Add a terms of use consent page to Azure AD B2C user journey with custom policies


In these times of growing compliance requirements, when providing a service to customers and consumers we need them to agree to our terms of use/service.

When using Azure AD B2C (Business to Consumer) you can easily do that with custom policies from the Identity Experience Framework.

The described solution is based on the LocalAccount templates from the Custom Policies Starter Pack GitHub repository.

Besides editing your policy with the steps below, you can download the complete files from my GitHub repository: B2C-custom-policy-with-consent

What it does:

  • Presents a page in the sign-up user journey on which consent to the terms of use is required.
  • When accepted, the current version (date or number) of the terms of use is stored in an extension attribute of the user's profile.
  • If you create a new version of your terms of use and modify the version (date or number) in the custom policy, users are required, on their next login, to agree to the new terms of use again.

What do I need to prepare:

How to implement:

First of all we create the required custom attribute. Because I decided not to use my own extension app, I will use the default “b2c-extensions-app. Do not modify. Used by AADB2C for storing user data.” app with my custom policy.

Attributes for the built-in policies are also stored there.


Create the needed attribute

Go to the Azure Portal (https://portal.azure.com), switch to your B2C tenant and create the following custom attribute from the B2C management blade:

  • Name: TermsOfUseConsented
  • Type: String
  • Description:

Now let’s pick up that attribute in our custom policy. Edit TrustFrameworkBase.xml and add the following ClaimType to SECTION III of the ClaimsSchema block.


Add the additional consent page

Let’s create the additional page to present the consent screen in the user’s journey:

In the TrustFrameworkBase.xml add the following content definition to the ContentDefinitions block:


Tell the policy where extension attributes are located
Locate the TechnicalProfile Id="AAD-Common" and add the following after the Protocol tag:
You need to enter the GUIDs of your b2c-extensions-app here; you can find them in your B2C tenant under Azure Active Directory -> App registrations.

Read the stored consent attribute from the directory

Locate the TechnicalProfile Id="AAD-UserReadUsingEmailAddress" and add an additional output claim:

So whenever the user is looked up and read by email address, the attribute is added to the output claims.
In addition, locate the TechnicalProfile Id="AAD-UserReadUsingObjectId" and add the following output claim:
This reads the attribute every time the user is looked up and read from the directory by object id and stores it in the output claim.

Create Technical Profile to write the consent attribute to AAD
Add the following technical profile to the TechnicalProfiles block of the ClaimsProvider block with DisplayName “Azure Active Directory” in the TrustFrameworkBase.xml file:
This profile will be used later as a validation technical profile to store the consent attribute when the user agrees to the terms of use.
Locate the ClaimsProvider block with the DisplayName “Self Asserted” and add the following new technical profile within its TechnicalProfiles block in the TrustFrameworkBase.xml file:
This technical profile presents the consent page and stores the attribute in the AAD identity store by calling the validation technical profile above.

Create the custom user journey
Switch to the TrustFrameworkExtension.xml file and add the following user journey to the UserJourneys block:
This is a copy of the default user journey from the TrustFrameworkBase.xml file with the consent page added as the second-to-last step (Order="4").

Activate the new journey as the default user journey
Switch to the SignUpOrSignIn.xml file and modify the following line to set the custom user journey as the default journey:
<DefaultUserJourney ReferenceId="SignUpOrSignIn-withConsent" />
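The pieces above, written out as one added example reconstructed from the steps in this post (it is not the author's repository content). The profile ids AAD-UserWriteTermsOfUseConsented, SelfAsserted-TermsOfUseConsent, the ClaimsExchange id and the version value 2018-05-25 are assumptions chosen for illustration; the version value must be identical in the ClaimType and in the Precondition.

```xml
<!-- TrustFrameworkBase.xml, ClaimsSchema: the enumeration Value is the current terms version (assumed 2018-05-25) -->
<ClaimType Id="extension_TermsOfUseConsented">
  <DisplayName>Terms of use</DisplayName>
  <DataType>string</DataType>
  <UserInputType>RadioSingleSelect</UserInputType>
  <Restriction>
    <Enumeration Text="I agree to the terms of use (version 2018-05-25)" Value="2018-05-25" />
  </Restriction>
</ClaimType>
<!-- ClaimsProvider "Azure Active Directory": validation profile that persists the consent (id assumed) -->
<TechnicalProfile Id="AAD-UserWriteTermsOfUseConsented">
  <Metadata>
    <Item Key="Operation">Write</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item> <!-- only update an existing user, never create one -->
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
  </InputClaims>
  <PersistedClaims>
    <PersistedClaim ClaimTypeReferenceId="objectId" />
    <PersistedClaim ClaimTypeReferenceId="extension_TermsOfUseConsented" />
  </PersistedClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>
<!-- ClaimsProvider "Self Asserted": the consent page; Required="true" blocks submission without a selection -->
<TechnicalProfile Id="SelfAsserted-TermsOfUseConsent">
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ContentDefinitionReferenceId">api.selfasserted.consent</Item>
  </Metadata>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="extension_TermsOfUseConsented" Required="true" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="AAD-UserWriteTermsOfUseConsented" />
  </ValidationTechnicalProfiles>
</TechnicalProfile>
<!-- TrustFrameworkExtension.xml, journey SignUpOrSignIn-withConsent: step 4 is skipped only when the stored
     version equals the current one; a missing or older stored value shows the page again -->
<OrchestrationStep Order="4" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecutionType="ClaimsExchange">
      <Value>extension_TermsOfUseConsented</Value>
      <Value>2018-05-25</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="TermsOfUseConsentExchange" TechnicalProfileReferenceId="SelfAsserted-TermsOfUseConsent" />
  </ClaimsExchanges>
</OrchestrationStep>
```

The two sign-in read profiles must output extension_TermsOfUseConsented as described above, otherwise the precondition never sees a stored value and every user is prompted on every login.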

That’s it: you can now upload all policies to your B2C tenant and give them a try. Don’t forget that you need to upload them in the following order:

  • TrustFrameworkBase.xml
  • TrustFrameworkExtension.xml
  • SignUpOrSignIn.xml
  • <additional files>

If you create a new version of your terms of use you need to edit both date values: first in the ClaimType in TrustFrameworkBase.xml and second in the Preconditions of the UserJourney in TrustFrameworkExtension.xml.

Since the custom consent page does not show the consent text itself, you should put that text into the UI customization HTML file and reference it from the custom policy.

You can do that by modifying the LoadUri parameter of the ContentDefinition Id="api.selfasserted.consent".


Author: Peter Stapf

Senior Consultant Identity and Access

7 thoughts on “Add a terms of use consent page to Azure AD B2C user journey with custom policies”

  1. This article was incredibly helpful. Thank you!

    I got this to work with the local accounts but I also tried setting this up with the SocialAndLocalAccounts, however I kept getting this error.

    Unable to upload policy. Reason : Validation failed: 1 validation error(s) found in policy “B2C_1A_SIGNUP_SIGNIN” of tenant “meddevapib2c.onmicrosoft.com”.Claim type “identityProvider” is the output claim of the relying party’s technical profile, but it is not an output claim in any of the steps of user journey “SignUpOrSignIn-withConsent”.

    1. It’s just like the message states: you have an outputClaim in your signupsign policy but that claim is missing in one or more of the technical profiles that are called by your user journey.

  2. Hi this article was very useful. Can you please let me know how to include hyperlink in terms and agreement and also i would like to display termsofconstent custom attribute in signup page instead of redirection to new page.

    1. Hi, I only implemented a simple solution here, which only displays the Radio control to accept the terms.
      The terms of use content itself is a separate HTML page (custom UI).

  3. Very helpful article! I have a similar requirement with a slight variation. Instead of consent I would like to add a custom user name as a custom attribute. Upon successful login, if the user does not have a user name in AD then redirect to a self-asserted page where the user will have to select the username.
    Now at this time I would like to put validation on the username field. He should not be able to choose something which is already taken. Also, I would like to make an exception for a few reserved words which cannot be chosen as user name.

    1. Why not put that scenario into the registration screen instead of a custom page and mark that custom attribute as required?
      Or is it for a solution where users are already present and should add their new “username”?

      1. It is when users are already present and later they are coming to choose their username for additional functionality on website.
