Created
April 27, 2021 01:51
-
-
Save rbrayb/a1472ee0d3269a620a94f9c737687383 to your computer and use it in GitHub Desktop.
Implementing security questions and answers on Azure AD B2C
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8" standalone="yes"?> | |
| <TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0" TenantId="tenant.onmicrosoft.com" PolicyId="B2C_1A_Username_SecurityQuestions_PasswordReset" PublicPolicyUri="http://tenant.onmicrosoft.com/B2C_1A_Username_SecurityQuestions_PasswordReset"> | |
| <BasePolicy> | |
| <TenantId>tenant.onmicrosoft.com</TenantId> | |
| <PolicyId>B2C_1A_Username_TrustFrameworkExtensions</PolicyId> | |
| </BasePolicy> | |
| <BuildingBlocks> | |
| <ClaimsSchema> | |
| <ClaimType Id="extension_secqa_q1"> | |
| <DisplayName>Question 1</DisplayName> | |
| <DataType>string</DataType> | |
| <UserHelpText/> | |
| <UserInputType>TextBox</UserInputType> | |
| </ClaimType> | |
| <ClaimType Id="extension_secqa_q2"> | |
| <DisplayName>Question 2</DisplayName> | |
| <DataType>string</DataType> | |
| <UserHelpText/> | |
| <UserInputType>TextBox</UserInputType> | |
| </ClaimType> | |
| <ClaimType Id="extension_secqa_q3"> | |
| <DisplayName>Question 3</DisplayName> | |
| <DataType>string</DataType> | |
| <UserHelpText/> | |
| <UserInputType>TextBox</UserInputType> | |
| </ClaimType> | |
| <ClaimType Id="extension_secqa_a1"> | |
| <DisplayName>Answer 1</DisplayName> | |
| <DataType>string</DataType> | |
| <UserHelpText/> | |
| <UserInputType>TextBox</UserInputType> | |
| </ClaimType> | |
| <ClaimType Id="extension_secqa_a2"> | |
| <DisplayName>Answer 2</DisplayName> | |
| <DataType>string</DataType> | |
| <UserHelpText/> | |
| <UserInputType>TextBox</UserInputType> | |
| </ClaimType> | |
| <ClaimType Id="extension_secqa_a3"> | |
| <DisplayName>Answer 3</DisplayName> | |
| <DataType>string</DataType> | |
| <UserHelpText/> | |
| <UserInputType>TextBox</UserInputType> | |
| </ClaimType> | |
| <ClaimType Id="randomNumber"> | |
| <DisplayName>Random number</DisplayName> | |
| <DataType>string</DataType> | |
| </ClaimType> | |
| </ClaimsSchema> | |
| <ClaimsTransformations> | |
| <ClaimsTransformation Id="SetRandomNumber" TransformationMethod="CreateRandomString"> | |
| <InputParameters> | |
| <InputParameter Id="randomGeneratorType" DataType="string" Value="INTEGER"/> | |
| <InputParameter Id="maximumNumber" DataType="int" Value="3"/> | |
| <InputParameter Id="stringFormat" DataType="string" Value="{0}"/> | |
| <InputParameter Id="base64" DataType="boolean" Value="false"/> | |
| </InputParameters> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="randomNumber" TransformationClaimType="outputClaim"/> | |
| </OutputClaims> | |
| </ClaimsTransformation> | |
| </ClaimsTransformations> | |
| </BuildingBlocks> | |
| <ClaimsProviders> | |
| <ClaimsProvider> | |
| <DisplayName>Self Asserted User</DisplayName> | |
| <TechnicalProfiles> | |
| <TechnicalProfile Id="SelfAsserted-User-Secret-QA"> | |
| <DisplayName>Get user name</DisplayName> | |
| <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/> | |
| <Metadata> | |
| <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item> | |
| </Metadata> | |
| <PersistedClaims> | |
| <PersistedClaim ClaimTypeReferenceId="randomNumber" /> | |
| </PersistedClaims> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.userName" Required="true"/> | |
| </OutputClaims> | |
| <OutputClaimsTransformations> | |
| <OutputClaimsTransformation ReferenceId="SetRandomNumber"/> | |
| </OutputClaimsTransformations> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="AAD-UserReadUsingUserName"> | |
| <Metadata> | |
| <Item Key="Operation">Read</Item> | |
| <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item> | |
| </Metadata> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.userName" Required="true"/> | |
| </InputClaims> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="objectId"/> | |
| <OutputClaim ClaimTypeReferenceId="accountEnabled"/> | |
| <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication"/> | |
