AD B2C compareClaims throws internal server error

Time:02-01

I am trying to compare 2 claims (one from id_token_hint and one from AD B2C). My requirement is to throw an error page saying that the 2 do not match and redirect to the login page.

For the same, I have added the following steps:

  1. Added a ClaimType (boolean for the comparison result)

    <ClaimType Id="agencyClaimMatch">
      <DisplayName>Verify if input Agency and agency in AD B2C match</DisplayName>
      <DataType>boolean</DataType>
      <UserHelpText>Verify if input Agency and agency in AD B2C match</UserHelpText>
    </ClaimType>
    
  2. Created a ClaimsTransformation (based on a post) to compare the 2 claims (extension_agency from AD B2C and agency from the input claim of id_token_hint)

    <ClaimsTransformation Id="checkSameAgency" TransformationMethod="CompareClaims">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="extension_agency" TransformationClaimType="inputClaim1"/>
        <InputClaim ClaimTypeReferenceId="agency" TransformationClaimType="inputClaim2"/>
      </InputClaims>
      <InputParameters>
        <InputParameter Id="operator" DataType="string" Value="EQUAL"/>
        <InputParameter Id="ignoreCase" DataType="string" Value="true"/>
      </InputParameters>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="agencyClaimMatch" TransformationClaimType="outputClaim"/>
      </OutputClaims>
    </ClaimsTransformation>

  3. Added a Technical Profile to invoke the transformation (I am expecting the agencyClaimMatch boolean to get a true or false value based on the transformation; if false, both do not match and I need to throw the error page, else allow access)

    <TechnicalProfile Id="CheckAgencyMatch">
      <DisplayName>Check Agency Match</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
      </Metadata>
      <IncludeInSso>false</IncludeInSso>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="agency" Required="true" />
        <InputClaim ClaimTypeReferenceId="extension_agency" Required="true" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="agency"/>
        <OutputClaim ClaimTypeReferenceId="extension_agency" />
        <OutputClaim ClaimTypeReferenceId="agencyClaimMatch"/>
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="checkSameAgency"/>
      </OutputClaimsTransformations>
    </TechnicalProfile>
  4. In the UserJourney I added a ClaimsExchange to get the value of checkSameAgency.

    <!-- Verify claims match and get the boolean value -->
    <OrchestrationStep Order="6" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="CheckAgencyMatch" TechnicalProfileReferenceId="CheckAgencyMatch"/>
      </ClaimsExchanges>
    </OrchestrationStep>
    
  5. If the boolean output checkSameAgency is not "True", that is both agencies do not match, then throw an error, else move to the next step to issue the JWT token.

    <!-- Check if agency ID matches. The error step is skipped only when
         agencyClaimMatch equals True, so a false or missing value shows the error page. -->
    <OrchestrationStep Order="7" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
          <Value>agencyClaimMatch</Value>
          <Value>True</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="SelfAssertedAgencyNotMatched" TechnicalProfileReferenceId="SelfAssertedAgencyNotMatched" />
      </ClaimsExchanges>
    </OrchestrationStep>

But I am getting an error "The page cannot be displayed because an internal server error has occurred." even if the agency matches or if they don't.

Any pointers would be very helpful.

=== The following solution, as suggested by rbrayb, helped resolve the issue. I noted:

    <TechnicalProfile Id="CheckAgencyMatch">
      <DisplayName>Check Agency Match</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>

A SelfAssertedAttributeProvider is only used to display a screen, but you are only comparing claims. It should be

    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />

https://learn.microsoft.com/en-us/azure/active-directory-b2c/claims-transformation-technical-profile

CodePudding user response:

    <TechnicalProfile Id="CheckAgencyMatch">
      <DisplayName>Check Agency Match</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>

A SelfAssertedAttributeProvider is only used to display a screen, but you are only comparing claims. It should be

    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />

Refer to this.
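The corrected technical profile together with the orchestration steps that use it, written out as an added example (not the poster's or rbrayb's code): it applies the ClaimsTransformationProtocolProvider fix from the answer, reuses the claim type and transformation IDs from the question, and assumes that a SelfAssertedAgencyNotMatched profile and a JwtIssuer profile exist elsewhere in the policy and that the policy already validates the id_token_hint signature before reading `agency` from it.

```xml
<!-- Claims transformation technical profile: renders no page, only runs
     checkSameAgency and writes the boolean agencyClaimMatch to the claims bag.
     It needs no Metadata, InputClaims or IncludeInSso to do that. -->
<TechnicalProfile Id="CheckAgencyMatch">
  <DisplayName>Check Agency Match</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="agencyClaimMatch" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <!-- compares extension_agency (directory) with agency (id_token_hint), case-insensitive -->
    <OutputClaimsTransformation ReferenceId="checkSameAgency" />
  </OutputClaimsTransformations>
</TechnicalProfile>

<!-- UserJourney steps; step numbers are assumed, earlier steps read the user
     from the directory and the claims from id_token_hint. -->
<OrchestrationStep Order="6" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="CheckAgencyMatch" TechnicalProfileReferenceId="CheckAgencyMatch" />
  </ClaimsExchanges>
</OrchestrationStep>

<!-- Error page. ExecuteActionsIf="true" skips this step only when
     agencyClaimMatch exists and equals True; a false or missing claim
     fails closed and the user sees the mismatch page. -->
<OrchestrationStep Order="7" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
      <Value>agencyClaimMatch</Value>
      <Value>True</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="SelfAssertedAgencyNotMatched" TechnicalProfileReferenceId="SelfAssertedAgencyNotMatched" />
  </ClaimsExchanges>
</OrchestrationStep>

<!-- Token is issued only if step 7 was skipped or the user got past it. -->
<OrchestrationStep Order="8" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
```

Because the journey continues to step 8 after any self-asserted page, the assumed SelfAssertedAgencyNotMatched profile should set the self-asserted metadata item `setting.showContinueButton` to false, leaving Cancel as the only way out so that no token is issued on a mismatch.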
