
Custom policies getting mixed together

Open ghost opened this issue 5 years ago • 2 comments

I have two custom policies (six total files) that are very similar. They both allow sign-in through two of three ADFS servers I have set up. One server is shared by each policy, and each policy also has its own server. For the unique ADFS servers, they each have a different technical profile, policy1-SAML and policy2-SAML. For the shared server, each policy has its own technical profile, but both technical profiles have the same name, e.g. SharedProfile, although the ClaimsExchange referencing the technical profile has a different name, e.g.

Policy 1: <ClaimsExchange Id="policy1Exchange" TechnicalProfileReferenceId="SharedProfile"/>

Policy 2: <ClaimsExchange Id="policy2Exchange" TechnicalProfileReferenceId="SharedProfile"/>

If I sign in to policy 1 using the policy1Exchange, then open policy 2 and sign in using the policy2Exchange, policy 2 crashes after being unable to find the claims exchange from the other policy.

{
  "Kind": "FatalException",
  "Content": {
    "Time": "4:22 PM",
    "Exception": {
      "Kind": "Handled",
      "HResult": "80131509",
      "Message": "Claims exchange with id 'policy1Exchange' could not be found in orchestration step '2' and the step contains more than one claims exchange.",
      "Data": {}
    }
  }
}

I was able to fix this by renaming the technical profile inside policy 2 which now has

<ClaimsExchange Id="policy2Exchange" TechnicalProfileReferenceId="Policy2SharedProfile"/>

I wouldn't expect two policies that aren't related to get their technical profiles mixed together like this.

ghost avatar May 22 '19 18:05 ghost
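The collision described in this report (one TechnicalProfile id referenced from two separate relying-party policies under differently named ClaimsExchange elements) can be caught before deployment with a small lint pass over the policy files. The following is an added example written for this page, not code from the Azure AD B2C project or from the reporter; the two policy documents, their PolicyId values and the function names (claims_exchanges, find_collisions) are constructed for illustration. It uses the TrustFrameworkPolicy XML namespace that real B2C policy files declare.

```python
"""Flag TechnicalProfile ids shared across B2C policy files but referenced
through differently named ClaimsExchange elements.  Added example; the
policy XML below is constructed and trimmed to the elements the check needs."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Namespace used by TrustFrameworkPolicy documents.
NS = {"tfp": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}

# Constructed policy 1: shared ADFS server via "SharedProfile", own server via "policy1-SAML".
POLICY_1 = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
    PolicyId="B2C_1A_policy1">
  <UserJourneys><UserJourney Id="SignIn"><OrchestrationSteps>
    <OrchestrationStep Order="2" Type="ClaimsExchange"><ClaimsExchanges>
      <ClaimsExchange Id="policy1Exchange" TechnicalProfileReferenceId="SharedProfile"/>
      <ClaimsExchange Id="policy1SamlExchange" TechnicalProfileReferenceId="policy1-SAML"/>
    </ClaimsExchanges></OrchestrationStep>
  </OrchestrationSteps></UserJourney></UserJourneys>
</TrustFrameworkPolicy>"""

# Constructed policy 2: same shared profile id, but a different ClaimsExchange id.
POLICY_2 = POLICY_1.replace("B2C_1A_policy1", "B2C_1A_policy2") \
                   .replace("policy1Exchange", "policy2Exchange") \
                   .replace("policy1SamlExchange", "policy2SamlExchange") \
                   .replace("policy1-SAML", "policy2-SAML")

# The fix the reporter applied: give policy 2 its own technical profile id.
POLICY_2_FIXED = POLICY_2.replace(
    'TechnicalProfileReferenceId="SharedProfile"',
    'TechnicalProfileReferenceId="Policy2SharedProfile"')


def claims_exchanges(policy_xml):
    """Map TechnicalProfileReferenceId -> set of ClaimsExchange ids in one policy document."""
    root = ET.fromstring(policy_xml)
    refs = defaultdict(set)
    for ce in root.iterfind(".//tfp:ClaimsExchange", NS):
        refs[ce.get("TechnicalProfileReferenceId")].add(ce.get("Id"))
    return refs


def find_collisions(policies):
    """policies: {policy_name: xml_text}.

    Returns [(technical_profile_id, {policy_name: {claims_exchange_ids}})] for every
    technical profile id that appears in more than one policy under more than one
    ClaimsExchange id.  That is the shape that produced the 'Claims exchange with id
    ... could not be found' failure in the report: the SSO session remembers the
    exchange id from the first policy, which does not exist in the second."""
    by_tp = defaultdict(dict)
    for name, xml in policies.items():
        for tp, exchanges in claims_exchanges(xml).items():
            by_tp[tp][name] = exchanges
    collisions = []
    for tp, per_policy in sorted(by_tp.items()):
        if len(per_policy) < 2:
            continue  # referenced from a single policy only: nothing to mix up
        all_ids = set().union(*per_policy.values())
        if len(all_ids) > 1:
            collisions.append((tp, per_policy))
    return collisions


if __name__ == "__main__":
    for label, p2 in (("before fix", POLICY_2), ("after fix", POLICY_2_FIXED)):
        found = find_collisions({"policy1": POLICY_1, "policy2": p2})
        print(f"{label}: {len(found)} colliding technical profile id(s)")
        for tp, per_policy in found:
            for policy, ids in per_policy.items():
                print(f"  {tp!r} referenced in {policy} as {sorted(ids)}")
```

Run it as-is to see one collision (SharedProfile) before the rename and none after; point the dictionary passed to find_collisions at your real relying-party files to check a tenant. The check is deliberately narrow: a technical profile that is shared under the same ClaimsExchange id in every policy is not reported, since that is the case the SSO lookup can still resolve.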

This might be related to SSO, which tries to select the claims exchange that previously successfully logged you in.

xinaxu avatar May 29 '19 20:05 xinaxu

Any update on this? I'm still experiencing the same issue when combining an HRD policy with an embedded password reset one. I've tried renaming TechnicalProfile ids so there won't be name collisions, moving the order of OrchestrationSteps as suggested on https://stackoverflow.com/a/67890379, but nothing seems to make it work.

cranarma avatar Jan 27 '22 12:01 cranarma