| </OutputClaims> | |
| <IncludeTechnicalProfile ReferenceId="AAD-Common"/> | |
| </TechnicalProfile> | |
| </TechnicalProfiles> | |
| </ClaimsProvider> | |
| <ClaimsProvider> | |
| <DisplayName>Self Asserted QA</DisplayName> | |
| <TechnicalProfiles> | |
| <TechnicalProfile Id="SelfAsserted-Secret-QA-1"> | |
| <DisplayName>Allow user to answer security questions</DisplayName> | |
| <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/> | |
| <Metadata> | |
| <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item> | |
| </Metadata> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="signInName"/> | |
| <InputClaim ClaimTypeReferenceId="extension_secqa_q1" DefaultValue="First Name?"/> | |
| </InputClaims> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.userName" Required="true"/> | |
| <OutputClaim ClaimTypeReferenceId="extension_secqa_q1" Required="true"/> | |
| <OutputClaim ClaimTypeReferenceId="extension_secqa_a1" Required="true"/> | |
| </OutputClaims> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="SelfAsserted-Secret-QA-2"> | |
| <DisplayName>Allow user to answer security questions</DisplayName> | |
| <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/> | |
| <Metadata> | |
| <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item> | |
| </Metadata> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="signInName"/> | |
| <InputClaim ClaimTypeReferenceId="extension_secqa_q2" DefaultValue="Surname?"/> | |
| </InputClaims> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.userName" Required="true"/> | |
| <OutputClaim ClaimTypeReferenceId="extension_secqa_q2" Required="true"/> | |
| <OutputClaim ClaimTypeReferenceId="extension_secqa_a2" Required="true"/> | |
| </OutputClaims> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="SelfAsserted-Secret-QA-3"> | |
| <DisplayName>Allow user to answer security questions</DisplayName> | |
| <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/> | |
| <Metadata> | |
| <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item> | |
| </Metadata> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="signInName"/> | |
| <InputClaim ClaimTypeReferenceId="extension_secqa_q3" DefaultValue="Nickname?"/> | |
| </InputClaims> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.userName" Required="true"/> | |
| <OutputClaim ClaimTypeReferenceId="extension_secqa_q3" Required="true"/> | |
| <OutputClaim ClaimTypeReferenceId="extension_secqa_a3" Required="true"/> | |
| </OutputClaims> | |
| </TechnicalProfile> | |
| </TechnicalProfiles> | |
| </ClaimsProvider> | |
| </ClaimsProviders> | |
| <UserJourneys> | |
| <UserJourney Id="PasswordReset_SecQA"> | |
| <OrchestrationSteps> | |
| <OrchestrationStep Order="1" Type="ClaimsExchange"> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="GetUser" TechnicalProfileReferenceId="SelfAsserted-User-Secret-QA"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="2" Type="ClaimsExchange"> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="ReadUser" TechnicalProfileReferenceId="AAD-UserReadUsingUserName"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="3" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="false"> | |
| <Value>randomNumber</Value> | |
| <Value>0</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="ValidateQA-1" TechnicalProfileReferenceId="SelfAsserted-Secret-QA-1"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="4" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="false"> | |
| <Value>randomNumber</Value> | |
| <Value>1</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="ValidateQA-2" TechnicalProfileReferenceId="SelfAsserted-Secret-QA-2"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="5" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="false"> | |
| <Value>randomNumber</Value> | |
| <Value>2</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="ValidateQA-3" TechnicalProfileReferenceId="SelfAsserted-Secret-QA-3"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="6" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="false"> | |
