From cd33264d3f0aec9357ee5441dd0fb5ef6fa1b962 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jonas=20Greve=20J=C3=B8rgensen?= Date: Fri, 17 Jun 2022 10:56:44 +0200 Subject: [PATCH 01/16] Update DisplayControl_TrustFrameworkExtensions.xml "template_id" is "templateId" in the SendInBlue API: https://developers.sendinblue.com/docs/send-a-transactional-email#1-generate-a-code-snippet-to-quickly-test-your-request. Using "template_id" will return a misleading error message saying that the "sender" parameter is missing, even though "sender" is not required. --- .../Sendinblue/DisplayControl_TrustFrameworkExtensions.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/policies/custom-email-verifcation-displaycontrol/policy/Sendinblue/DisplayControl_TrustFrameworkExtensions.xml b/policies/custom-email-verifcation-displaycontrol/policy/Sendinblue/DisplayControl_TrustFrameworkExtensions.xml index 78a3d165..1d046046 100644 --- a/policies/custom-email-verifcation-displaycontrol/policy/Sendinblue/DisplayControl_TrustFrameworkExtensions.xml +++ b/policies/custom-email-verifcation-displaycontrol/policy/Sendinblue/DisplayControl_TrustFrameworkExtensions.xml @@ -58,8 +58,8 @@ - - + + @@ -297,4 +297,4 @@ - \ No newline at end of file + From e11ebb167abd19f5c539f0b2b2f256c36b129108 Mon Sep 17 00:00:00 2001 From: Daryl Date: Tue, 19 Jul 2022 06:38:52 +0800 Subject: [PATCH 02/16] Update install instructions and scripts --- policies/devops-pipeline/README.md | 40 +++++++++++++------- policies/devops-pipeline/azure-pipelines.yml | 16 ++++---- 2 files changed, 35 insertions(+), 21 deletions(-) diff --git a/policies/devops-pipeline/README.md b/policies/devops-pipeline/README.md index 27ede046..ab7955c2 100644 --- a/policies/devops-pipeline/README.md +++ b/policies/devops-pipeline/README.md 
@@ -41,7 +41,7 @@ These policies are then batched by their hierarchy in the tree, as well as their
 1. 1A_Base
 2. 1A_EXT
-3. 1A_LBASE, 1A_LSBASE
+3. 1A_LBASE, 1A_SBASE
 4. 1A_LSS, 1A_LPR
 5. 1A_LSSS
@@ -52,29 +52,43 @@ These policies are then batched by their hierarchy in the tree, as well as their
 To deploy locally, you need to install the cli tool.
-### Via npm
+### Via curl
 ```sh
-npm install -g ieftool
+curl https://raw.githubusercontent.com/judedaryl/go-ieftool/main/install.sh | bash
 ```
-### Via yarn
-```sh
-yarn global add ieftool
-```
+### Download the binary
+
+The binaries are available in github [go-ieftool](https://github.com/judedaryl/go-ieftool/releases/latest)
+
+Select the binary for your system. Available binaries:
+* darwin-amd64 ( macOS intel chip )
+* darwin-arm64 ( macOS m1 chip )
+* linux-amd64 ( linux x64 )
+* windows-amd64 ( windows x64 )
 Then deploy
 ```sh
-ieftool deploy -t { tenant } -c { client_id } -s { client_secret } -p ./src
+export B2C_TENANT_ID=__TENANT_ID__
+export B2C_CLIENT_ID=__CLIENT_ID__
+export B2C_CLIENT_SECRET=__CLIENT_SECRET__
+ieftool deploy ./policy
 ```
-| option | description |
+```
+Usage:
+ ieftool deploy [path to policies]
+```
+
+### Required Environment Variables
+
+| variable | description |
 |--|--|
-| tenant | The B2C tenant, this can either be the **tenantId** or the **tenant name** (mytenant.onmicrosoft.com)|
-| client_id | The client id of an app registration in B2C that has permissions for TrustFrameworkPolicies |
-| client_secret | The client secret of an app registration in B2C that has permissions for TrustFrameworkPolicies |
-| source_path | The path to your b2c policies. In the tree structure above it would be ``./src``
+| B2C_TENANT_ID | The B2C tenant, this can either be the **tenantId** (guid) or the **tenant name** (mytenant.onmicrosoft.com)|
+| B2C_CLIENT_ID | The client id of an app registration in B2C that has permissions for TrustFrameworkPolicies |
+| B2C_CLIENT_SECRET | The client secret of an app registration in B2C that has permissions for TrustFrameworkPolicies |
diff --git a/policies/devops-pipeline/azure-pipelines.yml b/policies/devops-pipeline/azure-pipelines.yml
index 8db12745..a6854029 100644
--- a/policies/devops-pipeline/azure-pipelines.yml
+++ b/policies/devops-pipeline/azure-pipelines.yml
@@ -8,13 +8,13 @@ pool:
 vmImage: 'ubuntu-latest'
 steps:
- - task: NodeTool@0
- inputs:
- versionSpec: '10.x'
- displayName: 'Install Node'
-
- - script: npm install -g ieftool
+ - script: |
+ curl https://raw.githubusercontent.com/judedaryl/go-ieftool/main/install.sh | bash
 displayName: 'Install IEF Tool'
- - script: ieftool deploy -t TENANT_ID -c CLIENT_ID -s CLIENT_SECRET -p ./policy
- displayName: 'Uploading IEF policies'
\ No newline at end of file
+ - script: ieftool deploy ./policy
+ displayName: 'Uploading IEF policies'
+ env:
+ B2C_TENANT_ID: __TENANT_ID__
+ B2C_CLIENT_ID: __CLIENT_ID__
+ B2C_CLIENT_SECRET: __CLIENT_SECRET__
\ No newline at end of file
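Review bot: The new 'Install IEF Tool' step runs `curl https://raw.githubusercontent.com/judedaryl/go-ieftool/main/install.sh | bash`, which executes whatever is on that branch at run time, inside the same job that holds the B2C client secret; pinning the install to a release tag or commit (or downloading a release binary and checking its published checksum) makes the deploy reproducible and keeps a later change to that script away from the tenant credentials. The `env:` block also places `B2C_CLIENT_SECRET: __CLIENT_SECRET__` as a literal in the checked-in YAML, so the first person who replaces the placeholder commits the secret; mapping it from a pipeline secret variable, `B2C_CLIENT_SECRET: $(B2C_CLIENT_SECRET)`, keeps it out of the repository and lets the agent mask it in logs. The README hunk above documents the same curl-to-bash install and would carry the same pinning advice.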
diff --git a/policies/ieftool-github-actions/.github/deploy.yml b/policies/ieftool-github-actions/.github/deploy.yml
new file mode 100644
index 00000000..b96bce8b
--- /dev/null
+++ b/policies/ieftool-github-actions/.github/deploy.yml
@@ -0,0 +1,17 @@
+name: 'deploy'
+on:
+ push:
+ branches:
+ - main
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+ name: Deploy
+ steps:
+ - uses: judedaryl/ief-upload-policies@v1
+ with:
+ folder: policy
+ client-id: ${{ secrets.B2C_CLIENT_ID }}
+ client-secret: ${{ secrets.B2C_CLIENT_SECRET }}
+ tenant-id: ${{ secrets.B2C_TENANT_ID }}
\ No newline at end of file
diff --git a/policies/ieftool-github-actions/README.md b/policies/ieftool-github-actions/README.md
new file mode 100644
index 00000000..6e9fca13
--- /dev/null
+++ b/policies/ieftool-github-actions/README.md
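Review bot: The workflow references `judedaryl/ief-upload-policies@v1`, a mutable major tag, while passing it the tenant's client secret, so a later push to that tag changes what runs with those credentials; pinning a third-party action to its full commit SHA (with the tag in a trailing comment) is the usual way to hold it fixed. The same applies to the `actions/checkout@v3` and `judedaryl/ieftool-action/*@v1` references in the patch-04 version of this file. Separately, the file is added at `.github/deploy.yml` whereas the README in this commit says "You can find an example workflow in .github/workflows/deploy.yml"; only the `.github/workflows/` path is a workflow location, so one of the two should be corrected.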
@@ -0,0 +1,114 @@
+# IEFTOOL Github Actions
+
+This example shows how to create a CI/CD pipeline for IEF policies using Github Actions.
+
+## Scenario
+
+The folder structure of the B2C policies normally doesn't follow a dependency tree and is mainly based on the name of the file. This makes it hard to create a simple bash or pwsh script to upload the policies in the correct order.
+
+This tool makes it easier for B2C policies to be uploaded in-order based on the inheritance of a policy. Uploads are also faster because policies are uploaded by batch depending on its position on the inheritance tree.
+
+
+```pre
+src/
+├─ social/
+│ ├─ base.xml (1A_SBASE)
+│ ├─ signupsignin.xml (1A_SSS)
+├─ local/
+│ ├─ base.xml (1A_LBASE)
+│ ├─ signupsignin.xml (1A_LSS)
+│ ├─ passwordreset.xml (1A_LPR)
+├─ base.xml (1A_BASE)
+├─ extension.xml (1A_EXT)
+
+```
+
+The example folder structure above has the following inheritance tree.
+
+```pre
+ 1A_BASE
+ |
+ 1A_EXT
+ / \
+ 1A_LBASE 1A_SBASE
+ / \ \
+ 1A_LSS 1A_LPR 1A_SSS
+```
+
+These policies are then batched by their hierarchy in the tree, as well as their parent policy. The order of upload would then be.
+
+1. 1A_Base
+2. 1A_EXT
+3. 1A_LBASE, 1A_SBASE
+4. 1A_LSS, 1A_LPR
+5. 1A_LSSS
+
+
+
+## Credentials
+
+Create an ``Application Registration`` in your Azure B2C tenant, follow [this guide](https://docs.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-get-started?tabs=app-reg-ga).
+
+Make sure to grant **Microsoft Graph > Policy > Policy.ReadWrite.TrustFramework** in **API Permissions**
+
+## Setting up Github
+
+To ensure your ``secrets`` stay ``secrets``. The following values should be stored as ``secrets`` in your github repository/organization
+
+|Secret|Description|
+|-|-|
+|B2C_TENANT_ID|Azure B2C tenant ID|
+|B2C_CLIENT_ID|Azure B2C application client ID|
+|B2C_CLIENT_SECRET|Azure B2C application client secret|
+
+You can find an example workflow in .github/workflows/deploy.yml
+
+## Local Deployment
+
+To deploy locally, you need to install the cli tool.
+
+### Via curl
+```sh
+curl https://raw.githubusercontent.com/judedaryl/go-ieftool/main/install.sh | bash
+```
+
+### Download the binary
+
+The binaries are available in github [go-ieftool](https://github.com/judedaryl/go-ieftool/releases/latest)
+
+Select the binary for your system. Available binaries:
+* darwin-amd64 ( macOS intel chip )
+* darwin-arm64 ( macOS m1 chip )
+* linux-amd64 ( linux x64 )
+* windows-amd64 ( windows x64 )
+
+Then deploy
+
+```sh
+export B2C_TENANT_ID=__TENANT_ID__
+export B2C_CLIENT_ID=__CLIENT_ID__
+export B2C_CLIENT_SECRET=__CLIENT_SECRET__
+
+ieftool deploy ./policy
+```
+
+```
+Usage:
+ ieftool deploy [path to policies]
+```
+
+### Required Environment Variables
+
+| variable | description |
+|--|--|
+| B2C_TENANT_ID | The B2C tenant, this can either be the **tenantId** (guid) or the **tenant name** (mytenant.onmicrosoft.com)|
+| B2C_CLIENT_ID | The client id of an app registration in B2C that has permissions for TrustFrameworkPolicies |
+| B2C_CLIENT_SECRET | The client secret of an app registration in B2C that has permissions for TrustFrameworkPolicies |
+
+
+
+ +## Notes +This sample policy is based on [LocalAccounts starter pack](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/tree/master/LocalAccounts). \ No newline at end of file diff --git a/policies/ieftool-github-actions/policy/PasswordReset.xml b/policies/ieftool-github-actions/policy/PasswordReset.xml new file mode 100644 index 00000000..a93a37e0 --- /dev/null +++ b/policies/ieftool-github-actions/policy/PasswordReset.xml @@ -0,0 +1,31 @@ + + + + + yourtenant.onmicrosoft.com + B2C_1A_TrustFrameworkExtensions + + + + + + PolicyProfile + + + + + + + + + + + + diff --git a/policies/ieftool-github-actions/policy/ProfileEdit.xml b/policies/ieftool-github-actions/policy/ProfileEdit.xml new file mode 100644 index 00000000..4d2f96cc --- /dev/null +++ b/policies/ieftool-github-actions/policy/ProfileEdit.xml @@ -0,0 +1,30 @@ + + + + + yourtenant.onmicrosoft.com + B2C_1A_TrustFrameworkExtensions + + + + + + PolicyProfile + + + + + + + + + + + diff --git a/policies/ieftool-github-actions/policy/SignUpOrSignin.xml b/policies/ieftool-github-actions/policy/SignUpOrSignin.xml new file mode 100644 index 00000000..22c4a578 --- /dev/null +++ b/policies/ieftool-github-actions/policy/SignUpOrSignin.xml @@ -0,0 +1,36 @@ + + + + + yourtenant.onmicrosoft.com + B2C_1A_TrustFrameworkExtensions + + + + + + PolicyProfile + + + + + + + + + + + + + + + + + diff --git a/policies/ieftool-github-actions/policy/TrustFrameworkBase.xml b/policies/ieftool-github-actions/policy/TrustFrameworkBase.xml new file mode 100644 index 00000000..8ae9137e --- /dev/null +++ b/policies/ieftool-github-actions/policy/TrustFrameworkBase.xml 
@@ -0,0 +1,892 @@ + + + + + + + + + + + + + Username + string + + TextBox + + + + + + + User's Object's Tenant ID + string + + + + + + Tenant identifier (ID) of the user object in Azure AD. + + + + User's Object ID + string + + + + + + Object identifier (ID) of the user object in Azure AD. + + + + + Sign in name + string + + TextBox + + + + Email Address + string + Email address to use for signing in. + TextBox + + + + Account Enabled + boolean + Specifies whether the user's account is enabled. + Specifies whether your account is enabled. + + + + Password + string + Enter password + Password + + + + + New Password + string + Enter new password + Password + + + + + + + + Confirm New Password + string + Confirm new password + Password + + + + + + + Password Policies + string + Password policies used by Azure AD to determine password strength, expiry etc. + + + + client_id + string + Special parameter passed to EvoSTS. + Special parameter passed to EvoSTS. + + + + resource_id + string + Special parameter passed to EvoSTS. + Special parameter passed to EvoSTS. + + + + Subject + string + + + + + + + + Identity Provider + string + + + + + + + + + + Display Name + string + + + + + + Your display name. + TextBox + + + + Email Address + string + + + + Email address that can be used to contact you. + TextBox + + + + + + + Alternate Email Addresses + stringCollection + Email addresses that can be used to contact the user. + + + + UserPrincipalName + string + + + + + + Your user name as stored in the Azure Active Directory. + + + + UPN User Name + string + The user name for creating user principal name. + + + + User is new + boolean + + + + + Executed-SelfAsserted-Input + string + A claim that specifies whether attributes were collected from the user. + + + + AuthenticationSource + string + Specifies whether the user was authenticated at Social IDP or local account. 
+ + + + + + nca + string + Special parameter passed for local account authentication to login.microsoftonline.com. + + + + grant_type + string + Special parameter passed for local account authentication to login.microsoftonline.com. + + + + scope + string + Special parameter passed for local account authentication to login.microsoftonline.com. + + + + objectIdFromSession + boolean + Parameter provided by the default session management provider to indicate that the object id has been retrieved from an SSO session. + + + + isActiveMFASession + boolean + Parameter provided by the MFA session management to indicate that the user has an active MFA session. + + + + + + Given Name + string + + + + + + Your given name (also known as first name). + TextBox + + + + Surname + string + + + + + + Your surname (also known as family name or last name). + TextBox + + + + + + + + + + + + + + + + + + + + + + + + + + + + LineMarkers, MetaRefresh + + + + + + + + ~/tenant/templates/AzureBlue/exception.cshtml + ~/common/default_page_error.html + urn:com:microsoft:aad:b2c:elements:globalexception:1.1.0 + + Error page + + + + + ~/tenant/templates/AzureBlue/idpSelector.cshtml + ~/common/default_page_error.html + urn:com:microsoft:aad:b2c:elements:idpselection:1.0.0 + + Idp selection page + Sign in + + + + + ~/tenant/templates/AzureBlue/idpSelector.cshtml + ~/common/default_page_error.html + urn:com:microsoft:aad:b2c:elements:idpselection:1.0.0 + + Idp selection page + Sign up + + + + + ~/tenant/templates/AzureBlue/unified.cshtml + ~/common/default_page_error.html + urn:com:microsoft:aad:b2c:elements:unifiedssp:1.0.0 + + Signin and Signup + + + + + ~/tenant/templates/AzureBlue/selfAsserted.cshtml + ~/common/default_page_error.html + urn:com:microsoft:aad:b2c:elements:selfasserted:1.1.0 + + Collect information from user page + + + + + ~/tenant/templates/AzureBlue/selfAsserted.cshtml + ~/common/default_page_error.html + urn:com:microsoft:aad:b2c:elements:selfasserted:1.1.0 + + Collect 
information from user page + + + + + ~/tenant/templates/AzureBlue/selfAsserted.cshtml + ~/common/default_page_error.html + urn:com:microsoft:aad:b2c:elements:selfasserted:1.1.0 + + Local account sign up page + + + + + ~/tenant/templates/AzureBlue/selfAsserted.cshtml + ~/common/default_page_error.html + urn:com:microsoft:aad:b2c:elements:selfasserted:1.1.0 + + Local account change password page + + + + + + + + + + + Local Account SignIn + + + Local Account SignIn + + + We can't seem to find your account + Your password is incorrect + Looks like you used an old password + + https://sts.windows.net/ + https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration + https://login.microsoftonline.com/{tenant}/oauth2/token + id_token + query + email openid + password + + + false + POST + + + + + + + + + + + + + + + + + + + + + + + Azure Active Directory + + + + Azure Active Directory + + + + + + + + false + + + + + + + + Write + true + + false + + + + + + + + + + + + + + + + + + + + + + + + + + + + Read + true + An account could not be found for the provided user ID. + + false + + + + + + + + + + + + + + + + + + + + + + + + Write + true + + false + + + + + + + + + + + + + + + + Write + false + true + + false + + + + + + + + + + + + + + + + + + Read + true + + false + + + + + + + + + + + + + + + + + + + + Self Asserted + + + + User ID signup + + + api.selfasserted.profileupdate + + false + + + + + + + + + + + + + + + + + + + + + + + + + Local Account + + + + Email signup + + + IpAddress + api.localaccountsignup + Create + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Local Account Signin + + + SignUpWithLogonEmailExchange + Email + api.selfasserted + + false + + + + + + + + + + + + + + + + + + Reset password using email address + + + IpAddress + api.localaccountpasswordreset + Your account has been locked. Contact your support person to unlock it, then try again. 
+ + + + + false + + + + + + + + + + + + + + Change password (username) + + + api.localaccountpasswordreset + + + + + + + + + + + + + + + + + + + + + + Session Management + + + Noop Session Management Provider + + + + + Session Mananagement Provider + + + + + + + + + + + + + + + + + + + Trustframework Policy Engine TechnicalProfiles + + + Trustframework Policy Engine Default Technical Profile + + + {service:te} + + + + + + + Token Issuer + + + JWT Issuer + + JWT + + {service:te} + objectId + true + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + objectId + SkipThisOrchestrationStep + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/policies/ieftool-github-actions/policy/TrustFrameworkExtensions.xml b/policies/ieftool-github-actions/policy/TrustFrameworkExtensions.xml new file mode 100644 index 00000000..51c921b9 --- /dev/null +++ b/policies/ieftool-github-actions/policy/TrustFrameworkExtensions.xml @@ -0,0 +1,44 @@ + + + + + yourtenant.onmicrosoft.com + B2C_1A_TrustFrameworkBase + + + + + + + + + + Local Account SignIn + + + + ProxyIdentityExperienceFrameworkAppId + IdentityExperienceFrameworkAppId + + + + + + + + + + + + + + From 786c2c49dfb3fcc0267464ee850f2736258a9e36 Mon Sep 17 00:00:00 2001 
From: Daryl
Date: Wed, 20 Jul 2022 02:41:49 +0800
Subject: [PATCH 04/16] Add build step
---
 .../ieftool-github-actions/.github/deploy.yml | 11 ++++-
 policies/ieftool-github-actions/README.md | 47 ++++++++++++++++++-
 .../ieftool-github-actions/ieftool.config | 1 +
 .../{policy => src}/PasswordReset.xml | 8 ++--
 .../{policy => src}/ProfileEdit.xml | 8 ++--
 .../{policy => src}/SignUpOrSignin.xml | 9 ++--
 .../{policy => src}/TrustFrameworkBase.xml | 4 +-
 .../TrustFrameworkExtensions.xml | 6 +--
 8 files changed, 69 insertions(+), 25 deletions(-)
 create mode 100644 policies/ieftool-github-actions/ieftool.config
 rename policies/ieftool-github-actions/{policy => src}/PasswordReset.xml (85%)
 rename policies/ieftool-github-actions/{policy => src}/ProfileEdit.xml (85%)
 rename policies/ieftool-github-actions/{policy => src}/SignUpOrSignin.xml (87%)
 rename policies/ieftool-github-actions/{policy => src}/TrustFrameworkBase.xml (99%)
 rename policies/ieftool-github-actions/{policy => src}/TrustFrameworkExtensions.xml (87%)
diff --git a/policies/ieftool-github-actions/.github/deploy.yml b/policies/ieftool-github-actions/.github/deploy.yml
index b96bce8b..efca501a 100644
--- a/policies/ieftool-github-actions/.github/deploy.yml
+++ b/policies/ieftool-github-actions/.github/deploy.yml
@@ -9,9 +9,16 @@ jobs:
 runs-on: ubuntu-latest
 name: Deploy
 steps:
- - uses: judedaryl/ief-upload-policies@v1
+ - uses: actions/checkout@v3
+ - uses: judedaryl/ieftool-action/setup@v1
+ - uses: judedaryl/ieftool-action/build@v1
 with:
- folder: policy
+ source: src
+ output: build
+ config: ieftool.config
+ - uses: judedaryl/ieftool-action/deploy@v1
+ with:
+ folder: build
 client-id: ${{ secrets.B2C_CLIENT_ID }}
 client-secret: ${{ secrets.B2C_CLIENT_SECRET }}
 tenant-id: ${{ secrets.B2C_TENANT_ID }}
\ No newline at end of file
diff --git a/policies/ieftool-github-actions/README.md b/policies/ieftool-github-actions/README.md
index 6e9fca13..8b83e721 100644
--- a/policies/ieftool-github-actions/README.md
+++ b/policies/ieftool-github-actions/README.md @@ -1,8 +1,51 @@ # IEFTOOL Github Actions -This example shows how to create a CI/CD pipeline for IEF policies using Github Actions. +This example shows how to create a CI/CD pipeline for IEF policies using Github Actions which covers two main scenarios. ``Configuration`` and ``Deployment`` -## Scenario +## Scenario - Configuration + +Azure B2C IEF policies are mainly written in xml and acts like an instruction set for your user flows in Azure B2C. This presents quite a challenge though when you are maintaining multiple tenants representing multiple environments a ``non-prod`` and ``prod`` for example. + +The ieftool helps with this scenario by providing a way for you to inject variables into your xml policies using a ``yaml configuration file`` + + +``ieftool.config`` +```yaml +tenantId: mynonprodtenant.onmicrosoft.com +deploymentMode: Development +``` + +``src/BasePolicy.xml`` +```xml + + + ... + +``` +Run the build command + +```sh +# ieftool build [source dir] [target dir] -c [config path] +ieftool build src output -c ieftool.config +``` + +The policies are then compiled into + +``output/BasePolicy.xml`` +```xml + + + ... + +``` + +## Scenario - Deployments The folder structure of the B2C policies normally doesn't follow a dependency tree and is mainly based on the name of the file. This makes it hard to create a simple bash or pwsh script to upload the policies in the correct order. diff --git a/policies/ieftool-github-actions/ieftool.config b/policies/ieftool-github-actions/ieftool.config new file mode 100644 index 00000000..41df95ff --- /dev/null +++ b/policies/ieftool-github-actions/ieftool.config @@ -0,0 +1 @@ +tenantId: mytenant.onmicrosoft.com \ No newline at end of file 
diff --git a/policies/ieftool-github-actions/policy/PasswordReset.xml b/policies/ieftool-github-actions/src/PasswordReset.xml similarity index 85% rename from policies/ieftool-github-actions/policy/PasswordReset.xml rename to policies/ieftool-github-actions/src/PasswordReset.xml index a93a37e0..a90eb7f3 100644 --- a/policies/ieftool-github-actions/policy/PasswordReset.xml +++ b/policies/ieftool-github-actions/src/PasswordReset.xml @@ -4,12 +4,12 @@ xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0" - TenantId="yourtenant.onmicrosoft.com" + TenantId="{{ tenantId }}" PolicyId="B2C_1A_PasswordReset" - PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_PasswordReset"> + PublicPolicyUri="http://{{ tenantId }}/B2C_1A_PasswordReset"> - yourtenant.onmicrosoft.com + {{ tenantId }} B2C_1A_TrustFrameworkExtensions @@ -27,5 +27,3 @@ - - diff --git a/policies/ieftool-github-actions/policy/ProfileEdit.xml b/policies/ieftool-github-actions/src/ProfileEdit.xml similarity index 85% rename from policies/ieftool-github-actions/policy/ProfileEdit.xml rename to policies/ieftool-github-actions/src/ProfileEdit.xml index 4d2f96cc..fe69022c 100644 --- a/policies/ieftool-github-actions/policy/ProfileEdit.xml +++ b/policies/ieftool-github-actions/src/ProfileEdit.xml @@ -4,12 +4,12 @@ xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0" - TenantId="yourtenant.onmicrosoft.com" + TenantId="{{ tenantId }}" PolicyId="B2C_1A_ProfileEdit" - PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_ProfileEdit"> + PublicPolicyUri="http://{{ tenantId }}/B2C_1A_ProfileEdit"> - yourtenant.onmicrosoft.com + {{ tenantId }} B2C_1A_TrustFrameworkExtensions @@ -26,5 +26,3 @@ - - 
diff --git a/policies/ieftool-github-actions/policy/SignUpOrSignin.xml b/policies/ieftool-github-actions/src/SignUpOrSignin.xml similarity index 87% rename from policies/ieftool-github-actions/policy/SignUpOrSignin.xml rename to policies/ieftool-github-actions/src/SignUpOrSignin.xml index 22c4a578..6d81c31f 100644 --- a/policies/ieftool-github-actions/policy/SignUpOrSignin.xml +++ b/policies/ieftool-github-actions/src/SignUpOrSignin.xml @@ -4,12 +4,12 @@ xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0" - TenantId="yourtenant.onmicrosoft.com" + TenantId="{{ tenantId }}" PolicyId="B2C_1A_signup_signin" - PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_signup_signin"> + PublicPolicyUri="http://{{ tenantId }}/B2C_1A_signup_signin"> - yourtenant.onmicrosoft.com + {{ tenantId }} B2C_1A_TrustFrameworkExtensions @@ -31,6 +31,3 @@ - - - diff --git a/policies/ieftool-github-actions/policy/TrustFrameworkBase.xml b/policies/ieftool-github-actions/src/TrustFrameworkBase.xml similarity index 99% rename from policies/ieftool-github-actions/policy/TrustFrameworkBase.xml rename to policies/ieftool-github-actions/src/TrustFrameworkBase.xml index 8ae9137e..b28aed5b 100644 --- a/policies/ieftool-github-actions/policy/TrustFrameworkBase.xml +++ b/policies/ieftool-github-actions/src/TrustFrameworkBase.xml @@ -4,9 +4,9 @@ xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0" - TenantId="yourtenant.onmicrosoft.com" + TenantId="{{ tenantId }}" PolicyId="B2C_1A_TrustFrameworkBase" - PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkBase"> + PublicPolicyUri="http://{{ tenantId }}/B2C_1A_TrustFrameworkBase"> 
diff --git a/policies/ieftool-github-actions/policy/TrustFrameworkExtensions.xml b/policies/ieftool-github-actions/src/TrustFrameworkExtensions.xml similarity index 87% rename from policies/ieftool-github-actions/policy/TrustFrameworkExtensions.xml rename to policies/ieftool-github-actions/src/TrustFrameworkExtensions.xml index 51c921b9..7cf4a410 100644 --- a/policies/ieftool-github-actions/policy/TrustFrameworkExtensions.xml +++ b/policies/ieftool-github-actions/src/TrustFrameworkExtensions.xml @@ -4,12 +4,12 @@ xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0" - TenantId="yourtenant.onmicrosoft.com" + TenantId="{{ tenantId }}" PolicyId="B2C_1A_TrustFrameworkExtensions" - PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions"> + PublicPolicyUri="http://{{ tenantId }}/B2C_1A_TrustFrameworkExtensions"> - yourtenant.onmicrosoft.com + {{ tenantId }} B2C_1A_TrustFrameworkBase From 6da15e17a7d93518b1ac7607b348097bc7441ef9 Mon Sep 17 00:00:00 2001 From: Daryl Date: Wed, 20 Jul 2022 03:10:19 +0800 Subject: [PATCH 05/16] Include action in readme ci/cd section --- readme.md | 1 + 1 file changed, 1 insertion(+) diff --git a/readme.md b/readme.md index 19a291ba..99ad61bf 100644 --- a/readme.md +++ b/readme.md @@ -191,6 +191,7 @@ Samples are available for the following categories |Sample name |Description |Quick deploy| |---|---|---| |[Azure DevOps pipeline for Azure AD B2C](policies/devops-pipeline) | Uploads policies regardless of naming convention Azure DevOps automated pipeline.| NA| +|[Github Action for Azure AD B2C using ieftool](policies/ieftool-github-actions) | A fully featured github action that provides a way for you to inject variables into your b2c policies and upload them regardless of order.| NA| ## Community Help and Support From cc06093db645586386708243b25cb649a4f2b82c Mon Sep 17 00:00:00 2001 
From: bolt-io Date: Thu, 28 Jul 2022 10:21:14 +0100 Subject: [PATCH 06/16] Fixed PublicPolicyUri on policy --- .../policy/B2C_1A_SignUpOrSignin_AADRest.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policies/AAD-SignIn-with-REST/policy/B2C_1A_SignUpOrSignin_AADRest.xml b/policies/AAD-SignIn-with-REST/policy/B2C_1A_SignUpOrSignin_AADRest.xml index 7fd052cb..c5093d60 100644 --- a/policies/AAD-SignIn-with-REST/policy/B2C_1A_SignUpOrSignin_AADRest.xml +++ b/policies/AAD-SignIn-with-REST/policy/B2C_1A_SignUpOrSignin_AADRest.xml @@ -1,7 +1,7 @@  + xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0" TenantId="yourtenant.onmicrosoft.com" PolicyId="B2C_1A_SignUpOrSignin_AADRest" PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_SignUpOrSignin_AADRest" DeploymentMode="Development"> yourtenant.onmicrosoft.com From b3570e8abcea5f37e2b7a400bd21742f37623de5 Mon Sep 17 00:00:00 2001 From: letusfly85 Date: Tue, 27 Sep 2022 08:01:53 +0900 Subject: [PATCH 07/16] :hammer: fix SupportedLanguage MergeBehaviour to upload SendGrid custom policy --- .../policy/SendGrid/DisplayControl_TrustFrameworkExtensions.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policies/custom-email-verifcation-displaycontrol/policy/SendGrid/DisplayControl_TrustFrameworkExtensions.xml b/policies/custom-email-verifcation-displaycontrol/policy/SendGrid/DisplayControl_TrustFrameworkExtensions.xml index 04d898e8..0308f396 100644 --- a/policies/custom-email-verifcation-displaycontrol/policy/SendGrid/DisplayControl_TrustFrameworkExtensions.xml +++ b/policies/custom-email-verifcation-displaycontrol/policy/SendGrid/DisplayControl_TrustFrameworkExtensions.xml @@ -84,7 +84,7 @@ - + en es From 7bafb94e8e9169f3fd85854ceda1d02e5999e476 Mon Sep 17 00:00:00 2001 
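Review bot: The rewritten TrustFrameworkPolicy element keeps `DeploymentMode="Development"` next to the corrected PublicPolicyUri; Azure AD B2C's development mode is intended for policy troubleshooting (it is the mode the Application Insights journey recorder requires), and a policy uploaded to a live tenant should carry `DeploymentMode="Production"` instead. A short comment above the element, or a line in the sample's readme, saying to switch the mode before a production upload would stop the sample being copied as-is. The `TenantId="yourtenant.onmicrosoft.com"` placeholders on the same line are presumably meant to be replaced by the reader, which the same note could cover.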
From: =?UTF-8?q?Micha=C5=82=20Silski?= Date: Wed, 2 Nov 2022 20:52:54 +0100 Subject: [PATCH 08/16] fix SelfAsserted ClaimsProvider for progressive profile --- ...ressiveProfileTrustFrameworkExtensions.xml | 23 +++++++++++++++---- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/policies/progressive-profile/policy/ProgressiveProfileTrustFrameworkExtensions.xml b/policies/progressive-profile/policy/ProgressiveProfileTrustFrameworkExtensions.xml index 73d08ef3..6cb5a460 100644 --- a/policies/progressive-profile/policy/ProgressiveProfileTrustFrameworkExtensions.xml +++ b/policies/progressive-profile/policy/ProgressiveProfileTrustFrameworkExtensions.xml @@ -25,12 +25,25 @@ - Self Asserted + Self Asserted Progressive Profiling - - - + + User ID signup + + + api.selfasserted.profileupdate + + false + + + + + + + + + @@ -102,7 +115,7 @@ - + From 09759b60faab3c26b79ccb60d92e717f983963dc Mon Sep 17 00:00:00 2001 From: Bailey Lissington <54869395+llamington@users.noreply.github.com> Date: Fri, 6 Jan 2023 23:38:06 +1300 Subject: [PATCH 09/16] Fixed a spelling mistake Changed 'intruduced' to 'introduced' --- policies/invite-via-email/policy/GenerateInviteToken.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/policies/invite-via-email/policy/GenerateInviteToken.xml b/policies/invite-via-email/policy/GenerateInviteToken.xml index 883c7382..e223e1c7 100644 --- a/policies/invite-via-email/policy/GenerateInviteToken.xml +++ b/policies/invite-via-email/policy/GenerateInviteToken.xml @@ -33,7 +33,7 @@ @@ -62,4 +62,4 @@ - \ No newline at end of file + From 2f93c8b2cb9705792c498524909323010db5c44b Mon Sep 17 00:00:00 2001 From: Yoel Horvitz Date: Tue, 14 Mar 2023 17:24:20 +0200 Subject: [PATCH 10/16] Update TrustFrameworkExtensionsCustomSMS.xml --- .../policy/TrustFrameworkExtensionsCustomSMS.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/policies/custom-sms-displaycontrol/policy/TrustFrameworkExtensionsCustomSMS.xml b/policies/custom-sms-displaycontrol/policy/TrustFrameworkExtensionsCustomSMS.xml index 93340bbf..9df612de 100644 --- a/policies/custom-sms-displaycontrol/policy/TrustFrameworkExtensionsCustomSMS.xml +++ b/policies/custom-sms-displaycontrol/policy/TrustFrameworkExtensionsCustomSMS.xml @@ -112,7 +112,7 @@ - + @@ -169,7 +169,7 @@ Custom REST API - + Validate user input data and return loyaltyNumber claim From 0b9e66053f7dd7336c12d90d43743b030f29607f Mon Sep 17 00:00:00 2001 From: Edward Date: Fri, 16 Jun 2023 16:12:40 -0700 Subject: [PATCH 11/16] Update readme.md link to mailjet sample was wrong leading to a 404 page not found error. Fixed the link --- policies/custom-email-verifcation-displaycontrol/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policies/custom-email-verifcation-displaycontrol/readme.md b/policies/custom-email-verifcation-displaycontrol/readme.md index 56266aa4..19361a67 100644 --- a/policies/custom-email-verifcation-displaycontrol/readme.md +++ b/policies/custom-email-verifcation-displaycontrol/readme.md 
@@ -14,7 +14,7 @@ This sample is detailed on the Microsoft B2C documentation site:
 | Policy | Documentation |
 |----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------|
-| [Mailjet policy](policy/Mailjet) | [Custom email verification with Mailjet](https://docs.microsoft.com/azure/active-directory-b2c/custom-email-mailet) |
+| [Mailjet policy](policy/Mailjet) | [Custom email verification with Mailjet](https://docs.microsoft.com/azure/active-directory-b2c/custom-email-mailjet) |
 | [SendGrid policy](policy/SendGrid) | [Custom email verification with SendGrid](https://docs.microsoft.com/azure/active-directory-b2c/custom-email-sendgrid) |
 | [SSPR policy](policy/SSPR) | [Azure AD B2C email verification with SSPR technical profile](https://docs.microsoft.com/azure/active-directory-b2c/aad-sspr-technical-profile) |
 | [Sendinblue policy](policy/Sendinblue) | [Custom email verification with Sendinblue](Sendinblue.md)
From f529a5ab6acbbd84bdb0f795fde113cd1ddfb2a1 Mon Sep 17 00:00:00 2001
From: shmiki <74346899+shmiki-microsoft@users.noreply.github.com>
Date: Tue, 4 Jul 2023 19:10:13 +0900
Subject: [PATCH 12/16] Update TrustframeworkExtensions_RevokeSessions.xml
I renamed refreshTokenValidFromDateTime to avoid conflicts with the starter pack. https://github.com/azure-ad-b2c/samples/issues/524
---
 .../policy/TrustframeworkExtensions_RevokeSessions.xml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/policies/revoke-sso-sessions/policy/TrustframeworkExtensions_RevokeSessions.xml b/policies/revoke-sso-sessions/policy/TrustframeworkExtensions_RevokeSessions.xml
index 0e5fb2a8..3dec82fa 100644
--- a/policies/revoke-sso-sessions/policy/TrustframeworkExtensions_RevokeSessions.xml
+++ b/policies/revoke-sso-sessions/policy/TrustframeworkExtensions_RevokeSessions.xml
@@ -26,7 +26,7 @@ lastLogonTime lastLogonTime - + refreshTokensValidFromDateTime dateTime Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token. @@ -49,7 +49,7 @@ - + @@ -90,7 +90,7 @@ - + From 93ee7794ca184c13f56719d0991de227b2252584 Mon Sep 17 00:00:00 2001 From: Abhishek Deswal Date: Thu, 13 Jul 2023 14:42:52 -0700 Subject: [PATCH 13/16] Update TrustFrameworkExtensions_TOTP to start totp session separately --- .../policy/TrustFrameworkExtensions_TOTP.xml | 35 +++++++++++++++++-- 1 file changed, 32 insertions(+), 3 deletions(-) diff --git a/policies/totp/policy/TrustFrameworkExtensions_TOTP.xml b/policies/totp/policy/TrustFrameworkExtensions_TOTP.xml index 4c9e4447..a1b58a9d 100644 --- a/policies/totp/policy/TrustFrameworkExtensions_TOTP.xml +++ b/policies/totp/policy/TrustFrameworkExtensions_TOTP.xml @@ -401,7 +401,6 @@
- @@ -762,8 +761,23 @@ + begin the TOTP verification session --> + + + numberOfAvailableDevices + 0 + SkipThisOrchestrationStep + + + + + + + + + numberOfAvailableDevices @@ -820,8 +834,23 @@ + begin the TOTP verification session. --> + + + numberOfAvailableDevices + 0 + SkipThisOrchestrationStep + + + + + + + + + numberOfAvailableDevices From a6a99fe55300e72e91fc73fe6eac7b913bdecff1 Mon Sep 17 00:00:00 2001 From: Abhishek Deswal Date: Thu, 13 Jul 2023 14:51:26 -0700 Subject: [PATCH 14/16] update migration policy --- .../totp/policy/TrustFrameworkExtensions_TOTPMigration.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/policies/totp/policy/TrustFrameworkExtensions_TOTPMigration.xml b/policies/totp/policy/TrustFrameworkExtensions_TOTPMigration.xml index a20b26f2..9e13cdb9 100644 --- a/policies/totp/policy/TrustFrameworkExtensions_TOTPMigration.xml +++ b/policies/totp/policy/TrustFrameworkExtensions_TOTPMigration.xml @@ -93,7 +93,7 @@ - + extension_StrongAuthenticationAppSecretKey @@ -111,7 +111,7 @@ - + extension_StrongAuthenticationAppSecretKey From 2f91976f81337b109dc1cd64a67bc421ea060845 Mon Sep 17 00:00:00 2001 From: Abhishek Deswal Date: Thu, 13 Jul 2023 15:01:30 -0700 Subject: [PATCH 15/16] update readme --- policies/totp/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policies/totp/readme.md b/policies/totp/readme.md index 7ee61e73..246213f4 100644 --- a/policies/totp/readme.md +++ b/policies/totp/readme.md 
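Review bot: The precondition block added before `begin the TOTP verification session` in the -762 hunk is repeated verbatim in the -820 hunk (`numberOfAvailableDevices` / `0` / `SkipThisOrchestrationStep`), so the two journeys will silently drift if one copy is edited later; if the policy allows it, the session-start step would be better placed in a shared sub journey that both journeys call, or at minimum both copies should carry the same explanatory comment. Because the step is skipped whenever `numberOfAvailableDevices` is 0, that comment should also say where a user with no registered authenticator is expected to go instead (presumably the enrollment path — the XML tags were stripped in this rendering, so the surrounding step structure is not visible). Both hunks sit inside orchestration steps whose enclosing user journey starts outside the hunk.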
@@ -69,7 +69,7 @@ The below diagram depicts how the Just In Time TOTP migration works:
 ### Remove legacy TOTP secret claim
-Within the [TOTP Migration Extension](policy/TrustFrameworkExtensions_TOTPMigration.xml) file under the *TotpFactor-Verify* sub journey, orchestration Step 5 will call the delete legacy TOTP Secret technical profile (AAD-DeleteLegacyTOTPClaim). This call by default has 2 conditions.
+Within the [TOTP Migration Extension](policy/TrustFrameworkExtensions_TOTPMigration.xml) file under the *TotpFactor-Verify* sub journey, orchestration Step 6 will call the delete legacy TOTP Secret technical profile (AAD-DeleteLegacyTOTPClaim). This call by default has 2 conditions.
 1. The extension attribute used to store the legacy claim needs to exist.
 2. The number of registered devices is not 0
From 95fd7a96cbf89208552291beddf7c467035a372f Mon Sep 17 00:00:00 2001
From: Jas Suri <38688240+JasSuri@users.noreply.github.com>
Date: Mon, 24 Jul 2023 09:42:04 +0100
Subject: [PATCH 16/16] Update readme.md
---
 policies/revoke-sso-sessions/readme.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policies/revoke-sso-sessions/readme.md b/policies/revoke-sso-sessions/readme.md
index da7e9fe9..8d604b02 100644
--- a/policies/revoke-sso-sessions/readme.md
+++ b/policies/revoke-sso-sessions/readme.md
@@ -6,7 +6,7 @@ If you find a bug in the sample, please raise the issue on [GitHub Issues](https
 To provide product feedback, visit the Azure Active Directory B2C [Feedback page](https://feedback.azure.com/forums/169401-azure-active-directory?category_id=160596).
 ## Scenario
-A users refresh token maybe revoked to prevent continued long term access to an application, across devices. In addition to refresh token revocation, the single sign on cookies can be revoked. This prevents a user on another device to be able to obtain a new set of tokens using the [Azure AD B2C web session cookies](https://docs.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#configure-azure-ad-b2c-session-behavior).
+A users refresh token maybe revoked to prevent continued long term access to an application, across devices. In addition to refresh token revocation, the single sign on cookies can be revoked. This prevents a currently logged in user via any device to be able to obtain a new set of tokens using the [Azure AD B2C web session cookies](https://docs.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#configure-azure-ad-b2c-session-behavior).
 Common scenarios include when a user uses a "change password" or "forgot password" journey. In these cases, both the refresh tokens and the session cookies should be invalidated, forcing all other devices to have to re-authenticate. The user on the device which made the operation, will also lose their web session SSO cookies. To allow the active device to maintain a session, you can bootstrap a new authentication journey using an [id_token_hint](https://docs.microsoft.com/azure/active-directory-b2c/id-token-hint).