iamkoch
commented
5 years ago I've added these for others who have hit the same issues as me.
Open iamkoch opened 5 years ago
iamkoch
commented
5 years ago I've added these for others who have hit the same issues as me.
filipemiguelaugusto
commented
5 years ago I've tried to make changes in sample files accordingly to your suggestions with no success. Is it possible to have further information about all the replacements that you must do? Someone was able to put this example of account linking up and running recently?
iamkoch
commented
5 years ago We have this working in a production system.
My concern is that no one from MS seems to have looked at or commented on this issue.
Which part is failing? Have you enabled development mode / logging to application insights to your policy? You can couple this with the wingtip journey player, which can be found on the net, to help figure out at what point your custom policy is failing
seantleonard
commented
5 years ago @filipemiguelaugusto looks like the docs reflect AlternativeSecurityId
https://docs.microsoft.com/en-us/azure/active-directory-b2c/social-transformations
However, this sample still needs to be updated.
filipemiguelaugusto
commented
5 years ago @iamkoch my problems starts way back. It seems like i can't get the right transformations in the files to upload them without errors. I'm far from being an expert in this kind of customizations!
I get errors like this one for instance: [...] The InputClaims mismatched in ClaimsTransformation with id "AppendUserIdentityToLink" with TransformationMethod "AddItemToUserIdentityCollection". The following InputClaims were declared in the Policy but were not expected by the TransformMethod: [AlternativeSecurityIdCollection]collection. The following InputClaims were expected by the TransformMethod but were not declared in the Policy: [UserIdentityCollection]collection.
I tried to follow the changes that you have purposed but i keep get this kind of errors.
iamkoch
commented
5 years ago Take the XML from my original post and include it in yours. It contains the replacement transformations used to manipulate alternative security id based claims
xinaxu
commented
5 years ago @filipemiguelaugusto From the error message, it looks like you might be mixing UserIdentity claims transformation with AlternativeSecurityId DataType. If you can post an example of your policy, I can help you identity the issue.
xinaxu
commented
5 years ago @iamkoch Sorry for late response. Both UserIdentities and AlternativeSecurityId solution should work. If UserIdentities do not, may I know where you find it outdated or not working so I may look into it? Thanks!
iamkoch
commented
5 years ago Hi @xinaxu
Below is the particular log from app insights. The line of interest is "Unable to cast object of type 'Microsoft.Cpim.Data.UserIdentity' to type 'System.String'.",
The documentation states that the transformations return JSON as a string, however, the user identity path seems to return an instance of a useridentity.
I have redacted tenant and user-specific data.
[
{
