  1. <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  2. <TrustFrameworkPolicy
  3. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  4. xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  5. xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  6. PolicySchemaVersion="0.3.0.0"
  7. TenantId="{Settings:Tenant}"
  8. PolicyId="B2C_1A_JITMigraion_TrustFrameworkBase"
  9. PublicPolicyUri="http://{Settings:Tenant}/B2C_1A_JITMigraion_TrustFrameworkBase">
  10.  
  11. <BuildingBlocks>
  12. <ClaimsSchema>
  13. <!-- The ClaimsSchema is divided into three sections:
  14. 1. Section I lists the minimum claims that are required for the user journeys to work properly.
  15. 2. Section II lists the claims required for query string parameters and other special parameters
  16. to be passed to other claims providers, esp. login.microsoftonline.com for authentication.
  17. Please do not modify these claims.
  18. 3. Section III lists any additional (optional) claims that can be collected from the user, stored
  19. in the directory and sent in tokens during sign in. Add new claims to be collected from the user
  20. and/or sent in the token in Section III. -->
  21.  
  22. <!-- NOTE: The claims schema contains restrictions on certain claims such as passwords and usernames.
  23. The trust framework policy treats Azure AD as any other claims provider and all its restrictions
  24. are modelled in the policy. A policy could be modified to add more restrictions, or use another
  25. claims provider for credential storage which will have its own restrictions. -->
  26.  
  27. <!-- SECTION I: Claims required for user journeys to work properly -->
  28.  
  29. <ClaimType Id="socialIdpUserId">
  30. <DisplayName>Username</DisplayName>
  31. <DataType>string</DataType>
  32. <UserHelpText/>
  33. <UserInputType>TextBox</UserInputType>
  34. <Restriction>
  35. <Pattern RegularExpression="^[a-zA-Z0-9]+[a-zA-Z0-9_-]*$" HelpText="The username you provided is not valid. It must begin with an alphabet or number and can contain alphabets, numbers and the following symbols: _ -" />
  36. </Restriction>
  37. </ClaimType>
  38.  
  39. <ClaimType Id="tenantId">
  40. <DisplayName>User's Object's Tenant ID</DisplayName>
  41. <DataType>string</DataType>
  42. <DefaultPartnerClaimTypes>
  43. <Protocol Name="OAuth2" PartnerClaimType="tid" />
  44. <Protocol Name="OpenIdConnect" PartnerClaimType="tid" />
  45. <Protocol Name="SAML2" PartnerClaimType="http://schemas.microsoft.com/identity/claims/tenantid" />
  46. </DefaultPartnerClaimTypes>
  47. <UserHelpText>Tenant identifier (ID) of the user object in Azure AD.</UserHelpText>
  48. </ClaimType>
  49.  
  50. <ClaimType Id="objectId">
  51. <DisplayName>User's Object ID</DisplayName>
  52. <DataType>string</DataType>
  53. <DefaultPartnerClaimTypes>
  54. <Protocol Name="OAuth2" PartnerClaimType="oid" />
  55. <Protocol Name="OpenIdConnect" PartnerClaimType="oid" />
  56. <Protocol Name="SAML2" PartnerClaimType="http://schemas.microsoft.com/identity/claims/objectidentifier" />
  57. </DefaultPartnerClaimTypes>
  58. <UserHelpText>Object identifier (ID) of the user object in Azure AD.</UserHelpText>
  59. </ClaimType>
  60.  
  61. <!-- Claims needed for local accounts. -->
  62. <ClaimType Id="signInName">
  63. <DisplayName>Sign in name</DisplayName>
  64. <DataType>string</DataType>
  65. <UserHelpText/>
  66. <UserInputType>TextBox</UserInputType>
  67. </ClaimType>
  68.  
  69. <ClaimType Id="signInNames.emailAddress">
  70. <DisplayName>Email Address</DisplayName>
  71. <DataType>string</DataType>
  72. <UserHelpText>Email address to use for signing in.</UserHelpText>
  73. <UserInputType>TextBox</UserInputType>
  74. </ClaimType>
  75.  
  76. <ClaimType Id="password">
  77. <DisplayName>Password</DisplayName>
  78. <DataType>string</DataType>
  79. <UserHelpText>Enter password</UserHelpText>
  80. <UserInputType>Password</UserInputType>
  81. </ClaimType>
  82.  
  83. <!-- The claim types newPassword and reenterPassword are considered special, please do not change the names.
  84. The UI validates the the user correctly re-entered their password during account creation based on these
  85. claim types. -->
  86. <ClaimType Id="newPassword">
  87. <DisplayName>New Password</DisplayName>
  88. <DataType>string</DataType>
  89. <UserHelpText>Enter new password</UserHelpText>
  90. <UserInputType>Password</UserInputType>
  91. <Restriction>
  92. <Pattern RegularExpression="^((?=.*[a-z])(?=.*[A-Z])(?=.*\d)|(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9])|(?=.*[a-z])(?=.*\d)(?=.*[^A-Za-z0-9])|(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]))([A-Za-z\d@#$%^&amp;*\-_+=[\]{}|\\:',?/`~&quot;();!]|\.(?!@)){8,16}$" HelpText="8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ &amp; * - _ + = [ ] { } | \ : ' , ? / ` ~ &quot; ( ) ; ." />
  93. </Restriction>
  94. </ClaimType>
  95. <!-- The password regular expression above is constructed for AAD passwords based on restrictions at https://msdn.microsoft.com/en-us/library/azure/jj943764.aspx
  96.  
  97. ^( # one of the following four combinations must appear in the password
  98. (?=.*[a-z])(?=.*[A-Z])(?=.*\d) | # matches lower case, upper case or digit
  99. (?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9]) | # matches lower case, upper case or special character (i.e. non-alpha or digit)
  100. (?=.*[a-z])(?=.*\d)(?=.*[^A-Za-z0-9]) | # matches lower case, digit, or special character
  101. (?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]) # matches upper case, digit, or special character
  102. )
  103. ( # The password must match the following restrictions
  104. [A-Za-z\d@#$%^&*\-_+=[\]{}|\\:',?/`~"();!] | # The list of all acceptable characters (without .)
  105. \.(?!@) # or . can appear as long as not followed by @
  106. ) {8,16}$ # the length must be between 8 and 16 chars inclusive
  107.  
  108. -->
  109.  
  110. <ClaimType Id="reenterPassword">
  111. <DisplayName>Confirm New Password</DisplayName>
  112. <DataType>string</DataType>
  113. <UserHelpText>Confirm new password</UserHelpText>
  114. <UserInputType>Password</UserInputType>
  115. <Restriction>
  116. <Pattern RegularExpression="^((?=.*[a-z])(?=.*[A-Z])(?=.*\d)|(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9])|(?=.*[a-z])(?=.*\d)(?=.*[^A-Za-z0-9])|(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]))([A-Za-z\d@#$%^&amp;*\-_+=[\]{}|\\:',?/`~&quot;();!]|\.(?!@)){8,16}$" HelpText=" " />
  117. </Restriction>
  118. </ClaimType>
  119.  
  120. <ClaimType Id="passwordPolicies">
  121. <DisplayName>Password Policies</DisplayName>
  122. <DataType>string</DataType>
  123. <UserHelpText>Password policies used by Azure AD to determine password strength, expiry etc.</UserHelpText>
  124. </ClaimType>
  125.  
  126. <ClaimType Id="client_id">
  127. <DisplayName>client_id</DisplayName>
  128. <DataType>string</DataType>
  129. <AdminHelpText>Special parameter passed to EvoSTS.</AdminHelpText>
  130. <UserHelpText>Special parameter passed to EvoSTS.</UserHelpText>
  131. </ClaimType>
  132.  
  133. <ClaimType Id="resource_id">
  134. <DisplayName>resource_id</DisplayName>
  135. <DataType>string</DataType>
  136. <AdminHelpText>Special parameter passed to EvoSTS.</AdminHelpText>
  137. <UserHelpText>Special parameter passed to EvoSTS.</UserHelpText>
  138. </ClaimType>
  139.  
  140. <ClaimType Id="sub">
  141. <DisplayName>Subject</DisplayName>
  142. <DataType>string</DataType>
  143. <DefaultPartnerClaimTypes>
  144. <Protocol Name="OpenIdConnect" PartnerClaimType="sub" />
  145. </DefaultPartnerClaimTypes>
  146. <UserHelpText/>
  147. </ClaimType>
  148.  
  149. <ClaimType Id="alternativeSecurityId">
  150. <DisplayName>AlternativeSecurityId</DisplayName>
  151. <DataType>string</DataType>
  152. <UserHelpText/>
  153. </ClaimType>
  154.  
  155. <ClaimType Id="mailNickName">
  156. <DisplayName>MailNickName</DisplayName>
  157. <DataType>string</DataType>
  158. <UserHelpText>Your mail nick name as stored in the Azure Active Directory.</UserHelpText>
  159. </ClaimType>
  160.  
  161. <ClaimType Id="identityProvider">
  162. <DisplayName>Identity Provider</DisplayName>
  163. <DataType>string</DataType>
  164. <DefaultPartnerClaimTypes>
  165. <Protocol Name="OAuth2" PartnerClaimType="idp" />
  166. <Protocol Name="OpenIdConnect" PartnerClaimType="idp" />
  167. <Protocol Name="SAML2" PartnerClaimType="http://schemas.microsoft.com/identity/claims/identityprovider" />
  168. </DefaultPartnerClaimTypes>
  169. <UserHelpText/>
  170. </ClaimType>
  171.  
  172. <ClaimType Id="displayName">
  173. <DisplayName>Display Name</DisplayName>
  174. <DataType>string</DataType>
  175. <DefaultPartnerClaimTypes>
  176. <Protocol Name="OAuth2" PartnerClaimType="unique_name" />
  177. <Protocol Name="OpenIdConnect" PartnerClaimType="name" />
  178. <Protocol Name="SAML2" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" />
  179. </DefaultPartnerClaimTypes>
  180. <UserHelpText>Your display name.</UserHelpText>
  181. <UserInputType>TextBox</UserInputType>
  182. </ClaimType>
  183.  
  184. <ClaimType Id="email">
  185. <DisplayName>Email Address</DisplayName>
  186. <DataType>string</DataType>
  187. <DefaultPartnerClaimTypes>
  188. <Protocol Name="OpenIdConnect" PartnerClaimType="email" />
  189. </DefaultPartnerClaimTypes>
  190. <UserHelpText>Email address that can be used to contact you.</UserHelpText>
  191. <UserInputType>TextBox</UserInputType>
  192. <Restriction>
  193. <Pattern RegularExpression="^[a-zA-Z0-9.!#$%&amp;'^_`{}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$" HelpText="Please enter a valid email address." />
  194. </Restriction>
  195. </ClaimType>
  196.  
  197. <ClaimType Id="otherMails">
  198. <DisplayName>Alternate Email Addresses</DisplayName>
  199. <DataType>stringCollection</DataType>
  200. <UserHelpText>Email addresses that can be used to contact the user.</UserHelpText>
  201. </ClaimType>
  202.  
  203. <ClaimType Id="userPrincipalName">
  204. <DisplayName>UserPrincipalName</DisplayName>
  205. <DataType>string</DataType>
  206. <DefaultPartnerClaimTypes>
  207. <Protocol Name="OAuth2" PartnerClaimType="upn" />
  208. <Protocol Name="OpenIdConnect" PartnerClaimType="upn" />
  209. <Protocol Name="SAML2" PartnerClaimType="http://schemas.microsoft.com/identity/claims/userprincipalname" />
  210. </DefaultPartnerClaimTypes>
  211. <UserHelpText>Your user name as stored in the Azure Active Directory.</UserHelpText>
  212. </ClaimType>
  213.  
  214. <ClaimType Id="upnUserName">
  215. <DisplayName>UPN User Name</DisplayName>
  216. <DataType>string</DataType>
  217. <UserHelpText>The user name for creating user principal name.</UserHelpText>
