I am attempting to call a RESTful technical profile by using ValidationTechnicalProfile. I have checked application insights and I can see the OutputClaimsTransformations happening, but it skips over the ValidationTechnicalProfile and continues on with the next step. I have tried adding the RESTful technical profile as an Orchestration Step, and that works without any issues.
Can anyone see what I am doing wrong?
SignInWithIdProvider.xml
<TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0" TenantId="__TenantId__" PolicyId="B2C_1A_SignInWithIdProvider" PublicPolicyUri="http://__TenantId__/B2C_1A_signin_idprovider">
<BasePolicy>
<TenantId>__TenantId__</TenantId>
<PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
</BasePolicy>
<RelyingParty>
<DefaultUserJourney ReferenceId="SignInWithIdProvider"/>
<UserJourneyBehaviors>
<SingleSignOn Scope="Policy"/>
<SessionExpiryType>Rolling</SessionExpiryType>
<SessionExpiryInSeconds>1800</SessionExpiryInSeconds>
<JourneyFraming Enabled="true" Sources="__JourneyFramingSource__"/>
<ScriptExecution>Allow</ScriptExecution>
</UserJourneyBehaviors>
<TechnicalProfile Id="PolicyProfile">
<DisplayName>PolicyProfile</DisplayName>
<Protocol Name="OpenIdConnect"/>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="sessionId" PartnerClaimType="sid"/>
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
<OutputClaim ClaimTypeReferenceId="securityLevel" PartnerClaimType="acr"/>
<OutputClaim ClaimTypeReferenceId="personalIdentificationNumber" PartnerClaimType="pid"/>
<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email"/>
</OutputClaims>
<SubjectNamingInfo ClaimType="sub"/>
</TechnicalProfile>
</RelyingParty>
Snippet from TrustFrameworkExtensions.xml
<ClaimsProvider>
<Domain>Signin</Domain>
<DisplayName>Signin using provider</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="OIDC-SignIn">
<DisplayName>Sign-in</DisplayName>
<Description>Login with provider</Description>
<Protocol Name="OpenIdConnect"/>
<Metadata>
<Item Key="METADATA">__WellKnown__</Item>
<Item Key="client_id">__SignInClientId__</Item>
<Item Key="response_types">code</Item>
<Item Key="scope">id profile</Item>
<Item Key="response_mode">form_post</Item>
<Item Key="HttpBinding">POST</Item>
<Item Key="UsePolicyInRedirectUri">false</Item>
<Item Key="SingleLogoutEnabled">false</Item>
</Metadata>
<CryptographicKeys>
<Key Id="client_secret" StorageReferenceId="__SignInSecret__"/>
</CryptographicKeys>
<InputClaims>
<InputClaim ClaimTypeReferenceId="ui_locales" DefaultValue="{Culture:RFC5646}"/>
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="sessionId" PartnerClaimType="sid"/>
<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub"/>
<OutputClaim ClaimTypeReferenceId="securityLevel" PartnerClaimType="acr"/>
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true"/>
<OutputClaim ClaimTypeReferenceId="personalIdentificationNumber" PartnerClaimType="pid"/>
<OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss"/>
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
<OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
<OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
<OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
</OutputClaimsTransformations>
<ValidationTechnicalProfiles>
<ValidationTechnicalProfile ReferenceId="REST-PostNewSession" ContinueOnError="true"/>
</ValidationTechnicalProfiles>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin"/>
</TechnicalProfile>
</TechnicalProfiles>
<ClaimsProvider>
<DisplayName>REST APIs</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="REST-PostNewSession">
<DisplayName>Post new session</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
<Metadata>
<Item Key="ServiceUrl">https://some.apim.url/post-method</Item>
<Item Key="SendClaimsIn">Body</Item>
<Item Key="AuthenticationType">Basic</Item>
</Metadata>
<CryptographicKeys>
<Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_UserName"/>
<Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_Password"/>
</CryptographicKeys>
<InputClaims>
<InputClaim ClaimTypeReferenceId="sessionId"/>
</InputClaims>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/>
</TechnicalProfile>
</TechnicalProfiles>
<UserJourney Id="SignInWithIdProvider">
<OrchestrationSteps>
<OrchestrationStep Order="1" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimsExist" ExecuteActionsIf="true">
<Value>objectId</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="idSignInExchange" TechnicalProfileReferenceId="OIDC-SignIn"/>
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="2" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimEquals" ExecuteActionsIf="true">
<Value>authenticationSource</Value>
<Value>localAccountAuthentication</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="AlternativeSecurityId" TechnicalProfileReferenceId="AlternativeSecurityId-NoError"/>
</ClaimsExchanges>
</OrchestrationStep>
</UserJourney>
Validation technical profiles only work from selfAsserted technical profiles.
Only self-asserted technical profiles can use validation technical profiles. If you need to validate the output claims from non-self-asserted technical profiles, consider using an additional orchestration step in your user journey to accommodate the technical profile in charge of the validation.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/validation-technical-profile
Adding it as an orchestration step would work.