[
  {
    "path": ".gitignore",
    "content": "## Ignore Visual Studio temporary files, build results, and\n## files generated by popular Visual Studio add-ons.\n\n# User-specific files\n*.suo\n*.user\n*.userosscache\n*.sln.docstates\n\n# User-specific files (MonoDevelop/Xamarin Studio)\n*.userprefs\n\n# Build results\n[Dd]ebug/\n[Dd]ebugPublic/\n[Rr]elease/\n[Rr]eleases/\nx64/\nx86/\nbld/\n[Bb]in/\n[Oo]bj/\n[Ll]og/\n\n# Visual Studio 2015 cache/options directory\n.vs/\n# Uncomment if you have tasks that create the project's static files in wwwroot\n#wwwroot/\n\n# MSTest test Results\n[Tt]est[Rr]esult*/\n[Bb]uild[Ll]og.*\n\n# NUNIT\n*.VisualState.xml\nTestResult.xml\n\n# Build Results of an ATL Project\n[Dd]ebugPS/\n[Rr]eleasePS/\ndlldata.c\n\n# DNX\nproject.lock.json\nartifacts/\n\n*_i.c\n*_p.c\n*_i.h\n*.ilk\n*.meta\n*.obj\n*.pch\n*.pdb\n*.pgc\n*.pgd\n*.rsp\n*.sbr\n*.tlb\n*.tli\n*.tlh\n*.tmp\n*.tmp_proj\n*.log\n*.vspscc\n*.vssscc\n.builds\n*.pidb\n*.svclog\n*.scc\n\n# Chutzpah Test files\n_Chutzpah*\n\n# Visual C++ cache files\nipch/\n*.aps\n*.ncb\n*.opendb\n*.opensdf\n*.sdf\n*.cachefile\n*.VC.db\n*.VC.VC.opendb\n\n# Visual Studio profiler\n*.psess\n*.vsp\n*.vspx\n*.sap\n\n# TFS 2012 Local Workspace\n$tf/\n\n# Guidance Automation Toolkit\n*.gpState\n\n# ReSharper is a .NET coding add-in\n_ReSharper*/\n*.[Rr]e[Ss]harper\n*.DotSettings.user\n\n# JustCode is a .NET coding add-in\n.JustCode\n\n# TeamCity is a build add-in\n_TeamCity*\n\n# DotCover is a Code Coverage Tool\n*.dotCover\n\n# NCrunch\n_NCrunch_*\n.*crunch*.local.xml\nnCrunchTemp_*\n\n# MightyMoose\n*.mm.*\nAutoTest.Net/\n\n# Web workbench (sass)\n.sass-cache/\n\n# Installshield output folder\n[Ee]xpress/\n\n# DocProject is a documentation generator add-in\nDocProject/buildhelp/\nDocProject/Help/*.HxT\nDocProject/Help/*.HxC\nDocProject/Help/*.hhc\nDocProject/Help/*.hhk\nDocProject/Help/*.hhp\nDocProject/Help/Html2\nDocProject/Help/html\n\n# Click-Once directory\npublish/\n\n# Publish Web Output\n*.[Pp]ublish.xml\n*.azurePubxml\n# TODO: 
Comment the next line if you want to checkin your web deploy settings\n# but database connection strings (with potential passwords) will be unencrypted\n*.pubxml\n*.publishproj\n\n# Microsoft Azure Web App publish settings. Comment the next line if you want to\n# checkin your Azure Web App publish settings, but sensitive information contained\n# in these scripts will be unencrypted\nPublishScripts/\n\n# NuGet Packages\n*.nupkg\n# The packages folder can be ignored because of Package Restore\n**/packages/*\n# except build/, which is used as an MSBuild target.\n!**/packages/build/\n# Uncomment if necessary however generally it will be regenerated when needed\n#!**/packages/repositories.config\n# NuGet v3's project.json files produces more ignoreable files\n*.nuget.props\n*.nuget.targets\n\n# Microsoft Azure Build Output\ncsx/\n*.build.csdef\n\n# Microsoft Azure Emulator\necf/\nrcf/\n\n# Windows Store app package directories and files\nAppPackages/\nBundleArtifacts/\nPackage.StoreAssociation.xml\n_pkginfo.txt\n\n# Visual Studio cache files\n# files ending in .cache can be ignored\n*.[Cc]ache\n# but keep track of directories ending in .cache\n!*.[Cc]ache/\n\n# Others\nClientBin/\n~$*\n*~\n*.dbmdl\n*.dbproj.schemaview\n*.pfx\n*.publishsettings\nnode_modules/\norleans.codegen.cs\n\n# Since there are multiple workflows, uncomment next line to ignore bower_components\n# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)\n#bower_components/\n\n# RIA/Silverlight projects\nGenerated_Code/\n\n# Backup & report files from converting an old project file\n# to a newer Visual Studio version. 