  218. </ClaimType>
  219.  
  220. <ClaimType Id="newUser">
  221. <DisplayName>User is new</DisplayName>
  222. <DataType>boolean</DataType>
  223. <UserHelpText/>
  224. </ClaimType>
  225.  
  226. <ClaimType Id="executed-SelfAsserted-Input">
  227. <DisplayName>Executed-SelfAsserted-Input</DisplayName>
  228. <DataType>string</DataType>
  229. <UserHelpText>A claim that specifies whether attributes were collected from the user.</UserHelpText>
  230. </ClaimType>
  231.  
  232. <ClaimType Id="authenticationSource">
  233. <DisplayName>AuthenticationSource</DisplayName>
  234. <DataType>string</DataType>
  235. <UserHelpText>Specifies whether the user was authenticated at Social IDP or local account.</UserHelpText>
  236. </ClaimType>
  237.  
  238. <!-- SECTION II: Claims required to pass on special parameters (including some query string parameters) to other claims providers -->
  239.  
  240. <ClaimType Id="nca">
  241. <DisplayName>nca</DisplayName>
  242. <DataType>string</DataType>
  243. <UserHelpText>Special parameter passed for local account authentication to login.microsoftonline.com.</UserHelpText>
  244. </ClaimType>
  245.  
  246. <ClaimType Id="grant_type">
  247. <DisplayName>grant_type</DisplayName>
  248. <DataType>string</DataType>
  249. <UserHelpText>Special parameter passed for local account authentication to login.microsoftonline.com.</UserHelpText>
  250. </ClaimType>
  251.  
  252. <ClaimType Id="scope">
  253. <DisplayName>scope</DisplayName>
  254. <DataType>string</DataType>
  255. <UserHelpText>Special parameter passed for local account authentication to login.microsoftonline.com.</UserHelpText>
  256. </ClaimType>
  257.  
  258. <ClaimType Id="objectIdFromSession">
  259. <DisplayName>objectIdFromSession</DisplayName>
  260. <DataType>boolean</DataType>
  261. <UserHelpText>Parameter provided by the default session management provider to indicate that the object id has been retrieved from an SSO session.</UserHelpText>
  262. </ClaimType>
  263.  
  264. <ClaimType Id="isActiveMFASession">
  265. <DisplayName>isActiveMFASession</DisplayName>
  266. <DataType>boolean</DataType>
  267. <UserHelpText>Parameter provided by the MFA session management to indicate that the user has an active MFA session.</UserHelpText>
  268. </ClaimType>
  269.  
  270. <!-- SECTION III: Additional claims that can be collected from the users, stored in the directory, and sent in the token. Add additional claims here. -->
  271.  
  272. <ClaimType Id="givenName">
  273. <DisplayName>Given Name</DisplayName>
  274. <DataType>string</DataType>
  275. <DefaultPartnerClaimTypes>
  276. <Protocol Name="OAuth2" PartnerClaimType="given_name" />
  277. <Protocol Name="OpenIdConnect" PartnerClaimType="given_name" />
  278. <Protocol Name="SAML2" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" />
  279. </DefaultPartnerClaimTypes>
  280. <UserHelpText>Your given name (also known as first name).</UserHelpText>
  281. <UserInputType>TextBox</UserInputType>
  282. </ClaimType>
  283.  
  284. <ClaimType Id="surname">
  285. <DisplayName>Surname</DisplayName>
  286. <DataType>string</DataType>
  287. <DefaultPartnerClaimTypes>
  288. <Protocol Name="OAuth2" PartnerClaimType="family_name" />
  289. <Protocol Name="OpenIdConnect" PartnerClaimType="family_name" />
  290. <Protocol Name="SAML2" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" />
  291. </DefaultPartnerClaimTypes>
  292. <UserHelpText>Your surname (also known as family name or last name).</UserHelpText>
  293. <UserInputType>TextBox</UserInputType>
  294. </ClaimType>
  295.  
  296. </ClaimsSchema>
  297.  
  298. <ClaimsTransformations>
  299. <ClaimsTransformation Id="CreateOtherMailsFromEmail" TransformationMethod="AddItemToStringCollection">
  300. <InputClaims>
  301. <InputClaim ClaimTypeReferenceId="email" TransformationClaimType="item" />
  302. <InputClaim ClaimTypeReferenceId="otherMails" TransformationClaimType="collection" />
  303. </InputClaims>
  304. <OutputClaims>
  305. <OutputClaim ClaimTypeReferenceId="otherMails" TransformationClaimType="collection" />
  306. </OutputClaims>
  307. </ClaimsTransformation>
  308.  
  309. <ClaimsTransformation Id="CreateRandomUPNUserName" TransformationMethod="CreateRandomString">
  310. <InputParameters>
  311. <InputParameter Id="randomGeneratorType" DataType="string" Value="GUID" />
  312. </InputParameters>
  313. <OutputClaims>
  314. <OutputClaim ClaimTypeReferenceId="upnUserName" TransformationClaimType="outputClaim" />
  315. </OutputClaims>
  316. </ClaimsTransformation>
  317.  
  318. <ClaimsTransformation Id="CreateUserPrincipalName" TransformationMethod="FormatStringClaim">
  319. <InputClaims>
  320. <InputClaim ClaimTypeReferenceId="upnUserName" TransformationClaimType="inputClaim" />
  321. </InputClaims>
  322. <InputParameters>
  323. <InputParameter Id="stringFormat" DataType="string" Value="cpim_{0}@{RelyingPartyTenantId}" />
  324. </InputParameters>
  325. <OutputClaims>
  326. <OutputClaim ClaimTypeReferenceId="userPrincipalName" TransformationClaimType="outputClaim" />
  327. </OutputClaims>
  328. </ClaimsTransformation>
  329.  
  330. <ClaimsTransformation Id="CreateAlternativeSecurityId" TransformationMethod="CreateAlternativeSecurityId">
  331. <InputClaims>
  332. <InputClaim ClaimTypeReferenceId="socialIdpUserId" TransformationClaimType="key" />
  333. <InputClaim ClaimTypeReferenceId="identityProvider" TransformationClaimType="identityProvider" />
  334. </InputClaims>
  335. <OutputClaims>
  336. <OutputClaim ClaimTypeReferenceId="alternativeSecurityId" TransformationClaimType="alternativeSecurityId" />
  337. </OutputClaims>
  338. </ClaimsTransformation>
  339.  
  340. <ClaimsTransformation Id="CreateSubjectClaimFromAlternativeSecurityId" TransformationMethod="CreateStringClaim">
  341. <InputParameters>
  342. <InputParameter Id="value" DataType="string" Value="Not supported currently. Use oid claim." />
  343. </InputParameters>
  344. <OutputClaims>
  345. <OutputClaim ClaimTypeReferenceId="sub" TransformationClaimType="createdClaim" />
  346. </OutputClaims>
  347. </ClaimsTransformation>
  348.  
  349. </ClaimsTransformations>
  350.  
  351. <ClientDefinitions>
  352. <ClientDefinition Id="DefaultWeb">
  353. <ClientUIFilterFlags>LineMarkers, MetaRefresh</ClientUIFilterFlags>
  354. </ClientDefinition>
  355. </ClientDefinitions>
  356.  
  357. <ContentDefinitions>
  358.  
  359. <!-- This content definition is to render an error page that displays unhandled errors. -->
  360. <ContentDefinition Id="api.error">
  361. <LoadUri>~/tenant/default/exception.cshtml</LoadUri>
  362. <RecoveryUri>~/common/default_page_error.html</RecoveryUri>
  363. <DataUri>urn:com:microsoft:aad:b2c:elements:globalexception:1.1.0</DataUri>
  364. <Metadata>
  365. <Item Key="DisplayName">Error page</Item>
  366. </Metadata>
  367. </ContentDefinition>
  368.  
  369. <ContentDefinition Id="api.idpselections">
  370. <LoadUri>~/tenant/default/idpSelector.cshtml</LoadUri>
  371. <RecoveryUri>~/common/default_page_error.html</RecoveryUri>
  372. <DataUri>urn:com:microsoft:aad:b2c:elements:idpselection:1.0.0</DataUri>
  373. <Metadata>
  374. <Item Key="DisplayName">Idp selection page</Item>
  375. <Item Key="language.intro">Sign in</Item>
  376. </Metadata>
  377. </ContentDefinition>
  378.  
  379. <ContentDefinition Id="api.idpselections.signup">
  380. <LoadUri>~/tenant/default/idpSelector.cshtml</LoadUri>
  381. <RecoveryUri>~/common/default_page_error.html</RecoveryUri>
  382. <DataUri>urn:com:microsoft:aad:b2c:elements:idpselection:1.0.0</DataUri>
  383. <Metadata>
  384. <Item Key="DisplayName">Idp selection page</Item>
  385. <Item Key="language.intro">Sign up</Item>
  386. </Metadata>
  387. </ContentDefinition>
  388.  
  389. <ContentDefinition Id="api.signuporsignin">
  390. <LoadUri>~/tenant/default/unified.cshtml</LoadUri>
  391. <RecoveryUri>~/common/default_page_error.html</RecoveryUri>
  392. <DataUri>urn:com:microsoft:aad:b2c:elements:unifiedssp:1.0.0</DataUri>
  393. <Metadata>
  394. <Item Key="DisplayName">Signin and Signup</Item>
  395. </Metadata>
  396. </ContentDefinition>
  397.  
  398. <ContentDefinition Id="api.selfasserted">
  399. <LoadUri>~/tenant/default/selfAsserted.cshtml</LoadUri>
  400. <RecoveryUri>~/common/default_page_error.html</RecoveryUri>
  401. <DataUri>urn:com:microsoft:aad:b2c:elements:selfasserted:1.1.0</DataUri>
  402. <Metadata>
  403. <Item Key="DisplayName">Collect information from user page</Item>
  404. </Metadata>
  405. </ContentDefinition>
  406.  
  407. <ContentDefinition Id="api.selfasserted.profileupdate">
  408. <LoadUri>~/tenant/default/updateProfile.cshtml</LoadUri>
  409. <RecoveryUri>~/common/default_page_error.html</RecoveryUri>
  410. <DataUri>urn:com:microsoft:aad:b2c:elements:selfasserted:1.1.0</DataUri>
  411. <Metadata>
  412. <Item Key="DisplayName">Collect information from user page</Item>
  413. </Metadata>
  414. </ContentDefinition>
  415.  
  416. <ContentDefinition Id="api.localaccountsignup">
  417. <LoadUri>~/tenant/default/selfAsserted.cshtml</LoadUri>
  418. <RecoveryUri>~/common/default_page_error.html</RecoveryUri>
  419. <DataUri>urn:com:microsoft:aad:b2c:elements:selfasserted:1.1.0</DataUri>
  420. <Metadata>
  421. <Item Key="DisplayName">Local account sign up page</Item>
  422. </Metadata>
  423. </ContentDefinition>
  424.  
  425. <ContentDefinition Id="api.localaccountpasswordreset">
  426. <LoadUri>~/tenant/default/selfAsserted.cshtml</LoadUri>
  427. <RecoveryUri>~/common/default_page_error.html</RecoveryUri>
  428. <DataUri>urn:com:microsoft:aad:b2c:elements:selfasserted:1.1.0</DataUri>
  429. <Metadata>
  430. <Item Key="DisplayName">Local account change password page</Item>
  431. </Metadata>
  432. </ContentDefinition>
  433.  
  434. </ContentDefinitions>
  435. </BuildingBlocks>
  436.  
  437. <!--
  438. A list of all the claim providers that can be used in the technical policies. If a claims provider is not listed
  439. in this section, then it cannot be used in a technical policy.
  440. -->
  441. <ClaimsProviders>
  442.  
  443. <ClaimsProvider>
  444. <!-- The following Domain element allows this profile to be used if the request comes with domain_hint
  445. query string parameter, e.g. domain_hint=facebook.com -->
  446. <Domain>facebook.com</Domain>
  447. <DisplayName>Facebook</DisplayName>
  448. <TechnicalProfiles>
  449. <TechnicalProfile Id="Facebook-OAUTH">
  450. <!-- The text in the following DisplayName element is shown to the user on the claims provider
  451. selection screen. -->
  452. <DisplayName>Facebook</DisplayName>
  453. <Protocol Name="OAuth2" />
  454. <Metadata>
