Open iamkoch opened 5 years ago
I've added these for others who have hit the same issues as me.
I've tried to make changes in the sample files according to your suggestions, with no success. Is it possible to have further information about all the replacements that must be done? Was someone able to get this example of account linking up and running recently?
We have this working in a production system.
My concern is that no one from MS seems to have looked at or commented on this issue.
Which part is failing? Have you enabled development mode / logging to Application Insights for your policy? You can couple this with the wingtip journey player, which can be found on the net, to help figure out at what point your custom policy is failing.
@filipemiguelaugusto looks like the docs reflect AlternativeSecurityId
https://docs.microsoft.com/en-us/azure/active-directory-b2c/social-transformations
However, this sample still needs to be updated.
@iamkoch My problems start way back. It seems like I can't get the right transformations in the files to upload them without errors. I'm far from being an expert in this kind of customization!
I get errors like this one for instance: [...] The InputClaims mismatched in ClaimsTransformation with id "AppendUserIdentityToLink" with TransformationMethod "AddItemToUserIdentityCollection". The following InputClaims were declared in the Policy but were not expected by the TransformMethod: [AlternativeSecurityIdCollection]collection. The following InputClaims were expected by the TransformMethod but were not declared in the Policy: [UserIdentityCollection]collection.
I tried to follow the changes that you have proposed but I keep getting this kind of error.
Take the XML from my original post and include it in yours. It contains the replacement transformations used to manipulate alternative security id based claims.
@filipemiguelaugusto From the error message, it looks like you might be mixing the UserIdentity claims transformation with the AlternativeSecurityId DataType. If you can post an example of your policy, I can help you identify the issue.
@iamkoch Sorry for the late response. Both the UserIdentities and the AlternativeSecurityId solutions should work. If UserIdentities does not, may I know where you found it outdated or not working so I may look into it? Thanks!
Hi @xinaxu
Below is the particular log from App Insights. The line of interest is "Unable to cast object of type 'Microsoft.Cpim.Data.UserIdentity' to type 'System.String'."
The documentation states that the transformations return JSON as a string; however, the user identity path seems to return an instance of a UserIdentity.
I have redacted tenant and user-specific data.
[
{
"Kind": "Headers",
"Content": {
"UserJourneyRecorderEndpoint": "urn:journeyrecorder:applicationinsights",
"CorrelationId": "2049b625-2d9f-456d-a534-65e89f77aa9e",
"EventInstance": "Event:ClaimsExchange",
"TenantId": "",
"PolicyId": ""
}
},
{
"Kind": "Transition",
"Content": {
"EventName": "ClaimsExchange",
"StateName": "Initial"
}
},
{
"Kind": "Predicate",
"Content": "Web.TPEngine.StateMachineHandlers.ClaimsExchangeMessageValidationHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": false,
"RecorderRecord": {
"Values": [
{
"Key": "Validation",
"Value": {
"Values": [
{
"Key": "SubmittedBy",
"Value": "FacebookExchange"
},
{
"Key": "ProtocolProviderType",
"Value": "OAuth2ProtocolProvider"
}
]
}
}
]
},
"Statebag": {
"MACHSTATE": {
"c": "2019-05-01T11:06:51.8496202Z",
"k": "MACHSTATE",
"v": "Initial",
"p": true
},
"JC": {
"c": "2019-05-01T11:06:46.756283Z",
"k": "JC",
"v": "en-US",
"p": true
},
"ORCH_CS": {
"c": "2019-05-01T11:06:51.8496202Z",
"k": "ORCH_CS",
"v": "2",
"p": true
},
"RA": {
"c": "2019-05-01T11:06:51.8496202Z",
"k": "RA",
"v": "0",
"p": true
},
"RPP": {
"c": "2019-05-01T11:06:46.756283Z",
"k": "RPP",
"v": "OAUTH2",
"p": true
},
"RPIPP": {
"c": "2019-05-01T11:06:46.756283Z",
"k": "RPIPP",
"v": "OAuth2ProtocolProvider",
"p": true
},
"OTID": {
"c": "2019-05-01T11:06:46.756283Z",
"k": "OTID",
"v": "8fa83b33-38fa-4b1d-9ba0-5a1b744e0251",
"p": true
},
"IC": {
"c": "2019-05-01T11:06:46.8500747Z",
"k": "IC",
"v": "True",
"p": true
},
"MSG(2f2f07f5-cce4-4092-b1af-946747ce0c0b)": {
"c": "2019-05-01T11:06:46.8500747Z",
"k": "MSG(2f2f07f5-cce4-4092-b1af-946747ce0c0b)",
"v": "{\"\",\"RedirectUri\":\"",\"AdditionalParameters\":{\"brand\":\"\",\"x-client-SKU\":\"ID_NETSTANDARD1_4\",\"x-client-ver\":\"5.2.0.0\"},\"Nonce\":\"636923056056627661.ZDM4M2U2NTUtYmU0Zi00MmJkLTk3YjQtMmMxZDViYmZkNWY3MzZiOWVhZmMtZTdmMy00YWNkLTg5OTgtZTJiMDJhMmZmM2Vj\",\"State\":\"CfDJ8MzCP1neA_FHg-3dbgjGnU81QcHFYzWu56SSXzDSEyq_TF552UxqOKXSzTJDPtMWLezmOzuzQv_gN1zRvN1FgRSjfjiwTYet7G-jviv1ZP8NfUqPaZdGDseHtJYlCLpJ5T0nqLpFiHHYvjGxmWFnVwXeXfeW_iyXQmt19rr4h01kCP7lEwMIhgRksb0raZsjnakzpX68LSKkN06AVwtxO3S4hV0Ueu96BWCs5UU87o9de6sKd9WVs0tyJW5H2pxYEfFhn9fiG-5yvzUPswJWsJomZTwLdP_dEYXaF2XixKGQ_9srK0lADf-RuI8wJe4Gf3LFoO7IJvYT9pi8OUa0MfJCb6OB8w15fAnO5EgwrTi6t-WjO9Q_qdJ3xrEfAcmi2jaoq6AIHYTKdfNE5y9W8rpwplyxyURxwUK6aN3uaaRA4NVRJe7p_DuKnbeuQMjRvnbe3UhhfCUSKl2CWcKhvdQ5OJxZj4OLDJ1OLebYr5qTXsZl6CbIHmgvcUb-pd7EPHqAAgbL7nG9HM1845IBjjMlRmGuxxrg7jSxtyhv5ko5ieRTsGARlAant04ccccJo9n-rgpgrl-8vFddiQ2hnX3JjyEZYFPZelC8ekR7acH-pwA79PTkum4hVaYx1C0sPSkPcXKv04MqdfJe7MzzRtKGc6G3GglbJrrgc5cfXBxk3QkjyRLSQMFBQAOgNxhYV0GLclfQoP5L1u06_50Num2vMUYCVQKVbBnZzLjmhD-6\",\"ClientId\":\"c7f00b2a-7ef6-4e46-9637-a05b8a224b0e\",\"ResponseType\":\"id_token\",\"ResponseMode\":\"form_post\",\"ResponseRedirector\":{\"URI\":\"https://signin-oidc\",\"D\":false,\"WF\":true,\"R\":false},\"AppModelVersion\":1,\"ScopedProviders\":[]}",
"p": true,
"t": "OAuth2"
},
"IMESSAGE": {
"c": "2019-05-01T11:06:46.8500747Z",
"k": "IMESSAGE",
"v": "2f2f07f5-cce4-4092-b1af-946747ce0c0b",
"p": true
},
"EID": {
"c": "2019-05-01T11:06:46.8698452Z",
"k": "EID",
"v": "urn:com:microsoft:aad:b2c:elements:unifiedssp:1.0.0",
"p": true
},
"TAGE": {
"c": "2019-05-01T11:06:52.7460274Z",
"k": "TAGE",
"v": "FacebookExchange",
"p": true
},
"CMESSAGE": {
"c": "2019-05-01T11:06:52.730404Z",
"k": "CMESSAGE",
"v": "2f2f07f5-cce4-4092-b1af-946747ce0c0b",
"p": true
},
"Facebook-OAUTH": {
"ContentType": "Json",
"Created": "2019-05-01T11:06:53.089828Z",
"Key": "Facebook-OAUTH",
"Persistent": true,
"Value": "{};2;Facebook-OAUTH;False"
},
"ComplexItems": "_MachineEventQ, REPRM, TCTX"
},
"PredicateResult": "True"
}
},
{
"Kind": "Predicate",
"Content": "Web.TPEngine.StateMachineHandlers.NoOpHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true,
"PredicateResult": "True"
}
},
{
"Kind": "Action",
"Content": "Web.TPEngine.StateMachineHandlers.OutputClaimsTransformationHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true,
"RecorderRecord": {
"Values": [
{
"Key": "OutputClaimsTransformation",
"Value": {
"Values": [
{
"Key": "MappingFromPartnerClaimType",
"Value": {
"PartnerClaimType": "id",
"PolicyClaimType": "issuerUserId"
}
},
{
"Key": "MappingFromPartnerClaimType",
"Value": {
"PartnerClaimType": "first_name",
"PolicyClaimType": "givenName"
}
},
{
"Key": "MappingFromPartnerClaimType",
"Value": {
"PartnerClaimType": "last_name",
"PolicyClaimType": "surname"
}
},
{
"Key": "MappingFromPartnerClaimType",
"Value": {
"PartnerClaimType": "name",
"PolicyClaimType": "displayName"
}
},
{
"Key": "MappingDefaultValueForClaim",
"Value": {
"PartnerClaimType": "idp",
"PolicyClaimType": "issuer"
}
},
{
"Key": "MappingDefaultValueForClaim",
"Value": {
"PartnerClaimType": "authenticationSource",
"PolicyClaimType": "authenticationSource"
}
},
{
"Key": "ClaimsTransformation",
"Value": {
"Values": [
{
"Key": "Id",
"Value": "CreateRandomUPNUserName"
},
{
"Key": "InputParameter",
"Value": {
"Id": "randomGeneratorType",
"Value": "GUID"
}
},
{
"Key": "Result",
"Value": {
"PolicyClaimType": "upnUserName",
"Value": "f396eb78-04c1-422a-a0dc-0318235788a1"
}
}
]
}
},
{
"Key": "ClaimsTransformation",
"Value": {
"Values": [
{
"Key": "Id",
"Value": "CreateUserPrincipalName"
},
{
"Key": "InputClaim",
"Value": {
"PolicyClaimType": "upnUserName",
"Value": "f396eb78-04c1-422a-a0dc-0318235788a1"
}
},
{
"Key": "InputParameter",
"Value": {
"Id": "stringFormat",
"Value": "cpim_{0}@{RelyingPartyTenantId}"
}
},
{
"Key": "Result",
"Value": {
"PolicyClaimType": "userPrincipalName",
"Value": ""
}
}
]
}
},
{
"Key": "ClaimsTransformation",
"Value": {
"Values": [
{
"Key": "Id",
"Value": "CreateUserIdentity"
},
{
"Key": "InputClaim",
"Value": {
"PolicyClaimType": "issuerUserId",
"Value": ""
}
},
{
"Key": "InputClaim",
"Value": {
"PolicyClaimType": "issuer",
"Value": "facebook.com"
}
},
{
"Key": "Result",
"Value": {
"PolicyClaimType": "userIdentity",
"Value": "Microsoft.Cpim.Data.UserIdentity"
}
}
]
}
},
{
"Key": "ClaimsTransformation",
"Value": {
"Values": [
{
"Key": "Id",
"Value": "CreateSubjectClaimFromUserIdentity"
},
{
"Key": "InputParameter",
"Value": {
"Id": "value",
"Value": "Not supported currently. Use oid claim."
}
},
{
"Key": "Result",
"Value": {
"PolicyClaimType": "sub",
"Value": "Not supported currently. Use oid claim."
}
}
]
}
},
{
"Key": "ClaimsTransformation",
"Value": {
"Values": [
{
"Key": "Id",
"Value": "AppendUserIdentity"
},
{
"Key": "InputClaim",
"Value": {
"PolicyClaimType": "userIdentity",
"Value": "Microsoft.Cpim.Data.UserIdentity"
}
},
{
"Key": "InputClaim",
"Value": {
"PolicyClaimType": "userIdentities",
"Value": "System.Collections.ObjectModel.Collection`1[Microsoft.Cpim.Data.UserIdentity]"
}
},
{
"Key": "Result",
"Value": {
"PolicyClaimType": "userIdentities",
"Value": "System.Collections.ObjectModel.Collection`1[Microsoft.Cpim.Data.UserIdentity]"
}
}
]
}
}
]
}
}
]
},
"Statebag": {
"Complex-CLMS": {
"issuerUserId": "",
"givenName": "",
"surname": "",
"displayName": "",
"email": "",
"issuer": "facebook.com",
"authenticationSource": "socialIdpAuthentication",
"upnUserName": "",
"userPrincipalName": "",
"userIdentity": "Microsoft.Cpim.Data.UserIdentity",
"sub": "Not supported currently. Use oid claim.",
"userIdentities": "System.Collections.ObjectModel.Collection`1[Microsoft.Cpim.Data.UserIdentity]"
}
}
}
},
{
"Kind": "Action",
"Content": "Web.TPEngine.SSO.SSOSessionHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true
}
},
{
"Kind": "Action",
"Content": "Web.TPEngine.OrchestrationManager"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true,
"Statebag": {
"ORCH_CS": {
"c": "2019-05-01T11:06:53.1216701Z",
"k": "ORCH_CS",
"v": "3",
"p": true
}
}
}
},
{
"Kind": "Transition",
"Content": {
"EventName": "ClaimsExchange",
"StateName": "AwaitingNextStep"
}
},
{
"Kind": "Predicate",
"Content": "Web.TPEngine.StateMachineHandlers.ShouldOrchestrationStepBeInvokedHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true,
"RecorderRecord": {
"Values": [
{
"Key": "EnabledForUserJourneysTrue",
"Value": {
"Values": [
{
"Key": "CurrentStep",
"Value": 3
},
{
"Key": "TechnicalProfileEnabled",
"Value": {
"EnabledRule": "Always",
"EnabledResult": true,
"TechnicalProfile": "AAD-UserReadUsingUserIdentity-NoError"
}
}
]
}
}
]
},
"Statebag": {
"MACHSTATE": {
"c": "2019-05-01T11:06:53.1216701Z",
"k": "MACHSTATE",
"v": "AwaitingNextStep",
"p": true
}
},
"PredicateResult": "True"
}
},
{
"Kind": "Predicate",
"Content": "Web.TPEngine.StateMachineHandlers.IsClaimsExchangeProtocolARedirectionHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true,
"PredicateResult": "False"
}
},
{
"Kind": "Predicate",
"Content": "Web.TPEngine.StateMachineHandlers.IsClaimsExchangeProtocolAnApiHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true,
"PredicateResult": "False"
}
},
{
"Kind": "Predicate",
"Content": "Web.TPEngine.SSO.IsSSOSessionParticipantHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true,
"PredicateResult": "False"
}
},
{
"Kind": "Predicate",
"Content": "Web.TPEngine.StateMachineHandlers.IsClaimsExchangeProtocolAServiceCallHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true,
"RecorderRecord": {
"Values": [
{
"Key": "InitiatingClaimsExchange",
"Value": {
"ProtocolType": "backend protocol",
"TargetEntity": "FacebookExchange",
"TechnicalProfileId": "AAD-UserReadUsingUserIdentity-NoError",
"ProtocolProviderType": "AzureActiveDirectoryProvider"
}
}
]
},
"PredicateResult": "True"
}
},
{
"Kind": "Action",
"Content": "Web.TPEngine.StateMachineHandlers.GenerateRequestInputParamsHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": false
}
},
{
"Kind": "Action",
"Content": "Web.TPEngine.StateMachineHandlers.InputClaimsTransformationHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true
}
},
{
"Kind": "Action",
"Content": "Web.TPEngine.StateMachineHandlers.PersistedClaimsTransformationHandler"
},
{
"Kind": "HandlerResult",
"Content": {
"Result": true
}
},
{
"Kind": "Action",
"Content": "Web.TPEngine.StateMachineHandlers.OutputClaimsTransformationHandler"
},
{
"Kind": "FatalException",
"Content": {
"Time": "11:06 AM",
"Exception": {
"Kind": "Handled",
"HResult": "80004002",
"Message": "Unable to cast object of type 'Microsoft.Cpim.Data.UserIdentity' to type 'System.String'.",
"Data": {
"TenantId": "",
"PolicyId": "",
"TechnicalProfileId": "AAD-UserReadUsingUserIdentity-NoError"
}
}
}
}
]
@xinaxu Please find attached my policy file with some changes as suggested in this post. TRUSTFRAMEWORKBASE.xml.txt
@iamkoch Could you try adding the item below to the metadata of that technical profile? <Item Key="api-version">1.6</Item>
UserIdentity is only supported by the 1.6 api-version, which is more consistent with what AAD Graph has documented. If not using the 1.6 api-version, then AlternativeSecurityId should be used.
@filipemiguelaugusto Looks like you have commented out AddItemToUserIdentityCollection. Your policy is mixing AlternativeSecurityId and UserIdentity; for example, CreateAlternativeSecurityId is expecting a claim type of data type AlternativeSecurityId, but your alternativeSecurityId is of type userIdentity.
I would suggest renaming all your claim types and transformations to alternativeSecurityId and making sure no UserIdentities appear in the policy.
<ClaimType Id="alternativeSecurityId">
  <DisplayName>userIdentity</DisplayName>
  <DataType>userIdentity</DataType>
  <AdminHelpText>userIdentity</AdminHelpText>
  <UserHelpText>userIdentity</UserHelpText>
</ClaimType>
<ClaimsTransformation Id="CreateUserIdentity" TransformationMethod="CreateAlternativeSecurityId">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="issuerUserId" TransformationClaimType="key" />
    <InputClaim ClaimTypeReferenceId="identityProvider" TransformationClaimType="identityProvider" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="alternativeSecurityId" TransformationClaimType="alternativeSecurityId" />
  </OutputClaims>
</ClaimsTransformation>
@xinaxu Adding that key worked for me. I added it to both the AAD-Common and AAD-UserReadUsingObjectId technical profiles. For whatever reason, I had ApiVersion instead of api-version as the key. This should be updated in the MSFT docs, and I could find the places where that is the case.
@seantleonard I see your confusion. We will update the samples.
@xinaxu Adding that key worked for me also. I replaced it everywhere I had ApiVersion with api-version. Thanks for the help provided.
Hi, as of today should we use userIdentities or alternativeSecurityIds?
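The two mistakes diagnosed above (a claim whose DataType is in the userIdentity family being passed to an AlternativeSecurityId transformation, and the metadata key spelled ApiVersion instead of api-version) can be caught before a policy upload. The following is an added example, not code from this repository or from Microsoft: a small linter over a TrustFrameworkPolicy XML document. It assumes the standard policy namespace and element names (ClaimType/DataType, ClaimsTransformation with InputClaim/OutputClaim, TechnicalProfile/Metadata/Item); the policy snippets it builds are constructed for the demonstration and are not the sample repository's files.

```python
"""Lint an Azure AD B2C custom policy for the UserIdentity / AlternativeSecurityId
mix-up and the ApiVersion vs api-version metadata key. Added example, not the
sample repository's code."""
import xml.etree.ElementTree as ET

# XML namespace of TrustFrameworkPolicy documents.
NS = {"tf": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}

# Each of these DataTypes belongs to one of the two families the thread contrasts.
FAMILY_BY_DATATYPE = {
    "userIdentity": "UserIdentity",
    "userIdentityCollection": "UserIdentity",
    "alternativeSecurityId": "AlternativeSecurityId",
    "alternativeSecurityIdCollection": "AlternativeSecurityId",
}


def family_of_method(method):
    # Classify a TransformationMethod by its name (e.g. CreateAlternativeSecurityId,
    # AddItemToUserIdentityCollection); None if it touches neither family.
    for family in ("AlternativeSecurityId", "UserIdentity"):
        if family in method:
            return family
    return None


def lint_policy(xml_text):
    """Return a list of findings (strings) for one policy document; empty means clean."""
    root = ET.fromstring(xml_text)
    findings = []

    # ClaimType Id -> family of its DataType, for the four data types we care about.
    claim_family = {}
    for claim in root.iterfind(".//tf:ClaimType", NS):
        data_type = claim.findtext("tf:DataType", default="", namespaces=NS)
        if data_type in FAMILY_BY_DATATYPE:
            claim_family[claim.get("Id")] = FAMILY_BY_DATATYPE[data_type]

    # 1. A transformation's input/output claims must belong to its method's family.
    for tr in root.iterfind(".//tf:ClaimsTransformation", NS):
        method = tr.get("TransformationMethod", "")
        expected = family_of_method(method)
        if expected is None:
            continue
        refs = [c.get("ClaimTypeReferenceId")
                for tag in ("InputClaim", "OutputClaim")
                for c in tr.iterfind(f".//tf:{tag}", NS)]
        for ref in refs:
            actual = claim_family.get(ref)
            if actual and actual != expected:
                findings.append(f"{tr.get('Id')}: {method} expects {expected} claims, "
                                f"but {ref} has a DataType from the {actual} family")

    # 2. The metadata key B2C reads is api-version; ApiVersion has no effect.
    items = list(root.iterfind(".//tf:Metadata/tf:Item", NS))
    for item in items:
        if item.get("Key") == "ApiVersion":
            findings.append("metadata key 'ApiVersion' found; the key is 'api-version'")

    # 3. UserIdentity data types are only served by AAD Graph api-version 1.6.
    uses_user_identity = "UserIdentity" in claim_family.values()
    has_1_6 = any(i.get("Key") == "api-version" and (i.text or "").strip() == "1.6"
                  for i in items)
    if uses_user_identity and not has_1_6:
        findings.append("userIdentity data types used but no technical profile sets "
                        "<Item Key=\"api-version\">1.6</Item>")
    return findings


def build_policy(data_type, api_key):
    """Constructed minimal policy (not a real sample file) with the two knobs under test."""
    return f"""<TrustFrameworkPolicy xmlns="{NS['tf']}">
  <BuildingBlocks>
    <ClaimsSchema>
      <ClaimType Id="issuerUserId"><DataType>string</DataType></ClaimType>
      <ClaimType Id="identityProvider"><DataType>string</DataType></ClaimType>
      <ClaimType Id="alternativeSecurityId"><DataType>{data_type}</DataType></ClaimType>
    </ClaimsSchema>
    <ClaimsTransformations>
      <ClaimsTransformation Id="CreateUserIdentity" TransformationMethod="CreateAlternativeSecurityId">
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="issuerUserId" TransformationClaimType="key" />
          <InputClaim ClaimTypeReferenceId="identityProvider" TransformationClaimType="identityProvider" />
        </InputClaims>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="alternativeSecurityId" TransformationClaimType="alternativeSecurityId" />
        </OutputClaims>
      </ClaimsTransformation>
    </ClaimsTransformations>
  </BuildingBlocks>
  <ClaimsProviders><ClaimsProvider><TechnicalProfiles>
    <TechnicalProfile Id="AAD-Common">
      <Metadata><Item Key="{api_key}">1.6</Item></Metadata>
    </TechnicalProfile>
  </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
</TrustFrameworkPolicy>"""


if __name__ == "__main__":
    # The mix from the thread: a userIdentity-typed claim fed to CreateAlternativeSecurityId,
    # plus the misspelled metadata key. Expect three findings.
    for finding in lint_policy(build_policy("userIdentity", "ApiVersion")):
        print("FINDING:", finding)
    # A consistent AlternativeSecurityId policy with api-version set: no findings.
    print("clean:", lint_policy(build_policy("alternativeSecurityId", "api-version")))
```

Run it against a real TrustFrameworkBase/Extensions file by passing the file contents to lint_policy; note that check 3 looks at every technical profile's metadata in the one document, so a profile that inherits api-version from AAD-Common via IncludeTechnicalProfile in another file will only pass if that file is linted too.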
It seems that the account linking example is now out of date. It refers to the `userIdentities` claim being of type `userIdentityCollection`, which it is now not. Instead, any reference to `UserIdentity` and `UserIdentityCollection` is now `AlternativeSecurityId` and `AlternativeSecurityIdCollection`. This change seems to be spread across a few different docs, i.e. how to link is in this repo, but how to use `alternativeSecurityId` with respect to linking and claim transformations is found elsewhere.
If I have time to change these samples and test them, which is unlikely, then I will. Otherwise, for those who need to know what to do, I'll outline the steps below.
I have had to refactor the account linking example to use the following, in all policies that reference them:
- `identityProvider` in place of `issuer`
- `alternativeSecurityId` in place of `userIdentity`
- `alternativeSecurityIdCollection` in place of `userIdentityCollection`
- `alternativeSecurityIds` in place of `userIdentities`
Also, the transformations that relate to modifying and creating `userIdentity` now need to refer to `alternativeSecurityId`, as follows: