
Azure B2C SAML Email Claim

I have successfully set up Azure B2C using the local account starter packs, using B2C as the IDP; we've integrated with a partner and can access their application. How do we go about passing the local IDP accounts' 'email' attribute to the partner as a claim? They're getting first name, last name and display name without issue, but are not receiving the email claim.

Similar issue to this: Azure B2C SAML Custom Policy Assert Email

I've inserted this into the BaseFramework

<ClaimType Id="email">
  <DisplayName>Email Address</DisplayName>
  <DataType>string</DataType>
  <DefaultPartnerClaimTypes>
    <Protocol Name="OAuth2" PartnerClaimType="email" />
    <Protocol Name="OpenIdConnect" PartnerClaimType="email" />
    <Protocol Name="SAML2" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email" />
  </DefaultPartnerClaimTypes>
  ...
</ClaimType>

And this Technical Profile

<TechnicalProfile Id="AAD-UserReadUsingObjectId">
  <Metadata>
    <Item Key="Operation">Read</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
  </InputClaims>
  <OutputClaims>
    <!-- Optional claims -->
    <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" />
    <OutputClaim ClaimTypeReferenceId="displayName" />
    <OutputClaim ClaimTypeReferenceId="otherMails" />
    <OutputClaim ClaimTypeReferenceId="givenName" />
    <OutputClaim ClaimTypeReferenceId="surname" />
  </OutputClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>

and then this in the SAML flow:

<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignInWithCA" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="SAML2" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="displayName" />
      <OutputClaim ClaimTypeReferenceId="givenName" />
      <OutputClaim ClaimTypeReferenceId="surname" />
      <OutputClaim ClaimTypeReferenceId="email" DefaultValue="" />
      <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="" />
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="objectId" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="objectId" ExcludeAsClaim="true" />
  </TechnicalProfile>
</RelyingParty>

But it's still not working.

As above, modified as per the documentation.

You didn't need to make any of these changes, except that in the third snippet you needed to put this:

<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email" />

This takes the signInNames.emailAddress and issues it as “email” into the token.

Currently you define a claim called email, read a claim called signInNames.emailAddress, and then try to issue a claim called email into the token, which will be null.
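To confirm the fix from the relying party's side, here is an added Python check (not from the question or the answer, and not part of any B2C tooling) that parses a decoded SAML response and reports which expected attributes are missing or empty; both sample responses are constructed, the second one modelling the "email issued as null" outcome described above.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: what the partner should receive once
# signInNames.emailAddress is issued with PartnerClaimType="email".
# Signature and conditions are omitted; this is a claim check, not validation.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>00000000-0000-0000-0000-000000000000</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="displayName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the original policy issues an "email" claim that was
# never populated, so the attribute is present but carries no value.
BROKEN_RESPONSE = GOOD_RESPONSE.replace(
    "<saml:AttributeValue>jane@example.com</saml:AttributeValue>",
    "<saml:AttributeValue></saml:AttributeValue>")


def extract_attributes(response_xml):
    """Return {attribute name: [values]} from every AttributeStatement."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def missing_claims(attrs, required):
    """Names in `required` that are absent or carry only empty values."""
    return [n for n in required if not any(v.strip() for v in attrs.get(n, []))]


if __name__ == "__main__":
    required = ["displayName", "givenName", "surname", "email"]
    for label, xml in (("fixed", GOOD_RESPONSE), ("original", BROKEN_RESPONSE)):
        print(label, "missing:", missing_claims(extract_attributes(xml), required))
```

Paste the base64-decoded SAMLResponse from the partner's login into `extract_attributes` to see exactly which attribute names and values B2C issued.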
