
I am currently working with Azure B2C custom policies for my Auth flow.

I have a ClaimsProviderSelection orchestration step which shows the user two options:

  1. Send code to their MFA email saved in authentication methods
  2. Lost Email

What I would like to do is show the user's email address, through the use of a ClaimsProvider, in either the display text or the button itself (see below).


If this is not possible, then I would love to be able to add a 'lost email' button on the verification control page itself - like so:


From what I have seen though, it seems this is only available with 'ForgotPasswordExchange' (as seen here: https://docs.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-custom-policy) for passwords and not authentication methods.
If anyone has any experience with customizing ClaimsProviderSelection steps, or adding custom links on orchestration steps your help would be greatly appreciated!

See below for code examples:

Orchestration step:

<OrchestrationStep Order="2" Type="ClaimsProviderSelection" ContentDefinitionReferenceId="api.MFAselections">
  <Preconditions>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
      <Value>strongAuthenticationEmailAddress</Value>
      <Value>strongAuthenticationPhoneNumber</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsProviderSelections>
    <ClaimsProviderSelection TargetClaimsExchangeId="MFAVerifyEmailAddress" />
    <ClaimsProviderSelection TargetClaimsExchangeId="LostEmailExchange" />
  </ClaimsProviderSelections>
</OrchestrationStep>

Technical Profile:

<TechnicalProfile Id="MFA_VerifyEmailAddress">
  <DisplayName>SEND TO {Claim:strongAuthenticationEmailAddress}</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ContentDefinitionReferenceId">MFAVerifyEmail</Item>
    <Item Key="IncludeClaimResolvingInClaimsHandling">true</Item>
    <!-- <Item Key="setting.showContinueButton">false</Item> -->
    <Item Key="setting.showCancelButton">false</Item>
    <Item Key="UserMessageIfSessionDoesNotExist">You have exceeded the maximum time allowed.</Item>
    <Item Key="UserMessageIfMaxRetryAttempted">You have exceeded the number of retries allowed.</Item>
    <Item Key="UserMessageIfInvalidCode">You have entered the wrong code.</Item>
    <Item Key="UserMessageIfSessionConflict">Cannot verify the code, please try again later.</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="MFAcomplete" DefaultValue="true" AlwaysUseDefaultValue="true" />
  </InputClaims>
  <DisplayClaims>
    <DisplayClaim DisplayControlReferenceId="emailVerificationControl" />
  </DisplayClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="MFAcomplete" DefaultValue="email" AlwaysUseDefaultValue="true" />
    <OutputClaim ClaimTypeReferenceId="isLostEmail" DefaultValue="false" AlwaysUseDefaultValue="true" />
  </OutputClaims>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>

2 Answers


Have you tried doing an output claims transformation on the email in a previous step: create a claim of type string, append the email to it, and then display that on the screen?


For anyone who is coming across this - this is what I ended up doing:

  1. Add ContentDefinitionParameters with claim to UserJourneyBehaviors in your RelyingParty

<ContentDefinitionParameters>
  <Parameter Name="email">{Claim:maskedEmail}</Parameter>
</ContentDefinitionParameters>

  2. Use JS to grab the email claim from the page source, and insert it into the HTML

const parser = new URL(SETTINGS.remoteResource);
let email = parser.searchParams.get('email');
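A fuller version of the second step, as an added example that is not part of either answer. It assumes the answer's setup: a `maskedEmail` claim produced earlier in the journey is passed as the `email` ContentDefinitionParameter, so it arrives on the page as a query parameter of `SETTINGS.remoteResource`. The sample URL, the `emailLabel` element id and the label text are constructed for the example.

```javascript
// Constructed sample of what SETTINGS.remoteResource looks like once B2C has
// appended the ContentDefinitionParameters to the page URL (masked address).
const SAMPLE_REMOTE_RESOURCE =
  'https://example.invalid/b2c/mfa.html?email=j***%40example.com&ui_locales=en';

// Pull one query parameter out of the remoteResource URL.
// Returns null when the URL is malformed or the parameter is absent/blank, so
// the caller can fall back to generic text instead of rendering "null".
function extractEmailParam(remoteResource, paramName = 'email') {
  let url;
  try {
    url = new URL(remoteResource);
  } catch (e) {
    return null;
  }
  const value = url.searchParams.get(paramName);
  return value && value.trim() !== '' ? value.trim() : null;
}

// Label shown next to the "send code" option; falls back when no email came through.
function buildLabel(email) {
  return email ? `Send code to ${email}` : 'Send code to your registered email';
}

// Insert the label into the page. textContent is used on purpose, never
// innerHTML: the value crossed a URL query string, so it is treated as plain
// text and never interpreted as markup (avoids a DOM-based XSS sink).
// Returns the rendered text, or null when not running inside a B2C page.
function renderEmailLabel(targetId = 'emailLabel') {
  if (typeof document === 'undefined' || typeof SETTINGS === 'undefined') {
    return null; // not running inside a B2C custom page
  }
  const email = extractEmailParam(SETTINGS.remoteResource);
  const target = document.getElementById(targetId);
  if (!target) {
    return null;
  }
  target.textContent = buildLabel(email);
  return target.textContent;
}

renderEmailLabel();
```

Call `renderEmailLabel()` after the page's own script has defined `SETTINGS` and the target element exists; the helpers are pure so they can be unit-tested outside the browser.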