Federating with Azure AD B2C without creating a shadow account

Rory Braybrook
The new control plane
1 min read · Apr 23, 2024


Figure: identity federation image (from Copilot Designer)

This is a question that has popped up on stackoverflow a number of times recently.

People want to federate with another IDP but they don’t want to create another user record in B2C.

This record would normally be created by calling “AAD-UserWriteUsingAlternativeSecurityId”, which writes the user entry keyed on “AlternativeSecurityId” (the federated equivalent of the local account “objectId”).

We need to remove this call and the call to “SelfAsserted-Social”, which also triggers the write.

I wrote a custom policy to do this.

As usual, the gist is here.

I used Entra ID to federate with but the same principle would apply to any federation.

The Entra ID federation docs are here.

The only problem is that the write would normally create an objectId, and that objectId is used to generate the “sub” claim in the relying party JWT:

<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>

When you federate, you get the issuerUserId of the federated user account:

<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid"/>

so we need to copy the “issuerUserId” into “objectId” with a CopyClaim transformation:

<ClaimsTransformation Id="CopyObjectID" TransformationMethod="CopyClaim">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="issuerUserId" TransformationClaimType="inputClaim"/>
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectId" TransformationClaimType="outputClaim"/>
  </OutputClaims>
</ClaimsTransformation>

We now have an objectId to populate “sub”, which is a mandatory claim in the JWT.
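To show how the pieces above fit together, here is an added example of the minimal wiring (not the gist from the post): the Entra ID technical profile runs the CopyObjectID transformation on its output claims, and the user journey goes straight from the claims exchange to SendClaims, with no SelfAsserted-Social or AAD-UserWriteUsingAlternativeSecurityId steps. The technical profile id “EntraID-OIDC”, the claims exchange id, the policy key name and the {TENANT-ID}/{CLIENT-ID} placeholders are assumptions.

```xml
<!-- Added example: assumed ids and placeholders, not the author's gist.
     Keeps the page's CopyObjectID transformation and drops the write steps. -->
<ClaimsProvider>
  <DisplayName>Entra ID</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="EntraID-OIDC">
      <DisplayName>Entra ID</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <Metadata>
        <!-- {TENANT-ID} and {CLIENT-ID} are placeholders; fill in your own -->
        <Item Key="METADATA">https://login.microsoftonline.com/{TENANT-ID}/v2.0/.well-known/openid-configuration</Item>
        <Item Key="client_id">{CLIENT-ID}</Item>
        <Item Key="response_types">code</Item>
        <Item Key="scope">openid profile</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_EntraIDAppSecret" />
      </CryptographicKeys>
      <OutputClaims>
        <!-- the federated user's oid lands in issuerUserId, as on the page -->
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="https://login.microsoftonline.com/{TENANT-ID}/v2.0" AlwaysUseDefaultValue="true" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <!-- run the page's CopyClaim transformation so objectId = issuerUserId -->
        <OutputClaimsTransformation ReferenceId="CopyObjectID" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<UserJourney Id="SignUpSignInNoShadowAccount">
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
      <ClaimsProviderSelections>
        <ClaimsProviderSelection TargetClaimsExchangeId="EntraIDExchange" />
      </ClaimsProviderSelections>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="EntraIDExchange" TechnicalProfileReferenceId="EntraID-OIDC" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- no SelfAsserted-Social and no AAD-UserWriteUsingAlternativeSecurityId here -->
    <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
</UserJourney>
```

Because objectId now carries the external IdP's oid, “sub” is only unique per federated issuer; a relying party that accepts more than one IdP should key users on “sub” together with the identityProvider claim.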

All good!


NZ Microsoft Identity dude and MVP. Azure AD/B2C/ADFS/Auth0/identityserver. StackOverflow: https://bit.ly/2XU4yvJ Presentations: http://bit.ly/334ZPt5