I am looking to meet a password complexity requirement using a claims transformation. When a user goes through the password reset journey, I want to prevent passwords similar to the username by comparing the newPassword claim to an extension attribute that contains the user's email prefix, e.g. jdoe in [email protected]. I don't want to use a REST technical profile.
Claims Transformation
<!-- CompareClaims with operator NOT EQUAL sets outputClaim to true when the two
     inputs differ, so SameAsEmailPrefix is true when the password is NOT the prefix -->
<ClaimsTransformation Id="CheckUserSuppliedPassword" TransformationMethod="CompareClaims">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="newPassword" TransformationClaimType="inputClaim1" />
    <InputClaim ClaimTypeReferenceId="userEmailPrefix" TransformationClaimType="inputClaim2" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="operator" DataType="string" Value="NOT EQUAL" />
    <InputParameter Id="ignoreCase" DataType="string" Value="true" />
  </InputParameters>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="SameAsEmailPrefix" TransformationClaimType="outputClaim" />
  </OutputClaims>
</ClaimsTransformation>
I added another technical profile (MyLocalAccountCheckUserPassword) that calls the transformation. This technical profile is used as a validation technical profile that is referenced in the "LocalAccountWritePasswordUsingObjectId" technical profile of the Local Account claims provider. Below are both technical profiles.
<!-- A validation technical profile must be non-interactive; a profile that only runs
     claims transformations uses the ClaimsTransformationProtocolProvider handler,
     not the SelfAssertedAttributeProvider (which renders a page) -->
<TechnicalProfile Id="MyLocalAccountCheckUserPassword">
  <DisplayName>Check User Password</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="newPassword" Required="true" />
    <InputClaim ClaimTypeReferenceId="reenterPassword" Required="false" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="newPassword" />
    <OutputClaim ClaimTypeReferenceId="reenterPassword" />
    <!-- Written by the CheckUserSuppliedPassword transformation below -->
    <OutputClaim ClaimTypeReferenceId="SameAsEmailPrefix" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="CheckUserSuppliedPassword" />
  </OutputClaimsTransformations>
</TechnicalProfile>
<TechnicalProfile Id="LocalAccountWritePasswordUsingObjectId">
  <DisplayName>Change password (username)</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ContentDefinitionReferenceId">api.localaccountpasswordreset</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
  </CryptographicKeys>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" />
    <InputClaim ClaimTypeReferenceId="Verified.strongAuthenticationPhoneNumber" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="newPassword" Required="true" />
    <OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true" />
    <!-- Claim reference must match the declared ClaimType Id (SameAsEmailPrefix) -->
    <OutputClaim ClaimTypeReferenceId="SameAsEmailPrefix" Required="true" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <!-- Validation profiles run in order; the check runs first so the password is not
         written to the directory before it has been compared with the email prefix -->
    <ValidationTechnicalProfile ReferenceId="MyLocalAccountCheckUserPassword" />
    <ValidationTechnicalProfile ReferenceId="AAD-UserWritePasswordUsingObjectId" />
  </ValidationTechnicalProfiles>
</TechnicalProfile>
For now, all I want to do is validate what's in the SameAsEmailPrefix claim (true/false) to see if the comparison happened as expected. So, I have added it as an output claim in the Relying Party technical profile. But it doesn't show up as a claim after the password reset journey completes. Ultimately, I want to show an error message to the user on the local account sign-in screen.
Please help.
Add SameAsEmailPrefix as an output claim in the RelyingParty section of your custom policy file.
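The fragment below is an added example, not code from the question or the answer above, showing one way to wire the whole thing up without a REST technical profile: the comparison is done with CompareClaims (operator EQUAL, so SameAsEmailPrefix is true when the password matches the prefix), a second transformation (AssertBooleanClaimIsEqualToValue) fails the validation technical profile when that claim is not false, and the RelyingParty emits SameAsEmailPrefix so the result can be inspected in the token. The transformation Id AssertPasswordNotEmailPrefix, the user-facing message text, the RelyingParty profile Id PolicyProfile, and the assumption that userEmailPrefix has already been read from the extension attribute into the claims bag earlier in the journey are all assumptions of this example.

```xml
<!-- Added example (not from the question or answer). Assumes userEmailPrefix is
     already populated from the extension attribute by an earlier AAD read step. -->

<BuildingBlocks>
  <ClaimsSchema>
    <!-- Boolean result of the comparison; declare it before referencing it anywhere -->
    <ClaimType Id="SameAsEmailPrefix">
      <DisplayName>New password equals email prefix</DisplayName>
      <DataType>boolean</DataType>
    </ClaimType>
  </ClaimsSchema>
  <ClaimsTransformations>
    <!-- EQUAL with ignoreCase: true when newPassword is the prefix, e.g. "jdoe" vs "JDoe" -->
    <ClaimsTransformation Id="CheckUserSuppliedPassword" TransformationMethod="CompareClaims">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="newPassword" TransformationClaimType="inputClaim1" />
        <InputClaim ClaimTypeReferenceId="userEmailPrefix" TransformationClaimType="inputClaim2" />
      </InputClaims>
      <InputParameters>
        <InputParameter Id="operator" DataType="string" Value="EQUAL" />
        <InputParameter Id="ignoreCase" DataType="string" Value="true" />
      </InputParameters>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="SameAsEmailPrefix" TransformationClaimType="outputClaim" />
      </OutputClaims>
    </ClaimsTransformation>
    <!-- Throws (fails the validation profile) unless SameAsEmailPrefix == false.
         Transformation Id is an assumption of this example. -->
    <ClaimsTransformation Id="AssertPasswordNotEmailPrefix" TransformationMethod="AssertBooleanClaimIsEqualToValue">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="SameAsEmailPrefix" TransformationClaimType="inputClaim" />
      </InputClaims>
      <InputParameters>
        <InputParameter Id="valueToCompareTo" DataType="boolean" Value="false" />
      </InputParameters>
    </ClaimsTransformation>
  </ClaimsTransformations>
</BuildingBlocks>

<ClaimsProvider>
  <DisplayName>Local Account</DisplayName>
  <TechnicalProfiles>
    <!-- Non-interactive validation profile: runs the transformations, renders no page -->
    <TechnicalProfile Id="MyLocalAccountCheckUserPassword">
      <DisplayName>Check User Password</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <!-- Shown on the self-asserted password page when the assertion fails (message text assumed) -->
        <Item Key="UserMessageIfClaimsTransformationBooleanValueIsNotEqual">Your new password must not be the same as your username.</Item>
      </Metadata>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="newPassword" />
        <InputClaim ClaimTypeReferenceId="userEmailPrefix" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="SameAsEmailPrefix" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CheckUserSuppliedPassword" />
        <OutputClaimsTransformation ReferenceId="AssertPasswordNotEmailPrefix" />
      </OutputClaimsTransformations>
    </TechnicalProfile>

    <TechnicalProfile Id="LocalAccountWritePasswordUsingObjectId">
      <!-- DisplayName, Protocol, Metadata, CryptographicKeys, InputClaims and OutputClaims
           as in the question; only the validation order is shown here -->
      <ValidationTechnicalProfiles>
        <!-- Check first: if it fails, the write below never runs and the page shows the message -->
        <ValidationTechnicalProfile ReferenceId="MyLocalAccountCheckUserPassword" />
        <ValidationTechnicalProfile ReferenceId="AAD-UserWritePasswordUsingObjectId" />
      </ValidationTechnicalProfiles>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<!-- Relying party file: emit the claim so the comparison result is visible in the token -->
<RelyingParty>
  <TechnicalProfile Id="PolicyProfile">
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="SameAsEmailPrefix" />
    </OutputClaims>
  </TechnicalProfile>
</RelyingParty>
```

Two points worth checking when adapting this. CompareClaims tests for equality only (case-insensitive here), so it rejects a password that is exactly the email prefix and nothing more; "similar to" in the broader sense (prefix plus digits, for example) is not covered by this transformation. And the assertion only takes effect because the check profile is listed before AAD-UserWritePasswordUsingObjectId; with the order reversed the new password would already be stored by the time the comparison runs.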