Backup files are not needed,\n# because we have git ;-)\n_UpgradeReport_Files/\nBackup*/\nUpgradeLog*.XML\nUpgradeLog*.htm\n\n# SQL Server files\n*.mdf\n*.ldf\n\n# Business Intelligence projects\n*.rdl.data\n*.bim.layout\n*.bim_*.settings\n\n# Microsoft Fakes\nFakesAssemblies/\n\n# GhostDoc plugin setting file\n*.GhostDoc.xml\n\n# Node.js Tools for Visual Studio\n.ntvs_analysis.dat\n\n# Visual Studio 6 build log\n*.plg\n\n# Visual Studio 6 workspace options file\n*.opt\n\n# Visual Studio LightSwitch build output\n**/*.HTMLClient/GeneratedArtifacts\n**/*.DesktopClient/GeneratedArtifacts\n**/*.DesktopClient/ModelManifest.xml\n**/*.Server/GeneratedArtifacts\n**/*.Server/ModelManifest.xml\n_Pvt_Extensions\n\n# Paket dependency manager\n.paket/paket.exe\npaket-files/\n\n# FAKE - F# Make\n.fake/\n\n# JetBrains Rider\n.idea/\n*.sln.iml\n"
  },
  {
    "path": "Display Controls Starterpack/LocalAccounts/PasswordReset.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<TrustFrameworkPolicy\n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\"\n  PolicySchemaVersion=\"0.3.0.0\"\n  TenantId=\"yourtenant.onmicrosoft.com\"\n  PolicyId=\"B2C_1A_PasswordReset\"\n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_PasswordReset\">\n\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>\n  </BasePolicy>\n\n  <RelyingParty>\n    <DefaultUserJourney ReferenceId=\"PasswordReset\" />\n    <TechnicalProfile Id=\"PolicyProfile\">\n      <DisplayName>PolicyProfile</DisplayName>\n      <Protocol Name=\"OpenIdConnect\" />\n      <OutputClaims>\n        <OutputClaim ClaimTypeReferenceId=\"email\" />\n        <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"sub\"/>\n        <OutputClaim ClaimTypeReferenceId=\"tenantId\" AlwaysUseDefaultValue=\"true\" DefaultValue=\"{Policy:TenantObjectId}\" />\n      </OutputClaims>\n      <SubjectNamingInfo ClaimType=\"sub\" />\n    </TechnicalProfile>\n  </RelyingParty>\n</TrustFrameworkPolicy>\n\n\n"
  },
  {
    "path": "Display Controls Starterpack/LocalAccounts/ProfileEdit.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<TrustFrameworkPolicy\n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\"\n  PolicySchemaVersion=\"0.3.0.0\"\n  TenantId=\"yourtenant.onmicrosoft.com\"\n  PolicyId=\"B2C_1A_ProfileEdit\"\n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_ProfileEdit\">\n\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>\n  </BasePolicy>\n\n  <RelyingParty>\n    <DefaultUserJourney ReferenceId=\"ProfileEdit\" />\n    <TechnicalProfile Id=\"PolicyProfile\">\n      <DisplayName>PolicyProfile</DisplayName>\n      <Protocol Name=\"OpenIdConnect\" />\n      <OutputClaims>\n        <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"sub\"/>\n        <OutputClaim ClaimTypeReferenceId=\"tenantId\" AlwaysUseDefaultValue=\"true\" DefaultValue=\"{Policy:TenantObjectId}\" />\n      </OutputClaims>\n      <SubjectNamingInfo ClaimType=\"sub\" />\n    </TechnicalProfile>\n  </RelyingParty>\n</TrustFrameworkPolicy>\n\n\n"
  },
  {
    "path": "Display Controls Starterpack/LocalAccounts/SignUpOrSignin.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<TrustFrameworkPolicy\n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\"\n  PolicySchemaVersion=\"0.3.0.0\"\n  TenantId=\"yourtenant.onmicrosoft.com\"\n  PolicyId=\"B2C_1A_signup_signin\"\n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_signup_signin\">\n\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>\n  </BasePolicy>\n\n  <RelyingParty>\n    <DefaultUserJourney ReferenceId=\"SignUpOrSignIn\" />\n    <Endpoints>\n      <!--points to refresh token journey when app makes refresh token request-->\n      <Endpoint Id=\"Token\" UserJourneyReferenceId=\"RedeemRefreshToken\" />\n    </Endpoints>\n    <TechnicalProfile Id=\"PolicyProfile\">\n      <DisplayName>PolicyProfile</DisplayName>\n      <Protocol Name=\"OpenIdConnect\" />\n      <OutputClaims>\n        <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n        <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n        <OutputClaim ClaimTypeReferenceId=\"surname\" />\n        <OutputClaim ClaimTypeReferenceId=\"email\" />\n        <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"sub\"/>\n        <OutputClaim ClaimTypeReferenceId=\"tenantId\" AlwaysUseDefaultValue=\"true\" DefaultValue=\"{Policy:TenantObjectId}\" />\n\n      </OutputClaims>\n      <SubjectNamingInfo ClaimType=\"sub\" />\n    </TechnicalProfile>\n  </RelyingParty>\n</TrustFrameworkPolicy>\n"
