Azure-Samples/active-directory-b2c-advanced-policies

Unable to conditionally execute conditional OrchestrationStep

LearnToCodeKM opened this issue · 8 comments

I am trying to introduce a new Orchestration Step based on the value of my custom attribute. My requirement is that I want to execute an orchestration step only if the value of myattribute (boolean attribute) is set to true. The value of myattribute is either set to true or false. I am doing something like this.

<OrchestrationStep Order="3" Type="ClaimsExchange">
    <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
    </ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="4" Type="ClaimsExchange">
    <Preconditions>
        <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
            <Value>mobile</Value>
            <Value>extension_myattributee</Value>
            <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
    </Preconditions>
    <ClaimsExchanges>
        <ClaimsExchange Id="NewCredentials1" TechnicalProfileReferenceId="LocalAccountWritePasswordChangeUsingObjectId" />
    </ClaimsExchanges>
</OrchestrationStep>

But this step is not skipped irrespective of the value of myattribute. I have added myattribute as part of the OutputClaims of AAD-UserReadUsingObjectId. I am able to see the value of extension_myattribute in the C#.

This should execute the last orchestration step if myattributee is 'True'.
I am unable to test this; I'd experiment with the case for 'true' in the precondition.

<OrchestrationStep Order="3" Type="ClaimsExchange">
    <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
    </ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="4" Type="ClaimsExchange">
    <Preconditions>
        <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
            <Value>extension_myattributee</Value>
            <Value>true</Value>
            <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
    </Preconditions>
    <ClaimsExchanges>
        <ClaimsExchange Id="NewCredentials1" TechnicalProfileReferenceId="LocalAccountWritePasswordChangeUsingObjectId" />
    </ClaimsExchanges>
</OrchestrationStep>

I tried it; it does not work. The behavior remains the same irrespective of the value of my custom attribute.
The image below depicts the value of my custom attribute. I have another user with my custom attribute set to false.

I just tested this in a B2C tenant and it successfully ran with the above snippet. I'd share your AAD-UserReadUsingObjectId profile with the change you made to retrieve this attribute.

Here is my AAD-UserReadUsingObjectId

<TechnicalProfile Id="AAD-UserReadUsingObjectId">
    <Metadata>
        <Item Key="Operation">Read</Item>
        <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
    </Metadata>
    <IncludeInSso>false</IncludeInSso>
    <InputClaims>
        <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
    </InputClaims>
    <OutputClaims>
        <!-- Optional claims -->
        <OutputClaim ClaimTypeReferenceId="objectId" />
        <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" />
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="otherMails" />
        <OutputClaim ClaimTypeReferenceId="givenName" />
        <OutputClaim ClaimTypeReferenceId="surname" />
        <OutputClaim ClaimTypeReferenceId="city" />
        <OutputClaim ClaimTypeReferenceId="postalCode" />
        <OutputClaim ClaimTypeReferenceId="jobTitle" />
        <OutputClaim ClaimTypeReferenceId="streetAddress" />
        <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
        <OutputClaim ClaimTypeReferenceId="state" />
        <OutputClaim ClaimTypeReferenceId="email" />
        <OutputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="username" />
        <OutputClaim ClaimTypeReferenceId="signInNames.username" />
        <OutputClaim ClaimTypeReferenceId="newUser" />
        <OutputClaim ClaimTypeReferenceId="extension_forcePasswordChange" />
    </OutputClaims>
    <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>

AAD-Common

<TechnicalProfile Id="AAD-Common">
    <DisplayName>Azure Active Directory</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.AzureActiveDirectoryProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <Metadata>
        <Item Key="ApplicationObjectId">appid</Item>
        <Item Key="ClientId">objectid</Item>
    </Metadata>
    <CryptographicKeys>
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
    </CryptographicKeys>
    <!-- We need this here to suppress the SelfAsserted provider from invoking SSO on validation profiles. -->
    <IncludeInSso>false</IncludeInSso>
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>

I have followed the steps mentioned in
https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-create-custom-attributes-profile-edit-custom to create custom attributes.

In your schema, I'm assuming you're setting your claim type data type to boolean? Try changing that to string and running the first snippet I sent. I tested against a string data type and it was working successfully. Also post this claim type.

Changing my custom attribute to string worked.
Changing just the claim type did not help (it shows an error), so I added a new string custom attribute and used it.
Thanks for all the help, and I really mean it.

@parakhj for the sake of the community, can you comment on the ability to run preconditions against boolean data type claims within the User Journey? It appears 'true' and 'false' are not recognized when checking values.

The possible values for a boolean claim are "True" and "False" (i.e. the string representation of true and false).
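Putting that answer together with the original step, here is an added example (not from any participant in this thread) of how the boolean claim and its precondition would line up. It assumes the claim is declared as `extension_myattribute` with `DataType` boolean in the policy's `ClaimsSchema`, and keeps the step and technical profile names from the question.

```xml
<!-- Added example: the claim type as declared in ClaimsSchema (assumed name and data type). -->
<ClaimType Id="extension_myattribute">
    <DisplayName>My attribute</DisplayName>
    <DataType>boolean</DataType>
</ClaimType>

<!-- The step from the question, comparing against the boolean claim's string
     representation "True" instead of "true". -->
<OrchestrationStep Order="4" Type="ClaimsExchange">
    <Preconditions>
        <!-- ClaimEquals is true only when the claim exists and equals "True".
             With ExecuteActionsIf="false", the skip action runs when that comparison
             is false, i.e. for users whose attribute is "False" or was never populated. -->
        <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
            <Value>extension_myattribute</Value>
            <Value>True</Value>
            <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
    </Preconditions>
    <ClaimsExchanges>
        <ClaimsExchange Id="NewCredentials1" TechnicalProfileReferenceId="LocalAccountWritePasswordChangeUsingObjectId" />
    </ClaimsExchanges>
</OrchestrationStep>
```

The read profile that runs in the preceding step must still list `extension_myattribute` as an `OutputClaim`, otherwise the claim is absent from the claims bag and the step is skipped for every user.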