Azure-Samples / active-directory-b2c-advanced-policies

Sample for use with Azure AD B2C with Custom Policies.
http://aka.ms/aadb2ccustom
MIT License

user journey that does not create duplicate accounts #49

Open canoas opened 5 years ago

canoas commented 5 years ago

Is it possible to simply merge an account when the same email is already verified in an existing account? How to reproduce:

  1. signup/signin at https://wingtipgamesb2c.azurewebsites.net with local account (email1)
  2. logoff
  3. signup/signin with facebook (email1) - ISSUE: A new object is created here, IMHO it should offer to merge (link automatically)
  4. logoff
  5. signin with local (email1)
  6. ID Menu: "link social", use same facebook (Email1) and we get this error:

Account link error We can't link your WingTip Toys account to your social account because your social account already exists.

ISSUE 2: Merge is not possible without first deleting an account

Are any of these issues possible to customize by using this policy framework? Thank you.

xinaxu commented 5 years ago

It is indeed possible. At step 3, when you get the email address from Facebook, you can make an account discovery in AAD using that email address as the username. If it exists, you can merge the Facebook account into that existing AAD account. If not, create a new AAD account. Several caveats to be aware of when you decide to go with this path:

  1. Not all users from Facebook provide their email address; when they grant permission to the app, they have an option to not provide their email address.
  2. From a security standpoint, you will be relying on Facebook properly verifying the email address of the user. If Facebook allows unverified email addresses, it can be exploited to gain access to those existing accounts.

For your second issue, I assume you are talking about a case where there are already two accounts and you would like to merge them. In the policy, technically you can have an AAD technical profile to delete one account, merge their claims and update the other account. The caveat here is that the relying website needs to handle the merge case, for example how to merge the reward points of two users.

filipemiguelaugusto commented 5 years ago

@xinaxu Is it possible to have an example how to accomplish the step in the policy to do the account discovery in AAD that you suggested?

xinaxu commented 5 years ago

It can be achieved using Validation Technical Profiles and Preconditions: https://docs.microsoft.com/en-us/azure/active-directory-b2c/validation-technical-profile You can have 3 validation technical profiles.

  1. Get the user from AAD using the email address, and do not throw an error if the user does not exist
  2. Link the Facebook account to that AAD user. This technical profile is only executed when the objectId exists, using a Precondition
  3. Create a new AAD user. This technical profile is only executed when the objectId does not exist, using a Precondition
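The three validation technical profiles described in this answer (and the account-discovery idea from the earlier reply), written out as an added custom-policy fragment. This is illustration code, not part of this repository or of the Azure AD B2C starter pack. `AAD-Common`, `CreateAlternativeSecurityId`, `AAD-UserWriteUsingAlternativeSecurityId`, `SelfAsserted-Social` and the `RaiseErrorIf...` metadata keys are starter-pack names; the two profile IDs ending in `-Example`, and the assumption that an existing user can be linked by writing `alternativeSecurityIds` through a Write operation keyed on `objectId`, are this example's own and should be checked against the current schema before use. The `email` claim is assumed to be the one the Facebook technical profile outputs.

```xml
<!-- Added illustration, not from this repository. Profile IDs ending in
     "-Example" are hypothetical; the rest are starter-pack names. -->

<!-- 1. Account discovery: read an existing local account by the e-mail address
        the identity provider returned. With RaiseErrorIfClaimsPrincipalDoesNotExist
        set to false, "no such user" simply yields no objectId claim instead of
        failing the journey. The e-mail claim comes from the provider, never from
        user input, and it only proves ownership if the provider verified it. -->
<TechnicalProfile Id="AAD-UserReadUsingEmailAddress-NoError-Example">
  <Metadata>
    <Item Key="Operation">Read</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">false</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" Required="true" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="displayName" />
  </OutputClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>

<!-- 2. Link: append the social identity (alternativeSecurityId) to the user found
        in step 1. Assumed shape: a Write keyed on objectId; verify against the
        current schema. -->
<TechnicalProfile Id="AAD-UserLinkSocialAccountUsingObjectId-Example">
  <Metadata>
    <Item Key="Operation">Write</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">false</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaimsTransformations>
    <InputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
  </InputClaimsTransformations>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
  </InputClaims>
  <PersistedClaims>
    <PersistedClaim ClaimTypeReferenceId="objectId" />
    <PersistedClaim ClaimTypeReferenceId="AlternativeSecurityId" PartnerClaimType="alternativeSecurityIds" />
  </PersistedClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>

<!-- Wiring: the ValidationTechnicalProfiles element of the starter pack's
        SelfAsserted-Social profile (the page shown after a first social sign-in);
        the rest of that profile is unchanged. Step 3 (create) is the starter
        pack's own AAD-UserWriteUsingAlternativeSecurityId. -->
<ValidationTechnicalProfiles>
  <!-- Skip discovery entirely when the provider sent no e-mail (caveat 1 above);
       with no objectId the journey falls through to the create path. -->
  <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingEmailAddress-NoError-Example">
    <Preconditions>
      <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
        <Value>email</Value>
        <Action>SkipThisValidationTechnicalProfile</Action>
      </Precondition>
    </Preconditions>
  </ValidationTechnicalProfile>
  <!-- Step 2: link, but only when discovery returned an objectId. -->
  <ValidationTechnicalProfile ReferenceId="AAD-UserLinkSocialAccountUsingObjectId-Example">
    <Preconditions>
      <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
        <Value>objectId</Value>
        <Action>SkipThisValidationTechnicalProfile</Action>
      </Precondition>
    </Preconditions>
  </ValidationTechnicalProfile>
  <!-- Step 3: create a new user, but only when no objectId exists. -->
  <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingAlternativeSecurityId">
    <Preconditions>
      <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
        <Value>objectId</Value>
        <Action>SkipThisValidationTechnicalProfile</Action>
      </Precondition>
    </Preconditions>
  </ValidationTechnicalProfile>
</ValidationTechnicalProfiles>
```

Two points from the thread are what make this safe to run: the discovery step is only reached after the starter pack's `AAD-UserReadUsingAlternativeSecurityId-NoError` found no account already bound to the social identity, and the link step should only be enabled for providers that verify the e-mail address they return, otherwise an unverified e-mail claim would attach a new social login to someone else's local account (caveat 2 above). If a provider cannot guarantee that, keep the link step behind an additional verification of the address before the precondition lets it run.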

canoas commented 5 years ago

We don't care if the user does not have a verified email or is not showing the email in the consent; what we want is a fluid and intuitive user journey for 99% of the cases. As I explained with the documented wingtipgamesb2c example, the current demo policies are not implemented as a good reference, and whoever did these docs/examples could fix this with the suggested precondition, at least not creating a duplicate AAD entry when the verified email is a match (precondition). @xinaxu, a great answer would be a link to a commit/fork with the changed parts we need to do in the xml files ;-) Thank you; at least you gave us a light at the end of the tunnel, now we just need to learn how to program profiles using xml.

MichielCornilleESC commented 4 years ago

@canoas did you eventually manage to get this working? It was the first question from the business "Why are there duplicates created" on a new project I'm working on.