Azure B2C Custom Policy getting 500 Internal Server Error when trying to return alternativeSecurityIds in OutputClaims

Yehuda Gutstein 6 Reputation points

I have a User Journey that takes a user's email address and tries to check whether the user is a federated user (as a means to obfuscate the list of all Identity Providers and sign the user in directly with the desired provider). We are calling AAD-UserReadUsingEmailAddress from a custom ValidationTechnicalProfile and returning alternativeSecurityIds in the OutputClaims. However, when clicking "Continue", a 500 Internal Server Error occurs, for which Application Insights and the B2C Audit Logs provide no additional information. As soon as alternativeSecurityIds is removed, the ValidationTechnicalProfile executes properly.

Additionally, although clicking the Continue button causes a 500 Internal Server Error, the ValidationTechnicalProfile still seems to execute and return some of the claims, though not the alternativeSecurityIds. Those are, however, included in the JWT token that is returned. Screenshots of the claims from App Insights (using the B2C plugin for VS Code) and the JWT, as well as the 500 error, are included.

Is there something missing (setup, authorization) that is required in order to properly retrieve the alternativeSecurityIds?

Below are code snippets:

```xml
<!-- DisplayName/DataType were not in the original post; values assumed from the B2C starter pack -->
<ClaimType Id="alternativeSecurityIds">
  <DisplayName>Alternative security IDs</DisplayName>
  <DataType>alternativeSecurityIdCollection</DataType>
</ClaimType>
<ClaimType Id="identityProviders">
  <DisplayName>Identity providers</DisplayName>
  <DataType>stringCollection</DataType>
</ClaimType>
<TechnicalProfile Id="SelfAsserted-SsoEmailLookup">
  <DisplayName>Lookup email address for SSO user</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="IpAddressClaimReferenceId">IpAddress</Item>
    <Item Key="ContentDefinitionReferenceId">api.ssosignin</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="email" />
  </InputClaims>
  <DisplayClaims>
    <DisplayClaim ClaimTypeReferenceId="email" Required="true" />
  </DisplayClaims>
  <OutputClaims>
    <!-- Required claims -->
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <!-- Optional claims -->
    <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
    <OutputClaim ClaimTypeReferenceId="displayName" />
    <OutputClaim ClaimTypeReferenceId="alternativeSecurityIds" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingEmailAddress-SsoUser" ContinueOnError="false" />
  </ValidationTechnicalProfiles>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
<TechnicalProfile Id="AAD-UserReadUsingEmailAddress-SsoUser">
  <Metadata>
    <Item Key="Operation">Read</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
    <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">An SSO account with that email was not found.</Item>
  </Metadata>
  <OutputClaims>
    <!-- Required claims -->
    <OutputClaim ClaimTypeReferenceId="alternativeSecurityIds" />
  </OutputClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-UserReadUsingEmailAddress" />
</TechnicalProfile>
```



Microsoft Entra External ID