
In these times of growing compliance requirements, when providing a service to customers and consumers we need them to agree to our terms of use/service.
When using Azure AD B2C (Business to Consumer) you can easily do that with custom policies from the Identity Experience Framework.
The described solution is based on the LocalAccount templates from the Custom Policies Starter Pack GitHub repository.
Besides editing your policy with the steps below, you can download the complete files from my GitHub repository: B2C-custom-policy-with-consent
What it does:
- Presents a page in the sign-up user journey with terms of use that the user is required to consent to.
- When accepted, the current version (date or number) of the terms of use is stored in an extension attribute of the user's profile.
- If you create a new version of your terms of use and change the version (date or number) in the custom policy, users are required to agree to the new terms of use again on their next login.
What do I need to prepare:
How to implement:
First of all we create the required custom attribute. Because I decided not to use my own extension app, I will use the default “b2c-extensions-app. Do not modify. Used by AADB2C for storing user data.” app with my custom policy.
Attributes for the built-in policies are also stored there.
Create the needed attribute
Go to the Azure Portal (https://portal.azure.com), switch to your B2C tenant and create the following custom attribute from the B2C management blade:
- Name: TermsOfUseConsented
- Type: String
- Description:
Now let's pick up that attribute in our custom policy. Edit TrustFrameworkBase.xml and add the following ClaimType to SECTION III of the ClaimsSchema block.
Add the additional consent page
Let’s create the additional page to present the consent screen in the user’s journey:
In the TrustFrameworkBase.xml add the following content definition to the ContentDefinitions block:
Tell the policy where extension attributes are located
Locate the TechnicalProfile Id="AAD-Common" and add the following after the Protocol tag:
You need to enter the GUIDs of your b2c-extensions-app here; you can find them in your B2C tenant under Azure Active Directory -> App registrations.
Read the stored consent attribute from the directory
Locate the TechnicalProfile Id="AAD-UserReadUsingEmailAddress" and add an additional output claim:
So whenever the user is looked up and read by email address, the attribute is added to the output claims.
In addition, locate the TechnicalProfile Id="AAD-UserReadUsingObjectId" and add the following output claim:
This reads the attribute every time the user is looked up in the directory by object id and stores it in the output claim.
Create Technical Profile to write the consent attribute to AAD
Add the following technical profile to the TechnicalProfiles block of the ClaimsProvider block with DisplayName "Azure Active Directory" in the TrustFrameworkBase.xml file:
This profile will be used later as a validation technical profile to store the consent attribute when the user agrees to the terms of use.
Locate the ClaimsProvider block with the DisplayName "Self Asserted" and add the following new technical profile within its TechnicalProfiles block in the TrustFrameworkBase.xml file:
This self-asserted technical profile collects the consent and uses the validation technical profile above to store the attribute in the AAD identity store.
Create the custom user journey
Switch to the TrustFrameworkExtension.xml file and add the following user journey to the UserJourneys block:
This is a copy of the default user journey from the TrustFrameworkBase.xml file with the consent page added as the second-to-last step (Order="4").
Activate the new journey as the default user journey
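Because the post's gists are not reproduced above, here is an added example (my own, not the post's or the starter pack's code) of how the three pieces described so far fit together: the ClaimType from the ClaimsSchema section, the self-asserted technical profile from the "Self Asserted" claims provider, and the orchestration step from the custom user journey. The ids SelfAsserted-Consent, AAD-UserWriteConsentUsingObjectId and ConsentExchange and the version value 2019-01-01 are placeholders I chose; the handler string, SM-AAD and the precondition syntax are standard Identity Experience Framework elements.

```xml
<!-- TrustFrameworkBase.xml, ClaimsSchema: the checkbox's only option carries the
     current terms version (placeholder 2019-01-01), so ticking it stores that value -->
<ClaimType Id="extension_TermsOfUseConsented">
  <DisplayName>Terms of use</DisplayName>
  <DataType>string</DataType>
  <UserInputType>CheckboxMultiSelect</UserInputType>
  <Restriction>
    <Enumeration Text="I agree to the terms of use" Value="2019-01-01" SelectByDefault="false" />
  </Restriction>
</ClaimType>

<!-- TrustFrameworkBase.xml, "Self Asserted" ClaimsProvider: renders api.selfasserted.consent,
     requires the checkbox, then persists the value through the validation profile
     (AAD-UserWriteConsentUsingObjectId is a placeholder id for the write profile) -->
<TechnicalProfile Id="SelfAsserted-Consent">
  <DisplayName>Terms of use consent</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ContentDefinitionReferenceId">api.selfasserted.consent</Item>
  </Metadata>
  <OutputClaims>
    <!-- Required="true" means the page cannot be submitted without the checkbox ticked -->
    <OutputClaim ClaimTypeReferenceId="extension_TermsOfUseConsented" Required="true" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="AAD-UserWriteConsentUsingObjectId" />
  </ValidationTechnicalProfiles>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>

<!-- TrustFrameworkExtension.xml, custom user journey, second-to-last step: the page is
     skipped only when the value read back from the directory equals the current version,
     so a missing attribute (new user) or an older version both force the consent page -->
<OrchestrationStep Order="4" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
      <Value>extension_TermsOfUseConsented</Value>
      <Value>2019-01-01</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="ConsentExchange" TechnicalProfileReferenceId="SelfAsserted-Consent" />
  </ClaimsExchanges>
</OrchestrationStep>
```

The precondition is a plain string comparison, so the version written in the Enumeration Value and in the Precondition must match character for character; any mismatch makes every user re-consent on every login.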
Switch to the SignUpOrSignIn.xml file and modify the following line to set the custom user journey as the default journey:
That's it: you can now upload all policies to your B2C tenant and give them a try. Remember that you need to upload them in the following order:
- TrustFrameworkBase.xml
- TrustFrameworkExtension.xml
- SignUpOrSignIn.xml
If you create a new version of your terms of use, you need to edit both date values: first in the ClaimType in TrustFrameworkBase.xml and second in the Preconditions of the UserJourney in TrustFrameworkExtension.xml.
Since the custom consent page does not show the consent text itself, you should put it into the UI customization HTML file and reference that file from the custom policy.
You can do that by modifying the LoadUri parameter of the ContentDefinition Id="api.selfasserted.consent".