Added TOTPApproval

Author: mrochon

.gitignore

@@ -334,3 +334,5 @@ ASALocalRun/
 # MFractors (Xamarin productivity tool) working folder 
 .mfractor/
 /Policies/GuestUsers/gen/mrochonb2cprod.onmicrosoft.com
+
+.codegpt

Policies/TOTP/policy/.gitignore

@@ -0,0 +1,2 @@
+
+.codegpt

Policies/TOTPBasedApproval/TOTPExtensions.xml

@@ -2,17 +2,15 @@
     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
     xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0"
     TenantId="yourtenant.onmicrosoft.com"
-    PolicyId="B2C_1A_TrustFrameworkExtensions_TOTP"
-    PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions_TOTP">
+    PolicyId="B2C_1A_TOTP_Extensions"
+    PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_TOTP_Extensions">
 
     <BasePolicy>
         <TenantId>yourtenant.onmicrosoft.com</TenantId>
         <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
     </BasePolicy>
     <BuildingBlocks>
         <ClaimsSchema>
-            <!--TOTP
-            claims-->
             <ClaimType Id="emails">
                 <DisplayName>Email Addresses</DisplayName>
                 <DataType>stringCollection</DataType>
@@ -49,7 +47,7 @@
             </ClaimType>
 
             <ClaimType Id="QrCodeVerifyInstruction">
-                <DisplayName>Enter the verification code from your authenticator app.</DisplayName>
+                <DisplayName>Enter the code from District Manager.</DisplayName>
                 <DataType>string</DataType>
                 <UserInputType>Paragraph</UserInputType>
             </ClaimType>
@@ -69,7 +67,7 @@
             </ClaimType>
 
             <ClaimType Id="otpCode">
-                <DisplayName>Enter your code</DisplayName>
+                <DisplayName>Enter the code</DisplayName>
                 <DataType>string</DataType>
                 <UserHelpText>Enter the 6-digit verification code generated by the the Authenticator
                     app in the box</UserHelpText>
@@ -241,6 +239,15 @@
 
             <!-- end of TOTP Claims Transforms-->
 
+        <ClaimsTransformation Id="CreateRandomPassword" TransformationMethod="CreateRandomString">
+            <InputParameters>
+                <InputParameter Id="randomGeneratorType" DataType="string" Value="GUID" />
+            </InputParameters>
+            <OutputClaims>
+                <OutputClaim ClaimTypeReferenceId="password" TransformationClaimType="outputClaim" />
+            </OutputClaims>
+        </ClaimsTransformation>            
+
         </ClaimsTransformations>
 
         <ContentDefinitions>
@@ -296,7 +303,7 @@
                         StringId="DisplayName">Enter the verification code from your authenticator
                         app.</LocalizedString>
                     <LocalizedString ElementType="ClaimType" ElementId="otpCode"
-                        StringId="DisplayName">Enter your code.</LocalizedString>
+                        StringId="DisplayName">Enter the code.</LocalizedString>
                     <!-- <LocalizedString ElementType="UxElement"
                     StringId="button_continue">Verify</LocalizedString> -->
                 </LocalizedStrings>
@@ -573,120 +580,80 @@
                         <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
                     </OutputClaims>
                 </TechnicalProfile>
+            <TechnicalProfile Id="AAD-UserWriteUsingAlternativeSecurityId">
+                <InputClaimsTransformations>
+                    <InputClaimsTransformation ReferenceId="CreateRandomPassword" />
+                </InputClaimsTransformations>
+                <!-- <InputClaims>
+                    <InputClaim ClaimTypeReferenceId="email" Required="true" />
+                </InputClaims> -->
+                <PersistedClaims>
+                    <PersistedClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" />
+                    <PersistedClaim ClaimTypeReferenceId="password" />
+                    <PersistedClaim ClaimTypeReferenceId="passwordPolicies" DefaultValue="DisablePasswordExpiration,DisableStrongPassword" />                    
+                </PersistedClaims>
+            </TechnicalProfile>                
             </TechnicalProfiles>
         </ClaimsProvider>
 
-        <ClaimsProvider>
-            <DisplayName>Local Account</DisplayName>
-            <TechnicalProfiles>
-                <TechnicalProfile Id="LocalAccountSignUpWithLogonEmail">
-                    <OutputClaims>
-                        <!-- The userPrincipalName is required for the AzureMfaProtocolProvider
-                        technical profiles-->
-                        <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
-                    </OutputClaims>
-                </TechnicalProfile>
-
-                <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
-                    <OutputClaims>
-                        <!-- The userPrincipalName is required for the AzureMfaProtocolProvider
-                        technical profiles-->
-                        <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
-                    </OutputClaims>
-                </TechnicalProfile>
-            </TechnicalProfiles>
-        </ClaimsProvider>
     </ClaimsProviders>
 