"Kind": "Headers",
"Content": {
"UserJourneyRecorderEndpoint": "urn:journeyrecorder:applicationinsights",
"CorrelationId": "2049b625-2d9f-456d-a534-65e89f77aa9e",
"EventInstance": "Event:ClaimsExchange",
"TenantId": "",
"PolicyId": ""
}
},
{
"Kind": "Transition",
"Content": {
"EventName": "ClaimsExchange",
"StateName": "Initial"
}
},
{
"Kind": "Predicate",
"Content": "Web.TPEngine.StateMachineHandlers.ClaimsExchangeMessageValidationHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": false,
"RecorderRecord": {
"Values": [
{
"Key": "Validation",
"Value": {
"Values": [
{
"Key": "SubmittedBy",
"Value": "FacebookExchange"
},
{
"Key": "ProtocolProviderType",
"Value": "OAuth2ProtocolProvider"
}
]
}
}
]
},
"Statebag": {
"MACHSTATE": {
"c": "2019-05-01T11:06:51.8496202Z",
"k": "MACHSTATE",
"v": "Initial",
"p": true
},
"JC": {
"c": "2019-05-01T11:06:46.756283Z",
"k": "JC",
"v": "en-US",
"p": true
},
"ORCH_CS": {
"c": "2019-05-01T11:06:51.8496202Z",
"k": "ORCH_CS",
"v": "2",
"p": true
},
"RA": {
"c": "2019-05-01T11:06:51.8496202Z",
"k": "RA",
"v": "0",
"p": true
},
"RPP": {
"c": "2019-05-01T11:06:46.756283Z",
"k": "RPP",
"v": "OAUTH2",
"p": true
},
"RPIPP": {
"c": "2019-05-01T11:06:46.756283Z",
"k": "RPIPP",
"v": "OAuth2ProtocolProvider",
"p": true
},
"OTID": {
"c": "2019-05-01T11:06:46.756283Z",
"k": "OTID",
"v": "8fa83b33-38fa-4b1d-9ba0-5a1b744e0251",
"p": true
},
"IC": {
"c": "2019-05-01T11:06:46.8500747Z",
"k": "IC",
"v": "True",
"p": true
},
"MSG(2f2f07f5-cce4-4092-b1af-946747ce0c0b)": {
"c": "2019-05-01T11:06:46.8500747Z",
"k": "MSG(2f2f07f5-cce4-4092-b1af-946747ce0c0b)",
"v": "{\"\",\"RedirectUri\":\"",\"AdditionalParameters\":{\"brand\":\"\",\"x-client-SKU\":\"ID_NETSTANDARD1_4\",\"x-client-ver\":\"5.2.0.0\"},\"Nonce\":\"636923056056627661.ZDM4M2U2NTUtYmU0Zi00MmJkLTk3YjQtMmMxZDViYmZkNWY3MzZiOWVhZmMtZTdmMy00YWNkLTg5OTgtZTJiMDJhMmZmM2Vj\",\"State\":\"CfDJ8MzCP1neA_FHg-3dbgjGnU81QcHFYzWu56SSXzDSEyq_TF552UxqOKXSzTJDPtMWLezmOzuzQv_gN1zRvN1FgRSjfjiwTYet7G-jviv1ZP8NfUqPaZdGDseHtJYlCLpJ5T0nqLpFiHHYvjGxmWFnVwXeXfeW_iyXQmt19rr4h01kCP7lEwMIhgRksb0raZsjnakzpX68LSKkN06AVwtxO3S4hV0Ueu96BWCs5UU87o9de6sKd9WVs0tyJW5H2pxYEfFhn9fiG-5yvzUPswJWsJomZTwLdP_dEYXaF2XixKGQ_9srK0lADf-RuI8wJe4Gf3LFoO7IJvYT9pi8OUa0MfJCb6OB8w15fAnO5EgwrTi6t-WjO9Q_qdJ3xrEfAcmi2jaoq6AIHYTKdfNE5y9W8rpwplyxyURxwUK6aN3uaaRA4NVRJe7p_DuKnbeuQMjRvnbe3UhhfCUSKl2CWcKhvdQ5OJxZj4OLDJ1OLebYr5qTXsZl6CbIHmgvcUb-pd7EPHqAAgbL7nG9HM1845IBjjMlRmGuxxrg7jSxtyhv5ko5ieRTsGARlAant04ccccJo9n-rgpgrl-8vFddiQ2hnX3JjyEZYFPZelC8ekR7acH-pwA79PTkum4hVaYx1C0sPSkPcXKv04MqdfJe7MzzRtKGc6G3GglbJrrgc5cfXBxk3QkjyRLSQMFBQAOgNxhYV0GLclfQoP5L1u06_50Num2vMUYCVQKVbBnZzLjmhD-6\",\"ClientId\":\"c7f00b2a-7ef6-4e46-9637-a05b8a224b0e\",\"ResponseType\":\"id_token\",\"ResponseMode\":\"form_post\",\"ResponseRedirector\":{\"URI\":\"https://signin-oidc\",\"D\":false,\"WF\":true,\"R\":false},\"AppModelVersion\":1,\"ScopedProviders\":[]}",
"p": true,
"t": "OAuth2"
},
"IMESSAGE": {
"c": "2019-05-01T11:06:46.8500747Z",
"k": "IMESSAGE",
"v": "2f2f07f5-cce4-4092-b1af-946747ce0c0b",
"p": true
},
"EID": {
"c": "2019-05-01T11:06:46.8698452Z",
