Tags: azure-ad-b2c, azure-ad-b2c-custom-policy

AADB2C90304: User journey went into a bad state. Claims exchange with id 'LocalAccountSigninEmailExchange' could not be found in orchestration step


I have a custom policy based on SocialAndLocal sample.

It adds 2 ClaimsTransformation steps in front. These are steps 3 and 4:


        <OrchestrationStep Order="3" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
          <ClaimsProviderSelections> 
            <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
            <ClaimsProviderSelection TargetClaimsExchangeId="ForgotPasswordExchange" />
            <ClaimsProviderSelection TargetClaimsExchangeId="Social1Exchange" /> 
            <ClaimsProviderSelection TargetClaimsExchangeId="Social2Exchange" />
            <ClaimsProviderSelection TargetClaimsExchangeId="AdTesttenantExchange" />
          </ClaimsProviderSelections>
          <ClaimsExchanges>
            <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <OrchestrationStep Order="4" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>objectId</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="Social1Exchange" TechnicalProfileReferenceId="Social1Exchange-OpenIdConnect" />
            <ClaimsExchange Id="Social2Exchange" TechnicalProfileReferenceId="Social2Exchange-OpenIdConnect" />
            <ClaimsExchange Id="AdTesttenantExchange" TechnicalProfileReferenceId="AdTesttenantExchange-OpenIdConnect" />
            <ClaimsExchange Id="ForgotPasswordExchange" TechnicalProfileReferenceId="ForgotPassword" /> 
          </ClaimsExchanges>
        </OrchestrationStep>

Fresh logon scenario works fine. But on subsequent logons, if the user used one of the social IDPs they get the AADB2C90304 error quoted in the title.

It makes no sense. Why is B2C looking for LocalAccountSigninEmailExchange in step 4 when it's defined in step 3?

I tried asking MSFT support but so far they have been no help (as usual). Maybe I can have more luck here.

I can provide an Application Insights trace if it's useful.


Solution

After over 4 months MSFT support finally came up with a solution.

The error goes away if the ValidationClaimsExchangeId element is placed as the last element like this:

        <OrchestrationStep Order="3" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
          <ClaimsProviderSelections>
            <ClaimsProviderSelection TargetClaimsExchangeId="ForgotPasswordExchange" />
            <ClaimsProviderSelection TargetClaimsExchangeId="Social1Exchange" />
            <ClaimsProviderSelection TargetClaimsExchangeId="Social2Exchange" />
            <ClaimsProviderSelection TargetClaimsExchangeId="AdTesttenantExchange" />
            <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
          </ClaimsProviderSelections>
          <ClaimsExchanges>
            <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
          </ClaimsExchanges>
        </OrchestrationStep>
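Added example, not from the question or the answer: a small lint that catches the two things this thread turns on before a policy is uploaded. It checks that the ClaimsProviderSelection carrying ValidationClaimsExchangeId is the last selection in every CombinedSignInAndSignUp step, and that every TargetClaimsExchangeId has a matching ClaimsExchange Id in a later ClaimsExchange step (the condition whose absence produces "could not be found in orchestration step"). It assumes the standard TrustFrameworkPolicy XML namespace; the sample policy is constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"tf": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}  # TrustFrameworkPolicy namespace

def lint_user_journeys(policy_xml: str) -> list:
    """Return findings for every CombinedSignInAndSignUp step in the policy."""
    root = ET.fromstring(policy_xml)
    findings = []
    for journey in root.iterfind(".//tf:UserJourney", NS):
        jid = journey.get("Id")
        steps = sorted(journey.iterfind("tf:OrchestrationSteps/tf:OrchestrationStep", NS),
                       key=lambda s: int(s.get("Order")))
        for i, step in enumerate(steps):
            if step.get("Type") != "CombinedSignInAndSignUp":
                continue
            order = step.get("Order")
            sels = list(step.iterfind("tf:ClaimsProviderSelections/tf:ClaimsProviderSelection", NS))
            # Check 1: the selection carrying ValidationClaimsExchangeId must come last,
            # which is the ordering that made the AADB2C90304 error in this thread go away.
            for pos, sel in enumerate(sels):
                vid = sel.get("ValidationClaimsExchangeId")
                if vid and pos != len(sels) - 1:
                    findings.append(f"{jid} step {order}: ValidationClaimsExchangeId '{vid}' "
                                    "is not the last ClaimsProviderSelection")
            # Check 2: each TargetClaimsExchangeId must match a ClaimsExchange Id in a
            # later ClaimsExchange step, or B2C has nowhere to route that selection.
            later_ids = {ce.get("Id")
                         for later in steps[i + 1:] if later.get("Type") == "ClaimsExchange"
                         for ce in later.iterfind("tf:ClaimsExchanges/tf:ClaimsExchange", NS)}
            for sel in sels:
                target = sel.get("TargetClaimsExchangeId")
                if target and target not in later_ids:
                    findings.append(f"{jid} step {order}: TargetClaimsExchangeId '{target}' "
                                    "has no ClaimsExchange in a later step")
    return findings

# Constructed sample (not a real policy): step 3 uses the selection order from the
# question, and step 4 deliberately omits the ClaimsExchange for Social2Exchange.
SAMPLE_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
<UserJourneys><UserJourney Id="SignUpOrSignIn"><OrchestrationSteps>
<OrchestrationStep Order="3" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
 <ClaimsProviderSelections>
  <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
  <ClaimsProviderSelection TargetClaimsExchangeId="Social1Exchange" />
  <ClaimsProviderSelection TargetClaimsExchangeId="Social2Exchange" />
 </ClaimsProviderSelections>
 <ClaimsExchanges><ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" /></ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="4" Type="ClaimsExchange"><ClaimsExchanges><ClaimsExchange Id="Social1Exchange" TechnicalProfileReferenceId="Social1Exchange-OpenIdConnect" /></ClaimsExchanges></OrchestrationStep>
</OrchestrationSteps></UserJourney></UserJourneys></TrustFrameworkPolicy>"""
```

Running `lint_user_journeys` over the sample reports both problems; over a policy with the selection moved last and a Social2Exchange ClaimsExchange added to step 4 it reports nothing.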