Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article provides examples for using general claims transformations of the Azure Active Directory B2C (Azure AD B2C) custom policy. For more information, see claims transformations.
Copy value of a claim to another. Both claims must be from the same type. Check out the Live demo of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes |
|---|---|---|---|
| InputClaim | inputClaim | string, int | The claim type, which is to be copied. |
| OutputClaim | outputClaim | string, int | The claim that is produced after this claims transformation has been invoked. |
Use this claims transformation to copy a value from a string or numeric claim, to another claim. The following example copies the externalEmail claim value to email claim.
<ClaimsTransformation Id="CopyEmailAddress" TransformationMethod="CopyClaim">
<InputClaims>
<InputClaim ClaimTypeReferenceId="externalEmail" TransformationClaimType="inputClaim"/>
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="email" TransformationClaimType="outputClaim"/>
</OutputClaims>
</ClaimsTransformation>
- Input claims:
- inputClaim: bob@contoso.com
- Output claims:
- outputClaim: bob@contoso.com
Checks if the input claim exists, and sets output claim to true or false accordingly. Check out the Live demo of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes |
|---|---|---|---|
| InputClaim | inputClaim | Any | The input claim whose existence needs to be verified. |
| OutputClaim | outputClaim | boolean | The claim that is produced after this claims transformation has been invoked. |
Use this claims transformation to check if a claim exists or contains any value. The return value is a boolean that indicates whether the claim exists. Following example checks if the email address exists.
<ClaimsTransformation Id="CheckIfEmailPresent" TransformationMethod="DoesClaimExist">
<InputClaims>
<InputClaim ClaimTypeReferenceId="email" TransformationClaimType="inputClaim" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="isEmailPresent" TransformationClaimType="outputClaim" />
</OutputClaims>
</ClaimsTransformation>
- Input claims:
- inputClaim: someone@contoso.com
- Output claims:
- outputClaim: true
Hash the provided plain text using the salt and a secret. The hashing algorithm used is SHA-256. Check out the Live demo of this claims transformation.
| Element | TransformationClaimType | Data Type | Notes |
|---|---|---|---|
| InputClaim | plaintext | string | The input claim to be encrypted |
| InputClaim | salt | string | The salt parameter. You can create a random value, using CreateRandomString claims transformation. |
| InputParameter | randomizerSecret | string | Points to an existing Azure AD B2C policy key. To create a new policy key: In your Azure AD B2C tenant, under Manage, select Identity Experience Framework. Select Policy keys to view the keys that are available in your tenant. Select Add. For Options, select Manual. Provide a name (the prefix B2C_1A_ might be added automatically.). In the Secret text box, enter any secret you want to use, such as 1234567890. For Key usage, select Signature. Select Create. |
| OutputClaim | hash | string | The claim that is produced after this claims transformation has been invoked. The claim configured in the plaintext inputClaim. |
The following example demonstrates how to hash an email address. The claims transformation adds the salt to the email address before hashing the value. To call this claims transformation, set a value to the mySalt claim.
<ClaimsTransformation Id="HashPasswordWithEmail" TransformationMethod="Hash">
<InputClaims>
<InputClaim ClaimTypeReferenceId="email" TransformationClaimType="plaintext" />
<InputClaim ClaimTypeReferenceId="mySalt" TransformationClaimType="salt" />
</InputClaims>
<InputParameters>
<InputParameter Id="randomizerSecret" DataType="string" Value="B2C_1A_AccountTransformSecret" />
</InputParameters>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="hashedEmail" TransformationClaimType="hash" />
</OutputClaims>
</ClaimsTransformation>
- Input claims:
- plaintext: someone@contoso.com
- salt: 487624568
- randomizerSecret: B2C_1A_AccountTransformSecret
- Output claims:
- outputClaim: CdMNb/KTEfsWzh9MR1kQGRZCKjuxGMWhA5YQNihzV6U=
- Find more claims transformation samples on the Azure AD B2C community GitHub repo