Default value for stringCollection in Azure AD B2C custom policy

Jorge MC 41 Reputation points
2022-03-21T10:37:56.157+00:00

We have defined an string collection claim type:

      <ClaimType Id="my_custom_roles">
        <DisplayName>Custom roles</DisplayName>
        <DataType>stringCollection</DataType>
        <UserHelpText/>
      </ClaimType>

We would like to set a default a value for this claim type, using "DefaultValue" attribute:

<OutputClaim ClaimTypeReferenceId="my_custom_roles" DefaultValue="???" />

But I did not find any information or example about how to do it.

Is it possible? Does "DefaultValue" attribute support string collection data type?

Thank you in advance for your help.


Accepted answer
  AmanpreetSingh-MSFT 56,866 Reputation points Moderator
    2022-04-04T13:33:18.977+00:00

    Hi @Jorge MC, thank you for your patience. I have provided the steps below to get a default value for a stringCollection claim in the Azure AD B2C custom policy.

    1. Define the claims schema.
      <ClaimType Id="extension_CustomRoles">  
          <DisplayName>Custom roles</DisplayName>  
          <DataType>string</DataType>  
      </ClaimType>  
      
      <ClaimType Id="extension_MyCustomRoles">  
          <DisplayName>My custom roles</DisplayName>  
          <DataType>stringCollection</DataType>  
      </ClaimType>  
      
    2. Add the claims transformation rule.
      <ClaimsTransformation Id="customRoles_ClaimsTransformation" TransformationMethod="StringSplit">  
           <InputClaims>  
                <InputClaim ClaimTypeReferenceId="extension_CustomRoles" TransformationClaimType="inputClaim" />  
           </InputClaims>  
           <InputParameters>  
                <InputParameter DataType="string" Id="delimiter" Value="," />  
           </InputParameters>  
           <OutputClaims>  
                <OutputClaim ClaimTypeReferenceId="extension_MyCustomRoles" TransformationClaimType="outputClaim" />  
           </OutputClaims>  
      </ClaimsTransformation>  
      
    3. To the required Technical Profile, add the string claim as the output claim and the claims transformation rule to transform it to a stringCollection claim.
      <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">  
           <DisplayName>Local Account Signin</DisplayName>  
           <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />  
           <Metadata>  
               ...  
           </Metadata>  
           <IncludeInSso>false</IncludeInSso>  
           <InputClaims>  
                  <InputClaim ClaimTypeReferenceId="signInName" />  
           </InputClaims>  
           <OutputClaims>  
                  ...  
                  <OutputClaim ClaimTypeReferenceId="extension_CustomRoles" AlwaysUseDefaultValue="true" DefaultValue="SecAdmin,UserAdmin,AppAdmin" />  
           </OutputClaims>  
           <OutputClaimsTransformations>  
                  <OutputClaimsTransformation ReferenceId="customRoles_ClaimsTransformation" />  
           </OutputClaimsTransformations>  
           <ValidationTechnicalProfiles>  
                  <ValidationTechnicalProfile ReferenceId="login-NonInteractive" />  
           </ValidationTechnicalProfiles>  
           <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />  
      </TechnicalProfile>  
      
    4. Finally, add the claim as an output claim to the RP (signup/signin) file.
      <OutputClaim ClaimTypeReferenceId="extension_MyCustomRoles" PartnerClaimType="my_custom_roles" />  
      
      Once the custom policy is updated with the above information, you will get the string collection claim in the token, as shown in the attached screenshot:
      [screenshot: issued token containing the my_custom_roles string collection claim]

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

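As an added example, not part of the original answer: a small Python check that takes the answer's fragments (constructed here into one minimal document, without the real policy namespace) and verifies the StringSplit wiring between the string claim, the transformation and the stringCollection claim, then simulates the collection the DefaultValue produces. The root element, the function name and the trimming of split items are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the answer's fragments wrapped in a minimal <Root> element.
POLICY_FRAGMENT = """<Root>
  <ClaimType Id="extension_CustomRoles"><DataType>string</DataType></ClaimType>
  <ClaimType Id="extension_MyCustomRoles"><DataType>stringCollection</DataType></ClaimType>
  <ClaimsTransformation Id="customRoles_ClaimsTransformation" TransformationMethod="StringSplit">
    <InputClaims><InputClaim ClaimTypeReferenceId="extension_CustomRoles" TransformationClaimType="inputClaim"/></InputClaims>
    <InputParameters><InputParameter DataType="string" Id="delimiter" Value=","/></InputParameters>
    <OutputClaims><OutputClaim ClaimTypeReferenceId="extension_MyCustomRoles" TransformationClaimType="outputClaim"/></OutputClaims>
  </ClaimsTransformation>
  <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="extension_CustomRoles" AlwaysUseDefaultValue="true" DefaultValue="SecAdmin,UserAdmin,AppAdmin"/>
    </OutputClaims>
    <OutputClaimsTransformations><OutputClaimsTransformation ReferenceId="customRoles_ClaimsTransformation"/></OutputClaimsTransformations>
  </TechnicalProfile>
</Root>"""


def check_string_split_wiring(policy_xml: str, profile_id: str) -> list:
    """Validate the StringSplit wiring for one technical profile and return the
    string collection its DefaultValue yields. Raises ValueError on the first
    inconsistency (missing reference, wrong DataType, no default value)."""
    root = ET.fromstring(policy_xml)
    datatypes = {c.get("Id"): c.findtext("DataType") for c in root.iter("ClaimType")}
    tp = root.find(f".//TechnicalProfile[@Id='{profile_id}']")
    if tp is None:
        raise ValueError(f"technical profile {profile_id} not found")
    ref = tp.find("OutputClaimsTransformations/OutputClaimsTransformation")
    ct = None if ref is None else root.find(f".//ClaimsTransformation[@Id='{ref.get('ReferenceId')}']")
    if ct is None or ct.get("TransformationMethod") != "StringSplit":
        raise ValueError("profile does not reference a StringSplit claims transformation")
    in_id = ct.find("InputClaims/InputClaim").get("ClaimTypeReferenceId")
    out_id = ct.find("OutputClaims/OutputClaim").get("ClaimTypeReferenceId")
    if datatypes.get(in_id) != "string" or datatypes.get(out_id) != "stringCollection":
        raise ValueError("StringSplit needs a string input claim and a stringCollection output claim")
    delim = ct.find("InputParameters/InputParameter[@Id='delimiter']").get("Value")
    # The string claim must be emitted by the profile with a forced default, otherwise
    # the transformation has nothing to split and the collection stays empty.
    src = tp.find(f"OutputClaims/OutputClaim[@ClaimTypeReferenceId='{in_id}']")
    if src is None or src.get("AlwaysUseDefaultValue") != "true" or not src.get("DefaultValue"):
        raise ValueError(f"{in_id} must be an output claim with AlwaysUseDefaultValue and a DefaultValue")
    # Simulated split; trimming and dropping empty items is an assumption, not B2C's documented behaviour.
    return [p.strip() for p in src.get("DefaultValue").split(delim) if p.strip()]
```

Running the check on the constructed fragment returns `['SecAdmin', 'UserAdmin', 'AppAdmin']`; change either DataType or drop `AlwaysUseDefaultValue` and it raises, which is the mistake most often behind an empty collection in the token.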
