How can I get a forgot password link on a custom Sign In policy for local accounts?

Question

Using AAD B2C identity experience framework, I am trying to create a custom policy that allows sign-in to a local AADB2C account and includes a "Can’t access your account?" link invoking the built-in self-service functionality. So basically I want the user experience/functionality of the built-in "B2C_1_SignIn_Local" policy, but as part of my suite of custom policies. I do NOT want this userjourney/experience to allow the user to choose a different IdP.

I have been able to create a userjourney that invokes a local sign-in, but the UI doesn't include the "Can’t access your account?" link. The userjourney I have so far looks like this:

 <UserJourney Id="SignInB2CLocal">
      <OrchestrationSteps>
        <OrchestrationStep Order="1" Type="ClaimsProviderSelection" ContentDefinitionReferenceId="api.idpselections">
          <ClaimsProviderSelections>
            <ClaimsProviderSelection TargetClaimsExchangeId="SignInWithLogonNameExchange" />
          </ClaimsProviderSelections>
        </OrchestrationStep>

       <OrchestrationStep Order="2" Type="ClaimsExchange">
        <ClaimsExchanges>
          <ClaimsExchange Id="SignInWithLogonNameExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
        </ClaimsExchanges>
       </OrchestrationStep>


        <OrchestrationStep Order="3" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>authenticationSource</Value>
              <Value>socialIdpAuthentication</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
          </ClaimsExchanges>
        </OrchestrationStep>


        <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
      </OrchestrationSteps>
    </UserJourney>

The above is based on a combination of what I found in the built-in policy B2C_1_SignIn_Local (downloaded file) and what I used for other IdPs like AAD. I also tried directly calling the built-in B2C_1_SignIn_Local from my MVC ASP.NET application but got token validation errors.

Is my intended result possible?

thanks!

Martin

Chris Padgett · Accepted Answer · 2018-03-13T09:10:05.917

You can either:

(i) Change from the ClaimsProviderSelection and ClaimsExchange orchestration steps to the CombinedSignInAndSignUp one with the api.signuporsignin content definition, or

(ii) Change from the api.selfasserted content definition to the api.signuporsignin one for the SelfAsserted-LocalAccountSignin-Email technical profile.

What is important is the <DataUri /> value for the content definition is set to:

urn:com:microsoft:aad:b2c:elements:unifiedssp:1.0.0

which renders the "Forgot your password" and "Sign up now" links.

i) The CombinedSignInAndSignUp orchestration step

<OrchestrationSteps>
  <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signupsignin">
    <ClaimsProviderSelections>
      <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
    </ClaimsProviderSelections>
    <ClaimsExchanges>
      <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
    </ClaimsExchanges>
  </OrchestrationStep>
  <OrchestrationStep Order="2" Type="ClaimsExchange">
    <Preconditions>
      <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
        <Value>objectId</Value>
        <Action>SkipThisOrchestrationStep</Action>
      </Precondition>
    </Preconditions>
    <ClaimsExchanges>
      <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
    </ClaimsExchanges>
  </OrchestrationStep>
  <OrchestrationStep Order="3" Type="ClaimsExchange">
    <ClaimsExchanges>
      <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
    </ClaimsExchanges>
  </OrchestrationStep>
  <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
</OrchestrationSteps>

ii) The LocalAccountSigninEmailExchange technical profile

<TechnicalProfiles>
  <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
    <Metadata>
      <Item Key="ContentDefinitionReferenceId">api.signuporsignin</Item>
    </Metadata>
  </TechnicalProfile>
</TechnicalProfiles>

<OrchestrationSteps>
  <OrchestrationStep Order="1" Type="ClaimsExchange">
    <ClaimsExchanges>
      <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
    </ClaimsExchanges>
  </OrchestrationStep>
  <OrchestrationStep Order="2" Type="ClaimsExchange">
    <Preconditions>
      <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
        <Value>objectId</Value>
        <Action>SkipThisOrchestrationStep</Action>
      </Precondition>
    </Preconditions>
    <ClaimsExchanges>
      <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
    </ClaimsExchanges>
  </OrchestrationStep>
  <OrchestrationStep Order="3" Type="ClaimsExchange">
    <ClaimsExchanges>
      <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
    </ClaimsExchanges>
  </OrchestrationStep>
  <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
</OrchestrationSteps>

You have to hide it using a CSS style: `div.create { display: none; }` — Chris Padgett, Jan 29 '18 at 20:50
@MHerbener - [this post](https://stackoverflow.com/a/47292962/185123) might help. — spottedmahn, Feb 08 '18 at 18:46
Got this working once I figured out how to make my customization file work in general. I did also choose to hide the "OR" (which introduces the sign-up block) with `div.divider { display: none; }`. Thanks! — M Herbener, Feb 15 '18 at 18:16
@MHerbener better way to hide it is to add Metadata Item to the technical profile: `false` — Nikolai, Apr 03 '19 at 13:54

score 0 · Answer 2 · answered Jan 31 '18 at 00:21

0

This is untested but I am pretty sure you change:

ContentDefinitionReferenceId="api.idpselections"

To:

ContentDefinition Id="api.localaccountsignin"

This should just show the local account sign in page with no registration and the password reset.

answered Jan 31 '18 at 00:21

Glenn Prince

96
1
4

As far as I can tell, the MS-provided set of starter configuration files do not included a contentdefinition for api.localaccountsignin, even though it is listed (https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-ui-customization-custom) as a legitimate Content Definition ID. But thanks for responding! – M Herbener Feb 01 '18 at 15:15

How can I get a forgot password link on a custom Sign In policy for local accounts?

2 Answers2