I've been trying to follow this: link-local-account-with-federated-account
Basically all I'm looking to do is create (invite) a user from an external tenant as a federated user, and be able to assign custom attributes to that user upon creation.
However there are a few things I just can't figure out from the readme. Would really appreciate if someone could shed some light on these:
- When creating the user object (the local one), an issuerAssignedId is assigned, which is apparently the oid of the federated user. How do you get that before the user has performed a login?
- In the created user object, there is SignInType.oidToLink, yet in the instructions directly below it talks about signInNames.oidToLink. Is there a typo somewhere, or have I missed something here?
- in the readme it talks about oidToLink, but in the TrustFrameworkExtensions xml file, it has objectIdToLink. Is this just a typo or have I missed something?
The application base is DotNet + Angular using Microsoft Authentication Library for Angular.
I've done a lot of reading and just can't figure this out, and can't find any articles which describe the process clearly. Thanks in advance :)
I did the following steps:
- Ran the setup tool as per the instructions
- Created the custom attribute extension_requiresMigrationBool
- Uploaded the custom policies in the repo linked above (edited any keys etc. in the files)
- Created a user via Graph in DotNet using the following code (can confirm this user is successfully created with all custom attributes):
using System.Collections.Generic;
using Microsoft.Graph; // Graph SDK v4 namespace; v5 moved the model types to Microsoft.Graph.Models

// Assumed helper, not shown in the original post: B2C custom attributes surface
// in Graph as extension_<b2c-extensions-app-id-without-dashes>_<attributeName>.
static string ExtensionAttribute(string name) =>
    $"extension_<b2c-extensions-app-id-without-dashes>_{name}";

var userRequest = new User
{
    AccountEnabled = true,
    UserPrincipalName = "<some_email_com>#EXT#@<domain>.onmicrosoft.com",
    UserType = "Member",
    DisplayName = user.Email,
    MailNickname = "NewUser",
    PasswordProfile = new PasswordProfile
    {
        ForceChangePasswordNextSignIn = false,
        Password = "Test1234"
    },
    // Custom attributes, including the requiresMigrationBool attribute created in the earlier step
    AdditionalData = new Dictionary<string, object>
    {
        { ExtensionAttribute("custom0"), false },
        { ExtensionAttribute("custom1"), someValue },
        { ExtensionAttribute("custom2"), someValue },
        { ExtensionAttribute("custom3"), someValue },
        { ExtensionAttribute("requiresMigrationBool"), true }
    },
    // The identity that links this local account to the federated one;
    // IssuerAssignedId is expected to be the federated user's object id
    Identities = new List<ObjectIdentity>
    {
        new ObjectIdentity
        {
            SignInType = "oidToLink",
            Issuer = "<domain>.onmicrosoft.com",
            IssuerAssignedId = "<WHERE DO I GET THIS OID?>"
        }
    }
};
- I run the above SignUpOrSignIn policy and attempt to log in using the same email address used in the newly created user - <some_email_com>
- I get the following message:
Selected user account does not exist in tenant 'xxxxxxxxxxxx' and cannot access the application 'app_id' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.
I wrote this up in some detail here.
That's the objectID ("issuerAssignedId") of the user in the "issuer", which is contoso.com, i.e. the writer has pre-defined an Identity array. This would normally be added during federation.
Refer to this.
SignInType.oidToLink is an attribute in the identity array.
signInNames.oidToLink is how you search for this identity.
Other posts that may help are here and here.
To answer the second part of your question, they are mappings in the federation technical profile, e.g.
In the sample, you have to get oidToLink outside of the PowerShell e.g. by looking at the Entra ID user attributes (assuming you are federating with Entra ID).
Example of Identity array.
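The following is an added example, not code from the question or from the link-local-account-with-federated-account sample. It shows the two halves of the answer in runnable form: the federated user's object id is read from the home tenant (here a constructed sample of what a Graph GET /users/{upn} returns there, with a made-up GUID) and placed into the B2C user's identities array as the oidToLink issuerAssignedId, and the later lookup that signInNames.oidToLink performs is expressed as the equivalent Graph $filter plus an offline matcher over a constructed directory. The issuer string and the b2c-extensions-app id are assumed placeholders; the payload otherwise mirrors the question's C# object, so it maps one-to-one onto the SDK properties.

```python
"""Added example (not from the original question or the sample repo).
Builds the Graph REST payload for a B2C local account pre-linked to a
federated Entra ID user, and the lookup that matches it afterwards."""
import json

# Constructed sample of what GET /users/{upn} returns on the HOME tenant
# (the tenant the user is federated from). The id is a made-up GUID.
HOME_TENANT_USER = {
    "id": "11111111-2222-3333-4444-555555555555",
    "userPrincipalName": "alice@contoso.com",
    "mail": "alice@contoso.com",
    "displayName": "Alice Example",
}

# Assumed values: the issuer string used in the federation technical
# profile, and the b2c-extensions-app application id (dashes removed),
# which prefixes every custom attribute name in Graph.
ISSUER = "contoso.com"
EXTENSIONS_APP_ID = "00000000000000000000000000000000"


def extension_attribute(name: str) -> str:
    """Graph property name of a B2C custom attribute: extension_<appId>_<name>."""
    return f"extension_{EXTENSIONS_APP_ID}_{name}"


def build_linked_user(home_user: dict, issuer: str, custom: dict) -> dict:
    """Body for POST /users on the B2C tenant.

    The identities entry with signInType 'oidToLink' carries the federated
    user's object id as issuerAssignedId. That id is readable from the home
    tenant before the user ever signs in, which answers the question's
    placeholder.
    """
    body = {
        "accountEnabled": True,
        "displayName": home_user.get("displayName") or home_user["mail"],
        "mailNickname": home_user["mail"].split("@")[0],
        # Mirrors the question's payload; the password is not what links
        # the account, the identities entry below is.
        "passwordProfile": {
            "forceChangePasswordNextSignIn": False,
            "password": "<initial-password>",
        },
        "identities": [
            {
                "signInType": "oidToLink",
                "issuer": issuer,
                "issuerAssignedId": home_user["id"],
            }
        ],
    }
    for name, value in custom.items():
        body[extension_attribute(name)] = value
    return body


def lookup_filter(issuer: str, oid: str) -> str:
    """Graph $filter equivalent of the policy's signInNames.oidToLink search."""
    return (f"identities/any(c:c/issuer eq '{issuer}' "
            f"and c/issuerAssignedId eq '{oid}')")


def find_linked_user(directory: list, issuer: str, oid: str):
    """Offline stand-in for that filter: match on issuer AND issuerAssignedId
    inside the identities collection, not on email or UPN."""
    for user in directory:
        for ident in user.get("identities", []):
            if (ident.get("signInType") == "oidToLink"
                    and ident.get("issuer") == issuer
                    and ident.get("issuerAssignedId") == oid):
                return user
    return None


if __name__ == "__main__":
    payload = build_linked_user(
        HOME_TENANT_USER, ISSUER,
        {"requiresMigrationBool": True, "custom1": "tenant-A"})
    print(json.dumps(payload, indent=2))
    print(lookup_filter(ISSUER, HOME_TENANT_USER["id"]))
    print(find_linked_user([payload], ISSUER, HOME_TENANT_USER["id"]) is payload)
```

The matcher deliberately ignores the email address: the error in the question ("Selected user account does not exist in tenant") is what you get when nothing in the identities collection matches the issuer and object id the federation step hands back, so a pre-created user only links if both values are exactly what the federation technical profile emits.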