
I'm using the guide here to perform Just-In-Time migration of a user from a legacy IdP to Azure AD B2C: https://github.com/azure-ad-b2c/user-migration/tree/master/jit-migration-v2. I have this working properly on its own with a service I am using to query the legacy IdP and returning expected claims.

However, I would like to modify the above to first check if the user exists in AD before trying to migrate. I have tried declaring a ValidationTechnicalProfile, but it doesn't really seem to be working:

<TechnicalProfile Id="AAD-UserCheckUsingEmailAddress">
  <Metadata>
    <Item Key="Operation">Read</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
    <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">An account could not be found for the provided user ID.</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="username" Required="true" />
  </InputClaims>
  <OutputClaims>
    <!-- Required claims -->
    <OutputClaim ClaimTypeReferenceId="objectId" />
  </OutputClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>

Below, I use the above defined profile to check if the objectId exists in the claim before migration:

<!-- SIGN-IN -->
<TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="needToMigrate" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <!-- First check if user exists in AD -->
    <ValidationTechnicalProfile ReferenceId="AAD-UserCheckUsingEmailAddress" />

    <!-- Demo: Add user migration validation technical profile before login-NonInteractive.
         Only execute migration if user does not exist in AD -->
    <ValidationTechnicalProfile ReferenceId="REST-UserMigration-LocalAccount-SignIn" ContinueOnError="false">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>objectId</Value>
          <Action>SkipThisValidationTechnicalProfile</Action>
        </Precondition>
      </Preconditions>
    </ValidationTechnicalProfile>

1 Answers


Change this

<InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="username" Required="true" />

To

<InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.emailAddress" Required="true" />

And this

<Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>

To

<Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">false</Item>

This assumes that the user enters their email into a textbox (or it is otherwise acquired) with claim name signInName, and the user's identifier is stored in signInNames.emailAddress.

https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-technical-profile#inputclaims

PartnerClaimType username is not valid. There is no attribute on the user called username.

This sample does something similar https://github.com/azure-ad-b2c/user-migration/tree/master/seamless-account-migration

https://github.com/azure-ad-b2c/user-migration/blob/master/seamless-account-migration/policy/TrustFrameworkExtensionsSeamlessMigration.xml#L52
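The three things the question and the answer together hinge on can be checked mechanically before a policy is uploaded: the AD Read profile must key on an attribute the directory actually has, it must not raise on a missing user when a later precondition is meant to handle that case, and a ClaimsExist precondition is only meaningful on a claim that an earlier validation profile outputs. The script below is an added example, not code from the question, the answer or the user-migration repo. The policy fragment it lints is constructed here with the answer's two fixes applied; the profile ids are the question's, the REST profile body is a stub, the list of lookup keys is an assumption drawn from the technical-profile docs linked in the answer, and the two regression variants are derived from the fixed fragment by string substitution.

```python
import xml.etree.ElementTree as ET

# Namespace used by B2C TrustFrameworkPolicy files.
NS = {"cpim": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}

# Keys an AD technical profile can look a user up by in a Read operation
# (assumption: taken from the docs linked in the answer; not exhaustive, and
# any signInNames.* key is accepted below).
AAD_LOOKUP_KEYS = {"objectId", "userPrincipalName"}

# Constructed fragment: the question's profiles with the answer's fixes applied.
# The REST profile is a stub so the linter can resolve the reference.
POLICY = """
<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <ClaimsProviders><ClaimsProvider><TechnicalProfiles>
    <TechnicalProfile Id="AAD-UserCheckUsingEmailAddress">
      <Metadata>
        <Item Key="Operation">Read</Item>
        <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">false</Item>
      </Metadata>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.emailAddress" Required="true" />
      </InputClaims>
      <OutputClaims><OutputClaim ClaimTypeReferenceId="objectId" /></OutputClaims>
      <IncludeTechnicalProfile ReferenceId="AAD-Common" />
    </TechnicalProfile>
    <TechnicalProfile Id="REST-UserMigration-LocalAccount-SignIn">
      <Metadata><Item Key="ServiceUrl">https://legacy-idp.example/migrate</Item></Metadata>
      <OutputClaims><OutputClaim ClaimTypeReferenceId="needToMigrate" /></OutputClaims>
    </TechnicalProfile>
    <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
      <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="AAD-UserCheckUsingEmailAddress" />
        <ValidationTechnicalProfile ReferenceId="REST-UserMigration-LocalAccount-SignIn" ContinueOnError="false">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>objectId</Value>
              <Action>SkipThisValidationTechnicalProfile</Action>
            </Precondition>
          </Preconditions>
        </ValidationTechnicalProfile>
      </ValidationTechnicalProfiles>
    </TechnicalProfile>
  </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
</TrustFrameworkPolicy>
"""


def _metadata(tp):
    """Metadata <Item Key=...> entries of a technical profile as a dict."""
    return {i.get("Key"): (i.text or "").strip() for i in tp.iterfind("cpim:Metadata/cpim:Item", NS)}


def lint_policy(xml_text):
    """Return a list of findings for the check-before-migrate pattern; empty means clean."""
    root = ET.fromstring(xml_text)
    profiles = {tp.get("Id"): tp for tp in root.iterfind(".//cpim:TechnicalProfile", NS)}
    findings = []
    for tp_id, tp in profiles.items():
        produced = set()  # claims output by validation profiles that run earlier in this list
        for vtp in tp.iterfind("cpim:ValidationTechnicalProfiles/cpim:ValidationTechnicalProfile", NS):
            ref = vtp.get("ReferenceId")
            # A ClaimsExist precondition on a claim nothing earlier outputs can never fire.
            for pre in vtp.iterfind("cpim:Preconditions/cpim:Precondition", NS):
                if pre.get("Type") != "ClaimsExist":
                    continue
                for claim in (v.text.strip() for v in pre.iterfind("cpim:Value", NS)):
                    if claim not in produced:
                        findings.append(f"{tp_id}: {ref} tests ClaimsExist on '{claim}', "
                                        f"but no earlier validation profile outputs it")
            target = profiles.get(ref)
            if target is None:
                findings.append(f"{tp_id}: referenced profile {ref} is not defined")
                continue
            meta = _metadata(target)
            if meta.get("Operation") == "Read":
                if meta.get("RaiseErrorIfClaimsPrincipalDoesNotExist", "").lower() == "true":
                    findings.append(f"{ref}: RaiseErrorIfClaimsPrincipalDoesNotExist is true, so a "
                                    f"missing user fails sign-in instead of reaching the migration step")
                for ic in target.iterfind("cpim:InputClaims/cpim:InputClaim", NS):
                    key = ic.get("PartnerClaimType") or ic.get("ClaimTypeReferenceId")
                    if key not in AAD_LOOKUP_KEYS and not key.startswith("signInNames."):
                        findings.append(f"{ref}: '{key}' is not an AD attribute a Read can key on")
            produced.update(oc.get("ClaimTypeReferenceId")
                            for oc in target.iterfind("cpim:OutputClaims/cpim:OutputClaim", NS))
    return findings


# Constructed regressions: the question's original settings, and the AD check left out.
ORIGINAL_SETTINGS = (POLICY
    .replace('PartnerClaimType="signInNames.emailAddress"', 'PartnerClaimType="username"')
    .replace('RaiseErrorIfClaimsPrincipalDoesNotExist">false', 'RaiseErrorIfClaimsPrincipalDoesNotExist">true'))
CHECK_OMITTED = POLICY.replace(
    '<ValidationTechnicalProfile ReferenceId="AAD-UserCheckUsingEmailAddress" />', '')

if __name__ == "__main__":
    for name, text in [("fixed", POLICY), ("original", ORIGINAL_SETTINGS), ("no check", CHECK_OMITTED)]:
        print(name, lint_policy(text) or "OK")
```

Run it against a full TrustFrameworkExtensions file by replacing `POLICY` with the file contents; the ordering check is the one that matters most in practice, because a migration profile whose skip-precondition names a claim nothing before it produces will call the legacy IdP for every sign-in, including users already in the directory.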