using b2c custom policies, Im trying to assign a default role to users on signup and get that role when they are signin

Miguel 270 Reputation points
2023-04-29T23:36:04.3866667+00:00

so, when a new user is registered, and sign in, they get the role in their token but my expectation is tha the old users that havent been assinged any roles, dont get assigned any role when they log in, but my problem is that either all users include the user role in their token when they signin, or I can just assing a role on signon and cant retrieve it on signin, here is what I have done. In summary, Id like to assign a default role on signon and retieve that dynamically on signin, as my plan is to add another ways to register on the UI, so they can choose different roles,thx

in extension file

  
    <UserJourney Id="SignUpOrSignIn_Custom">
      <OrchestrationSteps>
        <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
          <ClaimsProviderSelections>
           <ClaimsProviderSelection TargetClaimsExchangeId="ForgotPasswordExchange" />
            <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
           
          </ClaimsProviderSelections>
          <ClaimsExchanges>
            <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- Check if the user has selected to sign in using one of the social providers -->
        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>objectId</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
          <ClaimsExchange Id="ForgotPasswordExchange" TechnicalProfileReferenceId="ForgotPassword" />
            <!-- <ClaimsExchange Id="SignUpWithLogonEmailExchange_EmailVerification" TechnicalProfileReferenceId="EmailVerification" /> -->
            <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="EmailVerification" />
            
          </ClaimsExchanges>
        </OrchestrationStep>

        <OrchestrationStep Order="3" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>objectId</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>isForgotPassword</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="SignUpWithLogonEmailExchange_WithReadOnlyEmail" TechnicalProfileReferenceId="LocalAccountSignUpWithReadOnlyEmail" />
          </ClaimsExchanges>
        </OrchestrationStep>

           <OrchestrationStep Order="4" Type="InvokeSubJourney">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
              <Value>isForgotPassword</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <JourneyList>
            <Candidate SubJourneyReferenceId="PasswordReset" />
          </JourneyList>
        </OrchestrationStep>

    
        <!-- This step forces email verification on sign in only. -->
        <OrchestrationStep Order="5" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>newUser</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
              <!-- added this to skip this for isForgotPassword too -->
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
            <Value>isForgotPassword</Value>
            <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="EmailVerifyOnSignIn" TechnicalProfileReferenceId="EmailVerifyOnSignIn" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <OrchestrationStep Order="6" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="7" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
      </OrchestrationSteps>
    </UserJourney>
 



I addded this to my SelfAsserted-LocalAccountSignin-Email and LocalAccountSignUpWithReadOnlyEmail technical profiles

   
       

in RP


Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,722 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Shweta Mathur 29,006 Reputation points Microsoft Employee
    2023-05-02T11:44:39.86+00:00

    Hi @Miguel ,

    Thanks for reaching out.

    Define the claim as

    <ClaimType Id="extension_CustomRoles">  
        <DisplayName>Custom roles</DisplayName>  
        <DataType>string</DataType>  
    </ClaimType>  
    
    

    Update below Technical Profile:

    1. Under LocalAccountSignUpWithReadOnlyEmail (for local account sign-up flow), add
    <OutputClaims>  
        <OutputClaim ClaimTypeReferenceId="extension_CustomRoles" AlwaysUseDefaultValue="true" DefaultValue="user"/>  
      </OutputClaims>
    
    

    In your trustframeworkextensions file, add below claims providers

    <ClaimsProvider>  
      <DisplayName>Azure Active Directory</DisplayName>  
      <TechnicalProfiles>  
        <!-- Write data during a local account sign-up flow. -->  
        <TechnicalProfile Id="AAD-UserWriteUsingLogonEmail">  
          <PersistedClaims>  
            <PersistedClaim ClaimTypeReferenceId="extension_CustomRoles"/>  
          </PersistedClaims>  
        </TechnicalProfile>  
        <!-- Write data during a federated account first-time sign-in flow. -->  
        <TechnicalProfile Id="AAD-UserWriteUsingAlternativeSecurityId">  
          <PersistedClaims>  
            <PersistedClaim ClaimTypeReferenceId="extension_CustomRoles"/>  
          </PersistedClaims>  
        </TechnicalProfile>  
        <!-- Write data during edit profile flow. -->  
        <TechnicalProfile Id="AAD-UserWriteProfileUsingObjectId">  
          <PersistedClaims>  
            <PersistedClaim ClaimTypeReferenceId="extension_CustomRoles"/>  
          </PersistedClaims>  
        </TechnicalProfile>  
        <!-- Read data after user resets the password. -->  
        <TechnicalProfile Id="AAD-UserReadUsingEmailAddress">  
          <OutputClaims>    
            <OutputClaim ClaimTypeReferenceId="extension_CustomRoles" />  
              </OutputClaims>  
            </TechnicalProfile>  
            <!-- Read data after user authenticates with a local account. -->  
            <TechnicalProfile Id="AAD-UserReadUsingObjectId">  
              <OutputClaims>    
                <OutputClaim ClaimTypeReferenceId="extension_CustomRoles" />  
              </OutputClaims>  
            </TechnicalProfile>  
            <!-- Read data after user authenticates with a federated account. -->  
            <TechnicalProfile Id="AAD-UserReadUsingAlternativeSecurityId">  
              <OutputClaims>    
                <OutputClaim ClaimTypeReferenceId="extension_CustomRoles" />  
              </OutputClaims>  
            </TechnicalProfile>  
          </TechnicalProfiles>  
        </ClaimsProvider>
    
    

    In your signup_signin (RP) file, add below output claim:

    <OutputClaims>  
       <OutputClaim ClaimTypeReferenceId="extension_CustomRoles" PartnerClaimType="my_custom_roles" />  
     </OutputClaims>
    
    

    You need to persist the extension attribute as mentioned above.

    Hope this will help.

    Thanks,

    Shweta


    Please remember to "Accept Answer" if answer helped you.