  },
  {
    "path": "Display Controls Starterpack/LocalAccounts/TrustFrameworkBase.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<TrustFrameworkPolicy\n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\"\n  PolicySchemaVersion=\"0.3.0.0\"\n  TenantId=\"yourtenant.onmicrosoft.com\"\n  PolicyId=\"B2C_1A_TrustFrameworkBase\"\n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkBase\">\n\n  <BuildingBlocks>\n    <ClaimsSchema>\n      <!-- The ClaimsSchema is divided into three sections:\n           1. Section I lists the minimum claims that are required for the user journeys to work properly.\n           2. Section II lists the claims required for query string parameters and other special parameters \n              to be passed to other claims providers, esp. login.microsoftonline.com for authentication. \n              Please do not modify these claims.\n           3. Section III lists any additional (optional) claims that can be collected from the user, stored \n              in the directory and sent in tokens during sign in. Add new claims to be collected from the user \n              and/or sent in the token in Section III. -->\n\n      <!-- NOTE: The claims schema contains restrictions on certain claims such as passwords and usernames. \n           The trust framework policy treats Azure AD as any other claims provider and all its restrictions \n           are modelled in the policy. A policy could be modified to add more restrictions, or use another \n           claims provider for credential storage which will have its own restrictions. 
-->\n\n      <!-- SECTION I: Claims required for user journeys to work properly -->\n\n      <ClaimType Id=\"socialIdpUserId\">\n        <DisplayName>Username</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText/>\n        <UserInputType>TextBox</UserInputType>\n        <Restriction>\n          <Pattern RegularExpression=\"^[a-zA-Z0-9]+[a-zA-Z0-9_-]*$\" HelpText=\"The username you provided is not valid. It must begin with an alphabet or number and can contain alphabets, numbers and the following symbols: _ -\" />\n        </Restriction>\n      </ClaimType>\n\n      <ClaimType Id=\"tenantId\">\n        <DisplayName>User's Object's Tenant ID</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"tid\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"tid\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.microsoft.com/identity/claims/tenantid\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Tenant identifier (ID) of the user object in Azure AD.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"objectId\">\n        <DisplayName>User's Object ID</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"oid\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"oid\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.microsoft.com/identity/claims/objectidentifier\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Object identifier (ID) of the user object in Azure AD.</UserHelpText>\n      </ClaimType>\n\n      <!-- Claims needed for local accounts. 
-->\n      <ClaimType Id=\"signInName\">\n        <DisplayName>Sign in name</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText/>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n      <ClaimType Id=\"signInNames.emailAddress\">\n        <DisplayName>Email Address</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Email address to use for signing in.</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n      <ClaimType Id=\"accountEnabled\">\n        <DisplayName>Account Enabled</DisplayName>\n        <DataType>boolean</DataType>\n        <AdminHelpText>Specifies whether the user's account is enabled.</AdminHelpText>\n        <UserHelpText>Specifies whether your account is enabled.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"password\">\n        <DisplayName>Password</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Enter password</UserHelpText>\n        <UserInputType>Password</UserInputType>\n      </ClaimType>\n\n      <!-- The claim types newPassword and reenterPassword are considered special, please do not change the names. 
