Do not require auth when editing the profile #19

Closed
kstro21 opened this issue Sep 27, 2019 · 7 comments

Comments


kstro21 commented Sep 27, 2019

I have the following user journey:

```xml
<UserJourney Id="ProfileEdit">
  <OrchestrationSteps>

    <OrchestrationStep Order="1" Type="ClaimsProviderSelection" ContentDefinitionReferenceId="api.idpselections">
      <ClaimsProviderSelections>
        <ClaimsProviderSelection TargetClaimsExchangeId="FacebookExchange" />
        <ClaimsProviderSelection TargetClaimsExchangeId="GoogleExchange" />
        <ClaimsProviderSelection TargetClaimsExchangeId="LocalAccountSigninEmailExchange" />
      </ClaimsProviderSelections>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="FacebookExchange" TechnicalProfileReferenceId="Facebook-OAUTH" />
        <ClaimsExchange Id="GoogleExchange" TechnicalProfileReferenceId="Google-OAUTH" />
        <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="3" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
          <Value>authenticationSource</Value>
          <Value>localAccountAuthentication</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserRead" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="4" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
          <Value>authenticationSource</Value>
          <Value>socialIdpAuthentication</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>

    <OrchestrationStep Order="5" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="B2CUserProfileUpdateExchange" TechnicalProfileReferenceId="SelfAsserted-ProfileUpdate" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="6" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />

  </OrchestrationSteps>
  <ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>
```

It works, but it first asks the user to authenticate then the user can edit their profile.

What I'm trying to do now is to remove the authentication step so the user goes directly to the edit profile form. I'm playing with removing the first OrchestrationStep, but it is not working. I've also checked all the examples in this repository, but none is about editing the profile. So, I have a question:

Is it possible to remove the authentication step when editing the profile? If yes, can someone provide an example?

marcelodiiorio (Contributor) commented Sep 27, 2019

Hi! You have to configure SSO settings accordingly. If you are using user flows, it's in the session behavior settings. In case of custom policies, see my sample use case https://github.com/marcelodiiorio/My-Azure-AD-B2C-use-cases/tree/master/Configuring%20B2C%20as%20JWT%20issuer%20using%20OAUTH-OIDC

JasSuri (Contributor) commented Oct 3, 2019

You do not need to do anything. The default SSO already applies without reconfiguring the custom policy. Try this: use the Sign In/Up policy in one browser tab. Then use the Profile Edit journey in another tab in the same browser; make sure to remove the prompt=login query parameter if it exists. You'll see the user can directly edit the profile without providing credentials.

JasSuri closed this as completed Oct 3, 2019

kstro21 (Author) commented Oct 3, 2019

@JasSuri the user can directly edit the profile without providing credentials when it is a local account, but when the user registered with a provider (Google or Facebook) it is asking for the provider credentials again.

Is that how it works, or can we change that? I mean, not asking for credentials when the user is from a provider.

JasSuri (Contributor) commented Oct 3, 2019

@kstro21 This would be because the session management technical profile for the social account logon is different from that of the local account sign in. If you set the same session management technical profile for both, it should give SSO.

kstro21 (Author) commented Oct 3, 2019

@JasSuri would that be a configuration on the provider side, or is it something I need to change in my custom policies (the XML files)? An example would be great, or just a link pointing in the right direction.

Thanks

ylulloa commented Oct 3, 2019

@kstro21 / @JasSuri: The same happens to me. The scenario is when I'm using multiple accounts in my browser. Let's say I have my personal Google account and my work Google account. However, if I open an incognito instance of the browser, I can't replicate it, because I end up with only one account there.

How can we tell B2C, in the URL that redirects to the B2C user profile, that this app is using this account?

JasSuri reopened this Oct 4, 2019

JasSuri (Contributor) commented Dec 12, 2020

The proper way to solve this with the default starter pack would be to send the domain_hint. This way the user gets SSO via their social IdP too.
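
The two pieces of app-side advice in this thread, dropping prompt=login and sending a domain_hint for users who signed in through a social IdP, put together as an added example (not code from the issue or from the B2C starter pack). The tenant, policy, client and redirect values are constructed placeholders, and the identityProvider-to-domain_hint mapping assumes the `<Domain>` values of the starter-pack social ClaimsProviders.

```python
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Constructed placeholders: replace with your tenant and app registration.
TENANT = "contoso"
POLICY = "B2C_1A_ProfileEdit"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://localhost:5000/signin-oidc"

# Assumed mapping from the identityProvider claim received at sign-in to the
# domain_hint value; keys mirror the <Domain> element of the starter-pack
# social ClaimsProviders. Local accounts get no hint and rely on the B2C cookie.
DOMAIN_HINTS = {
    "facebook.com": "facebook.com",
    "google.com": "google.com",
}


def build_profile_edit_url(identity_provider: Optional[str], nonce: str, state: str) -> str:
    """Authorize request for the profile-edit policy.

    No prompt=login is sent (it would force re-authentication), and for users
    who signed in through a social IdP the matching domain_hint is added so
    B2C skips the provider selection page and reuses the IdP session.
    """
    params = {
        "client_id": CLIENT_ID,
        "response_type": "id_token",
        "response_mode": "form_post",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "nonce": nonce,
        "state": state,
    }
    hint = DOMAIN_HINTS.get((identity_provider or "").lower())
    if hint:
        params["domain_hint"] = hint
    base = (f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/"
            f"{POLICY}/oauth2/v2.0/authorize")
    return f"{base}?{urlencode(params)}"


def strip_prompt_login(url: str) -> str:
    """Drop prompt=login from an existing authorize URL; every other parameter is kept."""
    parts = urlparse(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    if query.get("prompt") == ["login"]:
        del query["prompt"]
    return urlunparse(parts._replace(query=urlencode(query, doseq=True)))
```

`strip_prompt_login` is the check to run on any profile-edit link an existing app already emits; `build_profile_edit_url` is what a new link should look like.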

JasSuri closed this as completed Dec 12, 2020