  455. <Item Key="ProviderName">facebook</Item>
  456. <Item Key="authorization_endpoint">https://www.facebook.com/dialog/oauth</Item>
  457. <Item Key="AccessTokenEndpoint">https://graph.facebook.com/oauth/access_token</Item>
  458. <Item Key="HttpBinding">GET</Item>
  459. <Item Key="UsePolicyInRedirectUri">0</Item>
  460.  
  461. <!-- The Facebook required HTTP GET method, but the access token response is in JSON format from 3/27/2017 -->
  462. <Item Key="AccessTokenResponseFormat">json</Item>
  463. </Metadata>
  464. <CryptographicKeys>
  465. <Key Id="client_secret" StorageReferenceId="B2C_1A_FacebookSecret" />
  466. </CryptographicKeys>
  467. <InputClaims />
  468. <OutputClaims>
  469. <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="id" />
  470. <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="first_name" />
  471. <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="last_name" />
  472. <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
  473. <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
  474. <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="facebook.com" />
  475. <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
  476. </OutputClaims>
  477. <OutputClaimsTransformations>
  478. <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
  479. <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
  480. <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
  481. </OutputClaimsTransformations>
  482. <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
  483. </TechnicalProfile>
  484. </TechnicalProfiles>
  485. </ClaimsProvider>
  486.  
  487. <ClaimsProvider>
  488. <DisplayName>Local Account SignIn</DisplayName>
  489. <TechnicalProfiles>
  490. <TechnicalProfile Id="login-NonInteractive">
  491. <DisplayName>Local Account SignIn</DisplayName>
  492. <Protocol Name="OpenIdConnect" />
  493. <Metadata>
  494. <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">We can't seem to find your account</Item>
  495. <Item Key="UserMessageIfInvalidPassword">Your password is incorrect</Item>
  496. <Item Key="UserMessageIfOldPasswordUsed">Looks like you used an old password</Item>
  497.  
  498. <Item Key="ProviderName">https://sts.windows.net/</Item>
  499. <Item Key="METADATA">https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration</Item>
  500. <Item Key="authorization_endpoint">https://login.microsoftonline.com/{tenant}/oauth2/token</Item>
  501. <Item Key="response_types">id_token</Item>
  502. <Item Key="response_mode">query</Item>
  503. <Item Key="scope">email openid</Item>
  504. <Item Key="grant_type">password</Item>
  505.  
  506. <!-- Policy Engine Clients -->
  507. <Item Key="UsePolicyInRedirectUri">false</Item>
  508. <Item Key="HttpBinding">POST</Item>
  509. </Metadata>
  510. <InputClaims>
  511. <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="username" Required="true" />
  512. <InputClaim ClaimTypeReferenceId="password" Required="true" />
  513. <InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="password" />
  514. <InputClaim ClaimTypeReferenceId="scope" DefaultValue="openid" />
  515. <InputClaim ClaimTypeReferenceId="nca" PartnerClaimType="nca" DefaultValue="1" />
  516. </InputClaims>
  517. <OutputClaims>
  518. <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="oid" />
  519. <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid" />
  520. <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
  521. <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
  522. <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
  523. <OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="upn" />
  524. <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
  525. </OutputClaims>
  526. </TechnicalProfile>
  527. </TechnicalProfiles>
  528. </ClaimsProvider>
  529.  
  530. <ClaimsProvider>
  531. <DisplayName>Azure Active Directory</DisplayName>
  532. <TechnicalProfiles>
  533.  
  534. <TechnicalProfile Id="AAD-Common">
  535. <DisplayName>Azure Active Directory</DisplayName>
  536. <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.AzureActiveDirectoryProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  537.  
  538. <CryptographicKeys>
  539. <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
  540. </CryptographicKeys>
  541.  
  542. <!-- We need this here to suppress the SelfAsserted provider from invoking SSO on validation profiles. -->
  543. <IncludeInSso>false</IncludeInSso>
  544. <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
  545. </TechnicalProfile>
  546.  
  547. <!-- Technical profiles for social logins -->
  548.  
  549. <TechnicalProfile Id="AAD-UserWriteUsingAlternativeSecurityId">
  550. <Metadata>
  551. <Item Key="Operation">Write</Item>
  552. <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">true</Item>
  553. <Item Key="UserMessageIfClaimsPrincipalAlreadyExists">You are already registered, please press the back button and sign in instead.</Item>
  554. </Metadata>
  555. <IncludeInSso>false</IncludeInSso>
  556. <InputClaimsTransformations>
  557. <InputClaimsTransformation ReferenceId="CreateOtherMailsFromEmail" />
  558. </InputClaimsTransformations>
  559. <InputClaims>
  560. <InputClaim ClaimTypeReferenceId="AlternativeSecurityId" PartnerClaimType="alternativeSecurityId" Required="true" />
  561. </InputClaims>
  562. <PersistedClaims>
  563. <!-- Required claims -->
  564. <PersistedClaim ClaimTypeReferenceId="alternativeSecurityId" />
  565. <PersistedClaim ClaimTypeReferenceId="userPrincipalName" />
  566. <PersistedClaim ClaimTypeReferenceId="mailNickName" DefaultValue="unknown" />
  567. <PersistedClaim ClaimTypeReferenceId="displayName" DefaultValue="unknown" />
  568.  
  569. <!-- Optional claims -->
  570. <PersistedClaim ClaimTypeReferenceId="otherMails" />
  571. <PersistedClaim ClaimTypeReferenceId="givenName" />
  572. <PersistedClaim ClaimTypeReferenceId="surname" />
  573. </PersistedClaims>
  574. <OutputClaims>
  575. <OutputClaim ClaimTypeReferenceId="objectId" />
  576. <OutputClaim ClaimTypeReferenceId="newUser" PartnerClaimType="newClaimsPrincipalCreated" />
  577. <!-- The following other mails claim is needed for the case when a user is created, we get otherMails from directory. Self-asserted provider also has an
  578. OutputClaims, and if this is absent, Self-Asserted provider will prompt the user for otherMails. -->
  579. <OutputClaim ClaimTypeReferenceId="otherMails" />
  580. </OutputClaims>
  581. <IncludeTechnicalProfile ReferenceId="AAD-Common" />
  582. <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
  583. </TechnicalProfile>
  584.  
  585. <TechnicalProfile Id="AAD-UserReadUsingAlternativeSecurityId">
  586. <Metadata>
  587. <Item Key="Operation">Read</Item>
  588. <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
  589. <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">User does not exist. Please sign up before you can sign in.</Item>
  590. </Metadata>
  591. <InputClaims>
  592. <InputClaim ClaimTypeReferenceId="AlternativeSecurityId" PartnerClaimType="alternativeSecurityId" Required="true" />
  593. </InputClaims>
  594. <OutputClaims>
  595. <!-- Required claims -->
  596.  
  597. <OutputClaim ClaimTypeReferenceId="objectId" />
  598.  
  599. <!-- Optional claims -->
  600. <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
  601. <OutputClaim ClaimTypeReferenceId="displayName" />
  602. <OutputClaim ClaimTypeReferenceId="otherMails" />
  603. <OutputClaim ClaimTypeReferenceId="givenName" />
  604. <OutputClaim ClaimTypeReferenceId="surname" />
  605. </OutputClaims>
  606. <IncludeTechnicalProfile ReferenceId="AAD-Common" />
  607. </TechnicalProfile>
  608.  
  609. <TechnicalProfile Id="AAD-UserReadUsingAlternativeSecurityId-NoError">
  610. <Metadata>
  611. <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">false</Item>
  612. </Metadata>
  613. <IncludeTechnicalProfile ReferenceId="AAD-UserReadUsingAlternativeSecurityId" />
  614. </TechnicalProfile>
  615.  
  616. <!-- Technical profiles for local accounts -->
  617.  
  618. <TechnicalProfile Id="AAD-UserWriteUsingLogonEmail">
  619. <Metadata>
  620. <Item Key="Operation">Write</Item>
  621. <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">true</Item>
  622. </Metadata>
  623. <IncludeInSso>false</IncludeInSso>
  624. <InputClaims>
  625. <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" Required="true" />
  626. </InputClaims>
  627. <PersistedClaims>
  628. <!-- Required claims -->
  629. <PersistedClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" />
  630. <PersistedClaim ClaimTypeReferenceId="newPassword" PartnerClaimType="password"/>
  631. <PersistedClaim ClaimTypeReferenceId="displayName" DefaultValue="unknown" />
  632. <PersistedClaim ClaimTypeReferenceId="passwordPolicies" DefaultValue="DisablePasswordExpiration" />
  633.  
  634. <!-- Optional claims. -->
  635. <PersistedClaim ClaimTypeReferenceId="givenName" />
  636. <PersistedClaim ClaimTypeReferenceId="surname" />
  637. </PersistedClaims>
  638. <OutputClaims>
  639. <OutputClaim ClaimTypeReferenceId="objectId" />
  640. <OutputClaim ClaimTypeReferenceId="newUser" PartnerClaimType="newClaimsPrincipalCreated" />
  641. <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
  642. <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
  643. <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" />
  644. </OutputClaims>
  645. <IncludeTechnicalProfile ReferenceId="AAD-Common" />
  646. <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
  647. </TechnicalProfile>
  648.  
<!-- Looks up a local account by e-mail. The email claim is matched against the directory signInNames
     collection (PartnerClaimType signInNames rather than signInNames.emailAddress). A miss is a hard error
     with the UserMessageIfClaimsPrincipalDoesNotExist text below.
     NOTE(review): that message confirms whether an account exists for the address. The only visible caller is
     the commented-out validation in LocalAccountDiscoveryUsingEmailAddress, which runs after the address has
     been verified (Verified.Email), so the disclosure is limited to whoever controls the mailbox; keep that
     ordering if the profile is reused elsewhere. -->
<TechnicalProfile Id="AAD-UserReadUsingEmailAddress">
  <Metadata>
    <Item Key="Operation">Read</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
    <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">An account could not be found for the provided user ID.</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames" Required="true" />
  </InputClaims>
  <OutputClaims>
    <!-- Required claims -->
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />

    <!-- Optional claims -->
    <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
    <OutputClaim ClaimTypeReferenceId="displayName" />
    <OutputClaim ClaimTypeReferenceId="otherMails" />
    <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" />
  </OutputClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>
  672.  
<!-- Sets a new password on an existing account addressed by objectId (password reset). The write fails if the
     objectId does not resolve to an account. Only objectId and the new password are persisted; no other
     attributes are touched. Referenced from the commented-out validation in LocalAccountWritePasswordUsingObjectId,
     so in this base policy it is expected to be wired in by the extension policy. -->
<TechnicalProfile Id="AAD-UserWritePasswordUsingObjectId">
  <Metadata>
    <Item Key="Operation">Write</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
  </InputClaims>
  <PersistedClaims>
    <PersistedClaim ClaimTypeReferenceId="objectId" />
    <!-- newPassword is collected by the self-asserted reset page and written as the directory password. -->
    <PersistedClaim ClaimTypeReferenceId="newPassword" PartnerClaimType="password"/>

  </PersistedClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>
  689.  
  690. <!-- Technical profiles for updating user record using objectId -->
  691.  
<!-- Updates givenName and surname on an existing account addressed by objectId (profile edit).
     RaiseErrorIfClaimsPrincipalAlreadyExists=false because an existing account is the expected case here;
     RaiseErrorIfClaimsPrincipalDoesNotExist=true so a stale or forged objectId cannot create a record.
     Used as the validation profile of SelfAsserted-ProfileUpdate. -->
<TechnicalProfile Id="AAD-UserWriteProfileUsingObjectId">
  <Metadata>
    <Item Key="Operation">Write</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">false</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
  </InputClaims>
  <PersistedClaims>
    <!-- Required claims -->
    <PersistedClaim ClaimTypeReferenceId="objectId" />

