MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

SignUpOrSignIn Custom Policy Error #12948

Closed aherrick closed 6 years ago

aherrick commented 6 years ago

I've followed the Guide here:

https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-get-started-custom#

I've ripped out the "Facebook" references as I don't need Social. Was also seeing this issue before removing Facebook references: https://github.com/MicrosoftDocs/azure-docs/issues/7581

When trying to upload SignUpOrSignin.xml I receive the following error:

Unable to upload policy. Reason : Validation failed: 3 validation error(s) found in policy "B2C_1A_SIGNUP_SIGNIN" of tenant "mytenant.onmicrosoft.com".

Claim type "alternativeSecurityId" is the input claim of technical profile "AAD-UserReadUsingAlternativeSecurityId-NoError" in step "3" of user journey "SignUpOrSignIn" but it is not an output claim in any of the previous steps.

Claim type "alternativeSecurityId" is the input claim of technical profile "AAD-UserWriteUsingAlternativeSecurityId" in step "6" of user journey "SignUpOrSignIn" but it is not an output claim in any of the previous steps.

Claim type "identityProvider" is the output claim of the relying party's technical profile, but it is not an output claim in any of the steps of user journey "SignUpOrSignIn".


SaurabhSharma-MSFT commented 6 years ago

@aherrick Thanks for your feedback! We will investigate and update as appropriate.

MarileeTurscak-MSFT commented 6 years ago

@aherrick, can you please post what you included in your xml?

aherrick commented 6 years ago

@MarileeTurscak-MSFT which XMLs are you looking for? As there are multiple uploaded.

MarileeTurscak-MSFT commented 6 years ago

SignUpOrSignin.xml. Do you have multiple?

aherrick commented 6 years ago

It's the same one from the base policy GH from the guide. See below:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TrustFrameworkPolicy
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0"
  TenantId="mytenant.onmicrosoft.com"
  PolicyId="B2C_1A_signup_signin"
  PublicPolicyUri="http://mytenant.onmicrosoft.com/B2C_1A_signup_signin">

  <BasePolicy>
    <TenantId>mytenant.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
  </BasePolicy>

  <RelyingParty>
    <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="givenName" />
        <OutputClaim ClaimTypeReferenceId="surname" />
        <OutputClaim ClaimTypeReferenceId="email" />
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
        <OutputClaim ClaimTypeReferenceId="identityProvider" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>

MarileeTurscak-MSFT commented 6 years ago

This sort of troubleshooting question is more suited for the MSDN forums. Please open a question here: https://social.msdn.microsoft.com/Forums/azure/en-US/home?forum=windowsazuread

aherrick commented 6 years ago

Just a heads up I was able to get past this error by keeping the files exactly the same including the Facebook policy.

Thundercatz commented 5 years ago

> Just a heads up I was able to get past this error by keeping the files exactly the same including the Facebook policy.

Is it possible that you could elaborate a bit more?

As I saw you were having problems with the "does not have CryptographicKey referenced by storageReferenceId "B2C_1A_FacebookSecret"" problem on the other thread.

Did you keep that too? Because for me, when I upload the custom policy base file it returns that error.

So you didn't remove anything from the extensions file, the signInAndSignup, but did you remove all references to Facebook on the base policy?

Hope I made my problem clear.

krob527 commented 4 years ago

I was having the same issue, but I was intentionally removing the Facebook ClaimsProvider and wanting to add SAML providers. I ended up having to replace the User Journey section of Base.xml from SocialAndLocal with the same section from LocalAccounts. I also had to remove the ValidationTechnicalProfiles from the same file.

Calvin-Yuhui-Liu commented 4 years ago

> I was having the same issue, but I was intentionally removing the Facebook ClaimsProvider and wanting to add SAML providers. I ended up having to replace the User Journey section of Base.xml from SocialAndLocal with the same section from LocalAccounts. I also had to remove the ValidationTechnicalProfiles from the same file.

I have the same issue and didn't figure out a way to fix it -- the default TrustFrameworkBase.xml in the LocalAccounts folder has an empty UserJourneys section, so where did you get the "same section from LocalAccounts"? Would you please clarify it? Thank you.

shaima-MS commented 4 years ago

I have resolved this by adding to the AAD-UserReadUsingObjectId technical profile in the base policy. ;) Good luck

krob527 commented 4 years ago

@Calvin-Yuhui-Liu when you download the samples there are different folders, one is named "Local Accounts" with sample files that can be used.

avolcoff commented 3 years ago

I solved a similar issue by adding a DefaultValue attribute to a new custom attribute that I added e.g. <OutputClaim ClaimTypeReferenceId="role" DefaultValue="" />

rf-0 commented 2 years ago

@krob527 is right. If you're also using social accounts, then they must output the claim (or any custom claim defined in the local signup).

likymm commented 5 days ago

Is there any update with this issue?
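
The rule stated in the validation errors of the opening post (each input claim of a step's technical profile, and each relying-party output claim, must be an output claim of an earlier step) can be checked locally before upload. This is an added example, not code from the thread or from Azure AD B2C: it approximates that rule over an already-merged policy, ignoring base-policy inheritance, `IncludeTechnicalProfile` and preconditions, and `SAMPLE`, `check_claim_flow` and the helper names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"p": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}
# Constructed sample: a policy reduced to the elements the check reads.
SAMPLE = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
 <ClaimsProviders><ClaimsProvider><TechnicalProfiles>
  <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email"><OutputClaims>
   <OutputClaim ClaimTypeReferenceId="objectId"/></OutputClaims></TechnicalProfile>
  <TechnicalProfile Id="AAD-UserReadUsingAlternativeSecurityId-NoError"><InputClaims>
   <InputClaim ClaimTypeReferenceId="alternativeSecurityId"/></InputClaims></TechnicalProfile>
 </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
 <UserJourneys><UserJourney Id="SignUpOrSignIn"><OrchestrationSteps>
  <OrchestrationStep Order="1" Type="ClaimsExchange"><ClaimsExchanges>
   <ClaimsExchange Id="LocalSignIn" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email"/>
  </ClaimsExchanges></OrchestrationStep>
  <OrchestrationStep Order="3" Type="ClaimsExchange"><ClaimsExchanges>
   <ClaimsExchange Id="ReadSocial" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError"/>
  </ClaimsExchanges></OrchestrationStep>
 </OrchestrationSteps></UserJourney></UserJourneys>
 <RelyingParty><TechnicalProfile Id="PolicyProfile"><OutputClaims>
  <OutputClaim ClaimTypeReferenceId="objectId"/>
  <OutputClaim ClaimTypeReferenceId="identityProvider"/>
 </OutputClaims></TechnicalProfile></RelyingParty>
</TrustFrameworkPolicy>"""

def claim_elems(profile, kind):  # kind is "InputClaim" or "OutputClaim"
    return profile.findall(f"p:{kind}s/p:{kind}", NS)

def unmet(elems, available):  # a DefaultValue counts as satisfying the claim (assumption)
    return [c.get("ClaimTypeReferenceId") for c in elems
            if c.get("ClaimTypeReferenceId") not in available and c.get("DefaultValue") is None]

def check_claim_flow(policy_xml, journey_id):
    root = ET.fromstring(policy_xml)
    profiles = {tp.get("Id"): tp for tp in root.iterfind(".//p:ClaimsProvider//p:TechnicalProfile", NS)}
    steps = root.findall(f".//p:UserJourney[@Id='{journey_id}']//p:OrchestrationStep", NS)
    available, errors = set(), []
    for step in sorted(steps, key=lambda s: int(s.get("Order"))):
        produced = set()
        for ex in step.iterfind(".//p:ClaimsExchange", NS):
            tp = profiles[ex.get("TechnicalProfileReferenceId")]
            errors += [f"step {step.get('Order')}: {tp.get('Id')} needs input claim {n}"
                       for n in unmet(claim_elems(tp, "InputClaim"), available)]
            produced |= {c.get("ClaimTypeReferenceId") for c in claim_elems(tp, "OutputClaim")}
        available |= produced  # a step's outputs are usable only from the next step on
    rp = root.find("p:RelyingParty/p:TechnicalProfile", NS)
    errors += [f"relying party: output claim {n} is not produced by any step"
               for n in unmet(claim_elems(rp, "OutputClaim"), available)]
    return errors
```

On `SAMPLE` the check reports the step 3 input claim and the relying party's `identityProvider` claim; giving that `OutputClaim` a `DefaultValue=""`, as in avolcoff's comment, clears the second finding.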