My company has to federate with several external IdPs (using industry-standard solutions such as AD FS, F5, etc) which issue group claims.
When a user has multiple groups, these IdPs issue a response with the claim in the following format:
"groups": ["Domain Users", "US Users", "Administrators"]
But when a user has only a single group:
"groups": "Domain Users"
Here is the b2cGroups ClaimType as defined in TrustFrameworkExtensions:
<ClaimType Id="b2cGroups">
<DisplayName>Groups</DisplayName>
<DataType>stringCollection</DataType>
<AdminHelpText>User's groups.</AdminHelpText>
</ClaimType>
And the OutputClaim in the external IdP TechnicalProfile:
<OutputClaim ClaimTypeReferenceId="b2cGroups" PartnerClaimType="groups" />
In the current configuration, B2C throws a fatal exception when a user has only a single group:
The data type 'String' of the claim with id 'groups' does not match the DataType 'StringCollection' of ClaimType with id 'b2cGroups' specified in the policy.
I can alter the claim definition from stringCollection to string:
<ClaimType Id="b2cGroups">
<DisplayName>Groups</DisplayName>
<DataType>string</DataType>
<AdminHelpText>User's groups.</AdminHelpText>
</ClaimType>
But now when a user has multiple groups:
The data type 'StringCollection' of the claim with id 'groups' does not match the DataType 'String' of ClaimType with id 'b2cGroups' specified in the policy.
The exception happens during execution of the OIDC or SAML2 technical profile itself, so I can't use a claims transformation to manipulate the data. It seems B2C has no leniency for this potential inconsistency in data types, which is right in theory, but in practice, the major federated identity solutions (such as AD FS, which is also a MS product) don't adhere to this standard.
This has become a major issue that, left unresolved, will force us to tear up our existing B2C infrastructure and migrate to another CIAM solution. Is there a fix, or hack that I can apply to mitigate this issue?