| <Value>randomNumber</Value> | |
| <Value>0</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="false"> | |
| <Value>extension_secqa_a1</Value> | |
| <Value>Tom</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="NewCredentials-1" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="7" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="false"> | |
| <Value>randomNumber</Value> | |
| <Value>1</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="false"> | |
| <Value>extension_secqa_a2</Value> | |
| <Value>Jones</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="NewCredentials-2" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="8" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="false"> | |
| <Value>randomNumber</Value> | |
| <Value>2</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| <Precondition Type="ClaimEquals" ExecuteActionsIf="false"> | |
| <Value>extension_secqa_a3</Value> | |
| <Value>Tommy</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="NewCredentials-3" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="9" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/> | |
| </OrchestrationSteps> | |
| <ClientDefinition ReferenceId="DefaultWeb"/> | |
| </UserJourney> | |
| </UserJourneys> | |
| <RelyingParty> | |
| <DefaultUserJourney ReferenceId="PasswordReset_SecQA"/> | |
| <TechnicalProfile Id="PolicyProfile"> | |
| <DisplayName>PolicyProfile</DisplayName> | |
| <Protocol Name="OpenIdConnect"/> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="randomNumber" /> | |
| <OutputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="sub"/> | |
| <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}"/> | |
| </OutputClaims> | |
| <SubjectNamingInfo ClaimType="sub"/> | |
| </TechnicalProfile> | |
| </RelyingParty> | |
| </TrustFrameworkPolicy> |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8" standalone="yes"?> | |
| <TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
| xmlns:xsd="http://www.w3.org/2001/XMLSchema" | |
| xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" | |
| PolicySchemaVersion="0.3.0.0" | |
| TenantId="tenant.onmicrosoft.com" | |
| PolicyId="B2C_1A_Username_SUSI" | |
| PublicPolicyUri="http://tenant.onmicrosoft.com/B2C_1A_Username_SUSI"> | |
| <BasePolicy> | |
| <TenantId>tenant.onmicrosoft.com</TenantId> | |
| <PolicyId>B2C_1A_Username_TrustFrameworkExtensions</PolicyId> | |
| </BasePolicy> | |
| <RelyingParty> | |
| <DefaultUserJourney ReferenceId="SignUpOrSignInWithUsername" /> | |
| <TechnicalProfile Id="PolicyProfile"> | |
| <DisplayName>PolicyProfile</DisplayName> | |
| <Protocol Name="OpenIdConnect" /> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="displayName" /> | |
| <OutputClaim ClaimTypeReferenceId="givenName" /> | |
| <OutputClaim ClaimTypeReferenceId="surname" /> | |
| <OutputClaim ClaimTypeReferenceId="email" /> | |
| <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/> | |
| <OutputClaim ClaimTypeReferenceId="signinname" /> | |
| </OutputClaims> | |
| <SubjectNamingInfo ClaimType="sub" /> | |
| </TechnicalProfile> | |
| </RelyingParty> | |
| </TrustFrameworkPolicy> |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
| xmlns:xsd="http://www.w3.org/2001/XMLSchema" | |
| xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0" TenantId="tenant.onmicrosoft.com" PolicyId="B2C_1A_Username_TrustFrameworkExtensions" PublicPolicyUri="http://tenant.onmicrosoft.com/B2C_1A_Username_TrustFrameworkExtensions"> | |
| <BasePolicy> | |
| <TenantId>tenant.onmicrosoft.com</TenantId> | |
| <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId> | |
| </BasePolicy> | |
| <BuildingBlocks> | |
| <ClaimsSchema> | |
| <ClaimType Id="emails"> | |
| <DisplayName>Email Addresses</DisplayName> | |
| <DataType>stringCollection</DataType> | |
| <AdminHelpText>Email addresses of the user.</AdminHelpText> | |
| <UserHelpText>Your email addresses.</UserHelpText> | |
| </ClaimType> | |
| <ClaimType Id="strongAuthenticationEmailAddress"> | |
| <DisplayName>Email Address</DisplayName> | |
| <DataType>string</DataType> | |
