Claim resolvers in Azure Active Directory B2C (Azure AD B2C) custom policies provide context information about an authorization request, such as the policy name, request correlation ID, user interface language, and more.
To use a claim resolver in an input or output claim, you define a string ClaimType, under the ClaimsSchema element, and then you set the DefaultValue to the claim resolver in the input or output claim element. Azure AD B2C reads the value of the claim resolver and uses the value in the technical profile.
In the following example, a claim type named correlationId is defined with a DataType of string.
```xml
<ClaimType Id="correlationId">
  <DisplayName>correlationId</DisplayName>
  <DataType>string</DataType>
  <UserHelpText>Request correlation Id</UserHelpText>
</ClaimType>
```
In the technical profile, map the claim resolver to the claim type. Azure AD B2C populates the value of the claim resolver {Context:CorrelationId} into the claim correlationId and sends the claim to the technical profile.
```xml
<InputClaim ClaimTypeReferenceId="correlationId" DefaultValue="{Context:CorrelationId}" />
```
Culture
The following table lists the claim resolvers with information about the language used in the authorization request:
Claim | Description | Example |
---|---|---|
{Culture:LanguageName} | The two letter ISO code for the language. | en |
{Culture:LCID} | The LCID of language code. | 1033 |
{Culture:RegionName} | The two letter ISO code for the region. | US |
{Culture:RFC5646} | The RFC5646 language code. | en-US |
Check out the Live demo of the culture claim resolvers.
Policy
The following table lists the claim resolvers with information about the policy used in the authorization request:
Claim | Description | Example |
---|---|---|
{Policy:PolicyId} | The relying party policy name. | B2C_1A_signup_signin |
{Policy:RelyingPartyTenantId} | The tenant ID of the relying party policy. | your-tenant.onmicrosoft.com |
{Policy:TenantObjectId} | The tenant object ID of the relying party policy. | 00000000-0000-0000-0000-000000000000 |
{Policy:TrustFrameworkTenantId} | The tenant ID of the trust framework. | your-tenant.onmicrosoft.com |
Check out the Live demo of the policy claim resolvers.
Context
The following table lists the contextual claim resolvers of the authorization request:
Claim | Description | Example |
---|---|---|
{Context:BuildNumber} | The Identity Experience Framework version (build number). | 1.0.507.0 |
{Context:CorrelationId} | The correlation ID. | 00000000-0000-0000-0000-000000000000 |
{Context:DateTimeInUtc} | The date time in UTC. | 10/10/2021 12:00:00 PM |
{Context:DeploymentMode} | The policy deployment mode. | Production |
{Context:HostName} | The host name of the current request. | contoso.b2clogin.com |
{Context:IPAddress} | The user IP address. | 11.111.111.11 |
{Context:KMSI} | Indicates whether Keep me signed in checkbox is selected. | true |
Check out the Live demo of the context claim resolvers.
Claims
This section describes how to get a claim value as a claim resolver.
Claim | Description | Example |
---|---|---|
{Claim:claim type} | An identifier of a claim type already defined in the ClaimsSchema section in the policy file or parent policy file. For example: {Claim:displayName}, or {Claim:objectId}. | A claim type value. |
OpenID Connect
The following table lists the claim resolvers with information about the OpenID Connect authorization request:
Claim | Description | Example |
---|---|---|
{OIDC:AuthenticationContextReferences} | The acr_values query string parameter. | N/A |
{OIDC:ClientId} | The client_id query string parameter. | 00000000-0000-0000-0000-000000000000 |
{OIDC:DomainHint} | The domain_hint query string parameter. | facebook.com |
{OIDC:LoginHint} | The login_hint query string parameter. | someone@contoso.com |
{OIDC:MaxAge} | The max_age query string parameter. | N/A |
{OIDC:Nonce} | The Nonce query string parameter. | defaultNonce |
{OIDC:Password} | The resource owner password credentials flow user's password. | password1 |
{OIDC:Prompt} | The prompt query string parameter. | login |
{OIDC:RedirectUri} | The redirect_uri query string parameter. | https://jwt.ms |
{OIDC:Resource} | The resource query string parameter. | N/A |
{OIDC:Scope} | The scope query string parameter. | openid |
{OIDC:Username} | The resource owner password credentials flow user's username. | emily@contoso.com |
Check out the Live demo of the OpenID Connect claim resolvers.
OAuth2 key-value parameters
Any parameter name included as part of an OIDC or OAuth2 request can be mapped to a claim in the user journey. For example, the request from the application might include a query string parameter with a name of app_session, loyalty_number, or any custom query string.
Claim | Description | Example |
---|---|---|
{OAUTH-KV:campaignId} | A query string parameter. | Hawaii |
{OAUTH-KV:app_session} | A query string parameter. | A3C5R |
{OAUTH-KV:loyalty_number} | A query string parameter. | 1234 |
{OAUTH-KV:any custom query string} | A query string parameter. | N/A |
SAML
The following table lists the claim resolvers with information about the SAML authorization request:
Claim | Description | Example |
---|---|---|
{SAML:AuthnContextClassReferences} | The AuthnContextClassRef element value, from the SAML request. | urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport |
{SAML:NameIdPolicyFormat} | The Format attribute, from the NameIDPolicy element of the SAML request. | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
{SAML:Issuer} | The SAML Issuer element value of the SAML request. | https://contoso.com |
{SAML:AllowCreate} | The AllowCreate attribute value, from the NameIDPolicy element of the SAML request. | True |
{SAML:ForceAuthn} | The ForceAuthN attribute value, from the AuthnRequest element of the SAML request. | True |
{SAML:ProviderName} | The ProviderName attribute value, from the AuthnRequest element of the SAML request. | Contoso.com |
{SAML:RelayState} | The RelayState query string parameter. | |
{SAML:Subject} | The Subject from the NameId element of the SAML AuthN request. | |
{SAML:Binding} | The ProtocolBinding attribute value, from the AuthnRequest element of the SAML request. | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST |
Check out the Live demo of the SAML claim resolvers.
OAuth2 identity provider
The following table lists the OAuth2 identity provider claim resolvers:
Claim | Description | Example |
---|---|---|
{oauth2:access_token} | The OAuth2 identity provider access token. The access_token attribute. | eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1Ni... |
{oauth2:token_type} | The type of the access token. The token_type attribute. | Bearer |
{oauth2:expires_in} | The length of time that the access token is valid in seconds. The expires_in attribute. The output claim DataType must be int or long. | 960000 |
{oauth2:refresh_token} | The OAuth2 identity provider refresh token. The refresh_token attribute. | eyJraWQiOiJacW9pQlp2TW5pYVc2MUY... |
To use the OAuth2 identity provider claim resolvers, set the output claim's PartnerClaimType attribute to the claim resolver. The following example demonstrates how to get the external identity provider claims:
```xml
<ClaimsProvider>
  <DisplayName>Contoso</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="Contoso-OAUTH">
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}" />
        <OutputClaim ClaimTypeReferenceId="identityProviderAccessTokenType" PartnerClaimType="{oauth2:token_type}" />
        <OutputClaim ClaimTypeReferenceId="identityProviderAccessTokenExpiresIn" PartnerClaimType="{oauth2:expires_in}" />
        <OutputClaim ClaimTypeReferenceId="identityProviderRefreshToken" PartnerClaimType="{oauth2:refresh_token}" />
      </OutputClaims>
      ...
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```
Using claim resolvers
You can use claims resolvers with the following elements:
Item | Element | Settings |
---|---|---|
Application Insights technical profile | InputClaim | |
Azure Active Directory technical profile | InputClaim , OutputClaim | 1, 2 |
OAuth2 technical profile | InputClaim , OutputClaim | 1, 2 |
OpenID Connect technical profile | InputClaim , OutputClaim | 1, 2 |
Claims transformation technical profile | InputClaim , OutputClaim | 1, 2 |
RESTful provider technical profile | InputClaim | 1, 2 |
SAML identity provider technical profile | OutputClaim | 1, 2 |
Self-Asserted technical profile | InputClaim , OutputClaim | 1, 2 |
ContentDefinition | LoadUri | |
ContentDefinitionParameters | Parameter | |
RelyingParty technical profile | OutputClaim | 2 |
Settings:
1. The IncludeClaimResolvingInClaimsHandling metadata must be set to true.
2. The input or output claims attribute AlwaysUseDefaultValue must be set to true.
Claim resolvers samples
RESTful technical profile
In a RESTful technical profile, you may want to send the user language, policy name, scope, and client ID. Based on these claims, the REST API can run custom business logic and, if necessary, raise a localized error message.
The following example shows a RESTful technical profile with this scenario:
```xml
<TechnicalProfile Id="REST">
  <DisplayName>Validate user input data and return loyaltyNumber claim</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ServiceUrl">https://your-app.azurewebsites.net/api/identity</Item>
    <Item Key="AuthenticationType">None</Item>
    <Item Key="SendClaimsIn">Body</Item>
    <Item Key="IncludeClaimResolvingInClaimsHandling">true</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="userLanguage" DefaultValue="{Culture:LCID}" AlwaysUseDefaultValue="true" />
    <InputClaim ClaimTypeReferenceId="policyName" DefaultValue="{Policy:PolicyId}" AlwaysUseDefaultValue="true" />
    <InputClaim ClaimTypeReferenceId="scope" DefaultValue="{OIDC:Scope}" AlwaysUseDefaultValue="true" />
    <InputClaim ClaimTypeReferenceId="clientId" DefaultValue="{OIDC:ClientId}" AlwaysUseDefaultValue="true" />
  </InputClaims>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
```
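The following is an added example, not code from the Azure AD B2C docs, of what the endpoint behind ServiceUrl might do with the four input claims the REST technical profile above sends in the request body: it checks the caller's client ID against a constructed allowlist, requires the openid scope, and answers either with the loyaltyNumber claim or with a localized userMessage in the 409 conflict body that B2C surfaces to the user. The allowlist, the loyalty-number lookup and the error strings are assumptions.

```python
"""Constructed example: receiving endpoint for the REST technical profile.

Azure AD B2C posts the input claims as a JSON body (SendClaimsIn = Body).
A 200 with a flat JSON object returns output claims; a 409 with
version/status/userMessage surfaces a localized error to the user.
"""
import json

# Constructed allowlist of client IDs permitted to call this policy (assumption).
ALLOWED_CLIENT_IDS = {"0239a9cc-309c-4d41-87f1-31288feb2e82"}

# LCID from {Culture:LCID} -> localized error text (1033 en-US, 1036 fr-FR, 1031 de-DE).
ERROR_TEXT = {
    1033: "This application is not allowed to sign in with this policy.",
    1036: "Cette application n'est pas autorisée à utiliser cette stratégie.",
    1031: "Diese Anwendung darf diese Richtlinie nicht verwenden.",
}
DEFAULT_LCID = 1033

REQUIRED_CLAIMS = ("userLanguage", "policyName", "scope", "clientId")


def _error(status, lcid, text=None):
    """Build the error body B2C expects: version, status and userMessage."""
    message = text or ERROR_TEXT.get(lcid, ERROR_TEXT[DEFAULT_LCID])
    return status, {"version": "1.0.0", "status": status, "userMessage": message}


def parse_lcid(value):
    """userLanguage arrives as the LCID; tolerate int or numeric string."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return DEFAULT_LCID


def handle_identity_request(raw_body):
    """Return (http_status, json_body) for one B2C REST call."""
    try:
        claims = json.loads(raw_body)
    except json.JSONDecodeError:
        return _error(400, DEFAULT_LCID, text="Malformed request body.")
    if not isinstance(claims, dict):
        return _error(400, DEFAULT_LCID, text="Request body must be a JSON object.")

    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        return _error(400, DEFAULT_LCID, text="Missing claims: " + ", ".join(missing))

    lcid = parse_lcid(claims["userLanguage"])

    # clientId is resolved from the authorization request, so it is
    # caller-controlled input: compare it against the allowlist.
    if claims["clientId"] not in ALLOWED_CLIENT_IDS:
        return _error(409, lcid)

    # scope is space-separated per OAuth2; openid is required for an ID token.
    if "openid" not in str(claims["scope"]).split():
        return _error(409, lcid)

    # Constructed business logic: look up the loyalty number for this policy.
    loyalty_numbers = {"B2C_1A_signup_signin": "1234"}
    loyalty = loyalty_numbers.get(claims["policyName"])
    if loyalty is None:
        return _error(409, lcid)

    # Each key of the 200 body becomes an output claim in the technical profile.
    return 200, {"loyaltyNumber": loyalty}
```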
Direct sign-in
Using claim resolvers, you can prepopulate the sign-in name or direct sign-in to a specific social identity provider, such as Facebook, LinkedIn, or a Microsoft account. For more information, see Set up direct sign-in using Azure Active Directory B2C.
Dynamic UI customization
Azure AD B2C enables you to pass query string parameters to your HTML content definition endpoints to dynamically render the page content. For example, this feature allows the ability to modify the background image on the Azure AD B2C sign-up or sign-in page based on a custom parameter that you pass from your web or mobile application. For more information, see Dynamically configure the UI by using custom policies in Azure Active Directory B2C. You can also localize your HTML page based on a language parameter, or you can change the content based on the client ID.
The following example passes in the query string parameter named campaignId with a value of Hawaii, a language code of en-US, and app representing the client ID:
```xml
<UserJourneyBehaviors>
  <ContentDefinitionParameters>
    <Parameter Name="campaignId">{OAUTH-KV:campaignId}</Parameter>
    <Parameter Name="language">{Culture:RFC5646}</Parameter>
    <Parameter Name="app">{OIDC:ClientId}</Parameter>
  </ContentDefinitionParameters>
</UserJourneyBehaviors>
```
As a result, Azure AD B2C sends the above parameters to the HTML content page:
```
/selfAsserted.aspx?campaignId=hawaii&language=en-US&app=0239a9cc-309c-4d41-87f1-31288feb2e82
```
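An added example, not part of the original article, of how the content page on the receiving end of that query string can use the three parameters safely: campaignId reaches the page straight from the application's authorization request via {OAUTH-KV:campaignId}, so every parameter is mapped through an allowlist before anything is interpolated into the markup. The campaign-to-image map, the localized titles and the page markup are assumptions.

```python
"""Constructed example: server-side handling of the query string that Azure AD
B2C appends to the content page (campaignId, language, app)."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed campaign -> background image map (assumption). Keys are
# lowercase because the example URL shows campaignId=hawaii arriving lowercased.
CAMPAIGN_BACKGROUNDS = {
    "hawaii": "/images/hawaii.jpg",
    "tokyo": "/images/tokyo.jpg",
}
DEFAULT_BACKGROUND = "/images/default.jpg"

# language is {Culture:RFC5646}; only these tags have localized strings here.
LOCALIZED_TITLE = {
    "en-US": "Sign in",
    "fr-FR": "Se connecter",
    "es-ES": "Iniciar sesión",
}
DEFAULT_LANGUAGE = "en-US"

# app is {OIDC:ClientId}, a GUID; anything that is not a GUID is dropped.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def resolve_page_parameters(request_url):
    """Map the three forwarded parameters to allowlisted values only."""
    query = parse_qs(urlsplit(request_url).query)
    campaign = query.get("campaignId", [""])[0].lower()
    language = query.get("language", [DEFAULT_LANGUAGE])[0]
    app = query.get("app", [""])[0]
    return {
        "background": CAMPAIGN_BACKGROUNDS.get(campaign, DEFAULT_BACKGROUND),
        "language": language if language in LOCALIZED_TITLE else DEFAULT_LANGUAGE,
        "app": app.lower() if GUID_RE.match(app) else None,
    }


def render_page(request_url):
    """Render the sign-in page; raw query values never reach the markup."""
    params = resolve_page_parameters(request_url)
    app_attr = f' data-app="{params["app"]}"' if params["app"] else ""
    return (
        f'<html lang="{params["language"]}">'
        f'<body style="background-image:url({params["background"]})"{app_attr}>'
        f'<h1>{LOCALIZED_TITLE[params["language"]]}</h1>'
        "</body></html>"
    )
```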
Content definition
In a ContentDefinition LoadUri, you can send claim resolvers to pull content from different places, based on the parameters used.
```xml
<ContentDefinition Id="api.signuporsignin">
  <LoadUri>https://contoso.blob.core.windows.net/{Culture:LanguageName}/myHTML/unified.html</LoadUri>
  ...
</ContentDefinition>
```
Application Insights technical profile
With Azure Application Insights and claim resolvers you can gain insights on user behavior. In the Application Insights technical profile, you send input claims that are persisted to Azure Application Insights. For more information, see Track user behavior in Azure AD B2C journeys by using Application Insights. The following example sends the policy ID, correlation ID, language, and the client ID to Azure Application Insights.
```xml
<TechnicalProfile Id="AzureInsights-Common">
  <DisplayName>Alternate Email</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.Insights.AzureApplicationInsightsProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  ...
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="PolicyId" PartnerClaimType="{property:Policy}" DefaultValue="{Policy:PolicyId}" />
    <InputClaim ClaimTypeReferenceId="CorrelationId" PartnerClaimType="{property:CorrelationId}" DefaultValue="{Context:CorrelationId}" />
    <InputClaim ClaimTypeReferenceId="language" PartnerClaimType="{property:language}" DefaultValue="{Culture:RFC5646}" />
    <InputClaim ClaimTypeReferenceId="AppId" PartnerClaimType="{property:App}" DefaultValue="{OIDC:ClientId}" />
  </InputClaims>
</TechnicalProfile>
```
Relying party policy
In a Relying party policy technical profile, you may want to send the tenant ID, or correlation ID to the relying party application within the JWT.
```xml
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="displayName" />
      <OutputClaim ClaimTypeReferenceId="givenName" />
      <OutputClaim ClaimTypeReferenceId="surname" />
      <OutputClaim ClaimTypeReferenceId="email" />
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      <OutputClaim ClaimTypeReferenceId="identityProvider" />
      <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
      <OutputClaim ClaimTypeReferenceId="correlationId" AlwaysUseDefaultValue="true" DefaultValue="{Context:CorrelationId}" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>
```
Next steps
- Find more claims resolvers samples on the Azure AD B2C community GitHub repo