Merge pull request #555 from azure-ad-b2c/abdeswal/totpSampleUpdate

Update TrustFrameworkExtensions_TOTP
azure-ad-b2c · Jul 19, 2023 · e7d6085 · e7d6085
2 parents 4dd55f6 + 2f91976
commit e7d6085
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 6 deletions.
diff --git a/policies/totp/policy/TrustFrameworkExtensions_TOTP.xml b/policies/totp/policy/TrustFrameworkExtensions_TOTP.xml
@@ -401,7 +401,6 @@
             <OutputClaim ClaimTypeReferenceId="otpCode" Required="true" />
           </OutputClaims>
           <ValidationTechnicalProfiles>
-            <ValidationTechnicalProfile ReferenceId="AzureMfa-BeginVerifyOTP" />
             <ValidationTechnicalProfile ReferenceId="AzureMfa-VerifyOTP" />
           </ValidationTechnicalProfiles>
           <UseTechnicalProfileForSessionManagement ReferenceId="SM-MFA-TOTP" />
@@ -762,8 +761,23 @@
         </OrchestrationStep>
 
         <!-- If the number of available devices isn't zero (user has enrolled before), 
-             render the TOTP verification page -->
+             begin the TOTP verification session -->
         <OrchestrationStep Order="3" Type="ClaimsExchange">
+          <Preconditions>
+            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
+              <Value>numberOfAvailableDevices</Value>
+              <Value>0</Value>
+              <Action>SkipThisOrchestrationStep</Action>
+            </Precondition>
+          </Preconditions>
+          <ClaimsExchanges>
+            <ClaimsExchange Id="AuthenticatorForSignInBeginSession" TechnicalProfileReferenceId="AzureMfa-BeginVerifyOTP" />
+          </ClaimsExchanges>
+        </OrchestrationStep>
+
+        <!-- If the number of available devices isn't zero (user has enrolled before), 
+             render the TOTP verification page -->
+        <OrchestrationStep Order="4" Type="ClaimsExchange">
           <Preconditions>
             <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
               <Value>numberOfAvailableDevices</Value>
@@ -820,8 +834,23 @@
         </OrchestrationStep>
 
         <!-- If the number of available devices is zero (user hasn't enrolled before), 
-             render the TOTP verification page.  -->
+             begin the TOTP verification session.  -->
         <OrchestrationStep Order="4" Type="ClaimsExchange">
+          <Preconditions>
+            <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
+              <Value>numberOfAvailableDevices</Value>
+              <Value>0</Value>
+              <Action>SkipThisOrchestrationStep</Action>
+            </Precondition>
+          </Preconditions>
+          <ClaimsExchanges>
+            <ClaimsExchange Id="AuthenticatorForSignInBeginSession" TechnicalProfileReferenceId="AzureMfa-BeginVerifyOTP" />
+          </ClaimsExchanges>
+        </OrchestrationStep>
+
+        <!-- If the number of available devices is zero (user hasn't enrolled before), 
+             render the TOTP verification page.  -->
+        <OrchestrationStep Order="5" Type="ClaimsExchange">
           <Preconditions>
             <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
               <Value>numberOfAvailableDevices</Value>

diff --git a/policies/totp/policy/TrustFrameworkExtensions_TOTPMigration.xml b/policies/totp/policy/TrustFrameworkExtensions_TOTPMigration.xml
@@ -93,7 +93,7 @@
     <SubJourney Id="TotpFactor-Verify" Type="Call">
         <OrchestrationSteps>
             <!-- Additional step to call JIT TOTP Registration -->            
-            <OrchestrationStep Order="4" Type="ClaimsExchange">
+            <OrchestrationStep Order="5" Type="ClaimsExchange">
                 <Preconditions>
                   <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
                     <Value>extension_StrongAuthenticationAppSecretKey</Value>
@@ -111,7 +111,7 @@
               </OrchestrationStep>
               <!-- Additional Step to remove the lgacy TOTP Claim. -->
               <!-- Comment out this  Orchestration Step if you would like to retain the old secrets.-->
-              <OrchestrationStep Order="5" Type="ClaimsExchange">
+              <OrchestrationStep Order="6" Type="ClaimsExchange">
                 <Preconditions>
                   <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
                     <Value>extension_StrongAuthenticationAppSecretKey</Value>

diff --git a/policies/totp/readme.md b/policies/totp/readme.md
@@ -69,7 +69,7 @@ The below diagram depicts how the Just In Time TOTP migration works:
 
 ### Remove legacy TOTP secret claim
 
-Within the [TOTP Migration Extension](policy/TrustFrameworkExtensions_TOTPMigration.xml) file under the *TotpFactor-Verify* sub journey, orchestration Step 5 will call the delete legacy TOTP Secret technical profile (AAD-DeleteLegacyTOTPClaim). This call by default has 2 conditions.
+Within the [TOTP Migration Extension](policy/TrustFrameworkExtensions_TOTPMigration.xml) file under the *TotpFactor-Verify* sub journey, orchestration Step 6 will call the delete legacy TOTP Secret technical profile (AAD-DeleteLegacyTOTPClaim). This call by default has 2 conditions.
 
 1. The extension attribute used to store the legacy claim needs to exist.
 2. The number of registered devices is not 0