\n           The UI validates that the user correctly re-entered their password during account creation based on these \n           claim types.\t  -->\n      <ClaimType Id=\"newPassword\">\n        <DisplayName>New Password</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Enter new password</UserHelpText>\n        <UserInputType>Password</UserInputType>\n        <Restriction>\n          <Pattern RegularExpression=\"^((?=.*[a-z])(?=.*[A-Z])(?=.*\\d)|(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9])|(?=.*[a-z])(?=.*\\d)(?=.*[^A-Za-z0-9])|(?=.*[A-Z])(?=.*\\d)(?=.*[^A-Za-z0-9]))([A-Za-z\\d@#$%^&amp;*\\-_+=[\\]{}|\\\\:',?/`~&quot;();!]|\\.(?!@)){8,16}$\" HelpText=\"8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ &amp; * - _ + = [ ] { } | \\ : ' , ? / ` ~ &quot; ( ) ; .\" />\n        </Restriction>\n      </ClaimType>\n      <!-- The password regular expression above is constructed for AAD passwords based on restrictions at https://msdn.microsoft.com/en-us/library/azure/jj943764.aspx\n\n        ^( # one of the following four combinations must appear in the password\n         (?=.*[a-z])(?=.*[A-Z])(?=.*\\d) |            # matches lower case, upper case or digit\n         (?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9]) |  # matches lower case, upper case or special character (i.e. non-alpha or digit)\n         (?=.*[a-z])(?=.*\\d)(?=.*[^A-Za-z0-9]) |     # matches lower case, digit, or special character\n         (?=.*[A-Z])(?=.*\\d)(?=.*[^A-Za-z0-9])       # matches upper case, digit, or special character\n        )\n        ( # The password must match the following restrictions\n         [A-Za-z\\d@#$%^&*\\-_+=[\\]{}|\\\\:',?/`~\"();!] |   # The list of all acceptable characters (without .)\n         \\.(?!@)                                        # or . 
can appear as long as not followed by @\n        ) {8,16}$                                       # the length must be between 8 and 16 chars inclusive\n\n      -->\n\n      <ClaimType Id=\"reenterPassword\">\n        <DisplayName>Confirm New Password</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Confirm new password</UserHelpText>\n        <UserInputType>Password</UserInputType>\n        <Restriction>\n          <Pattern RegularExpression=\"^((?=.*[a-z])(?=.*[A-Z])(?=.*\\d)|(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9])|(?=.*[a-z])(?=.*\\d)(?=.*[^A-Za-z0-9])|(?=.*[A-Z])(?=.*\\d)(?=.*[^A-Za-z0-9]))([A-Za-z\\d@#$%^&amp;*\\-_+=[\\]{}|\\\\:',?/`~&quot;();!]|\\.(?!@)){8,16}$\" HelpText=\" \" />\n        </Restriction>\n      </ClaimType>\n\n      <ClaimType Id=\"passwordPolicies\">\n        <DisplayName>Password Policies</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Password policies used by Azure AD to determine password strength, expiry etc.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"client_id\">\n        <DisplayName>client_id</DisplayName>\n        <DataType>string</DataType>\n        <AdminHelpText>Special parameter passed to EvoSTS.</AdminHelpText>\n        <UserHelpText>Special parameter passed to EvoSTS.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"resource_id\">\n        <DisplayName>resource_id</DisplayName>\n        <DataType>string</DataType>\n        <AdminHelpText>Special parameter passed to EvoSTS.</AdminHelpText>\n        <UserHelpText>Special parameter passed to EvoSTS.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"sub\">\n        <DisplayName>Subject</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"sub\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText/>\n      </ClaimType>\n\n      <ClaimType Id=\"identityProvider\">\n        
<DisplayName>Identity Provider</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"idp\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"idp\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.microsoft.com/identity/claims/identityprovider\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText/>\n      </ClaimType>\n\n      <ClaimType Id=\"displayName\">\n        <DisplayName>Display Name</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"unique_name\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"name\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Your display name.</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n      <ClaimType Id=\"email\">\n        <DisplayName>Email Address</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"email\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Email address that can be used to contact you.</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n        <Restriction>\n          <Pattern RegularExpression=\"^[a-zA-Z0-9!#$%&amp;'+^_`{}~-]+(?:\\.[a-zA-Z0-9!#$%&amp;'+^_`{}~-]+)*@(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?\\.)+[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?$\" HelpText=\"Please enter a valid email address.\" />\n        </Restriction>\n      </ClaimType>\n\n      <ClaimType Id=\"otherMails\">\n        <DisplayName>Alternate Email Addresses</DisplayName>\n        <DataType>stringCollection</DataType>\n        <UserHelpText>Email addresses that can be used to contact the 
