsTransformations>
    <InputClaims>
    ...
    </InputClaims>
    <PersistedClaims>
    ...
    <PersistedClaim ClaimTypeReferenceId="otherMails" />
    </PersistedClaims>
    <OutputClaims>
    ...
    <OutputClaim ClaimTypeReferenceId="otherMails" />
    </OutputClaims>
    ...
    </TechnicalProfile>

    Please do let me know if you have any further queries.

    Thanks,
    Akshay Kaushik

    Please "Accept the answer", "Upvote" and rate your experience if the suggestion works as per your business need. This will help us and others in the community as well.
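A consistency check for the claim wiring discussed in this thread, added here as an example that is not part of the thread and not Microsoft's code: it parses a B2C custom policy and reports whether both the directory read profile and the relying-party profile emit a given claim, which is the gap behind a "name claims arrive but email does not" symptom. The policy it builds is a constructed minimal stand-in (the TrustFrameworkPolicy namespace is the real one; the profile Ids are the starter-pack names, and "PolicyProfile" is assumed for the relying party).

```python
"""Check that a claim is emitted by every technical profile it must pass through."""
import xml.etree.ElementTree as ET

# Namespace used by Azure AD B2C TrustFrameworkPolicy files.
NS = {"b2c": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}


def output_claims(policy_xml: str, profile_id: str):
    """Map ClaimTypeReferenceId -> PartnerClaimType (or None) for the OutputClaims
    of the technical profile with the given Id; None if no such profile exists."""
    root = ET.fromstring(policy_xml)
    for tp in root.iterfind(".//b2c:TechnicalProfile", NS):
        if tp.get("Id") == profile_id:
            return {oc.get("ClaimTypeReferenceId"): oc.get("PartnerClaimType")
                    for oc in tp.iterfind("b2c:OutputClaims/b2c:OutputClaim", NS)}
    return None


def missing_links(policy_xml: str, claim: str, read_profile: str, rp_profile: str):
    """List the profiles on the path that do not output `claim`. Empty list == wired."""
    problems = []
    for pid in (read_profile, rp_profile):
        claims = output_claims(policy_xml, pid)
        if claims is None:
            problems.append(f"{pid}: profile not found")
        elif claim not in claims:
            problems.append(f"{pid}: no OutputClaim for '{claim}'")
    return problems


def claim_xml(name: str, partner=None) -> str:
    attrs = f'ClaimTypeReferenceId="{name}"'
    if partner:
        attrs += f' PartnerClaimType="{partner}"'
    return f"<OutputClaim {attrs}/>"


def sample_policy(read_claims: dict) -> str:
    """Constructed minimal policy: the RP profile always asks for email, the
    directory read profile outputs only what `read_claims` lists."""
    read = "".join(claim_xml(n, p) for n, p in read_claims.items())
    return f"""<TrustFrameworkPolicy xmlns="{NS['b2c']}" PolicyId="B2C_1A_Example">
  <ClaimsProviders><ClaimsProvider><TechnicalProfiles>
    <TechnicalProfile Id="AAD-UserReadUsingObjectId"><OutputClaims>{read}</OutputClaims></TechnicalProfile>
  </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
  <RelyingParty><TechnicalProfile Id="PolicyProfile"><OutputClaims>
    {claim_xml("email", "email")}{claim_xml("displayName")}
  </OutputClaims></TechnicalProfile></RelyingParty>
</TrustFrameworkPolicy>"""
```

Against a real tenant, feed it the merged base, extensions and relying-party files: a claim the relying-party profile requests but no upstream profile outputs is silently omitted from the assertion rather than raising an error.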