     <UserJourneys>
-        <UserJourney Id="PasswordResetWithTOTP">
-            <OrchestrationSteps>
-                <OrchestrationStep Order="1" Type="ClaimsExchange">
-                    <ClaimsExchanges>
-                        <ClaimsExchange Id="PasswordResetUsingEmailAddressExchange"
-                            TechnicalProfileReferenceId="LocalAccountDiscoveryUsingEmailAddress" />
-                    </ClaimsExchanges>
-                </OrchestrationStep>
-
-                <!-- Call the TOTP enrollment ub journey. If user already enrolled the sub journey
-                will not ask the user to enroll -->
-                <OrchestrationStep Order="2" Type="InvokeSubJourney">
-                    <JourneyList>
-                        <Candidate SubJourneyReferenceId="TotpFactor-Input" />
-                    </JourneyList>
-                </OrchestrationStep>
-
-                <!-- Call the TOTP validation sub journey-->
-                <OrchestrationStep Order="3" Type="InvokeSubJourney">
-                    <JourneyList>
-                        <Candidate SubJourneyReferenceId="TotpFactor-Verify" />
-                    </JourneyList>
-                </OrchestrationStep>
-
-                <OrchestrationStep Order="4" Type="ClaimsExchange">
-                    <ClaimsExchanges>
-                        <ClaimsExchange Id="NewCredentials"
-                            TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId" />
-                    </ClaimsExchanges>
-                </OrchestrationStep>
-
-                <OrchestrationStep Order="5" Type="SendClaims"
-                    CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
-            </OrchestrationSteps>
-            <ClientDefinition ReferenceId="DefaultWeb" />
-        </UserJourney>
 
         <UserJourney Id="SignUpOrSignInTOTP">
             <OrchestrationSteps>
-
                 <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp"
                     ContentDefinitionReferenceId="api.signuporsignin">
                     <ClaimsProviderSelections>
-                        <ClaimsProviderSelection
-                            ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
+                        <ClaimsProviderSelection TargetClaimsExchangeId="WORKExchange" />
                     </ClaimsProviderSelections>
+                </OrchestrationStep>
+                <OrchestrationStep Order="2" Type="ClaimsExchange">
                     <ClaimsExchanges>
-                        <ClaimsExchange Id="LocalAccountSigninEmailExchange"
-                            TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
+                        <ClaimsExchange Id="WORKExchange" TechnicalProfileReferenceId="WORK-OIDC" />
                     </ClaimsExchanges>
                 </OrchestrationStep>
 
-                <OrchestrationStep Order="2" Type="ClaimsExchange">
+                <!-- For social IDP authentication, attempt to find the user account in the
+                directory. -->
+                <OrchestrationStep Order="3" Type="ClaimsExchange">
+                    <ClaimsExchanges>
+                        <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId"
+                            TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />
+                    </ClaimsExchanges>
+                </OrchestrationStep>
+
+                <!-- The previous step (SelfAsserted-Social) could have been skipped if there were
+                no attributes to collect 
+             from the user. So, in that case, create the user in the directory if one does not already exist 
+             (verified using objectId which would be set from the last step if account was created in the
+                directory. -->
+                <OrchestrationStep Order="4" Type="ClaimsExchange">
                     <Preconditions>
                         <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
                             <Value>objectId</Value>
                             <Action>SkipThisOrchestrationStep</Action>
                         </Precondition>
                     </Preconditions>
                     <ClaimsExchanges>
-                        <ClaimsExchange Id="SignUpWithLogonEmailExchange"
-                            TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
+                        <ClaimsExchange Id="AADUserWrite"
+                            TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
                     </ClaimsExchanges>
                 </OrchestrationStep>
 
-                <OrchestrationStep Order="3" Type="ClaimsExchange">
-                    <ClaimsExchanges>
-                        <ClaimsExchange Id="AADUserReadWithObjectId"
-                            TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
-                    </ClaimsExchanges>
-                </OrchestrationStep>
-
-                <!-- Call the TOTP enrollment ub journey. If user already enrolled the sub journey
-                will not ask the user to enroll -->
-                <OrchestrationStep Order="4" Type="InvokeSubJourney">
+                <OrchestrationStep Order="5" Type="InvokeSubJourney">
                     <JourneyList>
                         <Candidate SubJourneyReferenceId="TotpFactor-Input" />
                     </JourneyList>
                 </OrchestrationStep>
 
-                <!-- Call the TOTP validation sub journey-->
-                <OrchestrationStep Order="5" Type="InvokeSubJourney">
+                <OrchestrationStep Order="6" Type="InvokeSubJourney">
                     <JourneyList>
                         <Candidate SubJourneyReferenceId="TotpFactor-Verify" />
                     </JourneyList>
                 </OrchestrationStep>
 
-                <OrchestrationStep Order="6" Type="SendClaims"
+                <OrchestrationStep Order="7" Type="SendClaims"
                     CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
 
             </OrchestrationSteps>

README.md

@@ -99,7 +99,8 @@ section.
 | Jun 2022 | New: batch migration |
 | Nov 2022 | New: user choice of 2nd FA |
 | Mar 2023 | New: call Graph |
-| Jun 2023 | New: embedded pwd reset |
+| Jan 2025 | New: TOTP as approval code |
+
 
 
 ## Tips and tricks