| <AdminHelpText>Email address that the user can use for strong authentication.</AdminHelpText> | |
| <UserHelpText>Email address to use for strong authentication.</UserHelpText> | |
| <UserInputType>TextBox</UserInputType> | |
| </ClaimType> | |
| <ClaimType Id="accountEnabled"> | |
| <DisplayName>Account Enabled</DisplayName> | |
| <DataType>boolean</DataType> | |
| <AdminHelpText>Specifies whether the user's account is enabled.</AdminHelpText> | |
| <UserHelpText>Specifies whether your account is enabled.</UserHelpText> | |
| </ClaimType> | |
| <ClaimType Id="signInNamesInfo.emailAddress"> | |
| <DisplayName>Email Address</DisplayName> | |
| <DataType>string</DataType> | |
| <AdminHelpText>Email address that the user can use to sign in.</AdminHelpText> | |
| <UserHelpText>Email address to use for signing in.</UserHelpText> | |
| <UserInputType>TextBox</UserInputType> | |
| </ClaimType> | |
| </ClaimsSchema> | |
| <ClaimsTransformations> | |
| <ClaimsTransformation Id="CreateSubjectClaimFromObjectID" TransformationMethod="CreateStringClaim"> | |
| <InputParameters> | |
| <InputParameter Id="value" DataType="string" Value="Not supported currently. Use oid claim."/> | |
| </InputParameters> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="sub" TransformationClaimType="createdClaim"/> | |
| </OutputClaims> | |
| </ClaimsTransformation> | |
| <ClaimsTransformation Id="CreateEmailsFromOtherMailsAndSignInNamesInfo" TransformationMethod="AddItemToStringCollection"> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="signInNamesInfo.emailAddress" TransformationClaimType="item"/> | |
| <InputClaim ClaimTypeReferenceId="otherMails" TransformationClaimType="collection"/> | |
| </InputClaims> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="emails" TransformationClaimType="collection"/> | |
| </OutputClaims> | |
| </ClaimsTransformation> | |
| <ClaimsTransformation Id="AddStrongAuthenticationEmailToEmails" TransformationMethod="AddItemToStringCollection"> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress" TransformationClaimType="item"/> | |
| <InputClaim ClaimTypeReferenceId="emails" TransformationClaimType="collection"/> | |
| </InputClaims> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="emails" TransformationClaimType="collection"/> | |
| </OutputClaims> | |
| </ClaimsTransformation> | |
| <ClaimsTransformation Id="AssertEmailAndstrongAuthenticationEmailAddressAreEqual" TransformationMethod="AssertStringClaimsAreEqual"> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="email" TransformationClaimType="inputClaim1"/> | |
| <InputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress" TransformationClaimType="inputClaim2"/> | |
| </InputClaims> | |
| <InputParameters> | |
| <InputParameter Id="stringComparison" DataType="string" Value="ordinalIgnoreCase"/> | |
| </InputParameters> | |
| </ClaimsTransformation> | |
| <ClaimsTransformation Id="AssertAccountEnabledIsTrue" TransformationMethod="AssertBooleanClaimIsEqualToValue"> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="accountEnabled" TransformationClaimType="inputClaim"/> | |
| </InputClaims> | |
| <InputParameters> | |
| <InputParameter Id="valueToCompareTo" DataType="boolean" Value="true"/> | |
| </InputParameters> | |
| </ClaimsTransformation> | |
| </ClaimsTransformations> | |
| <ContentDefinitions> | |
| <ContentDefinition Id="api.localaccountpasswordchange1.1"> | |
| <LoadUri>~/tenant/default/selfAsserted.cshtml</LoadUri> | |
| <RecoveryUri>~/common/default_page_error.html</RecoveryUri> | |
| <DataUri>urn:com:microsoft:aad:b2c:elements:selfasserted:1.1.0</DataUri> | |
| <Metadata> | |
| <Item Key="DisplayName">Local account change password page</Item> | |
| </Metadata> | |
| </ContentDefinition> | |
| </ContentDefinitions> | |
| </BuildingBlocks> | |
| <ClaimsProviders> | |
| <ClaimsProvider> | |
| <DisplayName>Local Account SignIn</DisplayName> | |
| <TechnicalProfiles> | |
| <TechnicalProfile Id="AAD-UserWriteUsingLogonName"> | |
| <Metadata> | |
| <Item Key="Operation">Write</Item> | |
