Azure-Samples / active-directory-b2c-advanced-policies

Sample for use with Azure AD B2C with Custom Policies.
http://aka.ms/aadb2ccustom
MIT License

Account Linking example needs to be updated to use alternativeSecurityId #50

Open iamkoch opened 5 years ago

iamkoch commented 5 years ago

It seems that the account linking example is now out of date. It refers to the userIdentities claim being of type userIdentityCollection, which it is now not. Instead, any references to UserIdentity and UserIdentityCollection are now AlternativeSecurityId and AlternativeSecurityIdCollection. This change seems to be spread across a few different docs, i.e. how to link is in this repo, but how to use alternativeSecurityId with respect to linking and claim transformations is found elsewhere.

If I have time to change these samples and test them, which is unlikely, then I will. Otherwise, for those who need to know what to do, I'll outline the steps below.

I have had to refactor the account linking example to use, in all policies that reference them, the following:

Also, the transformations that relate to modifying and creating userIdentity now need to refer to alternativeSecurityId, as follows:

      <ClaimsTransformation Id="CreateUserIdentity" TransformationMethod="CreateAlternativeSecurityId">
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="issuerUserId" TransformationClaimType="key" />
          <InputClaim ClaimTypeReferenceId="identityProvider" TransformationClaimType="identityProvider" />
        </InputClaims>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="alternativeSecurityId" TransformationClaimType="alternativeSecurityId" />
        </OutputClaims>
      </ClaimsTransformation>

      <ClaimsTransformation Id="CreateUserIdentityToLink" TransformationMethod="CreateAlternativeSecurityId">
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="issuerUserIdToLink" TransformationClaimType="key" />
          <InputClaim ClaimTypeReferenceId="identityProviderToLink" TransformationClaimType="identityProvider" />
        </InputClaims>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="userIdentityToLink" TransformationClaimType="alternativeSecurityId" />
        </OutputClaims>
      </ClaimsTransformation>

      <ClaimsTransformation Id="AppendUserIdentity" TransformationMethod="AddItemToAlternativeSecurityIdCollection">
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="alternativeSecurityId" TransformationClaimType="item" />
          <InputClaim ClaimTypeReferenceId="alternativeSecurityIds" TransformationClaimType="collection" />
        </InputClaims>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="alternativeSecurityIds" TransformationClaimType="collection" />
        </OutputClaims>
      </ClaimsTransformation>

      <ClaimsTransformation Id="AppendUserIdentityToLink" TransformationMethod="AddItemToAlternativeSecurityIdCollection">
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="userIdentityToLink" TransformationClaimType="item" />
          <InputClaim ClaimTypeReferenceId="alternativeSecurityIds" TransformationClaimType="collection" />
        </InputClaims>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="alternativeSecurityIds" TransformationClaimType="collection" />
        </OutputClaims>
      </ClaimsTransformation>

      <ClaimsTransformation Id="RemoveUserIdentityFromCollectionByIssuer" TransformationMethod="RemoveAlternativeSecurityIdByIdentityProvider">
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="identityProviderToUnlink" TransformationClaimType="identityProvider" />
          <InputClaim ClaimTypeReferenceId="alternativeSecurityIds" TransformationClaimType="collection" />
        </InputClaims>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="alternativeSecurityIds" TransformationClaimType="collection" />
        </OutputClaims>
      </ClaimsTransformation>

      <ClaimsTransformation Id="ExtractIdentityProviders" TransformationMethod="GetIdentityProvidersFromAlternativeSecurityIdCollectionTransformation">
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="alternativeSecurityIds" TransformationClaimType="alternativeSecurityIdCollection" />
        </InputClaims>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="identityProviders" TransformationClaimType="identityProvidersCollection" />
        </OutputClaims>
      </ClaimsTransformation>

iamkoch commented 5 years ago

I've added these for others who have hit the same issues as me.

filipemiguelaugusto commented 5 years ago

I've tried to make changes in the sample files according to your suggestions with no success. Is it possible to have further information about all the replacements that you must do? Was anyone able to get this example of account linking up and running recently?

iamkoch commented 5 years ago

We have this working in a production system.

My concern is that no one from MS seems to have looked at or commented on this issue.

Which part is failing? Have you enabled development mode / logging to Application Insights in your policy? You can couple this with the wingtip journey player, which can be found on the net, to help figure out at what point your custom policy is failing.

seantleonard commented 5 years ago

@filipemiguelaugusto looks like the docs reflect AlternativeSecurityId https://docs.microsoft.com/en-us/azure/active-directory-b2c/social-transformations

However, this sample still needs to be updated.

filipemiguelaugusto commented 5 years ago

@iamkoch my problems start way back. It seems like I can't get the right transformations in the files to upload them without errors. I'm far from being an expert in this kind of customization!

I get errors like this one for instance: [...] The InputClaims mismatched in ClaimsTransformation with id "AppendUserIdentityToLink" with TransformationMethod "AddItemToUserIdentityCollection". The following InputClaims were declared in the Policy but were not expected by the TransformMethod: [AlternativeSecurityIdCollection]collection. The following InputClaims were expected by the TransformMethod but were not declared in the Policy: [UserIdentityCollection]collection.

I tried to follow the changes that you have proposed but I keep getting this kind of error.

iamkoch commented 5 years ago

Take the XML from my original post and include it in yours. It contains the replacement transformations used to manipulate alternative security id based claims.

xinaxu commented 5 years ago

@filipemiguelaugusto From the error message, it looks like you might be mixing UserIdentity claims transformation with AlternativeSecurityId DataType. If you can post an example of your policy, I can help you identify the issue.

xinaxu commented 5 years ago

@iamkoch Sorry for the late response. Both the UserIdentities and AlternativeSecurityId solutions should work. If UserIdentities does not, may I know where you found it outdated or not working so I may look into it? Thanks!

iamkoch commented 5 years ago

Hi @xinaxu

Below is the particular log from app insights. The line of interest is "Unable to cast object of type 'Microsoft.Cpim.Data.UserIdentity' to type 'System.String'.",

The documentation states that the transformations return JSON as a string, however, the user identity path seems to return an instance of a useridentity.

I have redacted tenant and user-specific data.

[
  {
    "Kind": "Headers",
    "Content": {
      "UserJourneyRecorderEndpoint": "urn:journeyrecorder:applicationinsights",
      "CorrelationId": "2049b625-2d9f-456d-a534-65e89f77aa9e",
      "EventInstance": "Event:ClaimsExchange",
      "TenantId": "",
      "PolicyId": ""
    }
  },
  {
    "Kind": "Transition",
    "Content": {
      "EventName": "ClaimsExchange",
      "StateName": "Initial"
    }
  },
  {
    "Kind": "Predicate",
    "Content": "Web.TPEngine.StateMachineHandlers.ClaimsExchangeMessageValidationHandler"
  },
  {
    "Kind": "HandlerResult",
    "Content": {
      "Result": false,
      "RecorderRecord": {
        "Values": [
          {
            "Key": "Validation",
            "Value": {
              "Values": [
                {
                  "Key": "SubmittedBy",
                  "Value": "FacebookExchange"
                },
                {
                  "Key": "ProtocolProviderType",
                  "Value": "OAuth2ProtocolProvider"
                }
              ]
            }
          }
        ]
      },
      "Statebag": {
        "MACHSTATE": {
          "c": "2019-05-01T11:06:51.8496202Z",
          "k": "MACHSTATE",
          "v": "Initial",
          "p": true
        },
        "JC": {
          "c": "2019-05-01T11:06:46.756283Z",
          "k": "JC",
          "v": "en-US",
          "p": true
        },
        "ORCH_CS": {
          "c": "2019-05-01T11:06:51.8496202Z",
          "k": "ORCH_CS",
          "v": "2",
          "p": true
        },
        "RA": {
          "c": "2019-05-01T11:06:51.8496202Z",
          "k": "RA",
          "v": "0",
          "p": true
        },
        "RPP": {
          "c": "2019-05-01T11:06:46.756283Z",
          "k": "RPP",
          "v": "OAUTH2",
          "p": true
        },
        "RPIPP": {
          "c": "2019-05-01T11:06:46.756283Z",
          "k": "RPIPP",
          "v": "OAuth2ProtocolProvider",
          "p": true
        },
        "OTID": {
          "c": "2019-05-01T11:06:46.756283Z",
          "k": "OTID",
          "v": "8fa83b33-38fa-4b1d-9ba0-5a1b744e0251",
          "p": true
        },
        "IC": {
          "c": "2019-05-01T11:06:46.8500747Z",
          "k": "IC",
          "v": "True",
          "p": true
        },
        "MSG(2f2f07f5-cce4-4092-b1af-946747ce0c0b)": {
          "c": "2019-05-01T11:06:46.8500747Z",
          "k": "MSG(2f2f07f5-cce4-4092-b1af-946747ce0c0b)",
          "v": "{\"\",\"RedirectUri\":\"",\"AdditionalParameters\":{\"brand\":\"\",\"x-client-SKU\":\"ID_NETSTANDARD1_4\",\"x-client-ver\":\"5.2.0.0\"},\"Nonce\":\"636923056056627661.ZDM4M2U2NTUtYmU0Zi00MmJkLTk3YjQtMmMxZDViYmZkNWY3MzZiOWVhZmMtZTdmMy00YWNkLTg5OTgtZTJiMDJhMmZmM2Vj\",\"State\":\"CfDJ8MzCP1neA_FHg-3dbgjGnU81QcHFYzWu56SSXzDSEyq_TF552UxqOKXSzTJDPtMWLezmOzuzQv_gN1zRvN1FgRSjfjiwTYet7G-jviv1ZP8NfUqPaZdGDseHtJYlCLpJ5T0nqLpFiHHYvjGxmWFnVwXeXfeW_iyXQmt19rr4h01kCP7lEwMIhgRksb0raZsjnakzpX68LSKkN06AVwtxO3S4hV0Ueu96BWCs5UU87o9de6sKd9WVs0tyJW5H2pxYEfFhn9fiG-5yvzUPswJWsJomZTwLdP_dEYXaF2XixKGQ_9srK0lADf-RuI8wJe4Gf3LFoO7IJvYT9pi8OUa0MfJCb6OB8w15fAnO5EgwrTi6t-WjO9Q_qdJ3xrEfAcmi2jaoq6AIHYTKdfNE5y9W8rpwplyxyURxwUK6aN3uaaRA4NVRJe7p_DuKnbeuQMjRvnbe3UhhfCUSKl2CWcKhvdQ5OJxZj4OLDJ1OLebYr5qTXsZl6CbIHmgvcUb-pd7EPHqAAgbL7nG9HM1845IBjjMlRmGuxxrg7jSxtyhv5ko5ieRTsGARlAant04ccccJo9n-rgpgrl-8vFddiQ2hnX3JjyEZYFPZelC8ekR7acH-pwA79PTkum4hVaYx1C0sPSkPcXKv04MqdfJe7MzzRtKGc6G3GglbJrrgc5cfXBxk3QkjyRLSQMFBQAOgNxhYV0GLclfQoP5L1u06_50Num2vMUYCVQKVbBnZzLjmhD-6\",\"ClientId\":\"c7f00b2a-7ef6-4e46-9637-a05b8a224b0e\",\"ResponseType\":\"id_token\",\"ResponseMode\":\"form_post\",\"ResponseRedirector\":{\"URI\":\"https://signin-oidc\",\"D\":false,\"WF\":true,\"R\":false},\"AppModelVersion\":1,\"ScopedProviders\":[]}",
          "p": true,
          "t": "OAuth2"
        },
        "IMESSAGE": {
          "c": "2019-05-01T11:06:46.8500747Z",
          "k": "IMESSAGE",
          "v": "2f2f07f5-cce4-4092-b1af-946747ce0c0b",
          "p": true
        },
        "EID": {
          "c": "2019-05-01T11:06:46.8698452Z",
          "k": "EID",
          "v": "urn:com:microsoft:aad:b2c:elements:unifiedssp:1.0.0",
          "p": true
        },
        "TAGE": {
          "c": "2019-05-01T11:06:52.7460274Z",
          "k": "TAGE",
          "v": "FacebookExchange",
          "p": true
        },
        "CMESSAGE": {
          "c": "2019-05-01T11:06:52.730404Z",
          "k": "CMESSAGE",
          "v": "2f2f07f5-cce4-4092-b1af-946747ce0c0b",
          "p": true
        },
        "Facebook-OAUTH": {
          "ContentType": "Json",
          "Created": "2019-05-01T11:06:53.089828Z",
          "Key": "Facebook-OAUTH",
          "Persistent": true,
          "Value": "{};2;Facebook-OAUTH;False"
        },
        "ComplexItems": "_MachineEventQ, REPRM, TCTX"
      },
      "PredicateResult": "True"
    }
  },
  {
    "Kind": "Predicate",
    "Content": "Web.TPEngine.StateMachineHandlers.NoOpHandler"
  },
  {
    "Kind": "HandlerResult",
    "Content": {
      "Result": true,
      "PredicateResult": "True"
    }
  },
  {
    "Kind": "Action",
    "Content": "Web.TPEngine.StateMachineHandlers.OutputClaimsTransformationHandler"
  },
  {
    "Kind": "HandlerResult",
    "Content": {
      "Result": true,
      "RecorderRecord": {
        "Values": [
          {
            "Key": "OutputClaimsTransformation",
            "Value": {
              "Values": [
                {
                  "Key": "MappingFromPartnerClaimType",
                  "Value": {
                    "PartnerClaimType": "id",
                    "PolicyClaimType": "issuerUserId"
                  }
                },
                {
                  "Key": "MappingFromPartnerClaimType",
                  "Value": {
                    "PartnerClaimType": "first_name",
                    "PolicyClaimType": "givenName"
                  }
                },
                {
                  "Key": "MappingFromPartnerClaimType",
                  "Value": {
                    "PartnerClaimType": "last_name",
                    "PolicyClaimType": "surname"
                  }
                },
                {
                  "Key": "MappingFromPartnerClaimType",
                  "Value": {
                    "PartnerClaimType": "name",
                    "PolicyClaimType": "displayName"
                  }
                },
                {
                  "Key": "MappingDefaultValueForClaim",
                  "Value": {
                    "PartnerClaimType": "idp",
                    "PolicyClaimType": "issuer"
                  }
                },
                {
                  "Key": "MappingDefaultValueForClaim",
                  "Value": {
                    "PartnerClaimType": "authenticationSource",
                    "PolicyClaimType": "authenticationSource"
                  }
                },
                {
                  "Key": "ClaimsTransformation",
                  "Value": {
                    "Values": [
                      {
                        "Key": "Id",
                        "Value": "CreateRandomUPNUserName"
                      },
                      {
                        "Key": "InputParameter",
                        "Value": {
                          "Id": "randomGeneratorType",
                          "Value": "GUID"
                        }
                      },
                      {
                        "Key": "Result",
                        "Value": {
                          "PolicyClaimType": "upnUserName",
                          "Value": "f396eb78-04c1-422a-a0dc-0318235788a1"
                        }
                      }
                    ]
                  }
                },
                {
                  "Key": "ClaimsTransformation",
                  "Value": {
                    "Values": [
                      {
                        "Key": "Id",
                        "Value": "CreateUserPrincipalName"
                      },
                      {
                        "Key": "InputClaim",
                        "Value": {
                          "PolicyClaimType": "upnUserName",
                          "Value": "f396eb78-04c1-422a-a0dc-0318235788a1"
                        }
                      },
                      {
                        "Key": "InputParameter",
                        "Value": {
                          "Id": "stringFormat",
                          "Value": "cpim_{0}@{RelyingPartyTenantId}"
                        }
                      },
                      {
                        "Key": "Result",
                        "Value": {
                          "PolicyClaimType": "userPrincipalName",
                          "Value": ""
                        }
                      }
                    ]
                  }
                },
                {
                  "Key": "ClaimsTransformation",
                  "Value": {
                    "Values": [
                      {
                        "Key": "Id",
                        "Value": "CreateUserIdentity"
                      },
                      {
                        "Key": "InputClaim",
                        "Value": {
                          "PolicyClaimType": "issuerUserId",
                          "Value": ""
                        }
                      },
                      {
                        "Key": "InputClaim",
                        "Value": {
                          "PolicyClaimType": "issuer",
                          "Value": "facebook.com"
                        }
                      },
                      {
                        "Key": "Result",
                        "Value": {
                          "PolicyClaimType": "userIdentity",
                          "Value": "Microsoft.Cpim.Data.UserIdentity"
                        }
                      }
                    ]
                  }
                },
                {
                  "Key": "ClaimsTransformation",
                  "Value": {
                    "Values": [
                      {
                        "Key": "Id",
                        "Value": "CreateSubjectClaimFromUserIdentity"
                      },
                      {
                        "Key": "InputParameter",
                        "Value": {
                          "Id": "value",
                          "Value": "Not supported currently. Use oid claim."
                        }
                      },
                      {
                        "Key": "Result",
                        "Value": {
                          "PolicyClaimType": "sub",
                          "Value": "Not supported currently. Use oid claim."
                        }
                      }
                    ]
                  }
                },
                {
                  "Key": "ClaimsTransformation",
                  "Value": {
                    "Values": [
                      {
                        "Key": "Id",
                        "Value": "AppendUserIdentity"
                      },
                      {
                        "Key": "InputClaim",
                        "Value": {
                          "PolicyClaimType": "userIdentity",
                          "Value": "Microsoft.Cpim.Data.UserIdentity"
                        }
                      },
                      {
                        "Key": "InputClaim",
                        "Value": {
                          "PolicyClaimType": "userIdentities",
                          "Value": "System.Collections.ObjectModel.Collection`1[Microsoft.Cpim.Data.UserIdentity]"
                        }
                      },
                      {
                        "Key": "Result",
                        "Value": {
                          "PolicyClaimType": "userIdentities",
                          "Value": "System.Collections.ObjectModel.Collection`1[Microsoft.Cpim.Data.UserIdentity]"
                        }
                      }
                    ]
                  }
                }
              ]
            }
          }
        ]
      },
      "Statebag": {
        "Complex-CLMS": {
          "issuerUserId": "",
          "givenName": "",
          "surname": "",
          "displayName": "",
          "email": "",
          "issuer": "facebook.com",
          "authenticationSource": "socialIdpAuthentication",
          "upnUserName": "",
          "userPrincipalName": "",
          "userIdentity": "Microsoft.Cpim.Data.UserIdentity",
          "sub": "Not supported currently. Use oid claim.",
          "userIdentities": "System.Collections.ObjectModel.Collection`1[Microsoft.Cpim.Data.UserIdentity]"
        }
      }
    }
  },
  {
    "Kind": "Action",
    "Content": "Web.TPEngine.SSO.SSOSessionHandler"
  },
  {
    "Kind": "HandlerResult",
    "Content": {
      "Result": true
    }
  },
  {
    "Kind": "Action",
    "Content": "Web.TPEngine.OrchestrationManager"
  },
  {
    "Kind": "HandlerResult",
    "Content": {
      "Result": true,
      "Statebag": {
        "ORCH_CS": {
          "c": "2019-05-01T11:06:53.1216701Z",
          "k": "ORCH_CS",
          "v": "3",
          "p": true
        }
      }
    }
  },
  {
    "Kind": "Transition",
    "Content": {
      "EventName": "ClaimsExchange",
      "StateName": "AwaitingNextStep"
    }
  },
  {
    "Kind": "Predicate",
    "Content": "Web.TPEngine.StateMachineHandlers.ShouldOrchestrationStepBeInvokedHandler"
  },
  {
    "Kind": "HandlerResult",
    "Content": {
      "Result": true,
      "RecorderRecord": {
        "Values": [
          {
            "Key": "EnabledForUserJourneysTrue",
            "Value": {
              "Values": [
                {
                  "Key": "CurrentStep",
                  "Value": 3
                },
                {
                  "Key": "TechnicalProfileEnabled",
                  "Value": {
                    "EnabledRule": "Always",
                    "EnabledResult": true,
                    "TechnicalProfile": "AAD-UserReadUsingUserIdentity-NoError"
                  }
                }
              ]
            }
          }
        ]
      },
      "Statebag": {
        "MACHSTATE": {
          "c": "2019-05-01T11:06:53.1216701Z",
          "k": "MACHSTATE",
          "v": "AwaitingNextStep",
          "p": true
        }
      },
      "PredicateResult": "True"
    }
  },
  {
    "Kind": "Predicate",
    "Content": "Web.TPEngine.StateMachineHandlers.IsClaimsExchangeProtocolARedirectionHandler"
  },
  {
    "Kind": "HandlerResult",
    "Content": {
      "Result": true,
      "PredicateResult": "False"
    }
  },
  {
    "Kind": "Predicate",
    "Content": "Web.TPEngine.StateMachineHandlers.IsClaimsExchangeProtocolAnApiHandler"
  },
  {
    "Kind": "HandlerResult",
    "Content": {
      "Result": true,
      "PredicateResult": "False"
    }
  },
  {
    "Kind": "Predicate",
    "Content": "Web.TPEngine.SSO.IsSSOSessionParticipantHandler"
  },
  {
    "Kind": "HandlerResult",
    "Content": {
      "Result": true,
      "PredicateResult": "False"
    }
  },
  {
    "Kind": "Predicate",
    "Content": "Web.TPEngine.StateMachineHandlers.IsClaimsExchangeProtocolAServiceCallHandler"
  },
  {
    "Kind": "HandlerResult",
    "Content": {
      "Result": true,
      "RecorderRecord": {
        "Values": [
          {
            "Key": "InitiatingClaimsExchange",
            "Value": {
              "ProtocolType": "backend protocol",
              "TargetEntity": "FacebookExchange",
              "TechnicalProfileId": "AAD-UserReadUsingUserIdentity-NoError",
              "ProtocolProviderType": "AzureActiveDirectoryProvider"
            }
          }
        ]
      },
      "PredicateResult": "True"
    }
  },
  {
    "Kind": "Action",
    "Content": "Web.TPEngine.StateMachineHandlers.GenerateRequestInputParamsHandler"
  },
  {
    "Kind": "HandlerResult",
    "Content": {
      "Result": false
    }
  },
  {
    "Kind": "Action",
    "Content": "Web.TPEngine.StateMachineHandlers.InputClaimsTransformationHandler"
  },
  {
    "Kind": "HandlerResult",
    "Content": {
      "Result": true
    }
  },
  {
    "Kind": "Action",
    "Content": "Web.TPEngine.StateMachineHandlers.PersistedClaimsTransformationHandler"
  },
  {
    "Kind": "HandlerResult",
    "Content": {
      "Result": true
    }
  },
  {
    "Kind": "Action",
    "Content": "Web.TPEngine.StateMachineHandlers.OutputClaimsTransformationHandler"
  },
  {
    "Kind": "FatalException",
    "Content": {
      "Time": "11:06 AM",
      "Exception": {
        "Kind": "Handled",
        "HResult": "80004002",
        "Message": "Unable to cast object of type 'Microsoft.Cpim.Data.UserIdentity' to type 'System.String'.",
        "Data": {
          "TenantId": "",
          "PolicyId": "",
          "TechnicalProfileId": "AAD-UserReadUsingUserIdentity-NoError"
        }
      }
    }
  }
]
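
An added example, not part of the original comment or of the sample repository: a Python triage of a journey-recorder log shaped like the one above. It reports the handler and technical profile at the FatalException and lists claims transformation results that are .NET objects rather than string values. `SAMPLE_LOG` is constructed (trimmed from the structure of the posted log), and the function and variable names are assumptions.

```python
import json

def _walk(node):
    # Yield every dict nested anywhere inside a journey-recorder record.
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk(value)

def triage(records):
    """Return (fatal, object_claims) for a list of journey-recorder records."""
    last_handler, object_claims, fatal = None, [], None
    for rec in records:
        kind, content = rec.get("Kind"), rec.get("Content")
        if kind in ("Action", "Predicate"):
            last_handler = content  # handler that runs next
        elif kind == "HandlerResult":
            for d in _walk(content):
                if d.get("Key") != "ClaimsTransformation":
                    continue
                entries = d["Value"]["Values"]
                tid = next(e["Value"] for e in entries if e["Key"] == "Id")
                for e in entries:
                    if e["Key"] != "Result":
                        continue
                    val = str(e["Value"].get("Value", ""))
                    # A .NET type name here means the claim holds an object.
                    if val.startswith(("Microsoft.", "System.")):
                        object_claims.append((tid, e["Value"]["PolicyClaimType"], val))
        elif kind == "FatalException":
            exc = content["Exception"]
            fatal = {
                "handler": last_handler,
                "message": exc["Message"],
                "technical_profile": exc.get("Data", {}).get("TechnicalProfileId"),
            }
    return fatal, object_claims

# Constructed sample: a few records in the shape of the log posted above.
SAMPLE_LOG = json.loads(r'''[
 {"Kind": "Action", "Content": "Web.TPEngine.StateMachineHandlers.OutputClaimsTransformationHandler"},
 {"Kind": "HandlerResult", "Content": {"Result": true, "RecorderRecord": {"Values": [
   {"Key": "OutputClaimsTransformation", "Value": {"Values": [
     {"Key": "ClaimsTransformation", "Value": {"Values": [
       {"Key": "Id", "Value": "CreateUserIdentity"},
       {"Key": "Result", "Value": {"PolicyClaimType": "userIdentity",
                                   "Value": "Microsoft.Cpim.Data.UserIdentity"}}]}},
     {"Key": "ClaimsTransformation", "Value": {"Values": [
       {"Key": "Id", "Value": "CreateRandomUPNUserName"},
       {"Key": "Result", "Value": {"PolicyClaimType": "upnUserName",
                                   "Value": "00000000-0000-0000-0000-000000000000"}}]}}
   ]}}]}}},
 {"Kind": "Action", "Content": "Web.TPEngine.StateMachineHandlers.OutputClaimsTransformationHandler"},
 {"Kind": "FatalException", "Content": {"Time": "11:06 AM", "Exception": {
   "Kind": "Handled", "HResult": "80004002",
   "Message": "Unable to cast object of type 'Microsoft.Cpim.Data.UserIdentity' to type 'System.String'.",
   "Data": {"TechnicalProfileId": "AAD-UserReadUsingUserIdentity-NoError"}}}}
]''')

if __name__ == "__main__":
    fatal, object_claims = triage(SAMPLE_LOG)
    print(fatal)
    print(object_claims)
```
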

filipemiguelaugusto commented 5 years ago

@xinaxu plz find attached my policy file with some changes as suggested at this post. TRUSTFRAMEWORKBASE.xml.txt

xinaxu commented 5 years ago

@iamkoch Could you try adding the below to the metadata of that technical profile?

      <Item Key="api-version">1.6</Item>

UserIdentity is only supported by the 1.6 api version, which is more consistent with what AAD graph has documented. If not using the 1.6 api-version, then AlternativeSecurityId should be used.

xinaxu commented 5 years ago

@filipemiguelaugusto Looks like you have commented out AddItemToUserIdentityCollection. Your policy is mixing AlternativeSecurityId and UserIdentity; for example, CreateAlternativeSecurityId is expecting a claim type of data type AlternativeSecurityId but your alternativeSecurityId is of type userIdentity. I would suggest renaming all your claim types and transformations to alternativeSecurityId and making sure no UserIdentities appear in the policy.

      <ClaimType Id="alternativeSecurityId">
        <DisplayName>userIdentity</DisplayName>
        <DataType>userIdentity</DataType>
        <AdminHelpText>userIdentity</AdminHelpText>
        <UserHelpText>userIdentity</UserHelpText>
      </ClaimType>

      <ClaimsTransformation Id="CreateUserIdentity" TransformationMethod="CreateAlternativeSecurityId">
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="issuerUserId" TransformationClaimType="key" />
          <InputClaim ClaimTypeReferenceId="identityProvider" TransformationClaimType="identityProvider" />
        </InputClaims>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="alternativeSecurityId" TransformationClaimType="alternativeSecurityId" />
        </OutputClaims>
      </ClaimsTransformation>

seantleonard commented 5 years ago

@xinaxu Adding that key worked for me. I added to both the AAD-Common and AAD-UserReadUsingObjectId technical profiles. For whatever reason, I had ApiVersion instead of api-version as the key. This should be updated in msft docs and I could find the places where that is the case.

xinaxu commented 5 years ago

@seantleonard I see your confusion. We will update the samples.

filipemiguelaugusto commented 5 years ago

@xinaxu Adding that key worked for me also. I replaced ApiVersion with api-version everywhere I had it. Thanks for the help provided.
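
An added example, not code from the sample repository or from any commenter: a Python pre-upload check that encodes the three points raised in the comments above (a transformation of one family wired to a claim of the other, a metadata key spelled `ApiVersion`, and userIdentity-typed claims in a technical profile without `api-version` 1.6). `SAMPLE_POLICY` is a constructed skeleton, the rule names are assumptions, and metadata inheritance is only resolved through `IncludeTechnicalProfile` within one file.

```python
import xml.etree.ElementTree as ET

FAMILIES = ("useridentity", "alternativesecurityid")

def _find(el, name):
    # All descendants of el with this local tag name (any xmlns prefix ignored).
    return [c for c in el.iter() if c.tag.rsplit("}", 1)[-1] == name]

def _family(name):
    # Map a DataType or TransformationMethod name to its family, if any.
    low = (name or "").lower()
    return next((f for f in FAMILIES if f in low), None)

def lint_policy(xml_text):
    root = ET.fromstring(xml_text)
    findings = []
    claim_family = {}  # ClaimType Id -> family of its DataType (None for string)
    for ct in _find(root, "ClaimType"):
        dt = _find(ct, "DataType")
        claim_family[ct.get("Id")] = _family(dt[0].text if dt else "")
    # Rule 1: a transformation method of one family wired to a claim of the other.
    for tr in _find(root, "ClaimsTransformation"):
        method_family = _family(tr.get("TransformationMethod"))
        for claim in _find(tr, "InputClaim") + _find(tr, "OutputClaim"):
            ref = claim.get("ClaimTypeReferenceId")
            fam = claim_family.get(ref)
            if method_family and fam and fam != method_family:
                findings.append(("mixed-family", tr.get("Id"), ref))
    profiles = {tp.get("Id"): tp for tp in _find(root, "TechnicalProfile")}

    def own_metadata(tp):
        return {i.get("Key"): (i.text or "").strip()
                for md in _find(tp, "Metadata") for i in _find(md, "Item")}

    def metadata(tp_id, seen=frozenset()):
        # Merge metadata from IncludeTechnicalProfile references in this file.
        tp = profiles.get(tp_id)
        if tp is None or tp_id in seen:
            return {}
        merged = {}
        for inc in _find(tp, "IncludeTechnicalProfile"):
            merged.update(metadata(inc.get("ReferenceId"), seen | {tp_id}))
        merged.update(own_metadata(tp))
        return merged

    for tp_id, tp in profiles.items():
        # Rule 2: the key that worked in the thread is "api-version".
        if "ApiVersion" in own_metadata(tp):
            findings.append(("metadata-key", tp_id, "ApiVersion"))
        # Rule 3: userIdentity-typed claims need api-version 1.6 (per the thread).
        refs = (_find(tp, "InputClaim") + _find(tp, "OutputClaim")
                + _find(tp, "PersistedClaim"))
        if any(claim_family.get(c.get("ClaimTypeReferenceId")) == "useridentity"
               for c in refs) and metadata(tp_id).get("api-version") != "1.6":
            findings.append(("needs-api-version-1.6", tp_id, "api-version"))
    return findings

# Constructed skeleton reproducing the three mistakes discussed in the thread.
SAMPLE_POLICY = """<TrustFrameworkPolicy>
<ClaimsSchema>
  <ClaimType Id="issuerUserId"><DataType>string</DataType></ClaimType>
  <ClaimType Id="alternativeSecurityId"><DataType>userIdentity</DataType></ClaimType>
  <ClaimType Id="userIdentities"><DataType>userIdentityCollection</DataType></ClaimType>
</ClaimsSchema>
<ClaimsTransformations>
  <ClaimsTransformation Id="CreateUserIdentity" TransformationMethod="CreateAlternativeSecurityId">
    <InputClaims><InputClaim ClaimTypeReferenceId="issuerUserId" TransformationClaimType="key" /></InputClaims>
    <OutputClaims><OutputClaim ClaimTypeReferenceId="alternativeSecurityId" TransformationClaimType="alternativeSecurityId" /></OutputClaims>
  </ClaimsTransformation>
</ClaimsTransformations>
<TechnicalProfiles>
  <TechnicalProfile Id="AAD-Common">
    <Metadata><Item Key="ApiVersion">1.6</Item></Metadata>
  </TechnicalProfile>
  <TechnicalProfile Id="AAD-UserReadUsingUserIdentity-NoError">
    <InputClaims><InputClaim ClaimTypeReferenceId="userIdentities" /></InputClaims>
    <IncludeTechnicalProfile ReferenceId="AAD-Common" />
  </TechnicalProfile>
</TechnicalProfiles>
</TrustFrameworkPolicy>"""
```

Calling `lint_policy(SAMPLE_POLICY)` returns one finding per rule; an empty list means none of the three patterns was found in that file.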

felipemcg commented 1 year ago

Hi, as of today should we use userIdentities or alternativeSecurityIds?