Hi @Florian Wachs • I was working on a different issue with a similar ask, so I thought of sharing the solution with you as well. :)
- Define the claims schema.
    <ClaimType Id="extension_CustomRoles">
      <DisplayName>Custom roles</DisplayName>
      <DataType>string</DataType>
    </ClaimType>
    <ClaimType Id="extension_MyCustomRoles">
      <DisplayName>My custom roles</DisplayName>
      <DataType>stringCollection</DataType>
    </ClaimType>
- Add the claims transformation rule.
    <ClaimsTransformation Id="customRoles_ClaimsTransformation" TransformationMethod="StringSplit">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="extension_CustomRoles" TransformationClaimType="inputClaim" />
      </InputClaims>
      <InputParameters>
        <InputParameter DataType="string" Id="delimiter" Value="," />
      </InputParameters>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="extension_MyCustomRoles" TransformationClaimType="outputClaim" />
      </OutputClaims>
    </ClaimsTransformation>
- To the required Technical Profile, add the string claim as the output claim and the claims transformation rule to transform it to a
    <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
      <DisplayName>Local Account Signin</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        ...
      </Metadata>
      <IncludeInSso>false</IncludeInSso>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="signInName" />
      </InputClaims>
      <OutputClaims>
        ...
        <OutputClaim ClaimTypeReferenceId="extension_CustomRoles" AlwaysUseDefaultValue="true" DefaultValue="SecAdmin,UserAdmin,AppAdmin" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="customRoles_ClaimsTransformation" />
      </OutputClaimsTransformations>
      <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="login-NonInteractive" />
      </ValidationTechnicalProfiles>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
    </TechnicalProfile>
- Finally, add the claim as an output claim to the RP (signup/signin) file.
Once the custom policy is updated with the above information, you will get the string collection claim in the token as mentioned below:
    <OutputClaim ClaimTypeReferenceId="extension_MyCustomRoles" PartnerClaimType="my_custom_roles" />
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
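An added example, not code from this thread: a small Python checker that walks the chain the answer above wires up (ClaimsSchema, then the StringSplit ClaimsTransformation, then the TechnicalProfile's OutputClaims and OutputClaimsTransformations, then the RelyingParty OutputClaims) and names the link that is missing, which is the kind of gap that leaves a claim out of the token. The sample policy is constructed from the answer's fragments and trimmed; the RelyingParty profile id "PolicyProfile" is an assumption.

```python
import xml.etree.ElementTree as ET

# B2C TrustFrameworkPolicy documents use this default namespace.
NS = {"tf": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}

# Constructed sample: the answer's fragments merged into one trimmed policy document.
SAMPLE_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
<BuildingBlocks><ClaimsSchema>
 <ClaimType Id="extension_CustomRoles"><DataType>string</DataType></ClaimType>
 <ClaimType Id="extension_MyCustomRoles"><DataType>stringCollection</DataType></ClaimType>
</ClaimsSchema><ClaimsTransformations>
 <ClaimsTransformation Id="customRoles_ClaimsTransformation" TransformationMethod="StringSplit">
  <InputClaims><InputClaim ClaimTypeReferenceId="extension_CustomRoles" TransformationClaimType="inputClaim"/></InputClaims>
  <OutputClaims><OutputClaim ClaimTypeReferenceId="extension_MyCustomRoles" TransformationClaimType="outputClaim"/></OutputClaims>
 </ClaimsTransformation>
</ClaimsTransformations></BuildingBlocks>
<ClaimsProviders><ClaimsProvider><TechnicalProfiles>
 <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
  <OutputClaims><OutputClaim ClaimTypeReferenceId="extension_CustomRoles" AlwaysUseDefaultValue="true" DefaultValue="SecAdmin,UserAdmin"/></OutputClaims>
  <OutputClaimsTransformations><OutputClaimsTransformation ReferenceId="customRoles_ClaimsTransformation"/></OutputClaimsTransformations>
 </TechnicalProfile>
</TechnicalProfiles></ClaimsProvider></ClaimsProviders>
<RelyingParty><TechnicalProfile Id="PolicyProfile"><OutputClaims>
 <OutputClaim ClaimTypeReferenceId="extension_MyCustomRoles" PartnerClaimType="my_custom_roles"/>
</OutputClaims></TechnicalProfile></RelyingParty>
</TrustFrameworkPolicy>"""

def lint_split_claim(policy_xml: str) -> list:
    """Report every broken link in the chain schema -> transformation -> technical profile -> RP."""
    root = ET.fromstring(policy_xml)
    schema = {c.get("Id") for c in root.iterfind(".//tf:ClaimsSchema/tf:ClaimType", NS)}
    rp_out = {o.get("ClaimTypeReferenceId") for o in root.iterfind("tf:RelyingParty//tf:OutputClaim", NS)}
    problems = []
    for ct in root.iterfind(".//tf:ClaimsTransformation[@TransformationMethod='StringSplit']", NS):
        ct_id = ct.get("Id")
        ins = [i.get("ClaimTypeReferenceId") for i in ct.iterfind("tf:InputClaims/tf:InputClaim", NS)]
        outs = [o.get("ClaimTypeReferenceId") for o in ct.iterfind("tf:OutputClaims/tf:OutputClaim", NS)]
        problems += [f"{ct_id}: claim {r} is not defined in ClaimsSchema" for r in ins + outs if r not in schema]
        # Technical profiles that actually run this transformation on their output claims.
        users = [tp for tp in root.iterfind("tf:ClaimsProviders//tf:TechnicalProfile", NS)
                 if any(t.get("ReferenceId") == ct_id for t in tp.iterfind("tf:OutputClaimsTransformations/*", NS))]
        if not users:
            problems.append(f"{ct_id}: no TechnicalProfile references it in OutputClaimsTransformations")
        for tp in users:  # the input string must be an OutputClaim of that profile, or there is nothing to split
            have = {o.get("ClaimTypeReferenceId") for o in tp.iterfind("tf:OutputClaims/tf:OutputClaim", NS)}
            problems += [f"{tp.get('Id')}: input claim {r} is not among its OutputClaims" for r in ins if r not in have]
        # The split result only reaches the token if the relying-party profile emits it.
        problems += [f"{r}: not an OutputClaim of the RelyingParty profile, so it will not be in the token"
                     for r in outs if r not in rp_out]
    return problems
```

Run it against the merged output of your base, extension and relying-party files; an empty list means each hop is wired, while any message points at the element to fix before turning on Application Insights logging.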
@Florian Wachs · Have you tried adding the ClaimsTransformation to any other Technical Profile? Try to define a claims transformation technical profile and call that in the user journey. You can also collect Azure Active Directory B2C logs with Application Insights and check if the claim is in the claims bag.
Thank you very much, will try that and report here when it's done.
So I tried it with a custom technical profile but the result is the same: the claim did not show up. I have now invested 2h to get this working with those XML definitions but I now have to stop my investigation. My solution was to extend my REST claims provider with the mentioned claim and it works. Still, I was curious if I can use the flows to create a "dummy" stringCollection claim for tests. I'm sure it's my fault but I have to move on and cannot investigate this further. I enabled Application Insights to log the UserJourney but, to be honest, it's hard for me to find something useful in there. In one message there was a mention of my customerIds claim but only to say "customerIds:undefined". I don't know what to do with that information. I double-checked that I added the technical profile with the mentioned ClaimsTransformation but without any success. It seems to get executed but the claim is still not part of the token (I double-checked that I added the claim to the list of output claims).
So still, thanks a lot for your help!