"k": "EID",
"v": "urn:com:microsoft:aad:b2c:elements:unifiedssp:1.0.0",
"p": true
},
"TAGE": {
"c": "2019-05-01T11:06:52.7460274Z",
"k": "TAGE",
"v": "FacebookExchange",
"p": true
},
"CMESSAGE": {
"c": "2019-05-01T11:06:52.730404Z",
"k": "CMESSAGE",
"v": "2f2f07f5-cce4-4092-b1af-946747ce0c0b",
"p": true
},
"Facebook-OAUTH": {
"ContentType": "Json",
"Created": "2019-05-01T11:06:53.089828Z",
"Key": "Facebook-OAUTH",
"Persistent": true,
"Value": "{};2;Facebook-OAUTH;False"
},
"ComplexItems": "_MachineEventQ, REPRM, TCTX"
},
"PredicateResult": "True"
}
},
{
"Kind": "Predicate",
"Content": "Web.TPEngine.StateMachineHandlers.NoOpHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true,
"PredicateResult": "True"
}
},
{
"Kind": "Action",
"Content": "Web.TPEngine.StateMachineHandlers.OutputClaimsTransformationHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true,
"RecorderRecord": {
"Values": [
{
"Key": "OutputClaimsTransformation",
"Value": {
"Values": [
{
"Key": "MappingFromPartnerClaimType",
"Value": {
"PartnerClaimType": "id",
"PolicyClaimType": "issuerUserId"
}
},
{
"Key": "MappingFromPartnerClaimType",
"Value": {
"PartnerClaimType": "first_name",
"PolicyClaimType": "givenName"
}
},
{
"Key": "MappingFromPartnerClaimType",
"Value": {
"PartnerClaimType": "last_name",
"PolicyClaimType": "surname"
}
},
{
"Key": "MappingFromPartnerClaimType",
"Value": {
"PartnerClaimType": "name",
"PolicyClaimType": "displayName"
}
},
{
"Key": "MappingDefaultValueForClaim",
"Value": {
"PartnerClaimType": "idp",
"PolicyClaimType": "issuer"
}
},
{
"Key": "MappingDefaultValueForClaim",
"Value": {
"PartnerClaimType": "authenticationSource",
"PolicyClaimType": "authenticationSource"
}
},
{
"Key": "ClaimsTransformation",
"Value": {
"Values": [
{
"Key": "Id",
"Value": "CreateRandomUPNUserName"
},
{
"Key": "InputParameter",
"Value": {
"Id": "randomGeneratorType",
"Value": "GUID"
}
},
{
"Key": "Result",
"Value": {
"PolicyClaimType": "upnUserName",
"Value": "f396eb78-04c1-422a-a0dc-0318235788a1"
}
}
]
}
},
{
"Key": "ClaimsTransformation",
"Value": {
"Values": [
{
"Key": "Id",
"Value": "CreateUserPrincipalName"
},
{
"Key": "InputClaim",
"Value": {
"PolicyClaimType": "upnUserName",
"Value": "f396eb78-04c1-422a-a0dc-0318235788a1"
}
},
{
"Key": "InputParameter",
"Value": {
"Id": "stringFormat",
"Value": "cpim_{0}@{RelyingPartyTenantId}"
}
},
{
"Key": "Result",
"Value": {
"PolicyClaimType": "userPrincipalName",
"Value": ""
}
}
]
}
},
{
"Key": "ClaimsTransformation",
"Value": {
"Values": [
{
"Key": "Id",
"Value": "CreateUserIdentity"
},
{
"Key": "InputClaim",
"Value": {
"PolicyClaimType": "issuerUserId",
"Value": ""
}
},
{
"Key": "InputClaim",
"Value": {
"PolicyClaimType": "issuer",
"Value": "facebook.com"
}
},
{
"Key": "Result",
"Value": {
"PolicyClaimType": "userIdentity",
"Value": "Microsoft.Cpim.Data.UserIdentity"
}
}
]
}
},
{
"Key": "ClaimsTransformation",
"Value": {
"Values": [
{
"Key": "Id",
"Value": "CreateSubjectClaimFromUserIdentity"
},
{
"Key": "InputParameter",
"Value": {
"Id": "value",
"Value": "Not supported currently. Use oid claim."