| <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">true</Item> | |
| </Metadata> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.userName" Required="true"/> | |
| </InputClaims> | |
| <PersistedClaims> | |
| <PersistedClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.userName"/> | |
| <PersistedClaim ClaimTypeReferenceId="email" PartnerClaimType="strongAuthenticationEmailAddress"/> | |
| <PersistedClaim ClaimTypeReferenceId="newPassword" PartnerClaimType="password"/> | |
| <PersistedClaim ClaimTypeReferenceId="displayName" DefaultValue="SomeDefaultDisplayNameValue"/> | |
| <!-- Optional claims. --> | |
| <PersistedClaim ClaimTypeReferenceId="givenName"/> | |
| <PersistedClaim ClaimTypeReferenceId="surname"/> | |
| </PersistedClaims> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="objectId"/> | |
| <OutputClaim ClaimTypeReferenceId="newUser" PartnerClaimType="newClaimsPrincipalCreated"/> | |
| <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication"/> | |
| <OutputClaim ClaimTypeReferenceId="userPrincipalName"/> | |
| </OutputClaims> | |
| <IncludeTechnicalProfile ReferenceId="AAD-Common"/> | |
| <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD"/> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="LocalAccountSignUpWithLogonName"> | |
| <DisplayName>User ID signup</DisplayName> | |
| <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/> | |
| <Metadata> | |
| <Item Key="IpAddressClaimReferenceId">IpAddress</Item> | |
| <Item Key="ContentDefinitionReferenceId">api.localaccountsignup</Item> | |
| <Item Key="LocalAccountType">Username</Item> | |
| <Item Key="LocalAccountProfile">true</Item> | |
| <Item Key="language.button_continue">Create</Item> | |
| <Item Key="EnforceEmailVerification">false</Item> | |
| </Metadata> | |
| <CryptographicKeys> | |
| <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer"/> | |
| </CryptographicKeys> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="signInName"/> | |
| </InputClaims> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="objectId" Required="true"/> | |
| <OutputClaim ClaimTypeReferenceId="signInName" Required="true"/> | |
| <OutputClaim ClaimTypeReferenceId="newPassword" Required="true"/> | |
| <OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true"/> | |
| <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true"/> | |
| <OutputClaim ClaimTypeReferenceId="executed-SelfAsserted-Input" DefaultValue="true"/> | |
| <OutputClaim ClaimTypeReferenceId="newUser"/> | |
| <OutputClaim ClaimTypeReferenceId="authenticationSource"/> | |
| <OutputClaim ClaimTypeReferenceId="userPrincipalName"/> | |
| <OutputClaim ClaimTypeReferenceId="givenName" Required="true"/> | |
| <OutputClaim ClaimTypeReferenceId="surname" Required="true"/> | |
| </OutputClaims> | |
| <ValidationTechnicalProfiles> | |
| <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingLogonName"/> | |
| </ValidationTechnicalProfiles> | |
| <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD"/> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Username"> | |
| <DisplayName>Local Account Signin</DisplayName> | |
| <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/> | |
| <Metadata> | |
| <Item Key="SignUpTarget">SignUpWithLogonUsernameExchange</Item> | |
| <Item Key="setting.operatingMode">Username</Item> | |
| <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item> | |
| </Metadata> | |
| <IncludeInSso>false</IncludeInSso> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="signInName"/> | |
| </InputClaims> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="signInName" Required="true"/> | |
| <OutputClaim ClaimTypeReferenceId="password" Required="true"/> | |
| <OutputClaim ClaimTypeReferenceId="objectId"/> | |
| <OutputClaim ClaimTypeReferenceId="authenticationSource"/> | |
| </OutputClaims> | |
| <ValidationTechnicalProfiles> | |
| <ValidationTechnicalProfile ReferenceId="login-NonInteractive"/> | |
| </ValidationTechnicalProfiles> | |