    <!-- Optional claims. Any claim the profile-edit page should save must be listed here as well as in
         SelfAsserted-ProfileUpdate. -->
    <PersistedClaim ClaimTypeReferenceId="givenName" />
    <PersistedClaim ClaimTypeReferenceId="surname" />
  </PersistedClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>
  712.  
  713. <!-- The following technical profile is used to read data after user authenticates. -->
<!-- Reads the directory record for an already-authenticated user (objectId is known) so that attributes not
     returned by the authenticating step can still be placed in the token. A missing record is a hard error.
     Referenced from SignUpOrSignIn step 5 and ProfileEdit step 4. -->
<TechnicalProfile Id="AAD-UserReadUsingObjectId">
  <Metadata>
    <Item Key="Operation">Read</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
  </InputClaims>
  <OutputClaims>

    <!-- Optional claims -->
    <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" />
    <OutputClaim ClaimTypeReferenceId="displayName" />
    <OutputClaim ClaimTypeReferenceId="otherMails" />
    <OutputClaim ClaimTypeReferenceId="givenName" />
    <OutputClaim ClaimTypeReferenceId="surname" />
  </OutputClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>
  734.  
  735. </TechnicalProfiles>
  736. </ClaimsProvider>
  737.  
<!-- Self-asserted (user-facing form) technical profiles that are not tied to local-account credentials. -->
<ClaimsProvider>
  <DisplayName>Self Asserted</DisplayName>
  <TechnicalProfiles>

