StringCompare in ADB2C Custom policy
I am trying to compare the output of (AAD-UserReadUsingEmailAddress-Hint) to verify whether the user is an Admin User (value = "Admin") and, if so, throw an error that only shows a message to sign in with the normal flow.
I have created a Claims Transformation (CT) for comparing the value and a CT for the error message. In the UserJourney I am trying to throw an error if the role is Admin (after the user has been read from the email hint).
But uploading the policy itself fails with "The type attribute is invalid. The value ClaimsEquals is invalid according to its datatype." Any pointers would be very helpful. Is the approach correct? (My policy is similar to https://github.com/azure-ad-b2c/samples/blob/master/policies/sign-in-with-magic-link/policy/SignInWithMagicLink.xml)
Thanks
CT (for checking)
<ClaimsTransformation Id="isAdminUser" TransformationMethod="CompareClaimToValue">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="extension_role" TransformationClaimType="inputClaim1" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="compareTo" DataType="string" Value="Admin" />
    <InputParameter Id="operator" DataType="string" Value="equal" />
    <InputParameter Id="ignoreCase" DataType="string" Value="true" />
  </InputParameters>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="result" TransformationClaimType="outputClaim" />
  </OutputClaims>
</ClaimsTransformation>
CT (for error)
<ClaimsTransformation Id="AdminUserNotAllowed" TransformationMethod="CreateStringClaim">
  <InputParameters>
    <InputParameter Id="value" DataType="string" Value="Admin user access via Email or SignIn link is not allowed. Please access the application via normal SignIn" />
  </InputParameters>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="errorMessage" TransformationClaimType="createdClaim" />
  </OutputClaims>
</ClaimsTransformation>
UserJourney
<OrchestrationStep Order="1" Type="GetClaims" CpimIssuerTechnicalProfileReferenceId="IdTokenHint_ExtractClaims" />
:
<!-- Read the user properties from the directory -->
<OrchestrationStep Order="4" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="AADUserReadUsingEmailAddress" TechnicalProfileReferenceId="AAD-UserReadUsingEmailAddress-Hint" />
  </ClaimsExchanges>
</OrchestrationStep>
<!-- Check if user is admin user -->
<OrchestrationStep Order="5" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
      <Value>isAdminUser</Value>
      <Value>False</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="AdminUserNotAllowed" TechnicalProfileReferenceId="AdminUserNotAllowed" />
  </ClaimsExchanges>
</OrchestrationStep>
:
<!-- Issue an access token -->
<OrchestrationStep Order="8" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
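The fragment below is an added illustration, not part of the question or of the linked magic-link sample, of how the pieces of this kind of role check fit together in the custom-policy schema. It relies on four points the schema fixes: the two precondition types are ClaimsExist and ClaimEquals; in a ClaimEquals precondition the first Value is the ClaimTypeReferenceId of a claim declared in the ClaimsSchema and the second is the literal to compare against; CompareClaimToValue writes a boolean into its outputClaim; and a ClaimsExchange must reference a TechnicalProfile, so a claims transformation is run from a technical profile of the ClaimsTransformationProtocolProvider type rather than referenced directly from the step. The identifiers isAdmin, CompareRoleToAdmin, ClaimsTransformation-CheckAdmin and SelfAsserted-BlockAdmin are assumptions chosen for the example; extension_role and the step numbering follow the question.

```xml
<!-- Added example, not the original poster's policy. -->

<!-- ClaimsSchema: the comparison result has to be a declared boolean claim,
     otherwise the precondition has nothing to read. -->
<ClaimType Id="isAdmin">
  <DisplayName>Is admin user</DisplayName>
  <DataType>boolean</DataType>
</ClaimType>

<!-- ClaimsTransformations: same comparison as in the question, but the output
     goes to the boolean claim the precondition will test. -->
<ClaimsTransformation Id="CompareRoleToAdmin" TransformationMethod="CompareClaimToValue">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="extension_role" TransformationClaimType="inputClaim1" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="compareTo" DataType="string" Value="Admin" />
    <InputParameter Id="operator" DataType="string" Value="equal" />
    <InputParameter Id="ignoreCase" DataType="string" Value="true" />
  </InputParameters>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="isAdmin" TransformationClaimType="outputClaim" />
  </OutputClaims>
</ClaimsTransformation>

<!-- TechnicalProfile that actually runs the transformation; this is what the
     orchestration step's ClaimsExchange has to point at. -->
<TechnicalProfile Id="ClaimsTransformation-CheckAdmin">
  <DisplayName>Compute isAdmin from extension_role</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="isAdmin" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="CompareRoleToAdmin" />
  </OutputClaimsTransformations>
</TechnicalProfile>

<!-- UserJourney steps after the directory read (step 4 in the question). -->
<OrchestrationStep Order="5" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="CheckAdmin" TechnicalProfileReferenceId="ClaimsTransformation-CheckAdmin" />
  </ClaimsExchanges>
</OrchestrationStep>

<OrchestrationStep Order="6" Type="ClaimsExchange">
  <Preconditions>
    <!-- Type is ClaimEquals (not ClaimsEquals). First Value: the claim type id.
         Second Value: the literal. Skip the blocking step only when isAdmin
         exists and equals False; a missing claim (e.g. extension_role never
         set) therefore fails closed and the user is still blocked. -->
    <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
      <Value>isAdmin</Value>
      <Value>False</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <!-- Assumed id of a self-asserted technical profile that shows the
         "use the normal sign-in" message; a ClaimsTransformation id cannot
         be used here. -->
    <ClaimsExchange Id="BlockAdmin" TechnicalProfileReferenceId="SelfAsserted-BlockAdmin" />
  </ClaimsExchanges>
</OrchestrationStep>
```

Two caveats for whoever adapts this. The ClaimsExchange at step 6 has to reference a technical profile, so a CreateStringClaim transformation on its own cannot "throw" anything; the documented way to stop a journey with a user-visible message is the AssertBooleanClaimIsEqualToValue transformation run as a validation technical profile of a self-asserted profile that carries the UserMessageIfClaimsTransformationBooleanValueIsNotEqual metadata, and since validation profiles run on page submit this needs a page in the flow, which a pure id_token_hint journey does not otherwise have. Also, because the precondition is written to skip only on an explicit False, make sure the directory read actually returns extension_role for non-admin users, or every user without the attribute will land on the blocking step.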