0
votes

We are trying to set up SSO using our Organisational AD as the IdP (SAML) and Azure B2C as the Service Provider (SP). The Org AD is already used as a SAML IdP by many other SP vendors and works just fine.

I am getting an error when I try to set up custom policies. I have followed the Salesforce and ADFS sample tutorials. I see the assertion is coming back from SAML, but the next step is failing.

The exact error is: A claim could not be found for lookup claim with id "objectId" defined in technical profile with id "AAD-UserReadUsingObjectId" policy "B2C_1A_SignUpSignInDaimler" of tenant "xxxx.onmicrosoft.com".

Appreciate your help, Thanks

1
Hi @MB22: Can you include both the sign-up and sign-in user journey and the Organisation AD technical profile in the above question? - Chris Padgett

1 Answer

0
votes

The AAD-UserReadUsingObjectId technical profile will try to read some specified claims from Azure AD using the object ID. I am assuming the user you are signing in with does not exist in Azure, but only exists in the organizational AD, so even if you return the object ID from the org AD, it will still give you an error when it tries to find that user in Azure AD. I removed that step from my user journey and directly returned the claims from the organizational directory. I also added a default value for the objectId claim in case the SAML response does not return it.

<OutputClaim ClaimTypeReferenceId="objectid" PartnerClaimType="objectid" DefaultValue="ad-none"/>

My user journey:

<UserJourney Id="SignIn-ADFS">
  <OrchestrationSteps>

    <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
      <ClaimsProviderSelections>
        <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
        <ClaimsProviderSelection TargetClaimsExchangeId="TestExchange" />
      </ClaimsProviderSelections>
      <ClaimsExchanges>
        <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
      </ClaimsExchanges>
    </OrchestrationStep>

    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>objectId</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
        <ClaimsExchange Id="TestExchange" TechnicalProfileReferenceId="macrohouse-SAML2" />
      </ClaimsExchanges>
    </OrchestrationStep>

    <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
  <ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>
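The objectId default from the answer lives in the SAML2 claims-provider technical profile that the journey's TestExchange step references (macrohouse-SAML2). The following is an added illustrative profile, not the answerer's own; its Domain, PartnerEntity metadata URL, key container name and partner claim names are assumed placeholders.

```xml
<!-- Added example, not from the original answer: a SAML2 claims-provider
     technical profile for the organisational AD. Placeholders: the Domain,
     the PartnerEntity metadata URL, the signing-key container name and the
     partner claim names, which must match what the IdP actually issues. -->
<ClaimsProvider>
  <Domain>contoso.com</Domain>
  <DisplayName>Organisational AD (SAML)</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="macrohouse-SAML2">
      <DisplayName>Organisational AD</DisplayName>
      <Protocol Name="SAML2" />
      <Metadata>
        <!-- Placeholder: federation metadata of the organisational AD IdP -->
        <Item Key="PartnerEntity">https://idp.example.com/FederationMetadata/2007-06/FederationMetadata.xml</Item>
      </Metadata>
      <CryptographicKeys>
        <!-- Placeholder: B2C policy key used to sign the outgoing AuthnRequest -->
        <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SamlIdpCert" />
      </CryptographicKeys>
      <OutputClaims>
        <!-- Stable user identifier taken from the assertion's NameID -->
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="assertionSubjectName" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" />
        <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
        <!-- Defaulted so later steps that expect objectId still get a value,
             since this user has no object in the Azure AD B2C directory -->
        <OutputClaim ClaimTypeReferenceId="objectId" DefaultValue="ad-none" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="contoso.com" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-idp" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

Because the journey skips the AAD-UserReadUsingObjectId lookup, every claim the JwtIssuer emits for these users comes straight from the assertion, so the IdP's signing certificate in PartnerEntity metadata is the only thing vouching for them.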