Negative Scenario on login

During the login process, on the wrong password attempt, I need to change a few flags and attributes in the user directory before we throw any error in the user journey. How can we implement this as the user journey gets broken as soon as login-nonInteractive throws a password exception?



Solution 1:[1]

  1. On the login-NonInteractive technical profile, which is called as a validation technical profile from your login technical profile, set ContinueOnError="true":

        <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
          <ValidationTechnicalProfiles>
            <!-- ContinueOnError lets the journey carry on after login-NonInteractive throws -->
            <ValidationTechnicalProfile ReferenceId="login-NonInteractive" ContinueOnError="true" />
          </ValidationTechnicalProfiles>
        </TechnicalProfile>
    
  2. Inside the login-NonInteractive technical profile, set a DefaultValue for objectId, e.g. DefaultValue="badPassword":

        <TechnicalProfile Id="login-NonInteractive">
          <OutputClaims>
            <!-- objectId is only returned by a successful call; the default marks a failed one -->
            <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="oid" DefaultValue="badPassword" />
          </OutputClaims>
        </TechnicalProfile>
    
  3. In your login technical profile, apply a precondition to the next validation technical profile such that it only executes if objectId!=badPassword. Here, call a technical profile to perform the workload for the bad password scenario:

        <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
          <ValidationTechnicalProfiles>
            <ValidationTechnicalProfile ReferenceId="login-NonInteractive" ContinueOnError="true" />
            <!-- Skipped unless objectId holds the badPassword marker -->
            <ValidationTechnicalProfile ReferenceId="Run-Custom-BadPwd-Logic">
              <Preconditions>
                <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
                  <Value>objectId</Value>
                  <Value>badPassword</Value>
                  <Action>SkipThisValidationTechnicalProfile</Action>
                </Precondition>
              </Preconditions>
            </ValidationTechnicalProfile>
          </ValidationTechnicalProfiles>
        </TechnicalProfile>
    
  4. Now we need to stop the flow for the bad password. Call another validation technical profile with a precondition that skips it if objectId!=badPassword:

        <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
          <ValidationTechnicalProfiles>
            <ValidationTechnicalProfile ReferenceId="login-NonInteractive" ContinueOnError="true" />
            <ValidationTechnicalProfile ReferenceId="Run-Custom-BadPwd-Logic">
              <Preconditions>
                <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
                  <Value>objectId</Value>
                  <Value>badPassword</Value>
                  <Action>SkipThisValidationTechnicalProfile</Action>
                </Precondition>
              </Preconditions>
            </ValidationTechnicalProfile>
            <!-- Same gate; this profile is what finally raises the error to the user -->
            <ValidationTechnicalProfile ReferenceId="Block-BadPwd-User">
              <Preconditions>
                <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
                  <Value>objectId</Value>
                  <Value>badPassword</Value>
                  <Action>SkipThisValidationTechnicalProfile</Action>
                </Precondition>
              </Preconditions>
            </ValidationTechnicalProfile>
          </ValidationTechnicalProfiles>
        </TechnicalProfile>
    
  5. This (Block-BadPwd-User) should call a claims transformation technical profile, which performs a boolean assertion. First call a claims transformation to compare objectId with "badPassword" and output a boolean claim (booleanBadPassword=true/false). Then a second claims transformation compares booleanBadPassword with a boolean (false). Use an AssertBooleanClaimIsEqualToValue transformation here, which will throw an error if booleanBadPassword is not equal to false.

    <TechnicalProfile Id="Block-BadPwd-User">
      <DisplayName>Block-BadPwd-User</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="booleanBadPassword" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <!-- Order matters: compute the boolean first, then assert on it -->
        <OutputClaimsTransformation ReferenceId="compareObjectIdValue" />
        <OutputClaimsTransformation ReferenceId="AssertValueIsFalse" />
      </OutputClaimsTransformations>
    </TechnicalProfile>
    
    <ClaimsTransformation Id="compareObjectIdValue" TransformationMethod="CompareClaimToValue">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="objectId" TransformationClaimType="inputClaim1" />
      </InputClaims>
      <InputParameters>
        <InputParameter Id="compareTo" DataType="string" Value="badPassword" />
        <InputParameter Id="operator" DataType="string" Value="equal" />
        <InputParameter Id="ignoreCase" DataType="string" Value="true" />
      </InputParameters>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="booleanBadPassword" TransformationClaimType="outputClaim" />
      </OutputClaims>
    </ClaimsTransformation>
    
    <ClaimsTransformation Id="AssertValueIsFalse" TransformationMethod="AssertBooleanClaimIsEqualToValue">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="booleanBadPassword" TransformationClaimType="inputClaim" />
      </InputClaims>
      <InputParameters>
        <InputParameter Id="valueToCompareTo" DataType="boolean" Value="false" />
      </InputParameters>
    </ClaimsTransformation>
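The five steps above assembled into one extension-policy fragment, as an added example that is not part of the original answer. It assumes the starter pack's AAD-Common technical profile and signInName claim exist in the base policy. The lookupObjectId claim, the extension attribute extension_failedLoginFlag, the AAD-LookupObjectIdByEmail-BadPwd profile and the body of Run-Custom-BadPwd-Logic are hypothetical stand-ins for "change a few flags in the user directory"; Block-BadPwd-User and its two claims transformations are the ones defined in step 5. One deliberate change from the answer: the directory write is gated with a ClaimsExist precondition on lookupObjectId instead of ClaimEquals on objectId, because the lookup finds nothing for an e-mail that is not in the tenant.

```xml
<!-- Added example, not from the original answer. Assumes AAD-Common and signInName from the
     starter pack; lookupObjectId, extension_failedLoginFlag and both AAD profiles are hypothetical. -->
<BuildingBlocks>
  <ClaimsSchema>
    <ClaimType Id="booleanBadPassword">
      <DisplayName>Password check failed</DisplayName>
      <DataType>boolean</DataType>
    </ClaimType>
    <ClaimType Id="lookupObjectId">
      <DisplayName>Object id found by e-mail lookup</DisplayName>
      <DataType>string</DataType>
    </ClaimType>
    <ClaimType Id="extension_failedLoginFlag">
      <DisplayName>Set after a failed password</DisplayName>
      <DataType>boolean</DataType>
    </ClaimType>
  </ClaimsSchema>
</BuildingBlocks>
<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Local Account SignIn</DisplayName>
    <TechnicalProfiles>
      <!-- Step 2: a failed ROPC call returns no oid, so the default marker lands in objectId -->
      <TechnicalProfile Id="login-NonInteractive">
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="oid" DefaultValue="badPassword" />
        </OutputClaims>
      </TechnicalProfile>
      <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
        <Metadata>
          <!-- Message the sign-in page shows when AssertValueIsFalse (step 5) throws -->
          <Item Key="UserMessageIfClaimsTransformationBooleanValueIsNotEqual">Your password is incorrect.</Item>
        </Metadata>
        <ValidationTechnicalProfiles>
          <!-- Step 1: keep going after a password error -->
          <ValidationTechnicalProfile ReferenceId="login-NonInteractive" ContinueOnError="true" />
          <!-- Step 3: gated on the marker, so it only runs after a failed password -->
          <ValidationTechnicalProfile ReferenceId="AAD-LookupObjectIdByEmail-BadPwd">
            <Preconditions>
              <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
                <Value>objectId</Value>
                <Value>badPassword</Value>
                <Action>SkipThisValidationTechnicalProfile</Action>
              </Precondition>
            </Preconditions>
          </ValidationTechnicalProfile>
          <!-- lookupObjectId only exists if the gated lookup above ran and found the account -->
          <ValidationTechnicalProfile ReferenceId="Run-Custom-BadPwd-Logic">
            <Preconditions>
              <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
                <Value>lookupObjectId</Value>
                <Action>SkipThisValidationTechnicalProfile</Action>
              </Precondition>
            </Preconditions>
          </ValidationTechnicalProfile>
          <!-- Step 4: must stay last; it is what actually stops a failed login (profile from step 5) -->
          <ValidationTechnicalProfile ReferenceId="Block-BadPwd-User">
            <Preconditions>
              <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
                <Value>objectId</Value>
                <Value>badPassword</Value>
                <Action>SkipThisValidationTechnicalProfile</Action>
              </Precondition>
            </Preconditions>
          </ValidationTechnicalProfile>
        </ValidationTechnicalProfiles>
      </TechnicalProfile>
      <!-- Hypothetical workload, part 1: find the account by the typed e-mail. The id goes to
           lookupObjectId, not objectId, so the badPassword marker that gates the block is kept. -->
      <TechnicalProfile Id="AAD-LookupObjectIdByEmail-BadPwd">
        <Metadata>
          <Item Key="Operation">Read</Item>
          <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">false</Item>
        </Metadata>
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.emailAddress" Required="true" />
        </InputClaims>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="lookupObjectId" PartnerClaimType="objectId" />
        </OutputClaims>
        <IncludeTechnicalProfile ReferenceId="AAD-Common" />
      </TechnicalProfile>
      <!-- Hypothetical workload, part 2: set the flag on the directory record -->
      <TechnicalProfile Id="Run-Custom-BadPwd-Logic">
        <Metadata>
          <Item Key="Operation">Write</Item>
        </Metadata>
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="lookupObjectId" PartnerClaimType="objectId" Required="true" />
        </InputClaims>
        <PersistedClaims>
          <PersistedClaim ClaimTypeReferenceId="lookupObjectId" PartnerClaimType="objectId" />
          <PersistedClaim ClaimTypeReferenceId="extension_failedLoginFlag" DefaultValue="true" AlwaysUseDefaultValue="true" />
        </PersistedClaims>
        <IncludeTechnicalProfile ReferenceId="AAD-Common" />
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
```

Three things to check before shipping a policy built this way. First, the string "badPassword" in objectId is the only thing standing between a wrong password and a signed-in session: Block-BadPwd-User must be the last validation technical profile, and nothing in the gated chain may write objectId (a starter-pack AAD-UserReadUsingEmailAddress would, which is why the lookup above maps the directory attribute to a separate claim). Second, ContinueOnError="true" swallows every failure of login-NonInteractive, not only wrong passwords, so a disabled account, a smart-lockout rejection and an unknown e-mail all reach the workload and all end with the same user message. Third, the workload runs for anyone who submits an e-mail address and a wrong password, so whatever it persists is writable by unauthenticated callers; keep it to informational flags, and remember that extension attributes need the b2c-extensions-app ApplicationObjectId and ClientId set on AAD-Common.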
    

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Jas Suri - MSFT