How to load the claims in a second custom policy in AD B2C?

Question

How to load the claims in a second custom policy in AD B2C?

Pooranan Balasubramnian 0

We have a built a member portal which onboards our customers using Azure B2C we have a custom policy which uses OIDC and generates the token. Once the user is in the portal we have outgoing links to external applications which all work with SAML and this whole set up uses SSO. So users once authenticated they can access these apps. Each of these apps - user journeys - have their own SAML policies since they need to get different values for each app so they use a REST API call. Now to call the API we need to read the claims set in the first policy without again interacting with the user so we can pass this to the REST call. What is the best option for this. Right now we have the first policy replicated and the REST Call happens automatically as there is a valid token but this seems redundant but i am not able to read the claims like email in any other way.

Akshay-MSFT 17,956 Reputation points Microsoft Employee Moderator

2023-05-16T05:46:35.3666667+00:00

@Pooranan Balasubramnian

Thank you for posting your query on Microsoft Q&A. I am reviewing this and will get back to you with further inputs.

Thanks,

Akshay Kaushik

1 answer

Your answer

Akshay-MSFT 17,956 Reputation points Microsoft Employee Moderator

2023-05-16T05:46:35.3666667+00:00

@Pooranan Balasubramnian

Thank you for posting your query on Microsoft Q&A. I am reviewing this and will get back to you with further inputs.

Thanks,

Akshay Kaushik

Answer 1

Akshay-MSFT 17,956 Microsoft Employee Moderator

@Pooranan Balasubramnian

You can add a REST API call at any step in the user journey defined by a custom policy. For example, you can call a REST API:

In this case it seems to be Immediately after sign-in to Azure AD B2C app. You need to Add an orchestration step in the existing signup-signin policy user journey.

User journeys specify explicit paths through which a policy allows a relying party application to obtain the desired claims for a user. A user journey is represented as an orchestration sequence that must be followed through for a successful transaction. You can add or subtract orchestration steps. In this case, you will add a new orchestration step that is used to augment the information provided to the application after the user sign-up or sign-in via the REST API call.

Open the base file of your policy. For example, SocialAndLocalAccounts/TrustFrameworkBase.xml.
Search for the <UserJourneys> element. Copy the entire element, and then delete it.
Open the extensions file of your policy. For example, SocialAndLocalAccounts/TrustFrameworkExtensions.xml.
Paste the <UserJourneys> into the extensions file, after the close of the <ClaimsProviders> element.
Locate the <UserJourney Id="SignUpOrSignIn">, and add the following orchestration step before the last one.

<OrchestrationStep Order="7" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="RESTGetProfile" TechnicalProfileReferenceId="REST-GetProfile" />
  </ClaimsExchanges>
</OrchestrationStep>

Refactor the last orchestration step by changing the Order to 8. Your final two orchestration steps should look like the following:

<OrchestrationStep Order="7" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="RESTGetProfile" TechnicalProfileReferenceId="REST-GetProfile" />
  </ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="8" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />

Once done kindly follow Include a claim in the token. Please do let me know if you have any further queries by posting in the comments section. Thanks Akshay Kaushik Please "Accept the answer" (Yes), and share your feedback if the suggestion answers you’re your query. This will help us and others in the community as well.

Pooranan Balasubramnian 0 Reputation points

2023-05-19T08:30:54.09+00:00

I dont't want to just call a REST API but like i said my portal has already the claims in the token. Now when the second policy executes how do i parse the token and load the claims in the claims bag so that my policy can access those tokens to use them to do other things like calling a REST API. The user has just authenticated with the login so when he clicks on the second SAML policy i don't want him to again interact but non-interactively i want to get the claims loaded during the second policy execution.
Pooranan Balasubramnian 0 Reputation points

2023-05-21T17:53:43.89+00:00

Hi,

My question was about how to initialize the claims in the claims bag when a user after authenticating starts a new journey which invokes another policy. In that flow we need access to the user's object id or email. How do we get this without interacting with the user.

Akshay-MSFT 17,956 Microsoft Employee Moderator

@Pooranan Balasubramnian ,

To initialize the claims in the claims bag in Azure AD B2C, you can use the ClaimsExchange element in your policy. Here are the steps to do so:

Define a ClaimsExchange element in your policy. For example:

<ClaimsExchanges>
  <ClaimsExchange Id="InitializeClaims" TechnicalProfileReferenceId="InitializeClaims" />
</ClaimsExchanges>

Define the InitializeClaims technical profile in your policy. For example:

<TechnicalProfiles>
  <TechnicalProfile Id="InitializeClaims">
    <DisplayName>Initialize Claims</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="givenName" DefaultValue="" />
      <OutputClaim ClaimTypeReferenceId="surname" DefaultValue="" />
      <OutputClaim ClaimTypeReferenceId="email" DefaultValue="" />
    </OutputClaims>
  </TechnicalProfile>
</TechnicalProfiles>

In the OutputClaims element of the InitializeClaims technical profile, define the claims that you want to initialize in the claims bag. For example, in the above example, the givenName, surname, and email claims are initialized with empty string values.

In your user journey, reference the ClaimsExchange element that you defined in step 1. For example:

<UserJourney>
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>givenName</Value>
          <Value>surname</Value>
          <Value>email</Value>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="InitializeClaimsExchange" TechnicalProfileReferenceId="InitializeClaims" />
      </ClaimsExchanges>
    </OrchestrationStep>
    ...
  </OrchestrationSteps>
</UserJourney>

Save the changes to your policy file and try again. This will initialize the claims in the claims bag with the default values that you specified in the InitializeClaims technical profile.

Note: You can also initialize the claims in the claims bag with values from an external system or a REST API by using a ClaimsProvider technical profile instead of a None protocol technical profile.

Thanks,

Akshay Kaushik

Share via

How to load the claims in a second custom policy in AD B2C?

1 answer

Your answer