question

nktrin avatar image
0 Votes"
nktrin asked amanpreetsingh-msft commented

ValidationTechnicalProfile is not executed - B2C Custom Policy

I am attempting to call a RESTful technical profile by using ValidationTechnicalProfile. I have checked application insights and I can see the OutputClaimsTransformations happening, but it skips over the ValidationTechnicalProfile and continues on with the next step. I have tried adding the RESTful technical profile as an Orchestration Step, and that works without any issues.

Can anyone see what I am doing wrong?

 SignInWithIdProvider.xml
    
 <TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0" TenantId="__TenantId__" PolicyId="B2C_1A_SignInWithIdProvider" PublicPolicyUri="http://__TenantId__/B2C_1A_signin_idprovider">
 <BasePolicy>
     <TenantId>__TenantId__</TenantId>
     <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
 </BasePolicy>
 <RelyingParty>
     <DefaultUserJourney ReferenceId="SignInWithIdProvider"/>
     <UserJourneyBehaviors>
         <SingleSignOn Scope="Policy"/>
         <SessionExpiryType>Rolling</SessionExpiryType>
         <SessionExpiryInSeconds>1800</SessionExpiryInSeconds>
         <JourneyFraming Enabled="true" Sources="__JourneyFramingSource__"/>
         <ScriptExecution>Allow</ScriptExecution>
     </UserJourneyBehaviors>
     <TechnicalProfile Id="PolicyProfile">
         <DisplayName>PolicyProfile</DisplayName>
         <Protocol Name="OpenIdConnect"/>
         <OutputClaims>
             <OutputClaim ClaimTypeReferenceId="sessionId" PartnerClaimType="sid"/>
             <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
             <OutputClaim ClaimTypeReferenceId="securityLevel" PartnerClaimType="acr"/>
             <OutputClaim ClaimTypeReferenceId="personalIdentificationNumber" PartnerClaimType="pid"/>
             <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email"/>
         </OutputClaims>
         <SubjectNamingInfo ClaimType="sub"/>
     </TechnicalProfile>
 </RelyingParty>

Snippet from TrustFrameworkExtensions.xml

 <ClaimsProvider>
 <Domain>Signin</Domain>
 <DisplayName>Signin using provider</DisplayName>
 <TechnicalProfiles>
     <TechnicalProfile Id="OIDC-SignIn">
         <DisplayName>Sign-in</DisplayName>
         <Description>Login with provider</Description>
         <Protocol Name="OpenIdConnect"/>
         <Metadata>
             <Item Key="METADATA">__WellKnown__</Item>
             <Item Key="client_id">__SignInClientId__</Item>
             <Item Key="response_types">code</Item>
             <Item Key="scope">id profile</Item>
             <Item Key="response_mode">form_post</Item>
             <Item Key="HttpBinding">POST</Item>
             <Item Key="UsePolicyInRedirectUri">false</Item>
             <Item Key="SingleLogoutEnabled">false</Item>
         </Metadata>
         <CryptographicKeys>
             <Key Id="client_secret" StorageReferenceId="__SignInSecret__"/>
         </CryptographicKeys>
         <InputClaims>
             <InputClaim ClaimTypeReferenceId="ui_locales" DefaultValue="{Culture:RFC5646}"/>
         </InputClaims>
         <OutputClaims>
             <OutputClaim ClaimTypeReferenceId="sessionId" PartnerClaimType="sid"/>
             <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub"/>
             <OutputClaim ClaimTypeReferenceId="securityLevel" PartnerClaimType="acr"/>
             <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true"/>
             <OutputClaim ClaimTypeReferenceId="personalIdentificationNumber" PartnerClaimType="pid"/>
             <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss"/>
         </OutputClaims>
         <OutputClaimsTransformations>
             <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
             <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
             <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
             <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
         </OutputClaimsTransformations>
         <ValidationTechnicalProfiles>
             <ValidationTechnicalProfile ReferenceId="REST-PostNewSession" ContinueOnError="true"/>
         </ValidationTechnicalProfiles>
         <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin"/>
     </TechnicalProfile>
 </TechnicalProfiles>

 <ClaimsProvider>
 <DisplayName>REST APIs</DisplayName>
 <TechnicalProfiles>
     <TechnicalProfile Id="REST-PostNewSession">
         <DisplayName>Post new session</DisplayName>
         <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
         <Metadata>
             <Item Key="ServiceUrl">https://some.apim.url/post-method</Item>
             <Item Key="SendClaimsIn">Body</Item>
             <Item Key="AuthenticationType">Basic</Item>
         </Metadata>
         <CryptographicKeys>
             <Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_UserName"/>
             <Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_Password"/>
         </CryptographicKeys>
         <InputClaims>
             <InputClaim ClaimTypeReferenceId="sessionId"/>
         </InputClaims>
         <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/>
     </TechnicalProfile>
 </TechnicalProfiles>

 <UserJourney Id="SignInWithIdProvider">
 <OrchestrationSteps>
     <OrchestrationStep Order="1" Type="ClaimsExchange">
         <Preconditions>
             <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
                 <Value>objectId</Value>
                 <Action>SkipThisOrchestrationStep</Action>
             </Precondition>
         </Preconditions>
         <ClaimsExchanges>
             <ClaimsExchange Id="idSignInExchange" TechnicalProfileReferenceId="OIDC-SignIn"/>
         </ClaimsExchanges>
     </OrchestrationStep>
     <OrchestrationStep Order="2" Type="ClaimsExchange">
         <Preconditions>
             <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
                 <Value>authenticationSource</Value>
                 <Value>localAccountAuthentication</Value>
                 <Action>SkipThisOrchestrationStep</Action>
             </Precondition>
         </Preconditions>
         <ClaimsExchanges>
             <ClaimsExchange Id="AlternativeSecurityId" TechnicalProfileReferenceId="AlternativeSecurityId-NoError"/>
         </ClaimsExchanges>
     </OrchestrationStep>
 </UserJourney>


azure-ad-b2c
· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi @nktrin • As documented here, "A validation technical profile is an ordinary technical profile from any protocol, such as Azure Active Directory or a REST API. The validation technical profile returns output claims, or returns 4xx HTTP status code." So, you can use REST technical profile as Validation technical profile.

Looks like the problem is happening due to inaccurate logic here.

The sessionId is added as :

  • Output claim to the OIDC-SignIn technical profile

  • Input claim to the REST-PostNewSession technical profile,

That means OIDC-SignIn technical profile needs to add sessionId to the claims bag first by supplying it as an output claim, after which REST-PostNewSession can use it as the input claim. But REST-PostNewSession is added as a Validation TP to OIDC-SignIn TP, which means REST-PostNewSession will be invoked before the completion of the OIDC-SignIn technical profile and won't find sessionId.

When you are invoking the RESTful technical profile via an Orchestration Step in the user journey, it is working because the RESTful TP must be invoked after completion of the OIDC-SignIn TP.

Please try adding the default value to the input claim within the RESTful TP or use a different Technical Profile to pass the sessionId claim as the output claim.

0 Votes 0 ·

Hi @nktrin • Just checking if you had a chance to look into it.

0 Votes 0 ·

0 Answers