Requirement:
• We need to migrate the users from the legacy B2C tenant to the new Azure B2C tenant, which we will be using for sign-in.
• When a valid customer signs in to the application using the new Azure B2C tenant custom policy with valid credentials, we will check whether the customer is present in the existing tenant or not. If not present, it will check the user profile in the legacy B2C tenant, its CustomerType defined as the “Extension_UserRole” custom claim, and its credentials. Only if the user profile is present and the value of the custom claim “Extension_UserRole” is Customer will it create a profile in the new B2C tenant with the same credentials.
Approach:
• We are following the B2C-to-B2C migration approach below in our custom sign-in extension policy.
samples/policies/B2C2B2CMigration/Policy/B2CMigrate_Extensions.xml at master · azure-ad-b2c/samples · GitHub
• We haven’t run any pre-migration script for creating the profile of the user in the new B2C tenant.
• We will be creating the profile of the user when the user signs in to the new tenant for the first time, using the custom policy defined in the above link.
Challenge:
- When the user signs in to the new B2C tenant for the first time and we check the user profile in the legacy B2C tenant, we are not able to read the custom claim value mapped to the user profile. Please find the custom claim below for reference:
“extension_[ExtensionAppRegistrationID]_UserRole”: “Customer”
- When we try to read the custom claim value, it returns empty.
Could you help us in reading the custom claim value from the legacy tenant when the user signs in to the new tenant?
We tried the approach below for checking the user profile from the legacy tenant and the custom claim as extension_UserRole, but the value is null as we are not able to read it:
<TechnicalProfiles>
  <!-- REMOTE ROPC call to the legacy B2C instance -->
  <TechnicalProfile Id="login-Remote">
    <DisplayName>Remote Account SignIn</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <Metadata>
      <!-- "legacy B2C tenant name" is a placeholder for the legacy tenant -->
      <Item Key="METADATA">https://login.microsoftonline.com/legacy B2C tenant name/.well-known/openid-configuration</Item>
      <Item Key="authorization_endpoint">https://login.microsoftonline.com/legacy B2C tenant name/oauth2/token</Item>
      <Item Key="response_types">id_token</Item>
      <Item Key="response_mode">query</Item>
      <Item Key="scope">email openid</Item>
      <!-- Policy Engine Clients -->
      <Item Key="UsePolicyInRedirectUri">false</Item>
      <Item Key="HttpBinding">POST</Item>
      <Item Key="client_id">RemoteB2CProxyIdentityExperienceFrameworkAppId</Item>
      <Item Key="IdTokenAudience">RemoteB2CIdentityExperienceFrameworkAppId</Item>
    </Metadata>
    <InputClaims>
      <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="username" Required="true" />
      <InputClaim ClaimTypeReferenceId="password" Required="true" />
      <InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="password" />
      <InputClaim ClaimTypeReferenceId="scope" DefaultValue="openid" />
      <InputClaim ClaimTypeReferenceId="nca" PartnerClaimType="nca" DefaultValue="1" />
      <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="RemoteB2CProxyIdentityExperienceFrameworkAppId" />
      <InputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="resource" DefaultValue="RemoteB2CIdentityExperienceFrameworkAppId" />
    </InputClaims>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
      <OutputClaim ClaimTypeReferenceId="email" />
      <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
      <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
      <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
      <OutputClaim ClaimTypeReferenceId="isLocalUser" DefaultValue="false" />
      <!-- "b2c-extensions-app-guid" is a placeholder: B2C names extension attributes
           extension_<b2c-extensions-app client id without dashes>_<attribute> -->
      <OutputClaim ClaimTypeReferenceId="extension_UserRole" PartnerClaimType="extension_b2c-extensions-app-guid_UserRole" />
    </OutputClaims>
  </TechnicalProfile>
</TechnicalProfiles>
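A quick way to confirm whether the legacy tenant's id_token actually carries the role claim, and under which name, is to inspect the token payload directly. The following diagnostic is an added example, not code from the original post or from the azure-ad-b2c samples; it assumes a constructed placeholder for the legacy tenant's b2c-extensions-app client id and constructed sample tokens, and it decodes the payload without verifying the signature, which is fine for inspecting claim names but never for trusting their values.

```python
import base64
import json

def extension_claim_name(extensions_app_id: str, attribute: str) -> str:
    """Claim name B2C uses for a custom attribute:
    extension_<b2c-extensions-app client id without dashes>_<attribute>."""
    return f"extension_{extensions_app_id.replace('-', '')}_{attribute}"

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def decode_jwt_payload_unverified(token: str) -> dict:
    """Return the payload claims WITHOUT checking the signature.
    Diagnostic only: it shows which claims the legacy tenant put in the
    id_token; it must never be used to trust the token's contents."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def check_user_role(token: str, extensions_app_id: str, attribute: str = "UserRole") -> dict:
    """Report whether the expected extension claim is present and its value,
    plus every extension_* claim in the token (to spot a name mismatch)."""
    claims = decode_jwt_payload_unverified(token)
    expected = extension_claim_name(extensions_app_id, attribute)
    return {
        "expected_claim": expected,
        "value": claims.get(expected),
        "extension_claims_in_token": sorted(k for k in claims if k.startswith("extension_")),
        "is_customer": claims.get(expected) == "Customer",
    }

def make_sample_token(payload: dict) -> str:
    """Constructed, unsigned sample token for offline testing (dummy signature)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(payload).encode())}.dummysig"

# Constructed placeholder for the legacy tenant's b2c-extensions-app client id.
SAMPLE_EXTENSIONS_APP_ID = "11111111-2222-3333-4444-555555555555"

# Constructed token carrying the role claim under the name B2C actually issues.
SAMPLE_TOKEN_WITH_ROLE = make_sample_token({
    "sub": "user-1", "email": "user@example.com",
    "extension_11111111222233334444555555555555_UserRole": "Customer",
})
# Constructed token where the policy never emitted the claim (the symptom above).
SAMPLE_TOKEN_WITHOUT_ROLE = make_sample_token({"sub": "user-2", "email": "user@example.com"})

if __name__ == "__main__":
    print(check_user_role(SAMPLE_TOKEN_WITH_ROLE, SAMPLE_EXTENSIONS_APP_ID))
    print(check_user_role(SAMPLE_TOKEN_WITHOUT_ROLE, SAMPLE_EXTENSIONS_APP_ID))
```

If `extension_claims_in_token` is empty for a real token, the legacy policy is not emitting the attribute at all, so the mapping in the new tenant's OutputClaim cannot be the only thing to fix.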