Monday, October 14, 2024

Azure AD B2C: Copy signInNames.emailAddress to email Claim in a Custom Policy

I had a requirement where, in an Azure AD B2C custom policy, a UserJourney contained an OrchestrationStep that invoked a REST endpoint, passing in the email claim (if it exists). While the REST endpoint was executed for AzureADSignUpOrSignIn, it wasn't being executed for LocalSignUpOrSignIn, so obviously email was missing from the claims bag. For LocalSignUpOrSignIn, however, the claims bag does have signInNames.emailAddress.

In this post, let's see how we can use a TechnicalProfile to copy the signInNames.emailAddress claim to the email claim.

The first step is creating a ClaimsTransformation.
<ClaimsTransformations>
  ...
  <ClaimsTransformation Id="CopySignInNamesEmailAddressToEmail" TransformationMethod="CopyClaim">
    <InputClaims>
      <InputClaim ClaimTypeReferenceId="signInNames.emailAddress" TransformationClaimType="inputClaim" />
    </InputClaims>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="email" TransformationClaimType="outputClaim" />
    </OutputClaims>
  </ClaimsTransformation>
</ClaimsTransformations>
Then create a TechnicalProfile that uses the ClaimsTransformation.
<ClaimsProviders>
  ...
  <ClaimsProvider>
    ...
    <TechnicalProfiles>
      ...
      <TechnicalProfile Id="Transform-SignInNamesEmailAddressToEmail">
        <DisplayName>Transform SignInNames.EmailAddress To Email</DisplayName>
        <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="email" />
        </OutputClaims>
        <OutputClaimsTransformations>
          <OutputClaimsTransformation ReferenceId="CopySignInNamesEmailAddressToEmail" />
        </OutputClaimsTransformations>
        <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
Then update the UserJourney by adding an OrchestrationStep.
<UserJourneys>
  ...
  <UserJourney Id="LocalSignUpOrSignIn">
    <OrchestrationSteps>
      ...
      <OrchestrationStep Order="6" Type="ClaimsExchange"> <!--only execute if email claim does not exist AND signInNames.emailAddress claim exists -->
        <Preconditions>
          <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
            <Value>email</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
          <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
            <Value>signInNames.emailAddress</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
        </Preconditions>
        <ClaimsExchanges>
          <ClaimsExchange Id="TransformSignInNamesEmailAddressToEmail" TechnicalProfileReferenceId="Transform-SignInNamesEmailAddressToEmail" />
        </ClaimsExchanges>
      </OrchestrationStep>
      ...
    </OrchestrationSteps>
  </UserJourney>
</UserJourneys>
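As an added example that is not part of the original post (and not any B2C tooling), the Python script below combines the three snippets above into one constructed, trimmed policy document, checks that every ReferenceId resolves to a definition, and evaluates the step-6 preconditions against sample claims bags so you can see exactly when the copy runs and when the step is skipped. The function names load_policy, dangling_references, find_step and step_runs are chosen here; the namespace stripping assumes real policy files carry the standard TrustFrameworkPolicy XML namespace, which the constructed document omits.

```python
# Added example (not the post author's code): static checks for the policy
# wiring above. The post's three snippets are combined under one root and
# trimmed (DisplayName, Protocol and session-management elements dropped) so
# the script runs offline. Real policy files carry the TrustFrameworkPolicy
# XML namespace, which load_policy() strips before matching tags by name.
import xml.etree.ElementTree as ET

POLICY_XML = """<TrustFrameworkPolicy>
  <ClaimsTransformations>
    <ClaimsTransformation Id="CopySignInNamesEmailAddressToEmail" TransformationMethod="CopyClaim">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="signInNames.emailAddress" TransformationClaimType="inputClaim" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="email" TransformationClaimType="outputClaim" />
      </OutputClaims>
    </ClaimsTransformation>
  </ClaimsTransformations>
  <ClaimsProviders>
    <ClaimsProvider>
      <TechnicalProfiles>
        <TechnicalProfile Id="Transform-SignInNamesEmailAddressToEmail">
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="email" />
          </OutputClaims>
          <OutputClaimsTransformations>
            <OutputClaimsTransformation ReferenceId="CopySignInNamesEmailAddressToEmail" />
          </OutputClaimsTransformations>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
  <UserJourneys>
    <UserJourney Id="LocalSignUpOrSignIn">
      <OrchestrationSteps>
        <OrchestrationStep Order="6" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>email</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
              <Value>signInNames.emailAddress</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="TransformSignInNamesEmailAddressToEmail" TechnicalProfileReferenceId="Transform-SignInNamesEmailAddressToEmail" />
          </ClaimsExchanges>
        </OrchestrationStep>
      </OrchestrationSteps>
    </UserJourney>
  </UserJourneys>
</TrustFrameworkPolicy>"""


def load_policy(xml_text):
    """Parse a policy and drop namespaces so tags match by local name."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]
    return root

def dangling_references(root):
    """Return (kind, id) pairs for ReferenceIds that point at no definition."""
    transformation_ids = {e.get("Id") for e in root.iter("ClaimsTransformation")}
    profile_ids = {e.get("Id") for e in root.iter("TechnicalProfile")}
    missing = []
    for ref in root.iter("OutputClaimsTransformation"):
        if ref.get("ReferenceId") not in transformation_ids:
            missing.append(("ClaimsTransformation", ref.get("ReferenceId")))
    for ex in root.iter("ClaimsExchange"):
        if ex.get("TechnicalProfileReferenceId") not in profile_ids:
            missing.append(("TechnicalProfile", ex.get("TechnicalProfileReferenceId")))
    return missing

def find_step(root, journey_id, order):
    """Locate an OrchestrationStep by UserJourney Id and Order attribute."""
    for journey in root.iter("UserJourney"):
        if journey.get("Id") == journey_id:
            for step in journey.iter("OrchestrationStep"):
                if step.get("Order") == str(order):
                    return step
    raise KeyError(f"no step {order} in journey {journey_id}")

def step_runs(step, claims_bag):
    """Evaluate ClaimsExist preconditions: a precondition fires when
    (claim exists) == ExecuteActionsIf, and a firing SkipThisOrchestrationStep
    means the step's ClaimsExchange is not run."""
    for pre in step.iter("Precondition"):
        if pre.get("Type") != "ClaimsExist":
            raise ValueError(f"unsupported precondition type {pre.get('Type')}")
        exists = all(v.text in claims_bag for v in pre.findall("Value"))
        fires = exists == (pre.get("ExecuteActionsIf") == "true")
        if fires and pre.findtext("Action") == "SkipThisOrchestrationStep":
            return False
    return True
```

Running step_runs over the four combinations of the two claims shows the step executes only when signInNames.emailAddress is present and email is absent, which is the behaviour the comment on the OrchestrationStep describes; dangling_references is the check to run before uploading a policy where a ReferenceId has been hand-edited.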
Hope this helps.

Happy Coding.

Regards,
Jaliya
