AD B2C TOTP Custom policy and Google IDP

Question

AD B2C TOTP Custom policy and Google IDP

Tiago Catarino 40

I am currently using this custom policy sample: https://github.com/azure-ad-b2c/samples/tree/master/policies/totp This sample seems to work perfectly when signing in with a local account. In the sample (in this custom policy sample it is only shown the example of how to set it up for a local account).**
**
this is my User Journey (this is workin with a local account login)

    <UserJourney Id="SignUpOrSignInTOTP" DefaultCpimIssuerTechnicalProfileReferenceId="JwtIssuer">
      <OrchestrationSteps>
        <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
          <ClaimsProviderSelections>
            <ClaimsProviderSelection TargetClaimsExchangeId="MicrosoftAccountExchange" />
            <ClaimsProviderSelection TargetClaimsExchangeId="GoogleExchange" />
            <ClaimsProviderSelection TargetClaimsExchangeId="AppleExchange" />
            <ClaimsProviderSelection TargetClaimsExchangeId="TwitterExchange"/>  
            <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
          </ClaimsProviderSelections>
          <ClaimsExchanges>
            <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>objectId</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="MicrosoftAccountExchange" TechnicalProfileReferenceId="MSA-OIDC-SignIn" />
            <ClaimsExchange Id="GoogleExchange" TechnicalProfileReferenceId="Google-OAUTH-SignIn" />
            <ClaimsExchange Id="AppleExchange" TechnicalProfileReferenceId="Apple-OAUTH-SignIn" />
            <ClaimsExchange Id="TwitterExchange" TechnicalProfileReferenceId="Twitter-SignIn" />
            <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail-HasEmailFlagged" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- Subjourney : 
        Handle new social account sign in.

        If LocalAccountEmail does not exist, and is not LocalAccount auth, then this Social Id must be provisioned as normal
        If its a local account auth, then skip this entirely -->
        <OrchestrationStep Order="3" Type="InvokeSubJourney">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>authenticationSource</Value>
              <Value>localAccountAuthentication</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
              <Value>LocalAccountEmail</Value>
              <Value>false</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>authenticationSource</Value>
              <Value>localAccountAuthentication</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <JourneyList>
            <Candidate SubJourneyReferenceId="ProvisionOrSignInNewSocialAccountTOTP" />
          </JourneyList>
        </OrchestrationStep>
        <!-- if social account auth, try find an account with the incoming email, and return the LocalAccountEmail-->
        <OrchestrationStep Order="4" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>authenticationSource</Value>
              <Value>localAccountAuthentication</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="FindLocalAccountWithSocialEmail" TechnicalProfileReferenceId="AAD-FindLocalAccountWithSocialEmail" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="5" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- Call the TOTP enrollment ub journey. If user already enrolled the sub journey will not ask the user to enroll -->
        <OrchestrationStep Order="6" Type="InvokeSubJourney">
          <JourneyList>
            <Candidate SubJourneyReferenceId="TotpFactor-Input" />
          </JourneyList>
        </OrchestrationStep>
        <!-- Call the TOTP validation sub journey-->
        <OrchestrationStep Order="7" Type="InvokeSubJourney">
          <JourneyList>
            <Candidate SubJourneyReferenceId="TotpFactor-Verify" />
          </JourneyList>
        </OrchestrationStep>
        <OrchestrationStep Order="8" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
      </OrchestrationSteps>
    </UserJourney>

**
Expected Behavior:**
When the user signs in with a provider like google or twitter, they are displayed a QR Code to enable TOTP.

Current Behavior:
After attempting to sign-in with Google the following error is shown instead of the QR code page:
User's image

Any help with this is welcomed :)

Moosa Khan 595 Reputation points Microsoft External Staff Moderator

2025-05-02T11:15:05.0666667+00:00

Hello Tiago,

As per MS Document -TOTP display controls - Azure AD B2C | Microsoft Learn

There are some Missing Elements in your XML
To enable TOTP within your custom policy, use the following display controls:

totpQrCodeControl - Render the QR code and a deep link. When the user scans the QR code or opens the deep link, the authenticator app opens so the user can complete the enrollment process.
AuthenticatorAppIconControl - Render the Microsoft Authenticator app icon with a link to download the app to the user's mobile device.
AuthenticatorInfoControl - Render the TOTP introduction.

