Azure-Samples / active-directory-b2c-advanced-policies

Sample for use with Azure AD B2C with Custom Policies.
http://aka.ms/aadb2ccustom
MIT License

E-mail Output Claim with Local Account Username Signin #24

Closed ltouro closed 6 years ago

ltouro commented 6 years ago

I'm trying to output the E-mail claim when the user logs in with his username, but I can't make it work.

I don't know which claim I should use. Tried these below separately with no success.

Any tips? Thanks!!

<OutputClaim ClaimTypeReferenceId="email" />
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="strongAuthenticationEmailAddress" />
<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" />
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true" />

part of TrustFrameworkBase.xml

<TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Username">
  <DisplayName>Local Account Signin</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="SignUpTarget">SignUpWithLogonUsernameExchange</Item>
    <Item Key="setting.operatingMode">Username</Item>
    <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="signInName" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="signInName" Required="true" />
    <OutputClaim ClaimTypeReferenceId="password" Required="true" />
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" />
    <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="strongAuthenticationEmailAddress" />
  </OutputClaims>

part of SignUpOrSignin.xml

<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <UserJourneyBehaviors>
    <SingleSignOn Scope="Tenant" KeepAliveInDays="14" />
    <SessionExpiryType>Absolute</SessionExpiryType>
    <SessionExpiryInSeconds>1200</SessionExpiryInSeconds>
  </UserJourneyBehaviors>
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.userName" />
      <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="strongAuthenticationEmailAddress" />
      <OutputClaim ClaimTypeReferenceId="displayName" />
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
      <OutputClaim ClaimTypeReferenceId="otherMails" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>

ltouro commented 6 years ago

Also noted that it is not possible to retrieve the E-mail address used during the SignUp through the A.D. Graph API. Is there any workaround for this?

The value is shown on the AD B2C dashboard of the Azure Portal:


chrispadgettlivecom commented 6 years ago

Hi @ltouro

The SelfAsserted-LocalAccountSignin-Username technical profile can't output the email claim because the login-NonInteractive validation technical profile doesn't issue it.

Alternatively, you can add the email claim as an output claim from the AAD-UserReadUsingObjectId technical profile, so that it is read when the user object for the signed-in user is read.
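One way to apply this suggestion, as an added example that is not part of this thread or of the sample repository: override the starter-pack `AAD-UserReadUsingObjectId` technical profile in `TrustFrameworkExtensions.xml` so that the user-read step also returns the e-mail. Because extension profiles are merged with the base profile by `Id`, only the claims being added need to be listed. The example assumes the starter-pack profile of that name exists in the base policy, that the sign-up journey stored the verified address in `strongAuthenticationEmailAddress` (the same mapping the sign-in profile above uses), and that the relying-party `PolicyProfile` lists the `email` claim, as the one in this issue already does.

```xml
<!-- TrustFrameworkExtensions.xml (added example, not code from the repository) -->
<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Azure Active Directory</DisplayName>
    <TechnicalProfiles>
      <!-- Same Id as the base profile: the engine merges this into it -->
      <TechnicalProfile Id="AAD-UserReadUsingObjectId">
        <OutputClaims>
          <!-- Already present in the starter pack; kept so the merged result is visible -->
          <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" />
          <OutputClaim ClaimTypeReferenceId="displayName" />
          <OutputClaim ClaimTypeReferenceId="otherMails" />
          <!-- Added: read back the verification address stored at sign-up.
               Assumption: the write profile persisted it to strongAuthenticationEmailAddress -->
          <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="strongAuthenticationEmailAddress" />
        </OutputClaims>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
```

The read profile runs in the `AADUserReadWithObjectId` orchestration step of the starter-pack `SignUpOrSignIn` journey, before the `JwtIssuer` step, so any output claim added here is in the claims bag when the token is built. Only claims that were written during sign-up can be read back this way; if the attribute is empty in the directory the claim is simply absent from the token rather than causing an error.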

ltouro commented 6 years ago

@chrispadgettlivecom thanks for the feedback chris! Will try it

ltouro commented 6 years ago

@chrispadgettlivecom I was able to output the email using InputClaimsTransformations as you described in this SO post.

By saving the E-mail in the otherMails persisted claim, I'm able to retrieve it using the A.D. Graph API, which is very useful for my needs.

Thank you very much for all the help! 👍
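The approach described in the closing comment, written out as an added example that is not code from this thread or from the sample repository: an input claims transformation copies the e-mail collected at sign-up into the `otherMails` string collection, and the directory write profile persists that collection so the Graph API can read it later. The `CreateOtherMailsFromEmail` transformation and the `otherMails` claim type follow the shape used in the starter packs; the write profile Id `AAD-UserWriteUsingLogonName` is an assumed name for the username sign-up write profile and should be matched to the policy's own.

```xml
<!-- Added example (not from this thread or the repository) -->
<BuildingBlocks>
  <ClaimsSchema>
    <!-- otherMails is a string collection; shown so the transformation's types are clear -->
    <ClaimType Id="otherMails">
      <DisplayName>Alternate email addresses</DisplayName>
      <DataType>stringCollection</DataType>
    </ClaimType>
  </ClaimsSchema>
  <ClaimsTransformations>
    <!-- Appends the e-mail claim to the otherMails collection (creates it when empty) -->
    <ClaimsTransformation Id="CreateOtherMailsFromEmail" TransformationMethod="AddItemToStringCollection">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="email" TransformationClaimType="item" />
        <InputClaim ClaimTypeReferenceId="otherMails" TransformationClaimType="collection" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="otherMails" TransformationClaimType="collection" />
      </OutputClaims>
    </ClaimsTransformation>
  </ClaimsTransformations>
</BuildingBlocks>

<!-- Directory write profile for the username sign-up; the Id is assumed -->
<TechnicalProfile Id="AAD-UserWriteUsingLogonName">
  <Metadata>
    <Item Key="Operation">Write</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">true</Item>
  </Metadata>
  <!-- Runs before the write, so otherMails is populated from the verified email claim -->
  <InputClaimsTransformations>
    <InputClaimsTransformation ReferenceId="CreateOtherMailsFromEmail" />
  </InputClaimsTransformations>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.userName" Required="true" />
  </InputClaims>
  <PersistedClaims>
    <PersistedClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.userName" />
    <PersistedClaim ClaimTypeReferenceId="newPassword" PartnerClaimType="password" />
    <PersistedClaim ClaimTypeReferenceId="displayName" DefaultValue="unknown" />
    <PersistedClaim ClaimTypeReferenceId="passwordPolicies" DefaultValue="DisablePasswordExpiration" />
    <!-- Persisted copy of the e-mail that the Graph API can read back -->
    <PersistedClaim ClaimTypeReferenceId="otherMails" />
  </PersistedClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="newUser" PartnerClaimType="newClaimsPrincipalCreated" />
    <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
    <OutputClaim ClaimTypeReferenceId="otherMails" />
  </OutputClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>
```

The one check worth keeping in mind with this pattern: `otherMails` is only as trustworthy as the `email` claim fed into the transformation, so the self-asserted sign-up profile should require the address to be verified (the `Verified.Email` partner claim the starter packs use) before the write profile runs; otherwise an unverified address is written to the directory and surfaced through the Graph API as if it were confirmed.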