    <!-- Sign-up page shown after a first-time social sign-in (SignUpOrSignIn step 4). displayName, givenName
         and surname are prefilled from the IdP output and can be edited; on submit the validation profile
         AAD-UserWriteUsingAlternativeSecurityId creates the directory account and returns objectId and newUser. -->
    <TechnicalProfile Id="SelfAsserted-Social">
      <DisplayName>User ID signup</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
      </Metadata>
      <CryptographicKeys>
        <!-- Same key container the JwtIssuer profile uses for its issuer_secret. -->
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
      </CryptographicKeys>
      <InputClaims>
        <!-- These claims ensure that any values retrieved in the previous steps (e.g. from an external IDP) are prefilled.
             Note that some of these claims may not have any value, for example, if the external IDP did not provide any of
             these values, or if the claim did not appear in the OutputClaims section of the IDP.
             In addition, if a claim is not in the InputClaims section, but it is in the OutputClaims section, then its
             value will not be prefilled, but the user will still be prompted for it (with an empty value). -->
        <InputClaim ClaimTypeReferenceId="displayName" />
        <InputClaim ClaimTypeReferenceId="givenName" />
        <InputClaim ClaimTypeReferenceId="surname" />
      </InputClaims>
      <OutputClaims>
        <!-- These claims are not shown to the user because their value is obtained through the "ValidationTechnicalProfiles"
             referenced below, or a default value is assigned to the claim. A claim is only shown to the user to provide a
             value if its value cannot be obtained through any other means. -->
        <OutputClaim ClaimTypeReferenceId="objectId" />
        <OutputClaim ClaimTypeReferenceId="newUser" />
        <!-- Marker that this page was executed; SM-AAD persists it in the session. -->
        <OutputClaim ClaimTypeReferenceId="executed-SelfAsserted-Input" DefaultValue="true" />

        <!-- Optional claims. These claims are collected from the user and can be modified. If a claim is to be persisted in the directory after having been
             collected from the user, it needs to be added as a PersistedClaim in the ValidationTechnicalProfile referenced below, i.e.
             in AAD-UserWriteUsingAlternativeSecurityId. -->
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="givenName" />
        <OutputClaim ClaimTypeReferenceId="surname" />
      </OutputClaims>
      <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
      </ValidationTechnicalProfiles>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialSignup" />
    </TechnicalProfile>

    <!-- Profile-edit page (ProfileEdit step 5): lets the user change givenName and surname and writes them through
         AAD-UserWriteProfileUsingObjectId. alternativeSecurityId and userPrincipalName are carried in as input
         claims only; they do not appear in OutputClaims.
         NOTE(review): the DisplayName below is the same text as SelfAsserted-Social ("User ID signup"); it looks
         like a copy-paste leftover rather than a description of this page. -->
    <TechnicalProfile Id="SelfAsserted-ProfileUpdate">
      <DisplayName>User ID signup</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="ContentDefinitionReferenceId">api.selfasserted.profileupdate</Item>
      </Metadata>
      <IncludeInSso>false</IncludeInSso>
      <InputClaims>

        <InputClaim ClaimTypeReferenceId="alternativeSecurityId" />

        <InputClaim ClaimTypeReferenceId="userPrincipalName" />

        <!-- Optional claims. These claims are collected from the user and can be modified. Any claim added here should be updated in the
             ValidationTechnicalProfile referenced below so it can be written to the directory after being updated by the user, i.e. AAD-UserWriteProfileUsingObjectId. -->
        <InputClaim ClaimTypeReferenceId="givenName" />
        <InputClaim ClaimTypeReferenceId="surname" />
      </InputClaims>
      <OutputClaims>
        <!-- Required claims -->
        <OutputClaim ClaimTypeReferenceId="executed-SelfAsserted-Input" DefaultValue="true" />

        <!-- Optional claims. These claims are collected from the user and can be modified. Any claim added here should be updated in the
             ValidationTechnicalProfile referenced below so it can be written to the directory after being updated by the user, i.e. AAD-UserWriteProfileUsingObjectId. -->
        <OutputClaim ClaimTypeReferenceId="givenName" />
        <OutputClaim ClaimTypeReferenceId="surname" />
      </OutputClaims>
      <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="AAD-UserWriteProfileUsingObjectId" />
      </ValidationTechnicalProfiles>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
  815.  
<!-- Local-account pages: sign-up, sign-in, password-reset discovery and password write.
     NOTE(review): in every profile of this provider the ValidationTechnicalProfiles block is commented out
     ("Demo: ... to the extension policy"). As written, these pages collect credentials but nothing in this
     base policy checks or stores them; the extension policy must supply the validation profiles, and a
     deployment that uses this base without such an extension should be tested to confirm the sign-in and
     password-reset pages cannot complete on their own. -->
<ClaimsProvider>
  <DisplayName>Local Account</DisplayName>
  <TechnicalProfiles>

    <!-- Sign-up with e-mail as sign-in name. The email output uses PartnerClaimType Verified.Email, which
         requires the address to be verified on the page before it is accepted. newPassword and reenterPassword
         are both required; the directory write that would consume them (AAD-UserWriteUsingLogonEmail) is the
         commented-out validation profile below. -->
    <TechnicalProfile Id="LocalAccountSignUpWithLogonEmail">
      <DisplayName>Email signup</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <!-- Makes the caller's IP available as the IpAddress claim to the profiles this page invokes. -->
        <Item Key="IpAddressClaimReferenceId">IpAddress</Item>
        <Item Key="ContentDefinitionReferenceId">api.localaccountsignup</Item>
        <Item Key="language.button_continue">Create</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
      </CryptographicKeys>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="email" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true" />
        <OutputClaim ClaimTypeReferenceId="newPassword" Required="true" />
        <OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true" />
        <OutputClaim ClaimTypeReferenceId="executed-SelfAsserted-Input" DefaultValue="true" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" />
        <OutputClaim ClaimTypeReferenceId="newUser" />

        <!-- Optional claims, to be collected from the user -->
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="givenName" />
        <!-- NOTE(review): written as "surName" here but "surname" everywhere else in this file; presumably the
             engine resolves claim ids case-insensitively, but using one spelling avoids the doubt. -->
        <OutputClaim ClaimTypeReferenceId="surName" />
      </OutputClaims>
      <!-- Demo: the validation technical profile has been moved to the extension policy
      <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingLogonEmail" />
      </ValidationTechnicalProfiles> -->
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
    </TechnicalProfile>

    <!-- This technical profile relies on a validation technical profile to authenticate the user.
         NOTE(review): with the validation block commented out, this base policy collects signInName and password
         but does not verify them; the commented reference (login-NonInteractive) is what the extension policy is
         expected to restore. Sign-up link and forgot-password link are both disabled on this page. -->
    <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
      <DisplayName>Local Account Signin</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="SignUpTarget"></Item>
        <Item Key="setting.operatingMode">Email</Item>
        <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
        <Item Key="setting.showSignupLink">false</Item>
        <Item Key="setting.forgotPasswordLinkLocation">None</Item>
      </Metadata>
      <IncludeInSso>false</IncludeInSso>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="signInName" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="signInName" Required="true" />
        <OutputClaim ClaimTypeReferenceId="password" Required="true" />
        <OutputClaim ClaimTypeReferenceId="objectId" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" />
      </OutputClaims>
      <!-- Demo: the validation technical profile has been moved to the extension policy
      <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="login-NonInteractive" />
      </ValidationTechnicalProfiles> -->
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
    </TechnicalProfile>

