
email claim not coming from federated OIDC ADB2C IDP

We are using B2C and have successfully connected an AD federation using OIDC; that all works fine. However, we want to enable an external B2C IdP instance to enable another federation. We configured our host B2C the same as the AD one, getting the email, first name and surname from the federation source.

Here's the technical profile to enable federation in our base.xml file:

<ClaimsProvider>
  <Domain>testdomain</Domain>
  <DisplayName>Login using External Tenant</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="TestDomain">
      <DisplayName>Test domain</DisplayName>
      <Description>Login with your test domain account</Description>
      <Protocol Name="OpenIdConnect"/>
      <Metadata>
        <Item Key="METADATA">Link to the federated tenant well known endpoint</Item>
        <Item Key="client_id">xxx</Item>
        <Item Key="response_types">code</Item>
        <Item Key="scope">openid email profile</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
        <Item Key="ClaimTypeOnWhichToEnable">identityProviders</Item>
        <Item Key="ClaimValueOnWhichToEnable">testdomain</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="testdomain"/>
      </CryptographicKeys>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="login_hint" />
      </InputClaims>
      <OutputClaims>
        <!-- Claims mapped from the federated IdP's token; PartnerClaimType is the token claim name -->
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub"/>
        <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
        <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
        <OutputClaim ClaimTypeReferenceId="objectIdExternalTenant" PartnerClaimType="sub" />
        <!-- No PartnerClaimType: the partner claim name defaults to "email" -->
        <OutputClaim ClaimTypeReferenceId="email" />
        <OutputClaim ClaimTypeReferenceId="federatedGivenName" PartnerClaimType="given_name" DefaultValue="Not Set"/>
        <OutputClaim ClaimTypeReferenceId="federatedSurname" PartnerClaimType="family_name" DefaultValue="Not Set"/>
        <OutputClaim ClaimTypeReferenceId="federatedDisplayName" PartnerClaimType="name" DefaultValue="Not Set"/>
        <OutputClaim ClaimTypeReferenceId="federatedIDPEmailAddress" PartnerClaimType="email" DefaultValue="Not Set"/>
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin"/>
      <EnabledForUserJourneys>OnItemExistenceInStringCollectionClaim</EnabledForUserJourneys>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

Here's the setup for the app registration on the federation IdP side. Note the settings saying you can only enable the openid and offline_access scopes.

See attached pictures fed1 fed2

When we log in through our home realm discovery page, it takes us to the federated IdP; we log in to that, but we cannot get the email claim back. given_name, family_name, name and sub are all there, but it doesn't populate the email claim. Any ideas why this claim won't come through?

Thanks in advance.
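A quick way to pin down a claim-mapping problem like this one is to compare the technical profile against a decoded id_token from the federated IdP. The script below is an added example, not code from the question or from Microsoft's B2C policy samples. It assumes only the documented B2C rules that an OutputClaim without PartnerClaimType maps to a partner claim with the same name as its ClaimTypeReferenceId, and that DefaultValue is used when the partner claim is absent; the trimmed profile and the token payload are constructed to mirror what the question reports (sub, given_name, family_name and name present, no email).

```python
"""Diagnose which B2C OutputClaims a federated OIDC token will actually fill.

Added example (not from the question or from Microsoft). Assumptions: an
<OutputClaim> without PartnerClaimType maps to a partner claim of the same
name; DefaultValue fills the claim when the partner claim is absent.
"""
import json
import xml.etree.ElementTree as ET

# Constructed technical profile, trimmed from the one in the question.
PROFILE_XML = """<TechnicalProfile Id="TestDomain">
  <Protocol Name="OpenIdConnect"/>
  <Metadata>
    <Item Key="scope">openid email profile</Item>
  </Metadata>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub"/>
    <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name"/>
    <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name"/>
    <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name"/>
    <OutputClaim ClaimTypeReferenceId="email"/>
    <OutputClaim ClaimTypeReferenceId="federatedIDPEmailAddress" PartnerClaimType="email" DefaultValue="Not Set"/>
  </OutputClaims>
</TechnicalProfile>"""

# Constructed decoded id_token payload matching what the question reports.
TOKEN_PAYLOAD = json.dumps({
    "iss": "https://example.invalid/tenant/v2.0/",
    "sub": "00000000-0000-0000-0000-000000000001",
    "given_name": "Test",
    "family_name": "User",
    "name": "Test User",
})

# OIDC Core section 5.4: which standard scope releases which claims.
SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}


def output_claim_map(profile_xml):
    """Return {b2c_claim: (partner_claim, default_value_or_None)}."""
    root = ET.fromstring(profile_xml)  # also fails loudly on truncated XML
    mapping = {}
    for oc in root.iter("OutputClaim"):
        b2c = oc.get("ClaimTypeReferenceId")
        partner = oc.get("PartnerClaimType") or b2c  # B2C default: same name
        mapping[b2c] = (partner, oc.get("DefaultValue"))
    return mapping


def requested_scopes(profile_xml):
    """Scopes the profile sends in the authorization request."""
    root = ET.fromstring(profile_xml)
    for item in root.iter("Item"):
        if item.get("Key") == "scope":
            return set(item.text.split())
    return set()


def diagnose(profile_xml, payload_json):
    """Classify each B2C output claim as filled / defaulted / missing."""
    claims = json.loads(payload_json)
    scopes = requested_scopes(profile_xml)
    result = {}
    for b2c, (partner, default) in output_claim_map(profile_xml).items():
        if partner in claims:
            result[b2c] = ("filled", claims[partner])
        elif default is not None:
            result[b2c] = ("defaulted", default)
        else:
            # Was the standard scope that releases this claim even requested?
            scope = next((s for s, c in SCOPE_CLAIMS.items() if partner in c), None)
            if scope is None:
                why = "not in token"
            elif scope in scopes:
                why = f"scope '{scope}' requested but IdP did not release '{partner}'"
            else:
                why = f"scope '{scope}' not requested"
            result[b2c] = ("missing", why)
    return result


if __name__ == "__main__":
    for claim, (state, detail) in diagnose(PROFILE_XML, TOKEN_PAYLOAD).items():
        print(f"{claim:28} {state:9} {detail}")
```

Run against the constructed inputs, `email` comes out as missing even though the `email` scope was requested, while `federatedIDPEmailAddress` silently takes its "Not Set" default; that distinction tells you whether to look at the requesting profile or at what the federated IdP is configured to release.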

Instead of "email", try "signInNames.emailAddress".

Search your TrustFrameworkBase.xml file for "signInNames.emailAddress" to confirm that it is there.

Here is a list of user attributes:

https://docs.microsoft.com/en-us/azure/active-directory-b2c/user-profile-attributes