| <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD"/> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="LocalAccountDiscoveryUsingUserNameAndValidateStrongAuthenticationEmailAddress"> | |
| <DisplayName>Reset password using username</DisplayName> | |
| <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/> | |
| <Metadata> | |
| <Item Key="IpAddressClaimReferenceId">IpAddress</Item> | |
| <Item Key="ContentDefinitionReferenceId">api.localaccountpasswordchange1.1</Item> | |
| <Item Key="AllowGenerationOfClaimsWithNullValues">true</Item> | |
| <Item Key="UserMessageIfClaimsTransformationStringsAreNotEqual">An account could not be found for the provided user ID.</Item> | |
| <Item Key="UserMessageIfClaimsTransformationBooleanValueIsNotEqual">Your account has been locked. Contact your support person to unlock it, then try again.</Item> | |
| <Item Key="LocalAccountType">Username</Item> | |
| <Item Key="LocalAccountProfile">true</Item> | |
| <!-- Reduce the default self-asserted retry limit of 7 for the reset journey --> | |
| <Item Key="setting.retryLimit">3</Item> | |
| <Item Key="EnforceEmailVerification">false</Item> | |
| </Metadata> | |
| <CryptographicKeys> | |
| <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer"/> | |
| </CryptographicKeys> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="signInName" Required="true"/> | |
| <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true"/> | |
| <OutputClaim ClaimTypeReferenceId="emails"/> | |
| <OutputClaim ClaimTypeReferenceId="objectId"/> | |
| <OutputClaim ClaimTypeReferenceId="userPrincipalName"/> | |
| <OutputClaim ClaimTypeReferenceId="sub"/> | |
| <OutputClaim ClaimTypeReferenceId="authenticationSource"/> | |
| <OutputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress"/> | |
| <OutputClaim ClaimTypeReferenceId="displayName"/> | |
| </OutputClaims> | |
| <OutputClaimsTransformations> | |
| <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromObjectID"/> | |
| </OutputClaimsTransformations> | |
| <ValidationTechnicalProfiles> | |
| <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingUserNameAndValidateStrongAuthenticationEmailAddress"/> | |
| </ValidationTechnicalProfiles> | |
| <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="AAD-UserReadUsingUserNameAndValidateStrongAuthenticationEmailAddress"> | |
| <Metadata> | |
| <Item Key="Operation">Read</Item> | |
| <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item> | |
| </Metadata> | |
| <InputClaims> | |
| <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.userName" Required="true"/> | |
| </InputClaims> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="objectId"/> | |
| <OutputClaim ClaimTypeReferenceId="accountEnabled"/> | |
| <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication"/> | |
| <OutputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress"/> | |
| </OutputClaims> | |
| <OutputClaimsTransformations> | |
| <OutputClaimsTransformation ReferenceId="AssertEmailAndstrongAuthenticationEmailAddressAreEqual"/> | |
| <OutputClaimsTransformation ReferenceId="AssertAccountEnabledIsTrue"/> | |
| <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromObjectID"/> | |
| </OutputClaimsTransformations> | |
| <IncludeTechnicalProfile ReferenceId="AAD-ReadCommon"/> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="AAD-ReadCommon"> | |
| <Metadata> | |
| <Item Key="Operation">Read</Item> | |
| <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item> | |
| </Metadata> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="userPrincipalName"/> | |
| <OutputClaim ClaimTypeReferenceId="displayName"/> | |
| <OutputClaim ClaimTypeReferenceId="otherMails"/> | |
| <OutputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress" PartnerClaimType="signInNames.emailAddress"/> | |
| </OutputClaims> | |
| <OutputClaimsTransformations> | |
| <OutputClaimsTransformation ReferenceId="CreateEmailsFromOtherMailsAndSignInNamesInfo"/> | |
| <OutputClaimsTransformation ReferenceId="AddStrongAuthenticationEmailToEmails"/> | |
| </OutputClaimsTransformations> | |
| <IncludeTechnicalProfile ReferenceId="AAD-Common"/> | |
