Mapping user claims from an external IDP to Azure AD B2C

In this case, we will use Azure AD as our external IDP and there’s a really good article here on how to do this.

I mapped these claims in the Azure AD token configuration:

In the Azure AD technical profile, I have the following mappings.

<OutputClaims>
<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid"/>
<OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
<OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name"/>
<OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name"/>
<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name"/>
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email"/>
<OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="upn"/>
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true"/>
<OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss"/>
</OutputClaims>

The right-hand side (RHS) mapping is for Azure AD. The left-hand side (LHS) mapping is for B2C.

So e.g.

<OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name"/>

Azure AD “family_name” maps to B2C “surName”.

Then in the RP, I have:

<OutputClaims>
<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="Name"/>
<OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="FirstName"/>
<OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="LastName"/>
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Mail"/>
<OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="UPN"/>
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
<OutputClaim ClaimTypeReferenceId="identityProvider"/>
<OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}"/>
</OutputClaims>

So e.g.

<OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="LastName"/>

Here the LHS is the B2C name and the RHS is the name we want to give the claim in the JWT.

The mapping is then:

“family_name” → “surName” → “LastName”.

When I log in using the Azure AD button:

I get the following JWT:

"FirstName": "User",
"LastName": "One",
"Name": "UserOne",
"Mail": "user1@AADtenant.onmicrosoft.com",
"UPN": "cpim_d76…e53@B2Ctenant.onmicrosoft.com"

If you want to add other claims that are not in the “Token Configuration” list, you can add optional claims.

These claims will not show up in the “Token Configuration” list once added.

Also, they need to be extension attributes in B2C e.g.

you need to map “employeeID” to “extension_employeeID”.
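To see how the two mappings compose, here is an added Python model of the claim flow. It is my own illustration, not code from the post and not how B2C is implemented: it parses both <OutputClaims> fragments above and pushes a constructed Azure AD token through them, first into the B2C claims bag and then into the relying-party JWT. I have appended one extra OutputClaim to each fragment for the optional-claim case just described (Azure AD "employeeID" to B2C "extension_employeeID"); the shape of that rule, the GUIDs and the employee id are my assumptions. The model covers only these two mappings: in the real user journey the directory write/read steps populate objectId (the "sub" claim) and replace the UPN with the cpim_… one shown earlier, and none of that is simulated here.

```python
import xml.etree.ElementTree as ET

# Constructed copies of the post's two <OutputClaims> fragments. The last
# OutputClaim in each is added here to show the extension-attribute case the
# post mentions (Azure AD "employeeID" -> B2C "extension_employeeID"); its
# exact form is an assumption, not taken from the post.
AAD_PROFILE_OUTPUT_CLAIMS = """
<OutputClaims>
  <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid"/>
  <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
  <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name"/>
  <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name"/>
  <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name"/>
  <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email"/>
  <OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="upn"/>
  <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true"/>
  <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss"/>
  <OutputClaim ClaimTypeReferenceId="extension_employeeID" PartnerClaimType="employeeID"/>
</OutputClaims>
"""
RP_OUTPUT_CLAIMS = """
<OutputClaims>
  <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="Name"/>
  <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="FirstName"/>
  <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="LastName"/>
  <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Mail"/>
  <OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="UPN"/>
  <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
  <OutputClaim ClaimTypeReferenceId="identityProvider"/>
  <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}"/>
  <OutputClaim ClaimTypeReferenceId="extension_employeeID"/>
</OutputClaims>
"""

# Constructed Azure AD id_token claims; GUIDs and the employee id are placeholders.
SAMPLE_AAD_TOKEN = {
    "oid": "00000000-0000-0000-0000-00000000aaaa",
    "tid": "00000000-0000-0000-0000-0000000000ad",
    "given_name": "User",
    "family_name": "One",
    "name": "UserOne",
    "email": "user1@AADtenant.onmicrosoft.com",
    "upn": "user1@AADtenant.onmicrosoft.com",
    "iss": "https://login.microsoftonline.com/00000000-0000-0000-0000-0000000000ad/v2.0",
    "employeeID": "E-12345",
    "amr": ["pwd"],  # deliberately unmapped: it must not reach the B2C token
}
# Constructed stand-in for the {Policy:TenantObjectId} claim resolver.
CLAIM_RESOLVERS = {"Policy:TenantObjectId": "00000000-0000-0000-0000-0000000000b2"}


def parse_output_claims(xml_text):
    """Parse an <OutputClaims> fragment into a list of mapping rules."""
    root = ET.fromstring(xml_text.strip())
    return [{
        "claim": el.get("ClaimTypeReferenceId"),
        "partner": el.get("PartnerClaimType"),
        "default": el.get("DefaultValue"),
        "always_default": el.get("AlwaysUseDefaultValue", "false").lower() == "true",
    } for el in root.findall("OutputClaim")]


def resolve_default(value, resolvers):
    """Expand a {Resolver:Name} DefaultValue; literal defaults pass through."""
    if value.startswith("{") and value.endswith("}"):
        return resolvers[value[1:-1]]
    return value


def apply_mapping(source, rules, resolvers, inbound):
    """One OutputClaims pass. inbound=True reads PartnerClaimType from the
    IdP token and writes ClaimTypeReferenceId into the B2C bag; inbound=False
    reads ClaimTypeReferenceId from the bag and writes PartnerClaimType (or
    the ClaimTypeReferenceId itself when none is given) into the RP JWT.
    Bag keys are lower-cased, so "surName" and "surname" are one claim.
    Unmapped source claims are dropped; AlwaysUseDefaultValue always wins.
    """
    result = {}
    for r in rules:
        if inbound:
            src, dst = r["partner"], r["claim"].lower()
        else:
            src, dst = r["claim"].lower(), r["partner"] or r["claim"]
        if r["always_default"] and r["default"] is not None:
            result[dst] = resolve_default(r["default"], resolvers)
        elif src is not None and src in source:
            result[dst] = source[src]
        elif r["default"] is not None:
            result[dst] = resolve_default(r["default"], resolvers)
    return result


AAD_RULES = parse_output_claims(AAD_PROFILE_OUTPUT_CLAIMS)
RP_RULES = parse_output_claims(RP_OUTPUT_CLAIMS)
B2C_BAG = apply_mapping(SAMPLE_AAD_TOKEN, AAD_RULES, CLAIM_RESOLVERS, inbound=True)
RP_JWT = apply_mapping(B2C_BAG, RP_RULES, CLAIM_RESOLVERS, inbound=False)

if __name__ == "__main__":
    for name, value in RP_JWT.items():
        print(f"{name}: {value!r}")
```

Running it shows the chain from the post: "family_name" lands in the bag as surname and leaves the RP as "LastName": "One". Two details are worth noticing. The bag holds the Azure AD "tid" under tenantId, but the RP rule has AlwaysUseDefaultValue="true", so the JWT carries the B2C tenant id from {Policy:TenantObjectId} instead; and the unmapped "amr" claim never reaches the bag or the JWT. Every claim the application needs therefore has to have an explicit rule in both profiles, and a claim the external IdP sends that you have not mapped cannot leak through to your token.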

All good!

Rory Braybrook

NZ Microsoft Identity dude and MVP. Azure AD/B2C/ADFS/Auth0/identityserver. StackOverflow: https://bit.ly/2XU4yvJ Presentations: http://bit.ly/334ZPt5