Claim with id 'alternativeSecurityId' was not found in the collection - sub journey custom policy

Kevin Stone 61 Reputation points
2020-11-24T18:35:22.217+00:00

I have an error in step 2 of a sub journey

<SubJourney Id="CreativeFieldSignupSignin" Type="Transfer">
      <OrchestrationSteps>
        <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
          <ClaimsProviderSelections>
            <ClaimsProviderSelection TargetClaimsExchangeId="CreativeField" />
          </ClaimsProviderSelections>
          <ClaimsExchanges>
            <ClaimsExchange Id="CreativeField" TechnicalProfileReferenceId="OIDC-CreativeField" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- Attempt to find the user account in the B2C directory. -->
        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />
          </ClaimsExchanges>
        </OrchestrationStep>

When I run the same orchestration steps in a user journey (not a sub journey), it runs without error. Is there some limitation on sub journeys where it can't access claims?

We are using the base AAD-UserReadUsingAlternativeSecurityId-NoError technical profile, which references the base AAD-UserReadUsingAlternativeSecurityId technical profile. I believe the line that is causing the error is

<InputClaim ClaimTypeReferenceId="AlternativeSecurityId" PartnerClaimType="alternativeSecurityId" Required="true" />

I don't understand why our provider would return a null claim in a sub journey but not a normal user journey. The same technical profile "OIDC-CreativeField" was used in each.

Here is the OIDC-CreativeField profile:

<TechnicalProfile Id="OIDC-CreativeField">
          <DisplayName>Test AAD</DisplayName>
          <Description>Test AAD</Description>
          <Protocol Name="OpenIdConnect"/>
          <Metadata>
            <Item Key="METADATA">https://login.microsoftonline.com/[tenant].onmicrosoft.com/v2.0/.well-known/openid-configuration</Item>
            <Item Key="client_id">[client id]</Item>
            <Item Key="response_types">code</Item>
            <Item Key="scope">openid profile</Item>
            <Item Key="response_mode">form_post</Item>
            <Item Key="HttpBinding">POST</Item>
            <Item Key="UsePolicyInRedirectUri">false</Item>
          </Metadata>
          <CryptographicKeys>
            <Key Id="client_secret" StorageReferenceId="[secret reference id]"/>
          </CryptographicKeys>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid"/>
            <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
            <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
            <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
            <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
            <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
            <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
          </OutputClaims>
          <OutputClaimsTransformations>
            <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
            <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
            <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
            <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
          </OutputClaimsTransformations>
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin"/>
        </TechnicalProfile>

We are using the base claim transformation CreateAlternativeSecurityId

      <ClaimsTransformation Id="CreateAlternativeSecurityId" TransformationMethod="CreateAlternativeSecurityId">
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="issuerUserId" TransformationClaimType="key" />
          <InputClaim ClaimTypeReferenceId="identityProvider" TransformationClaimType="identityProvider" />
        </InputClaims>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="alternativeSecurityId" TransformationClaimType="alternativeSecurityId" />
        </OutputClaims>
      </ClaimsTransformation>
Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,632 questions
{count} votes

1 answer

Sort by: Most helpful
  1. 2020-12-02T01:03:41.087+00:00

    Hi @Kevin Stone , I'm back. Subjourneys have access to claims just like orchestration steps. The claim must have been issued by a technical profile called by a previous orchestration step. Alternatively you might try adding altsecid as an output claim in the Social Idp technical profile.

    Please let me know if you need more help. If the answer was helpful to you, please accept it it so that other members in the community can benefit from it.