Not able to read ‘custom_attributes’ claim in Azure B2C for salesforce’s OpenId protocol


Salesforce is the IdP, using the OpenID Connect protocol in custom policies in Azure B2C. After successful authentication, I am able to read all other claims but not 'custom_attributes'.

When I tried to connect to Salesforce from a sample C# app, Salesforce correctly sent the custom attributes:

    "custom_attributes": {
        "customername": "ABC"
    },

So, in B2C custom policies, whenever I set 'custom_attributes' in OutputClaims, the login popup shows the message 'AADB2C: An exception has occurred.' I tried using an OutputClaimsTransformation as well, but still the same issue.

Can someone help me with how I can read the custom_attributes of Salesforce in custom policies of Azure B2C?

Technical Profile:

    <TechnicalProfile Id="Salesforce-OpenIdConnect">
      <DisplayName>Salesforce</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <Metadata>
        <Item Key="METADATA">openid config metadata path</Item>
        <Item Key="response_types">code</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="scope">openid id profile email</Item>
        <Item Key="issuer">issuer</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="UsePolicyInRedirectUri">0</Item>
        <!-- Update the Client ID below to the Application ID -->
        <Item Key="client_id">clientid</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_Secret" />
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="identityUrl" PartnerClaimType="aud" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
        <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
        <OutputClaim ClaimTypeReferenceId="custom_attributes" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="GetCustomerNameClaimFromJson" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
    </TechnicalProfile>

Claim Type:

    <ClaimType Id="custom_attributes">
      <DisplayName>custom_attributes</DisplayName>
      <DataType>string</DataType>
      <DefaultPartnerClaimTypes>
        <Protocol Name="OpenIdConnect" PartnerClaimType="custom_attributes" />
      </DefaultPartnerClaimTypes>
    </ClaimType>

Claim transformation:

<ClaimsTransformation Id="GetCustomerNameClaimFromJson" TransformationMethod="GetClaimFromJson">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="custom_attributes" TransformationClaimType="inputJson" />
      </InputClaims>
      <InputParameters>
        <InputParameter Id="claimToExtract" DataType="string" Value="customername" />
      </InputParameters>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="customername" TransformationClaimType="extractedClaim" />
      </OutputClaims>
</ClaimsTransformation>

User Journey:

    <UserJourney Id="CustomSignUpSignIn">
      <OrchestrationSteps>

        <!-- For social IDP authentication, attempt to find the user account in the directory. -->
        <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
          <ClaimsProviderSelections>
            <ClaimsProviderSelection TargetClaimsExchangeId="SalesforceExchange" />
          </ClaimsProviderSelections>
        </OrchestrationStep>

        <!-- Show self-asserted page only if the directory does not have the user account already (i.e. we do not have an objectId). -->
        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>objectId</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="SalesforceExchange" TechnicalProfileReferenceId="Salesforce-OpenIdConnect" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />

      </OrchestrationSteps>
      <ClientDefinition ReferenceId="DefaultWeb" />
    </UserJourney>

I am expecting that in the OutputClaims of my technical profile it should read the 'custom_attributes' claim from the OpenID response of Salesforce. I am able to read every other claim except this one. I am not sure if it is because it is in JSON format, and if so, there is no such data type in the ClaimTypes provided by Azure B2C. I have tested that this ClaimsTransformation method works perfectly by providing some default value in InputClaims.
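A diagnostic added here (not part of the question, and not Azure B2C or Salesforce code): it decodes a constructed id_token payload shaped like the one above, separates scalar claims (which map straight to a string ClaimType) from nested ones, and reimplements the GetClaimFromJson contract locally to show that its inputJson claim has to be a JSON string. The payload values, helper names and the classification rule are assumptions made for the example.

```python
import base64
import json

# Constructed sample id_token payload, NOT a real Salesforce token: it carries
# the flat claims the question maps plus the nested custom_attributes object.
SAMPLE_PAYLOAD = {
    "iss": "https://login.salesforce.com",
    "sub": "placeholder-salesforce-user-id",
    "aud": "placeholder-client-id",
    "given_name": "Jane",
    "family_name": "Doe",
    "name": "Jane Doe",
    "email": "jane.doe@example.com",
    "custom_attributes": {"customername": "ABC"},
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_unsigned_token(payload: dict) -> str:
    """Assemble header.payload.signature with an empty signature (test data only)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


def decode_payload(token: str) -> dict:
    """Read the payload segment only. No signature check here: B2C validates the
    token against the issuer metadata; this helper just inspects the claim shape."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def classify_claims(payload: dict) -> dict:
    """Scalar claims can be mapped by an OutputClaim; objects and arrays cannot,
    since B2C claim DataTypes (string, int, boolean, ...) have no JSON object type."""
    return {key: ("nested" if isinstance(value, (dict, list)) else "scalar")
            for key, value in payload.items()}


def get_claim_from_json(input_json: str, claim_to_extract: str) -> str:
    """Local stand-in for the GetClaimFromJson transformation's contract (assumed):
    the inputJson claim must already be a JSON string; one top-level property is returned."""
    return str(json.loads(input_json)[claim_to_extract])
```

Running classify_claims on the decoded payload flags only custom_attributes as nested, which is the one claim the technical profile fails on; get_claim_from_json succeeds when handed the serialized object as a string.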

