
I'm using ADFS as an IdP for Azure B2C through OpenID Connect. Login works and B2C sends the UPN from ADFS as the socialIdpUserId claim in the JWT token.

But group claims from ADFS do not work. How do I receive group claims in the JWT?

Here is the setup. ADFS claim rule (domain security groups and UPN):

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/claims/Group"), query = ";userPrincipalName,tokenGroups(longDomainQualifiedName);{0}", param = c.Value);

Client permissions are set to openid and allatclaims.

New group claim type definition in the TrustFrameworkBase policy, in ClaimsSchema:

    <ClaimsSchema>
      <ClaimType Id="group">
        <DisplayName>group</DisplayName>
        <DataType>string</DataType>
        <DefaultPartnerClaimTypes>
          <Protocol Name="OAuth2" PartnerClaimType="group" />
          <Protocol Name="OpenIdConnect" PartnerClaimType="group" />
          <Protocol Name="SAML2" PartnerClaimType="http://schemas.xmlsoap.org/claims/Group" />
        </DefaultPartnerClaimTypes>
      </ClaimType>
    </ClaimsSchema>

Output group claim definition in the TechnicalProfile in the TrustFrameworkExtensions policy:

    <OutputTokenFormat>JWT</OutputTokenFormat>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="UPN" />
      <OutputClaim ClaimTypeReferenceId="group" PartnerClaimType="group" />
    </OutputClaims>

Output group claim definition in the TechnicalProfile in the SignUpOrSignIn policy file:

    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="socialIdpUserId" />
        <OutputClaim ClaimTypeReferenceId="group" />
        <OutputClaim ClaimTypeReferenceId="authmethod" />
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
        <OutputClaim ClaimTypeReferenceId="identityProvider" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>

But no group claim comes with the JWT token! Why?

Change the DataType of your group claim definition from string to stringCollection and try again. If it still does not work, you can at least look at the ADFS logs (and Fiddler) to see what ADFS is sending. – astaykov

ADFS sends each security group as a separate string claim, not as a collection. But I tried a stringCollection anyway. No, it does not help. I think something is wrong with the B2C setup. I'm digging in the B2C logs now. – Michael Chudinov

2 Answers


Here is how to issue group claims out of B2C:

1. Define a new claim type for groups in the Base policy file. This definition should be at the end of the <ClaimsSchema> element (yes, the man who wrote about stringCollection was right!):

        <ClaimType Id="IdpUserGroups">
          <DisplayName>Security groups</DisplayName>
          <DataType>stringCollection</DataType>
          <DefaultPartnerClaimTypes>
            <Protocol Name="OAuth2" PartnerClaimType="groups" />
            <Protocol Name="OpenIdConnect" PartnerClaimType="groups" />
            <Protocol Name="SAML2" PartnerClaimType="http://schemas.xmlsoap.org/claims/Group" />
          </DefaultPartnerClaimTypes>
        </ClaimType>

2. Use this newly defined claim in the <OutputClaims> of the <ClaimsProvider> definition for ADFS in the extension policy:

        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" />
          <OutputClaim ClaimTypeReferenceId="IdpUserGroups" PartnerClaimType="http://schemas.xmlsoap.org/claims/Group" />
          <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="SAML fmdadfs4.local"/>
          <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="SAML ADFS4 fmdadfs4.local" />
        </OutputClaims>

3. Use the same claim in the <OutputClaims> definition of the relying party under the <RelyingParty> element in your SignIn policy file:

        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="socialIdpUserId" />
          <OutputClaim ClaimTypeReferenceId="IdpUserGroups" />
          <OutputClaim ClaimTypeReferenceId="identityProvider" />
          <OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="userPrincipalName" />
        </OutputClaims>

4. Issue group claims from ADFS as shown here. [screenshot of the ADFS claim rule]


Looks like the OP simply has the PartnerClaimType misspelled. Not certain, because you may have mapped something non-standard, but I'm thinking you just need to change your PartnerClaimType from group to groups.

    <ClaimType Id="groups">
      <DisplayName>Groups</DisplayName>
      <DataType>stringCollection</DataType>
      <DefaultPartnerClaimTypes>
        <Protocol Name="OpenIdConnect" PartnerClaimType="groups" />
      </DefaultPartnerClaimTypes>
      <UserHelpText>List of group memberships</UserHelpText>
    </ClaimType>
  • Once you define the ClaimType, you don't need to specify the PartnerClaimType anywhere else - unless you're overriding the value.
  • I'd also consider using the DefaultValue="" attribute so you can check your policy is properly executing the output claim.

    <OutputClaim ClaimTypeReferenceId="groups" DefaultValue="no groups assigned" />
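Both answers point at a mapping error between the ADFS-issued claim and the B2C ClaimType (wrong PartnerClaimType, or a multi-valued claim declared as a single string). The following lint catches both before a policy is uploaded; it is an added example, not code from the question or the answers, and the policy fragments and the set of claim URIs ADFS issues are constructed from the snippets quoted in this thread.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the fragments in this thread (not real policy files).
BASE_XML = """<ClaimsSchema>
  <ClaimType Id="socialIdpUserId"><DataType>string</DataType></ClaimType>
  <ClaimType Id="identityProvider"><DataType>string</DataType></ClaimType>
  <ClaimType Id="group"><DataType>string</DataType></ClaimType>
  <ClaimType Id="IdpUserGroups"><DataType>stringCollection</DataType></ClaimType>
</ClaimsSchema>"""
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
GROUP = "http://schemas.xmlsoap.org/claims/Group"
ADFS_CLAIMS = {UPN, GROUP}  # claim types the ADFS rule in the question issues
MULTI_VALUED = {GROUP, "groups"}  # issued once per value; need stringCollection (assumption)
BROKEN_EXT = f"""<OutputClaims>
  <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="{UPN}" />
  <OutputClaim ClaimTypeReferenceId="group" PartnerClaimType="group" />
</OutputClaims>"""
FIXED_EXT = f"""<OutputClaims>
  <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="{UPN}" />
  <OutputClaim ClaimTypeReferenceId="IdpUserGroups" PartnerClaimType="{GROUP}" />
  <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="SAML ADFS4" />
</OutputClaims>"""

def _local(tag):
    """Strip a namespace prefix so the lint also works on real namespaced policies."""
    return tag.rsplit("}", 1)[-1]

def claim_datatypes(base_xml):
    """Map ClaimType Id -> DataType text from a ClaimsSchema fragment."""
    return {ct.get("Id"): next((c.text for c in ct if _local(c.tag) == "DataType"), None)
            for ct in ET.fromstring(base_xml).iter() if _local(ct.tag) == "ClaimType"}

def lint_idp_output_claims(base_xml, ext_xml, idp_issued):
    """Return findings for OutputClaims the IdP token cannot populate as declared."""
    types, findings = claim_datatypes(base_xml), []
    for oc in ET.fromstring(ext_xml).iter():
        if _local(oc.tag) != "OutputClaim":
            continue
        ref, partner = oc.get("ClaimTypeReferenceId"), oc.get("PartnerClaimType")
        if ref not in types:
            findings.append(f"{ref}: not declared in ClaimsSchema")
        elif oc.get("DefaultValue") is not None or partner is None:
            continue  # constant value or same-name mapping: nothing to compare
        elif partner not in idp_issued:
            findings.append(f"{ref}: PartnerClaimType '{partner}' is not issued by the IdP")
        elif partner in MULTI_VALUED and types[ref] != "stringCollection":
            findings.append(f"{ref}: multi-valued '{partner}' mapped to DataType {types[ref]}")
    return findings
```

Running it on the question's mapping reports that PartnerClaimType "group" is not something ADFS issues, while the accepted answer's mapping passes clean.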