| </TechnicalProfile> | |
| <TechnicalProfile Id="SelfAsserted-Input"> | |
| <DisplayName>Self Asserted</DisplayName> | |
| <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/> | |
| <Metadata> | |
| <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item> | |
| <Item Key="AllowGenerationOfClaimsWithNullValues">true</Item> | |
| </Metadata> | |
| <CryptographicKeys> | |
| <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer"/> | |
| </CryptographicKeys> | |
| <OutputClaims> | |
| <OutputClaim ClaimTypeReferenceId="executed-SelfAsserted-Input" DefaultValue="true"/> | |
| <!-- Note: Claims such as emails are not listed here because without a ValidationTechnicalProfile when SelfAsserted-Input is shown to the user, | |
| the user will be prompted for such claims. As a result, that claim is kept in the technical profiles that have ValidationTechnicalProfile --> | |
| </OutputClaims> | |
| <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/> | |
| </TechnicalProfile> | |
| </TechnicalProfiles> | |
| </ClaimsProvider> | |
| </ClaimsProviders> | |
| <UserJourneys> | |
| <UserJourney Id="SignUpOrSignInWithUsername"> | |
| <OrchestrationSteps> | |
| <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin"> | |
| <ClaimsProviderSelections> | |
| <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninUsernameExchange"/> | |
| </ClaimsProviderSelections> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="LocalAccountSigninUsernameExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Username"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="2" Type="ClaimsExchange"> | |
| <Preconditions> | |
| <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> | |
| <Value>objectId</Value> | |
| <Action>SkipThisOrchestrationStep</Action> | |
| </Precondition> | |
| </Preconditions> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="SignUpWithLogonUsernameExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonName"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="3" Type="ClaimsExchange"> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/> | |
| </OrchestrationSteps> | |
| <ClientDefinition ReferenceId="DefaultWeb"/> | |
| </UserJourney> | |
| <UserJourney Id="PasswordResetWithUsername"> | |
| <OrchestrationSteps> | |
| <OrchestrationStep Order="1" Type="ClaimsExchange"> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="test" TechnicalProfileReferenceId="LocalAccountDiscoveryUsingUserNameAndValidateStrongAuthenticationEmailAddress"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="2" Type="ClaimsExchange"> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/> | |
| </OrchestrationSteps> | |
| <ClientDefinition ReferenceId="DefaultWeb"/> | |
| </UserJourney> | |
| <UserJourney Id="ProfileEditWithUsername"> | |
| <OrchestrationSteps> | |
| <OrchestrationStep Order="1" Type="ClaimsProviderSelection" ContentDefinitionReferenceId="api.idpselections"> | |
| <ClaimsProviderSelections> | |
| <ClaimsProviderSelection TargetClaimsExchangeId="LocalAccountSigninUsernameExchange"/> | |
| </ClaimsProviderSelections> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="2" Type="ClaimsExchange"> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="LocalAccountSigninUsernameExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Username"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="3" Type="ClaimsExchange"> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="4" Type="ClaimsExchange"> | |
| <ClaimsExchanges> | |
| <ClaimsExchange Id="B2CUserProfileUpdateExchange" TechnicalProfileReferenceId="SelfAsserted-ProfileUpdate"/> | |
| </ClaimsExchanges> | |
| </OrchestrationStep> | |
| <OrchestrationStep Order="5" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/> | |
| </OrchestrationSteps> | |
| <ClientDefinition ReferenceId="DefaultWeb"/> | |
| </UserJourney> | |
| </UserJourneys> | |
| </TrustFrameworkPolicy> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
https://medium.com/the-new-control-plane/implementing-security-questions-and-answers-on-azure-ad-b2c-a12546a208b1