}
},
{
"Key": "Result",
"Value": {
"PolicyClaimType": "sub",
"Value": "Not supported currently. Use oid claim."
}
}
]
}
},
{
"Key": "ClaimsTransformation",
"Value": {
"Values": [
{
"Key": "Id",
"Value": "AppendUserIdentity"
},
{
"Key": "InputClaim",
"Value": {
"PolicyClaimType": "userIdentity",
"Value": "Microsoft.Cpim.Data.UserIdentity"
}
},
{
"Key": "InputClaim",
"Value": {
"PolicyClaimType": "userIdentities",
"Value": "System.Collections.ObjectModel.Collection`1[Microsoft.Cpim.Data.UserIdentity]"
}
},
{
"Key": "Result",
"Value": {
"PolicyClaimType": "userIdentities",
"Value": "System.Collections.ObjectModel.Collection`1[Microsoft.Cpim.Data.UserIdentity]"
}
}
]
}
}
]
}
}
]
},
"Statebag": {
"Complex-CLMS": {
"issuerUserId": "",
"givenName": "",
"surname": "",
"displayName": "",
"email": "",
"issuer": "facebook.com",
"authenticationSource": "socialIdpAuthentication",
"upnUserName": "",
"userPrincipalName": "",
"userIdentity": "Microsoft.Cpim.Data.UserIdentity",
"sub": "Not supported currently. Use oid claim.",
"userIdentities": "System.Collections.ObjectModel.Collection`1[Microsoft.Cpim.Data.UserIdentity]"
}
}
}
},
{
"Kind": "Action",
"Content": "Web.TPEngine.SSO.SSOSessionHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true
}
},
{
"Kind": "Action",
"Content": "Web.TPEngine.OrchestrationManager"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true,
"Statebag": {
"ORCH_CS": {
"c": "2019-05-01T11:06:53.1216701Z",
"k": "ORCH_CS",
"v": "3",
"p": true
}
}
}
},
{
"Kind": "Transition",
"Content": {
"EventName": "ClaimsExchange",
"StateName": "AwaitingNextStep"
}
},
{
"Kind": "Predicate",
"Content": "Web.TPEngine.StateMachineHandlers.ShouldOrchestrationStepBeInvokedHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true,
"RecorderRecord": {
"Values": [
{
"Key": "EnabledForUserJourneysTrue",
"Value": {
"Values": [
{
"Key": "CurrentStep",
"Value": 3
},
{
"Key": "TechnicalProfileEnabled",
"Value": {
"EnabledRule": "Always",
"EnabledResult": true,
"TechnicalProfile": "AAD-UserReadUsingUserIdentity-NoError"
}
}
]
}
}
]
},
"Statebag": {
"MACHSTATE": {
"c": "2019-05-01T11:06:53.1216701Z",
"k": "MACHSTATE",
"v": "AwaitingNextStep",
"p": true
}
},
"PredicateResult": "True"
}
},
{
"Kind": "Predicate",
"Content": "Web.TPEngine.StateMachineHandlers.IsClaimsExchangeProtocolARedirectionHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true,
"PredicateResult": "False"
}
},
{
"Kind": "Predicate",
"Content": "Web.TPEngine.StateMachineHandlers.IsClaimsExchangeProtocolAnApiHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true,
"PredicateResult": "False"
}
},
{
"Kind": "Predicate",
"Content": "Web.TPEngine.SSO.IsSSOSessionParticipantHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true,
"PredicateResult": "False"
}
},
{
"Kind": "Predicate",
"Content": "Web.TPEngine.StateMachineHandlers.IsClaimsExchangeProtocolAServiceCallHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true,
"RecorderRecord": {
"Values": [
{
"Key": "InitiatingClaimsExchange",
"Value": {
"ProtocolType": "backend protocol",
"TargetEntity": "FacebookExchange",
"TechnicalProfileId": "AAD-UserReadUsingUserIdentity-NoError",
"ProtocolProviderType": "AzureActiveDirectoryProvider"
}
}
]
},
"PredicateResult": "True"
}
},
{
"Kind": "Action",
"Content": "Web.TPEngine.StateMachineHandlers.GenerateRequestInputParamsHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": false
}
},
{
"Kind": "Action",
"Content": "Web.TPEngine.StateMachineHandlers.InputClaimsTransformationHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true
}
},
{
"Kind": "Action",
"Content": "Web.TPEngine.StateMachineHandlers.PersistedClaimsTransformationHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true
}
},
{
"Kind": "Action",
