IefPolicies

3.1.21

strings/aadmultiHRD.xml

                                <ClaimsProvider xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">

    <Domain>organizations</Domain>

    <DisplayName>Work and school accounts</DisplayName>

    <TechnicalProfiles>

      <TechnicalProfile Id="{0}-OIDC">

        <DisplayName>Work or school account</DisplayName>

        <Description>Login with your work or school account</Description>

        <Protocol Name="OpenIdConnect"/>

        <Metadata>

          <Item Key="METADATA">https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration</Item>

          <!-- Update the Client ID below to the Application ID -->

          <Item Key="client_id">{{{0}:clientId}}</Item>

          <Item Key="response_types">code</Item>

          <Item Key="scope">openid profile email</Item>

          <Item Key="response_mode">form_post</Item>

          <Item Key="HttpBinding">POST</Item>

          <Item Key="UsePolicyInRedirectUri">false</Item>

          <Item Key="DiscoverMetadataByTokenIssuer">true</Item>

          <!-- The key below allows you to specify each of the Azure AD tenants that can be used to sign in. Update the GUIDs below for each tenant. -->

          <!--Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000,https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111</Item-->

          <!-- The commented key below specifies that users from any tenant can sign-in. Uncomment if you would like anyone with an Azure AD account to be able to sign in. -->

          <Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item>

          <Item Key="ClaimTypeOnWhichToEnable">idp</Item>

          <Item Key="ClaimValueOnWhichToEnable">aad</Item>

        </Metadata>

        <CryptographicKeys>

          <Key Id="client_secret" StorageReferenceId="B2C_1A_{0}AppSecret"/>

        </CryptographicKeys>

        <!-- Add optional token request parameters (prompt, logi-/domain-hint, etc.) /-->

        <!--InputClaims>

          <InputClaim ClaimTypeReferenceId="prompt" DefaultValue="select_account" />

        </InputClaims-->

        <OutputClaims>

          <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid"/>

          <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>

          <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />

          <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />

          <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />

          <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />

          <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />

          <OutputClaim ClaimTypeReferenceId="email" />          

        </OutputClaims>

        <OutputClaimsTransformations>

          <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>

          <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>

          <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>

          <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>

        </OutputClaimsTransformations>

        <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin"/>

        <EnabledForUserJourneys>OnClaimsExistence</EnabledForUserJourneys>

      </TechnicalProfile>

    </TechnicalProfiles>

  </ClaimsProvider>