Display Controls Definition: Your XML lacks the <DisplayControls> section, which is essential for rendering the TOTP UI elements such as QR code, authenticator app icon, and TOTP information.
Self-Asserted Technical Profile for TOTP Enrollment: There's no TechnicalProfile like EnableOTPAuthentication defined, which is necessary for handling the TOTP enrollment process.
Claims Transformation for TOTP Setup: The required claims transformations (CreateSecret, CreateIssuer, CreateUriLabel, CreateUriString) are not present. These are crucial for generating the TOTP secret and URI.
Verification Technical Profiles: Your XML doesn't include the BeginVerifyOTP and VerifyOTP technical profiles, which are needed to validate the TOTP codes during the verification process.
Tiago Catarino 40 Reputation points

2025-05-02T14:27:49.3466667+00:00

All mentioned above exists in my current configuration, if you check the sample custom policy, mine is the same (the only differences are the claimProviders and userJourney).
The TOTP works with local account but not with IDPs, for example Google.

Maybe I can elaborate my scenario.
I have a Custom policy for signing-in in my application. If a user signs in with a local account the token seems to be recognized by the TOTP custom policy and no login prompt is shown and the user can go to the QR code page, as expected. But if the user signs-in with a google account, sign-in page is prompted when accessing the TOTP custom policy. If the user tries to login to have accessto the TOTP the following error is displayed: https://pastebin.com/v1QPJEXk

this is my current userJourney that is simpler than the above (based on other custom policies I have done): https://pastebin.com/fNi70aNm
Moosa Khan 595 Reputation points Microsoft External Staff Moderator

2025-05-02T18:16:35.05+00:00

Thank you for elaborating the scenario, I would like to check this up offline with you to understand the scenario better. Please share your contact details over private message and your availability for a call.

1 answer

Your answer

Moosa Khan 595 Reputation points Microsoft External Staff Moderator

2025-05-02T11:15:05.0666667+00:00

Hello Tiago,

As per MS Document -TOTP display controls - Azure AD B2C | Microsoft Learn

There are some Missing Elements in your XML
To enable TOTP within your custom policy, use the following display controls:

totpQrCodeControl - Render the QR code and a deep link. When the user scans the QR code or opens the deep link, the authenticator app opens so the user can complete the enrollment process.
AuthenticatorAppIconControl - Render the Microsoft Authenticator app icon with a link to download the app to the user's mobile device.
AuthenticatorInfoControl - Render the TOTP introduction.

Display Controls Definition: Your XML lacks the <DisplayControls> section, which is essential for rendering the TOTP UI elements such as QR code, authenticator app icon, and TOTP information.
Self-Asserted Technical Profile for TOTP Enrollment: There's no TechnicalProfile like EnableOTPAuthentication defined, which is necessary for handling the TOTP enrollment process.
Claims Transformation for TOTP Setup: The required claims transformations (CreateSecret, CreateIssuer, CreateUriLabel, CreateUriString) are not present. These are crucial for generating the TOTP secret and URI.
Verification Technical Profiles: Your XML doesn't include the BeginVerifyOTP and VerifyOTP technical profiles, which are needed to validate the TOTP codes during the verification process.
Tiago Catarino 40 Reputation points

2025-05-02T14:27:49.3466667+00:00

All mentioned above exists in my current configuration, if you check the sample custom policy, mine is the same (the only differences are the claimProviders and userJourney).
The TOTP works with local account but not with IDPs, for example Google.

Maybe I can elaborate my scenario.
I have a Custom policy for signing-in in my application. If a user signs in with a local account the token seems to be recognized by the TOTP custom policy and no login prompt is shown and the user can go to the QR code page, as expected. But if the user signs-in with a google account, sign-in page is prompted when accessing the TOTP custom policy. If the user tries to login to have accessto the TOTP the following error is displayed: https://pastebin.com/v1QPJEXk

this is my current userJourney that is simpler than the above (based on other custom policies I have done): https://pastebin.com/fNi70aNm
Moosa Khan 595 Reputation points Microsoft External Staff Moderator

2025-05-02T18:16:35.05+00:00

Thank you for elaborating the scenario, I would like to check this up offline with you to understand the scenario better. Please share your contact details over private message and your availability for a call.

Answer 1

The solution to the issue was adding this orchestration step:

        <OrchestrationStep Order="3" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>authenticationSource</Value>
              <Value>localAccountAuthentication</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId" />
          </ClaimsExchanges>
        </OrchestrationStep>

Share via

AD B2C TOTP Custom policy and Google IDP

1 answer

Your answer