user.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"userPrincipalName\">\n        <DisplayName>UserPrincipalName</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"upn\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"upn\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.microsoft.com/identity/claims/userprincipalname\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Your user name as stored in the Azure Active Directory.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"upnUserName\">\n        <DisplayName>UPN User Name</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>The user name for creating user principal name.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"newUser\">\n        <DisplayName>User is new</DisplayName>\n        <DataType>boolean</DataType>\n        <UserHelpText/>\n      </ClaimType>\n\n      <ClaimType Id=\"executed-SelfAsserted-Input\">\n        <DisplayName>Executed-SelfAsserted-Input</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>A claim that specifies whether attributes were collected from the user.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"authenticationSource\">\n        <DisplayName>AuthenticationSource</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Specifies whether the user was authenticated at Social IDP or local account.</UserHelpText>\n      </ClaimType>\n\n        <!--claims for refresh token revocation-->\n        <ClaimType Id=\"refreshTokenIssuedOnDateTime\">\n          <DisplayName>refreshTokenIssuedOnDateTime</DisplayName>\n          <DataType>string</DataType>\n          <AdminHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</AdminHelpText>\n          <UserHelpText>Used to 
determine if the user should be permitted to reauthenticate silently via their existing refresh token.</UserHelpText>\n        </ClaimType>\n  \n        <ClaimType Id=\"refreshTokensValidFromDateTime\">\n          <DisplayName>refreshTokensValidFromDateTime</DisplayName>\n          <DataType>string</DataType>\n          <AdminHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</AdminHelpText>\n          <UserHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</UserHelpText>\n        </ClaimType>\n\n      <!-- SECTION II: Claims required to pass on special parameters (including some query string parameters) to other claims providers -->\n\n      <ClaimType Id=\"nca\">\n        <DisplayName>nca</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Special parameter passed for local account authentication to login.microsoftonline.com.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"grant_type\">\n        <DisplayName>grant_type</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Special parameter passed for local account authentication to login.microsoftonline.com.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"scope\">\n        <DisplayName>scope</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Special parameter passed for local account authentication to login.microsoftonline.com.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"objectIdFromSession\">\n        <DisplayName>objectIdFromSession</DisplayName>\n        <DataType>boolean</DataType>\n        <UserHelpText>Parameter provided by the default session management provider to indicate that the object id has been retrieved from an SSO session.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"isActiveMFASession\">\n        <DisplayName>isActiveMFASession</DisplayName>\n 
       <DataType>boolean</DataType>\n        <UserHelpText>Parameter provided by the MFA session management to indicate that the user has an active MFA session.</UserHelpText>\n      </ClaimType>\n\n      <!-- SECTION III: Additional claims that can be collected from the users, stored in the directory, and sent in the token. Add additional claims here. -->\n\n      <ClaimType Id=\"givenName\">\n        <DisplayName>Given Name</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"given_name\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"given_name\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Your given name (also known as first name).</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n      <ClaimType Id=\"surname\">\n        <DisplayName>Surname</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"family_name\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"family_name\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Your surname (also known as family name or last name).</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n      <ClaimType Id=\"verificationCode\">\n        <DisplayName>Verification Code</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Enter your verification code</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n    </ClaimsSchema>\n\n    <ClaimsTransformations>\n      <ClaimsTransformation Id=\"CreateOtherMailsFromEmail\" 
