CustomPolicies/TrustFrameworkExtensions.xml

﻿<?xml version="1.0" encoding="utf-8" ?>
<TrustFrameworkPolicy
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
  xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0"
  TenantId="identitysamplesb2c.onmicrosoft.com"
  PolicyId="B2C_1A_TrustFrameworkExtensions"
  PublicPolicyUri="http://identitysamplesb2c.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions">

  <BasePolicy>
    <TenantId>identitysamplesb2c.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>
  </BasePolicy>

  <BuildingBlocks>
    <ClaimsSchema>
      <!-- The following claim type stores the verified email address for a user. -->
      <ClaimType Id="extension_VerifiedEmail">
        <DisplayName>Verified Email</DisplayName>
        <DataType>string</DataType>
        <DefaultPartnerClaimTypes>
          <Protocol Name="OAuth2" PartnerClaimType="verified_email" />
          <Protocol Name="OpenIdConnect" PartnerClaimType="verified_email" />
          <Protocol Name="SAML2" PartnerClaimType="http://schemas.identitysamplesb2c.onmicrosoft.com/identity/claims/verifiedemail" />
        </DefaultPartnerClaimTypes>
        <!-- The claim type is set to read-only so that the user cannot edit it manually. -->
        <UserInputType>Readonly</UserInputType>
      </ClaimType>
    </ClaimsSchema>
    <ClaimsTransformations>
      <!-- The following claims transformation creates the email address for a user as a copy of the verified email address. -->
      <ClaimsTransformation Id="CreateEmailFromVerifiedEmail" TransformationMethod="FormatStringClaim">
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="extension_VerifiedEmail" TransformationClaimType="inputClaim" />
        </InputClaims>
        <InputParameters>
          <InputParameter Id="stringFormat" DataType="string" Value="{0}" />
        </InputParameters>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="email" TransformationClaimType="outputClaim" />
        </OutputClaims>
      </ClaimsTransformation>
    </ClaimsTransformations>
  </BuildingBlocks>

  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Facebook</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="Facebook-OAUTH">
          <Metadata>
            <Item Key="client_id">facebook_clientid</Item>
            <Item Key="scope">email public_profile</Item>
            <Item Key="ClaimsEndpoint">https://graph.facebook.com/me?fields=id,first_name,last_name,name,email</Item>
          </Metadata>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
    <ClaimsProvider>
      <DisplayName>Local Account SignIn</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="login-NonInteractive">
          <Metadata>
            <Item Key="client_id">30710d2c-d51f-4bfd-b530-b40608e3fa04</Item>
            <Item Key="IdTokenAudience">5d2382b1-ecbb-4921-863d-cd0ecc10f035</Item>
          </Metadata>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="30710d2c-d51f-4bfd-b530-b40608e3fa04" />
            <InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="5d2382b1-ecbb-4921-863d-cd0ecc10f035" />
          </InputClaims>
        </TechnicalProfile>
        <!-- This profile registers a local account from a verified email as encoded in an incoming client_assertion JWT. -->
        <TechnicalProfile Id="LocalAccountSignUpWithLogonEmail-Verified">
          <DisplayName>Local Account Signup With Verified Email</DisplayName>
          <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
          <Metadata>
            <Item Key="IpAddressClaimReferenceId">IpAddress</Item>
            <Item Key="ContentDefinitionReferenceId">api.localaccountsignup</Item>
            <Item Key="language.button_continue">Create</Item>
          </Metadata>
          <CryptographicKeys>
            <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
          </CryptographicKeys>
          <InputClaimsTransformations>
            <!-- Copy the verified email from the incoming client_assertion JWT to the email claim. -->
            <InputClaimsTransformation ReferenceId="CreateEmailFromVerifiedEmail" />
          </InputClaimsTransformations>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="extension_VerifiedEmail" />
          </InputClaims>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="extension_VerifiedEmail" Required="true" />
            <OutputClaim ClaimTypeReferenceId="objectId" />
            <OutputClaim ClaimTypeReferenceId="newPassword" Required="true" />
            <OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true" />
            <OutputClaim ClaimTypeReferenceId="executed-SelfAsserted-Input" DefaultValue="true" />
            <OutputClaim ClaimTypeReferenceId="authenticationSource" />
            <OutputClaim ClaimTypeReferenceId="newUser" />

            <!-- Optional claims, to be collected from the user. -->
            <OutputClaim ClaimTypeReferenceId="displayName" Required="true" />
          </OutputClaims>
          <ValidationTechnicalProfiles>
            <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingLogonEmail" />
          </ValidationTechnicalProfiles>
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
    <ClaimsProvider>
      <DisplayName>SAML Token Issuer</DisplayName>
      <TechnicalProfiles>
        <!-- SAML Token Issuer technical profile -->
        <TechnicalProfile Id="Saml2AssertionIssuer">
          <DisplayName>SAML Token Issuer</DisplayName>
          <Protocol Name="SAML2" />
          <OutputTokenFormat>SAML2</OutputTokenFormat>
          <Metadata>
            <!-- The issuer contains the policy name; it should be the same name as configured in the relying party application. -->
            <!-- If you don't specify the IssuerUri then you get a default one, e.g. "https://login.microsoftonline.com/te/identitysamplesb2c.onmicrosoft.com/B2C_1A_TrustFrameworkBase" -->
            <Item Key="IssuerUri">https://identitysamplesb2c.b2clogin.com/identitysamplesb2c.onmicrosoft.com/B2C_1A_SignUpOrSignInSaml</Item>
          </Metadata>
          <CryptographicKeys>
            <Key Id="MetadataSigning" StorageReferenceId="B2C_1A_SamlAppB2C" />
            <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SamlAppB2C" />
            <Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_SamlAppB2C" />
          </CryptographicKeys>
          <InputClaims/>
          <OutputClaims/>
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml" />
        </TechnicalProfile>
        <!-- Session management technical profile for SAML based tokens -->
        <TechnicalProfile Id="SM-Saml">
          <DisplayName>Session Management Provider</DisplayName>
          <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>

</TrustFrameworkPolicy>