    <!-- This technical profile forces the user to verify the e-mail address they provide on the UI. Only after the
         address is verified is the user account read from the directory (AAD-UserReadUsingEmailAddress, currently
         commented out below). First step of the PasswordReset journey. -->
    <TechnicalProfile Id="LocalAccountDiscoveryUsingEmailAddress">
      <DisplayName>Reset password using email address</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="IpAddressClaimReferenceId">IpAddress</Item>
        <Item Key="ContentDefinitionReferenceId">api.localaccountpasswordreset</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
      </CryptographicKeys>
      <IncludeInSso>false</IncludeInSso>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true" />
        <OutputClaim ClaimTypeReferenceId="objectId" />
        <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" />

      </OutputClaims>
      <!-- Demo: the validation technical profile has been moved to the extension policy
      <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingEmailAddress" />
      </ValidationTechnicalProfiles> -->
    </TechnicalProfile>

    <!-- Second step of PasswordReset: collects the new password for the objectId found in the previous step.
         NOTE(review): objectId is an input claim here but not marked Required, and the write that would persist
         the password (AAD-UserWritePasswordUsingObjectId) is commented out; the extension policy is expected to
         restore it. -->
    <TechnicalProfile Id="LocalAccountWritePasswordUsingObjectId">
      <DisplayName>Change password (username)</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="ContentDefinitionReferenceId">api.localaccountpasswordreset</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
      </CryptographicKeys>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="objectId" />

      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="newPassword" Required="true" />
        <OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true" />
      </OutputClaims>
      <!-- Demo: the validation technical profile has been moved to the extension policy
      <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="AAD-UserWritePasswordUsingObjectId" />
      </ValidationTechnicalProfiles> -->
    </TechnicalProfile>

  </TechnicalProfiles>
</ClaimsProvider>
  934.  
  935. <ClaimsProvider>
  936. <DisplayName>Session Management</DisplayName>
  937. <TechnicalProfiles>
  938. <TechnicalProfile Id="SM-Noop">
  939. <DisplayName>Noop Session Management Provider</DisplayName>
  940. <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.NoopSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  941. </TechnicalProfile>
  942.  
  943. <TechnicalProfile Id="SM-AAD">
  944. <DisplayName>Session Mananagement Provider</DisplayName>
  945. <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.DefaultSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  946. <PersistedClaims>
  947. <PersistedClaim ClaimTypeReferenceId="objectId" />
  948. <PersistedClaim ClaimTypeReferenceId="signInName" />
  949. <PersistedClaim ClaimTypeReferenceId="authenticationSource" />
  950. <PersistedClaim ClaimTypeReferenceId="identityProvider" />
  951. <PersistedClaim ClaimTypeReferenceId="newUser" />
  952. <PersistedClaim ClaimTypeReferenceId="executed-SelfAsserted-Input" />
  953. </PersistedClaims>
  954. <OutputClaims>
  955. <OutputClaim ClaimTypeReferenceId="objectIdFromSession" DefaultValue="true"/>
  956. </OutputClaims>
  957. </TechnicalProfile>
  958.  
  959. <!-- Profile name is being used to disambiguate AAD session between sign up and sign in -->
  960. <TechnicalProfile Id="SM-SocialSignup">
  961. <IncludeTechnicalProfile ReferenceId="SM-AAD" />
  962. </TechnicalProfile>
  963.  
  964. <TechnicalProfile Id="SM-SocialLogin">
  965. <DisplayName>Session Mananagement Provider</DisplayName>
  966. <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.ExternalLoginSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  967. <Metadata>
  968. <Item Key="AlwaysFetchClaimsFromProvider">true</Item>
  969. </Metadata>
  970. <PersistedClaims>
  971. <PersistedClaim ClaimTypeReferenceId="AlternativeSecurityId" />
  972. </PersistedClaims>
  973. </TechnicalProfile>
  974.  
  975. </TechnicalProfiles>
  976. </ClaimsProvider>
  977.  
<!-- Built-in policy-engine profile; the url item resolves to the engine endpoint through the {service:te}
     placeholder. Not normally edited. -->
<ClaimsProvider>
  <DisplayName>Trustframework Policy Engine TechnicalProfiles</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="TpEngine_c3bd4fe2-1775-4013-b91d-35f16d377d13">
      <DisplayName>Trustframework Policy Engine Default Technical Profile</DisplayName>
      <Protocol Name="None" />
      <Metadata>
        <Item Key="url">{service:te}</Item>
      </Metadata>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
  990.  
<!-- JWT issuer used by the SendClaims step of every user journey in this file. Two key containers are
     referenced: B2C_1A_TokenSigningKeyContainer signs issued tokens (issuer_secret) and
     B2C_1A_TokenEncryptionKeyContainer protects refresh tokens (issuer_refresh_token_key). Both must exist in
     the tenant's policy keys before the policy is uploaded. Refresh tokens identify the user by objectId. -->
<ClaimsProvider>
  <DisplayName>Token Issuer</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="JwtIssuer">
      <DisplayName>JWT Issuer</DisplayName>
      <Protocol Name="None" />
      <OutputTokenFormat>JWT</OutputTokenFormat>
      <Metadata>
        <Item Key="client_id">{service:te}</Item>
        <Item Key="issuer_refresh_token_user_identity_claim_type">objectId</Item>
        <!-- Emits numeric token-response fields (e.g. expiry) as JSON numbers instead of strings. -->
        <Item Key="SendTokenResponseBodyWithJsonNumbers">true</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
        <Key Id="issuer_refresh_token_key" StorageReferenceId="B2C_1A_TokenEncryptionKeyContainer" />
      </CryptographicKeys>
      <InputClaims />
      <OutputClaims />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
  1012.  
  1013.  
<!-- Google as an OAuth2 identity provider. The client secret is read from the B2C_1A_GoogleSecret policy key;
     the client_id item below is a placeholder and is expected to be overridden in the extension policy.
     NOTE(review): scope requests only "email", yet given_name, family_name and name are mapped from the
     userinfo response; if those fields come back empty, the profile scope is the likely reason (verify
     against Google's current userinfo behaviour). Requesting only what the journey needs is the right default. -->
<ClaimsProvider>
  <Domain>google.com</Domain>
  <DisplayName>Google</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="Google-OAUTH">
      <DisplayName>Google</DisplayName>
      <Protocol Name="OAuth2" />
      <Metadata>
        <Item Key="ProviderName">google</Item>
        <Item Key="authorization_endpoint">https://accounts.google.com/o/oauth2/auth</Item>
        <Item Key="AccessTokenEndpoint">https://accounts.google.com/o/oauth2/token</Item>
        <Item Key="ClaimsEndpoint">https://www.googleapis.com/oauth2/v1/userinfo</Item>
        <Item Key="scope">email</Item>
        <Item Key="HttpBinding">POST</Item>
        <!-- 0: the redirect URI registered with Google does not include the policy name. -->
        <Item Key="UsePolicyInRedirectUri">0</Item>
        <!-- Placeholder value; must be replaced with the real OAuth client id (typically in the extension policy). -->
        <Item Key="client_id">Your Google+ application ID</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_GoogleSecret" />
      </CryptographicKeys>
      <OutputClaims>
        <!-- Google's "id" becomes socialIdpUserId; the transformations below derive the alternativeSecurityId from it. -->
        <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="id" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
        <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="google.com" />
        <!-- socialIdpAuthentication is what the user journeys test to route social logins through the
             AlternativeSecurityId read/write profiles. -->
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <!-- The transformations themselves are defined earlier in the file, outside this excerpt. -->
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
      <ErrorHandlers>
        <!-- If Google answers the token request with invalid_grant (e.g. a reused authorization code),
             send the user back through authentication instead of failing the journey. -->
        <ErrorHandler>
          <ErrorResponseFormat>json</ErrorResponseFormat>
          <ResponseMatch>$[?(@@.error == 'invalid_grant')]</ResponseMatch>
          <Action>Reauthenticate</Action>
          <!--In case of authorization code used error, we don't want the user to select his account again.-->
          <!--AdditionalRequestParameters Key="prompt">select_account</AdditionalRequestParameters-->
        </ErrorHandler>
      </ErrorHandlers>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
  1062. </ClaimsProviders>
  1063.  
<!-- User journeys exposed by this base policy. Every journey ends with a SendClaims step through JwtIssuer.
     NOTE(review): several steps reference FacebookExchange / Facebook-OAUTH, which is not defined in this part
     of the file; confirm it exists earlier in the policy or in an extension, otherwise those steps will fail
     validation on upload. -->
<UserJourneys>