TransformationMethod=\"AddItemToStringCollection\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"email\" TransformationClaimType=\"item\" />\n          <InputClaim ClaimTypeReferenceId=\"otherMails\" TransformationClaimType=\"collection\" />\n        </InputClaims>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"otherMails\" TransformationClaimType=\"collection\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n\n      <ClaimsTransformation Id=\"AssertAccountEnabledIsTrue\" TransformationMethod=\"AssertBooleanClaimIsEqualToValue\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"accountEnabled\" TransformationClaimType=\"inputClaim\" />\n        </InputClaims>\n        <InputParameters>\n          <InputParameter Id=\"valueToCompareTo\" DataType=\"boolean\" Value=\"true\" />\n        </InputParameters>\n      </ClaimsTransformation>\n\n      <!--claims transformation for refresh token revocation -->\n      <ClaimsTransformation Id=\"AssertRefreshTokenIssuedLaterThanValidFromDate\" TransformationMethod=\"AssertDateTimeIsGreaterThan\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"refreshTokenIssuedOnDateTime\" TransformationClaimType=\"leftOperand\" />\n          <InputClaim ClaimTypeReferenceId=\"refreshTokensValidFromDateTime\" TransformationClaimType=\"rightOperand\" />\n        </InputClaims>\n        <InputParameters>\n          <InputParameter Id=\"AssertIfEqualTo\" DataType=\"boolean\" Value=\"false\" />\n          <InputParameter Id=\"AssertIfRightOperandIsNotPresent\" DataType=\"boolean\" Value=\"true\" />\n          <InputParameter Id=\"TreatAsEqualIfWithinMillseconds\" DataType=\"int\" Value=\"300000\" />\n        </InputParameters>\n      </ClaimsTransformation>\n\n    </ClaimsTransformations>\n\n    <ClientDefinitions>\n      <ClientDefinition Id=\"DefaultWeb\">\n        <ClientUIFilterFlags>LineMarkers, MetaRefresh</ClientUIFilterFlags>\n      
</ClientDefinition>\n    </ClientDefinitions>\n\n    <ContentDefinitions>\n\n      <!-- This content definition is to render an error page that displays unhandled errors. -->\n      <ContentDefinition Id=\"api.error\">\n        <LoadUri>~/tenant/templates/AzureBlue/exception.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:globalexception:1.2.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Error page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.idpselections\">\n        <LoadUri>~/tenant/templates/AzureBlue/idpSelector.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Idp selection page</Item>\n          <Item Key=\"language.intro\">Sign in</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.idpselections.signup\">\n        <LoadUri>~/tenant/templates/AzureBlue/idpSelector.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Idp selection page</Item>\n          <Item Key=\"language.intro\">Sign up</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.signuporsignin\">\n        <LoadUri>~/tenant/templates/AzureBlue/unified.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:unifiedssp:2.1.5</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Signin and Signup</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition 
Id=\"api.selfasserted\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Collect information from user page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.selfasserted.profileupdate\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Collect information from user page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountsignup\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Local account sign up page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountpasswordreset\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Local account change password page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountsignin\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        
<DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Collect information from user page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n    </ContentDefinitions>\n\n    <DisplayControls>\n      <DisplayControl Id=\"emailVerificationControl\" UserInterfaceControlType=\"VerificationControl\">\n        <DisplayClaims>\n          <DisplayClaim ClaimTypeReferenceId=\"email\" Required=\"true\" />\n          <DisplayClaim ClaimTypeReferenceId=\"verificationCode\" ControlClaimType=\"VerificationCode\" Required=\"true\" />\n        </DisplayClaims>\n        <OutputClaims></OutputClaims>\n        <Actions>\n          <Action Id=\"SendCode\">\n            <ValidationClaimsExchange>\n              <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId=\"AadSspr-SendCode\" />\n            </ValidationClaimsExchange>\n          </Action>\n          <Action Id=\"VerifyCode\">\n            <ValidationClaimsExchange>\n              <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId=\"AadSspr-VerifyCode\" />\n            </ValidationClaimsExchange>\n          </Action>\n        </Actions>\n      </DisplayControl>\n    </DisplayControls>\n  </BuildingBlocks>\n\n  <!--\n        A list of all the claim providers that can be used in the technical policies. 
