Stop user journey and display message in Azure AD B2C

I have a custom policy that sets up authentication from other Azure AD tenants. After the user successfully logs in with AAD, I enrich the claims with a REST API call. I wanted to follow that with a check on some of the attributes returned from the REST API and, depending on the result of that check, either halt further progress and just display a message, or go on with the user journey to completion. So far, I have tried adding an orchestration step that uses a self-asserted technical profile, which uses another profile as a technical profile that in turn uses a claims transformation to determine the result of the check I do. Something like what is shown here: https://github.com/azure-ad-b2c/samples/blob/master/policies/disable-social-account-from-logon/TrustFrameworkExtensions.xml. However, even if that check fails, the journey runs to completion and a token is issued to the relying party. What I was expecting was that the journey would be halted and a message displayed. Unfortunately not. Any insight please?

Microsoft Security | Microsoft Entra | Microsoft Entra External ID

2 answers

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator
2020-08-20T15:29:50.387+00:00

You can use Claims Transformations such as AssertStringClaimsAreEqual or AssertBooleanClaimIsEqualToValue to raise a custom error and stop the user journey, or just Preconditions so that desired steps are skipped or not.

code-surgeon 151 Reputation points
2020-08-21T10:38:14.19+00:00

Figured out what I was missing.
The self-asserted TP needed to have at least one text element (UserInputType). I added one of type paragraph. And it is working as expected now.
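Putting the two answers together, here is an added illustration (not code from the question, either answer, or the linked sample): a validation technical profile that runs AssertBooleanClaimIsEqualToValue on a claim the REST API returned, called from a self-asserted technical profile that carries a Paragraph display claim so the page actually renders and its validation runs. The claim names accountAllowed and statusMessage, the profile IDs and the content definition ID api.selfasserted are assumptions.

```xml
<!-- Added example, not from the question or answers; claim names, profile IDs and api.selfasserted are assumptions -->
<ClaimType Id="statusMessage">
  <DisplayName>Status</DisplayName>
  <DataType>string</DataType>
  <!-- A self-asserted profile needs at least one UserInputType claim, or its page (and validation) never runs -->
  <UserInputType>Paragraph</UserInputType>
</ClaimType>
<!-- Fails with a policy error unless the REST API returned accountAllowed == true -->
<ClaimsTransformation Id="AssertAccountAllowed" TransformationMethod="AssertBooleanClaimIsEqualToValue">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="accountAllowed" TransformationClaimType="inputClaim" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="valueToCompareTo" DataType="boolean" Value="true" />
  </InputParameters>
</ClaimsTransformation>
<!-- Validation profile: the assertion only stops the journey when executed from here -->
<TechnicalProfile Id="ClaimsTransformation-AssertAccountAllowed">
  <DisplayName>Assert account is allowed</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="accountAllowed" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="accountAllowed" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="AssertAccountAllowed" />
  </OutputClaimsTransformations>
</TechnicalProfile>
<!-- Self-asserted profile referenced by the orchestration step placed after the REST call -->
<TechnicalProfile Id="SelfAsserted-CheckAccount">
  <DisplayName>Checking your account</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
    <!-- Message shown when the validation profile's assertion fails -->
    <Item Key="UserMessageIfClaimsTransformationBooleanValueIsNotEqual">Your account is not permitted to sign in here.</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="statusMessage" DefaultValue="Checking your account..." />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="statusMessage" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="ClaimsTransformation-AssertAccountAllowed" />
  </ValidationTechnicalProfiles>
</TechnicalProfile>
```

The validation profile executes when the user submits the self-asserted page, so a failed assertion leaves the user on that page with the message instead of letting the journey reach token issuance.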