  <!-- Combined sign-in / sign-up. Social selections are commented out on the first page, so only the local
       e-mail sign-in (SelfAsserted-LocalAccountSignin-Email, which has no validation in this base policy) is
       offered; steps 3, 4 and 6 are the social-account path and are skipped for local accounts. -->
  <UserJourney Id="SignUpOrSignIn">
    <OrchestrationSteps>

      <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
        <ClaimsProviderSelections>
          <!-- <ClaimsProviderSelection TargetClaimsExchangeId="FacebookExchange" />
          <ClaimsProviderSelection TargetClaimsExchangeId="GoogleExchange" /> -->
          <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
        </ClaimsProviderSelections>
        <ClaimsExchanges>
          <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
        </ClaimsExchanges>
      </OrchestrationStep>

      <!-- Check if the user has selected to sign in using one of the social providers; skipped once an
           objectId already exists (local sign-in succeeded in step 1). -->
      <OrchestrationStep Order="2" Type="ClaimsExchange">
        <Preconditions>
          <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
            <Value>objectId</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
        </Preconditions>
        <ClaimsExchanges>
          <ClaimsExchange Id="FacebookExchange" TechnicalProfileReferenceId="Facebook-OAUTH" />
          <ClaimsExchange Id="GoogleExchange" TechnicalProfileReferenceId="Google-OAUTH" />
          <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
        </ClaimsExchanges>
      </OrchestrationStep>

      <!-- For social IDP authentication, attempt to find the user account in the directory. The -NoError
           variant is used so a first-time social user simply has no objectId afterwards. -->
      <OrchestrationStep Order="3" Type="ClaimsExchange">
        <Preconditions>
          <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
            <Value>authenticationSource</Value>
            <Value>localAccountAuthentication</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
        </Preconditions>
        <ClaimsExchanges>
          <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />
        </ClaimsExchanges>
      </OrchestrationStep>

      <!-- Show self-asserted page only if the directory does not have the user account already (i.e. we do not have an objectId).
           This can only happen when authentication happened using a social IDP. If local account was created or authentication done
           using ESTS in step 2, then an user account must exist in the directory by this time. -->
      <OrchestrationStep Order="4" Type="ClaimsExchange">
        <Preconditions>
          <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
            <Value>objectId</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
        </Preconditions>
        <ClaimsExchanges>
          <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social" />
        </ClaimsExchanges>
      </OrchestrationStep>

      <!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent
           in the token. Skipped for social logins (they were already read in step 3). -->
      <OrchestrationStep Order="5" Type="ClaimsExchange">
        <Preconditions>
          <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
            <Value>authenticationSource</Value>
            <Value>socialIdpAuthentication</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
        </Preconditions>
        <ClaimsExchanges>
          <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <!-- The previous step (SelfAsserted-Social) could have been skipped if there were no attributes to collect
           from the user. So, in that case, create the user in the directory if one does not already exist
           (verified using objectId, which would be set from the last step if the account was created in the directory). -->
      <OrchestrationStep Order="6" Type="ClaimsExchange">
        <Preconditions>
          <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
            <Value>objectId</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
        </Preconditions>
        <ClaimsExchanges>
          <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
        </ClaimsExchanges>
      </OrchestrationStep>

      <OrchestrationStep Order="7" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />

    </OrchestrationSteps>
    <ClientDefinition ReferenceId="DefaultWeb" />
  </UserJourney>

  <!-- Profile edit: authenticate (Facebook or local e-mail), load the account, show the edit page, issue a token.
       NOTE(review): step 1 offers FacebookExchange even though SignUpOrSignIn has it commented out; and the
       local path goes through SelfAsserted-LocalAccountSignin-Email, which verifies nothing in this base policy,
       so a profile write here depends on the extension policy restoring that validation. -->
  <UserJourney Id="ProfileEdit">
    <OrchestrationSteps>

      <OrchestrationStep Order="1" Type="ClaimsProviderSelection" ContentDefinitionReferenceId="api.idpselections">
        <ClaimsProviderSelections>
          <ClaimsProviderSelection TargetClaimsExchangeId="FacebookExchange" />
          <ClaimsProviderSelection TargetClaimsExchangeId="LocalAccountSigninEmailExchange" />
        </ClaimsProviderSelections>
      </OrchestrationStep>
      <OrchestrationStep Order="2" Type="ClaimsExchange">
        <ClaimsExchanges>
          <ClaimsExchange Id="FacebookExchange" TechnicalProfileReferenceId="Facebook-OAUTH" />
          <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <!-- Social path: resolve the account by alternativeSecurityId (hard error if it does not exist). -->
      <OrchestrationStep Order="3" Type="ClaimsExchange">
        <Preconditions>
          <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
            <Value>authenticationSource</Value>
            <Value>localAccountAuthentication</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
        </Preconditions>
        <ClaimsExchanges>
          <ClaimsExchange Id="AADUserRead" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <!-- Local path: read the account by objectId. -->
      <OrchestrationStep Order="4" Type="ClaimsExchange">
        <Preconditions>
          <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
            <Value>authenticationSource</Value>
            <Value>socialIdpAuthentication</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
        </Preconditions>
        <ClaimsExchanges>
          <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
        </ClaimsExchanges>
      </OrchestrationStep>

      <OrchestrationStep Order="5" Type="ClaimsExchange">
        <ClaimsExchanges>
          <ClaimsExchange Id="B2CUserProfileUpdateExchange" TechnicalProfileReferenceId="SelfAsserted-ProfileUpdate" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <OrchestrationStep Order="6" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />

    </OrchestrationSteps>
    <ClientDefinition ReferenceId="DefaultWeb" />
  </UserJourney>

  <!-- Password reset: verify ownership of the e-mail address, then collect a new password. Both pages have
       their directory-access validation profiles commented out in this base policy, so the account lookup and
       the password write only happen if the extension policy restores them. -->
  <UserJourney Id="PasswordReset">
    <OrchestrationSteps>
      <OrchestrationStep Order="1" Type="ClaimsExchange">
        <ClaimsExchanges>
          <ClaimsExchange Id="PasswordResetUsingEmailAddressExchange" TechnicalProfileReferenceId="LocalAccountDiscoveryUsingEmailAddress" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <OrchestrationStep Order="2" Type="ClaimsExchange">
        <ClaimsExchanges>
          <ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
    </OrchestrationSteps>
    <ClientDefinition ReferenceId="DefaultWeb" />
  </UserJourney>

</UserJourneys>
  1228. </TrustFrameworkPolicy>