"Content": "Web.TPEngine.StateMachineHandlers.OutputClaimsTransformationHandler"
},
{
"Kind": "FatalException",
"Content": {
"Time": "11:06 AM",
"Exception": {
"Kind": "Handled",
"HResult": "80004002",
"Message": "Unable to cast object of type 'Microsoft.Cpim.Data.UserIdentity' to type 'System.String'.",
"Data": {
"TenantId": "",
"PolicyId": "",
"TechnicalProfileId": "AAD-UserReadUsingUserIdentity-NoError"
}
}
}
}
]@xinaxu plz find attached my policy file with some changes as suggested at this post. TRUSTFRAMEWORKBASE.xml.txt
xinaxu
commented
5 years ago @iamkoch Could you try adding below to the metadata of that technical profile. <Item Key="api-version">1.6</Item>
UserIdentity is only supported by 1.6 api version, which comes more consistent with what AAD graph has documented. If not using 1.6 api-version. Then AlternativeSecurityId should be used.
xinaxu
commented
5 years ago @filipemiguelaugusto Looks like you have commented out AddItemToUserIdentityCollection. Your policy is mixing AlternativeSecurityId and UserIdentity, for example CreateAlternativeSecurityId is expecting claim type of data type AlternativeSecurityId but your alternativeSecurityId is of type userIdentity.
I would suggest renaming all your claim types, transformations to alternativeSecurityId and make sure there is no UserIdentiteis appeared in the policy.
<ClaimType Id="alternativeSecurityId">
<DisplayName>userIdentity</DisplayName>
<DataType>userIdentity</DataType>
<AdminHelpText>userIdentity</AdminHelpText>
<UserHelpText>userIdentity</UserHelpText>
</ClaimType>
<ClaimsTransformation Id="CreateUserIdentity" TransformationMethod="CreateAlternativeSecurityId">
<InputClaims>
<InputClaim ClaimTypeReferenceId="issuerUserId" TransformationClaimType="key" />
<InputClaim ClaimTypeReferenceId="identityProvider" TransformationClaimType="identityProvider" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="alternativeSecurityId" TransformationClaimType="alternativeSecurityId" />
</OutputClaims>
</ClaimsTransformation>@xinaxu Adding that key worked for me. I added to both the AAD-Common and AAD-UserReadUsingObjectId technical profiles. For whatever reason, I had ApiVersion instead of api-version as the key. This should be updated in msft docs and I could find the places where that is the case
xinaxu
commented
5 years ago @seantleonard I see your confusion. We will update the samples.
filipemiguelaugusto
commented
5 years ago @xinaxu Adding that key worked for me also. I replaced it everywhere i had ApiVersion to api-version. Thanks for the help provided.
felipemcg
commented
1 year ago Hi, as of today should we use userIdentities or alternativeSecurityIds ?
It seems that the account linking example is now out of date. It refers to the
userIdentitiesclaim being of typeuserIdentityCollection, which it is now not. Instead, any reference toUserIdentityandUserIdentityCollectionare nowAlternativeSecurityIdandAlternativeSecurityIdCollection. This change seems to be spread across a few different docs, i.e. how to link is in this repo, but how to usealternativeSecurityIdwith respect to linking and claim transformations is found elsewhereIf I have time to change these samples and test them, which is unlikely, then I will. Otherwise, for those who need to know what to do, I'll outline the steps below.
I have had to refactor the account linking example to use, in all policies that reference them. the following:
identityProviderin place ofissueralternativeSecurityIdin place ofuserIdentityalternativeSecurityIdCollectionin place ofuserIdentityCollectionalternativeSecurityIdsin place ofuserIdentitiesAlso, the transformations that relate to modifying and creating
userIdentitynow need to refer toalternativeSecurityId, as follows: