I have set up an Azure B2C tenant and used custom policies to add Azure AD as an IDP so that users can sign up with their domain accounts. I can build a custom page where I ask them for their email and then redirect them to the proper policy (one for work domain accounts and another for personal emails), so that they do not have to make the choice between work and personal emails. The problem is that I do not want to make the user enter the email once again. Is there a way/option to do this? I basically want to achieve something similar to what the common endpoint of Azure AD does for all accounts.
-
What kind of policy? Sign-in supports `&username=myUsername`. [Source](https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/14786559-pre-populate-username-field-with-value-from-the-qu) – spottedmahn Oct 18 '17 at 15:25
-
There's another option but it takes a lot more work. [See here](https://stackoverflow.com/questions/46380468/azure-ad-b2c-pre-populate-a-custom-attribute-in-the-signup-policy) – spottedmahn Oct 18 '17 at 15:26
-
@spottedmahn Signup/sign in. I tried this `notification.ProtocolMessage.IssuerAddress += "&username=example";` in the `OnRedirectToIdentityProvider` event but it did not work. Still asks me to choose IDP and user name – Juxhin Oct 18 '17 at 16:24
-
Does your Azure AD (Work) claims provider have a "DomainName" element? You can skip the identity provider selection step by redirecting to Azure AD with the "domain_hint" parameter set to this "DomainName" value. – Chris Padgett Oct 19 '17 at 02:28
-
@ChrisPadgett this doesn't work for me because I have non-AD users and an AAD IDP (potentially multiple IDPs in the future). I needed SSO. The UI here becomes confusing. The user is forced to select their IDP. I would like to reduce that step through a page on my site by having the user enter their login id. At this point I can redirect them to the right IDP by having multiple sign-in policies. At this point this is doable, I believe, but the problem remains in the fact that B2C is ignoring my login hint. So it is not prepopulating the login id that I added to the redirect. – Juxhin Oct 19 '17 at 13:53
-
Just curious, but would '&logonIdentifier=theuseremailvalue' work? I've never tried passing parameters like that before myself. – Pytry Oct 19 '17 at 17:11
-
@Juxhin Can you clarify that you are wanting to pass a login hint from your relying party to B2C and, optionally for an AAD sign-in, pass it through from B2C to AAD? – Chris Padgett Oct 19 '17 at 20:55
-
@Pytry I am concerned to use that because it is not documented. loginHint is a documented feature – Juxhin Oct 23 '17 at 13:57
-
@ChrisPadgett that is the ultimate goal but not the current one. The current one is simply getting users that signed up with new accounts in the B2C realm. So a user with email fakeuserrandomname@gmail.com signed up through B2C, not Google as an IDP. I want him to enter his email in my site and when I redirect it to the policy with the loginhint query string parameter I want the email to be populated. – Juxhin Oct 23 '17 at 14:16
1 Answer
For a custom policy, if you add the "login_hint" query string parameter to the OpenID Connect authentication request, then you can default the login field to this login hint by adding the "DefaultValue" attribute to the "signInName" input claim for the "SelfAsserted-LocalAccountSignin-Email" technical profile as follows:
```xml
<TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
  <DisplayName>Local Account Signin</DisplayName>
  ...
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="signInName" DefaultValue="{OIDC:LoginHint}" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="signInName" Required="true" />
    ...
  </OutputClaims>
  ...
</TechnicalProfile>
```
The "DefaultValue" attribute references a claims resolver that sets the "signInName" claim type to the "login_hint" parameter of the OpenID Connect authentication request.
See the "Set up direct sign-in using Azure Active Directory B2C" article for more information about passing the "login_hint" query string parameter.

Chris Padgett
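Added example (not part of the original answer or of any Microsoft sample): the relying-party side of this flow, which takes the email typed on the site, picks the policy by domain, and builds the authentication request with an encoded `login_hint` instead of appending raw text to the issuer address. The tenant name, policy ids, client id, redirect URI and work domain are hypothetical placeholders, and it assumes the Azure AD claims provider's "DomainName" equals the email domain.

```python
import re
import secrets
from urllib.parse import urlencode

# Hypothetical placeholders, not values from the question or answer.
TENANT = "contoso"
WORK_POLICY = "B2C_1A_signin_work"
LOCAL_POLICY = "B2C_1A_signin_local"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://app.example.com/signin-oidc"
WORK_DOMAINS = {"contoso.com"}  # domains served by the Azure AD claims provider

# Conservative shape check: the hint is only a form default, never an identity.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def build_authorize_url(email: str) -> tuple[str, str, str]:
    """Return (url, state, nonce) for the policy matching the email's domain."""
    email = email.strip()
    match = EMAIL_RE.fullmatch(email)
    if len(email) > 254 or match is None:
        raise ValueError("not a plausible email address")
    domain = match.group(1).lower()
    is_work = domain in WORK_DOMAINS
    policy = WORK_POLICY if is_work else LOCAL_POLICY

    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {
        "client_id": CLIENT_ID,
        "response_type": "id_token",
        "response_mode": "form_post",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,  # keep server-side and compare on the callback
        "nonce": nonce,  # compare with the nonce claim of the returned id_token
        "login_hint": email,  # read inside the policy via {OIDC:LoginHint}
    }
    if is_work:
        # Assumption: the claims provider's DomainName is the email domain.
        params["domain_hint"] = domain
    base = (f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/"
            f"{policy}/oauth2/v2.0/authorize")
    # urlencode percent-encodes every value, so '+' or '%' in the address is
    # carried literally and cannot add or override request parameters.
    return f"{base}?{urlencode(params)}", state, nonce
```

The policy id is chosen from a fixed pair on the server and never taken from user input, so the typed address can only influence the hint values.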