search

Azure-Samples / active-directory-b2c-custom-policy-starterpack

Azure AD B2C now allows uploading of a Custom Policy which allows full control and customization of the Identity Experience Framework
http://aka.ms/aadb2ccustom
MIT License
339 stars 395 forks source link

Fix validation errors during upload SignUpOrSignin policy from SocialAndLocalAccountsWithMfa folder #144

Open tanopaterno opened 1 year ago

tanopaterno commented 1 year ago

During the upload of SignUpOrSignin.xml policy file from the SocialAndLocalAccountWithMfa folder, show me this validation errors:

upload-custom-policy-validation-errors

This validation errors occurred because in the LocalAccountSignUpWithLogonEmail TechnicalProfile of TrustFrameworkBase.xml are missing the alternativeSecurityId and identityProvider OutputClaims.

In this case, update the LocalAccountSignUpWithLogonEmail TechnicalProfile into TrustFrameworkBase.xml policy file with the following code:

<TechnicalProfile Id="LocalAccountSignUpWithLogonEmail">
          <DisplayName>Email signup</DisplayName>
          <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
          <Metadata>
            <Item Key="IpAddressClaimReferenceId">IpAddress</Item>
            <Item Key="ContentDefinitionReferenceId">api.localaccountsignup</Item>
          </Metadata>
          <CryptographicKeys>
            <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
          </CryptographicKeys>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="email" />
          </InputClaims>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="objectId" />
            <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true" />
            <OutputClaim ClaimTypeReferenceId="newPassword" Required="true" />
            <OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true" />
            <OutputClaim ClaimTypeReferenceId="executed-SelfAsserted-Input" DefaultValue="true" />
            <OutputClaim ClaimTypeReferenceId="authenticationSource" />
            <OutputClaim ClaimTypeReferenceId="newUser" />

            <!-- Optional claims, to be collected from the user -->
            <OutputClaim ClaimTypeReferenceId="displayName" />
            <OutputClaim ClaimTypeReferenceId="givenName" />
            <OutputClaim ClaimTypeReferenceId="surName" />

            <!-- OutputClaims added for resolve the validation errors -->
            <OutputClaim ClaimTypeReferenceId="alternativeSecurityId" />
            <OutputClaim ClaimTypeReferenceId="identityProvider" />

          </OutputClaims>
          <ValidationTechnicalProfiles>
            <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingLogonEmail" />
          </ValidationTechnicalProfiles>
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
        </TechnicalProfile>

After you update the TrustFrameworkBase.xml policy file, upload this with 'Overwrite the custom policy if it already exists' option checked and the next upload of SignUpOrSignIn.xml policy file not show the validation errors.

nheath99 commented 1 year ago

It was also necessary for me to add the following in the ClaimsSchema section:

<ClaimType Id="alternativeSecurityId">
  <DisplayName>alternativeSecurityId</DisplayName>
  <DataType>string</DataType>
  <UserHelpText />
</ClaimType>