<!--
  Azure AD B2C custom policy (TrustFrameworkExtensions layer) for just-in-time (JIT)
  migration of a legacy TOTP secret to the built-in TOTP method.

  What this file does, as visible below:
    * Declares the claim extension_StrongAuthenticationAppSecretKey, which holds the
      legacy authenticator secret read from the directory (AAD-Common OutputClaims).
    * CopyLegacySecret copies that claim into secretKey, and OTPVerification-JIT feeds
      it to the included OTPVerification profile so the existing secret is registered
      instead of enrolling a new one.
    * AAD-DeleteLegacyTOTPClaim deletes the legacy claim from the directory object
      once the new method is in place.
    * Orchestration steps in SignUpOrSignInTOTP (Order 4) and TotpFactor-Verify
      (Order 5 and 6) wire the above into the journey. Steps with a matching Order are
      presumably merged with the base policy B2C_1A_Demo_TrustFrameworkExtensions_TOTP
      referenced in <BasePolicy>; that file is not visible here - confirm there.

  NOTE(review): TenantId, PublicPolicyUri and <BasePolicy> use the placeholder
  yourtenant.onmicrosoft.com and must be replaced before upload.
  NOTE(review): extension_StrongAuthenticationAppSecretKey and secretKey carry an
  authenticator shared secret. Nothing in this file emits them to a relying party,
  but confirm the base policy does not list either claim in relying-party
  OutputClaims or in journey diagnostics.
  NOTE(review): CopyLegacySecret passes the legacy value through unchanged, so it
  assumes the legacy secret is already in the format OTPVerification expects for
  secretKey - confirm before migrating real accounts.
-->
<TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0"
                      TenantId="yourtenant.onmicrosoft.com"
                      PolicyId="B2C_1A_TrustFrameworkExtensionsTOTP_JIT"
                      PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkExtensionsTOTP">
  <!-- This extension layers on top of the demo TOTP extensions policy; it does not
       define OTPVerification, numberOfAvailableDevices or the sub journey invoked at
       step 4 - those are expected to come from the base policy. -->
  <BasePolicy>
    <TenantId>yourtenant.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_Demo_TrustFrameworkExtensions_TOTP</PolicyId>
  </BasePolicy>
  <BuildingBlocks>
    <ClaimsSchema>
      <!-- Directory extension attribute holding the legacy TOTP secret. It is read
           by AAD-Common and deleted by AAD-DeleteLegacyTOTPClaim below. -->
      <ClaimType Id="extension_StrongAuthenticationAppSecretKey">
        <DisplayName>Secret Key Extenstion</DisplayName>
        <DataType>string</DataType>
        <UserHelpText>Code secret Extension</UserHelpText>
      </ClaimType>
    </ClaimsSchema>
    <ClaimsTransformations>
      <!-- Straight copy of the legacy secret into secretKey, the claim the TOTP
           registration profile consumes. No re-encoding happens here. -->
      <ClaimsTransformation Id="CopyLegacySecret" TransformationMethod="CopyClaim">
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="extension_StrongAuthenticationAppSecretKey" TransformationClaimType="inputClaim" />
        </InputClaims>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="secretKey" TransformationClaimType="outputClaim" />
        </OutputClaims>
      </ClaimsTransformation>
    </ClaimsTransformations>
  </BuildingBlocks>
  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>TOTP</DisplayName>
      <TechnicalProfiles>
        <!-- Copies the legacy TOTP claim value and passes it to secretKey for registration.
             The input transformation runs first, then secretKey is handed to the included
             OTPVerification profile (defined outside this file). -->
        <TechnicalProfile Id="OTPVerification-JIT">
          <DisplayName>Sign in with Authenticator app - JIt</DisplayName>
          <InputClaimsTransformations>
            <InputClaimsTransformation ReferenceId="CopyLegacySecret" />
          </InputClaimsTransformations>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="secretKey" />
          </InputClaims>
          <IncludeTechnicalProfile ReferenceId="OTPVerification" />
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
    <ClaimsProvider>
      <DisplayName>Azure Active Directory</DisplayName>
      <TechnicalProfiles>
        <!-- Adds the legacy secret to the claims returned by every directory read that
             includes AAD-Common, so the preconditions below can test for its presence. -->
        <TechnicalProfile Id="AAD-Common">
          <DisplayName>Azure Active Directory</DisplayName>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="extension_StrongAuthenticationAppSecretKey" />
          </OutputClaims>
        </TechnicalProfile>
        <!-- Delete the legacy TOTP claim when registered with the new method.
             objectId is required to address the user; the PersistedClaims list names
             the attribute to remove via the DeleteClaims operation. -->
        <TechnicalProfile Id="AAD-DeleteLegacyTOTPClaim">
          <Metadata>
            <Item Key="Operation">DeleteClaims</Item>
          </Metadata>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
          </InputClaims>
          <PersistedClaims>
            <PersistedClaim ClaimTypeReferenceId="objectId" />
            <PersistedClaim ClaimTypeReferenceId="extension_StrongAuthenticationAppSecretKey" />
          </PersistedClaims>
          <IncludeTechnicalProfile ReferenceId="AAD-Common" />
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
  <UserJourneys>
    <!-- Skip enrollment of TOTP if a legacy TOTP secret is stored.
         Step 4 carries only a precondition; the sub journey it invokes is presumably
         declared at the same Order in the base policy - confirm there. -->
    <UserJourney Id="SignUpOrSignInTOTP">
      <OrchestrationSteps>
        <OrchestrationStep Order="4" Type="InvokeSubJourney">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>extension_StrongAuthenticationAppSecretKey</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
        </OrchestrationStep>
      </OrchestrationSteps>
    </UserJourney>
  </UserJourneys>
  <SubJourneys>
    <SubJourney Id="TotpFactor-Verify" Type="Call">
      <OrchestrationSteps>
        <!-- Additional step to call JIT TOTP registration.
             Runs only when the legacy secret claim exists AND numberOfAvailableDevices
             equals 0 (both preconditions skip the step otherwise). numberOfAvailableDevices
             is not defined in this file; presumably the count of already-registered
             authenticator devices from the base policy - confirm. -->
        <OrchestrationStep Order="5" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
              <Value>extension_StrongAuthenticationAppSecretKey</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
              <Value>numberOfAvailableDevices</Value>
              <Value>0</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="OTPVerification-JIT" TechnicalProfileReferenceId="OTPVerification-JIT" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- Additional step to remove the legacy TOTP claim. -->
        <!-- Comment out this orchestration step if you would like to retain the old secrets.
             Leaving the legacy secret in place keeps a second copy of the authenticator
             secret in the directory after migration, so retaining it should be a
             deliberate choice. -->
        <OrchestrationStep Order="6" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
              <Value>extension_StrongAuthenticationAppSecretKey</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
            <!-- Comment out the below precondition to delete the legacy claim when the user is JIT registered.
                 Otherwise it will be removed on the next login. As written, the delete is
                 skipped while numberOfAvailableDevices is still 0, i.e. in the same run that
                 performed the JIT registration at step 5. -->
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>numberOfAvailableDevices</Value>
              <Value>0</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="AAD-DeleteLegacyTOTPClaim" TechnicalProfileReferenceId="AAD-DeleteLegacyTOTPClaim" />
          </ClaimsExchanges>
        </OrchestrationStep>
      </OrchestrationSteps>
    </SubJourney>
  </SubJourneys>
</TrustFrameworkPolicy>