3

I would like the policyId to be included in the claims that are returned when my Customized SignUpSignIn policy is executed.

I think this should be in claim Id tfp.

There is an article on how to do this.

In the section "Setting claim representing policy ID" it says to include the key AuthenticationContextReferenceClaimPattern in the "Token Issuer" ClaimsProvider override.

<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Token Issuer</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="JwtIssuer">
        <Metadata>
          .....
          <Item Key="AuthenticationContextReferenceClaimPattern">None</Item>
        </Metadata>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>

And then you have to add the trustFrameworkPolicy in your outputClaims. I think like this:

<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="displayName" />
      <OutputClaim ClaimTypeReferenceId="givenName" />
      <OutputClaim ClaimTypeReferenceId="surname" />
      ......
      <OutputClaim ClaimTypeReferenceId="trustFrameworkPolicy" Required="true" DefaultValue="{policy}" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>

But when I upload this Custom Policy file an error is displayed:

"Policy "B2C_1A_xxxx" of tenant "yyyyy.onmicrosoft.com" makes a reference to ClaimType with id "trustframeworkPolicy" but neither the policy nor any of its base policies contain such an element."

Meaning it can't find the ClaimTypeReferenceId: "trustFrameworkPolicy".

Do I have to add a claim definition for the ClaimType "trustframeworkPolicy" in the ClaimsSchema?

If so, what's it like?

spottedmahn
Rikkert

2 Answers

4

Add the following ClaimType to TrustFrameworkExtensions.xml:

<ClaimType Id="trustFrameworkPolicy">
    <DisplayName>Trust Framework Policy</DisplayName>
    <DataType>string</DataType>
    <DefaultPartnerClaimTypes>
        <Protocol Name="OAuth2" PartnerClaimType="tfp" />
        <Protocol Name="OpenIdConnect" PartnerClaimType="tfp" />
    </DefaultPartnerClaimTypes>
</ClaimType>

Note: ClaimType should be a child node of <ClaimsSchema><BuildingBlocks>

spottedmahn
  • This was the correct answer! To include the PolicyName in the "tfp" claim I had to do the actions in my Question and add the claimType like @spottedmahn showed me. – Rikkert Oct 14 '17 at 12:35
  • [GitHub Issue](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/issues/11) to get that `ClaimType` added to the starter pack. – spottedmahn Oct 16 '17 at 12:40
  • Thank you so much! – Granville Schmidt May 18 '18 at 15:03
  • I have done the steps that are specified here. But I keep getting "{policy}" as the tfp value... Is there a fix for this? – Lahib Jun 30 '21 at 07:17
1

The PolicyId is in the ACR claim when using the Starter Pack

(screenshot: jwt token with acr tag)

spottedmahn
  • @Rikkert Check out this other answer for further details: https://stackoverflow.com/questions/46688455/in-azure-ad-b2c-should-the-acr-or-tfp-claim-have-the-policy-name/46697200#46697200 – Pytry Oct 11 '17 at 20:47
  • @Pytry This is only configurable when using the regular B2C_1_SiUpIn Policy. You don't have a "Token, session & SSO config" screen when using Custom Policies. You have to configure it with xml files. – Rikkert Oct 11 '17 at 21:19
  • @spottedmahn I don't see the 'acr' claim. I only see a claim "http://schemas.microsoft.com/claims/authnclassreference". Its value is the (correct) policy name. But I want to put the policy name in an outputclaim. And I can't write ClaimTypeReferenceId="http://schemas.microsoft.com/claims/authnclassreference" because then I get the "ClaimType not found" error when uploading the xml file. – Rikkert Oct 11 '17 at 21:57