If a claims provider is not listed \n        in this section, then it cannot be used in a technical policy.\n    -->\n  <ClaimsProviders>\n\n    <ClaimsProvider>\n      <DisplayName>Local Account SignIn</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"login-NonInteractive\">\n          <DisplayName>Local Account SignIn</DisplayName>\n          <Protocol Name=\"OpenIdConnect\" />\n          <Metadata>\n            <Item Key=\"ProviderName\">https://sts.windows.net/</Item>\n            <Item Key=\"METADATA\">https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration</Item>\n            <Item Key=\"authorization_endpoint\">https://login.microsoftonline.com/{tenant}/oauth2/token</Item>\n            <Item Key=\"response_types\">id_token</Item>\n            <Item Key=\"response_mode\">query</Item>\n            <Item Key=\"scope\">email openid</Item>\n\n            <!-- Policy Engine Clients -->\n            <Item Key=\"UsePolicyInRedirectUri\">false</Item>\n            <Item Key=\"HttpBinding\">POST</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"signInName\" PartnerClaimType=\"username\" Required=\"true\" />\n            <InputClaim ClaimTypeReferenceId=\"password\" Required=\"true\" />\n            <InputClaim ClaimTypeReferenceId=\"grant_type\" DefaultValue=\"password\" AlwaysUseDefaultValue=\"true\" />\n            <InputClaim ClaimTypeReferenceId=\"scope\" DefaultValue=\"openid\" AlwaysUseDefaultValue=\"true\" />\n            <InputClaim ClaimTypeReferenceId=\"nca\" PartnerClaimType=\"nca\" DefaultValue=\"1\" />\n          </InputClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"oid\" />\n            <OutputClaim ClaimTypeReferenceId=\"tenantId\" PartnerClaimType=\"tid\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" PartnerClaimType=\"given_name\" />\n            <OutputClaim 
ClaimTypeReferenceId=\"surName\" PartnerClaimType=\"family_name\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" PartnerClaimType=\"name\" />\n            <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" PartnerClaimType=\"upn\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" DefaultValue=\"localAccountAuthentication\" />\n          </OutputClaims>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Azure Active Directory</DisplayName>\n      <TechnicalProfiles>\n\n        <TechnicalProfile Id=\"AAD-Common\">\n          <DisplayName>Azure Active Directory</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.AzureActiveDirectoryProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n\n          <!-- We need this here to suppress the SelfAsserted provider from invoking SSO on validation profiles. 
-->\n          <IncludeInSso>false</IncludeInSso>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-Noop\" />\n        </TechnicalProfile>\n\n        <!-- Technical profiles for local accounts -->\n\n        <TechnicalProfile Id=\"AAD-UserWriteUsingLogonEmail\">\n          <Metadata>\n            <Item Key=\"Operation\">Write</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalAlreadyExists\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"signInNames.emailAddress\" Required=\"true\" />\n          </InputClaims>\n          <PersistedClaims>\n            <!-- Required claims -->\n            <PersistedClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"signInNames.emailAddress\" />\n            <PersistedClaim ClaimTypeReferenceId=\"newPassword\" PartnerClaimType=\"password\" />\n            <PersistedClaim ClaimTypeReferenceId=\"displayName\" DefaultValue=\"unknown\" />\n            <PersistedClaim ClaimTypeReferenceId=\"passwordPolicies\" DefaultValue=\"DisablePasswordExpiration\" />\n\n            <!-- Optional claims. 
-->\n            <PersistedClaim ClaimTypeReferenceId=\"givenName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"surname\" />\n          </PersistedClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"newUser\" PartnerClaimType=\"newClaimsPrincipalCreated\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" DefaultValue=\"localAccountAuthentication\" />\n            <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <OutputClaim ClaimTypeReferenceId=\"signInNames.emailAddress\" />\n          </OutputClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"AAD-UserReadUsingEmailAddress\">\n          <Metadata>\n            <Item Key=\"Operation\">Read</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"signInNames.emailAddress\" Required=\"true\" />\n          </InputClaims>\n          <OutputClaims>\n            <!-- Required claims -->\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" DefaultValue=\"localAccountAuthentication\" />\n\n            <!-- Optional claims -->\n            <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"accountEnabled\" />\n            <OutputClaim ClaimTypeReferenceId=\"otherMails\" />\n            <OutputClaim ClaimTypeReferenceId=\"signInNames.emailAddress\" />\n          </OutputClaims>\n          
<OutputClaimsTransformations>\n            <OutputClaimsTransformation ReferenceId=\"AssertAccountEnabledIsTrue\" />\n          </OutputClaimsTransformations>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"AAD-UserWritePasswordUsingObjectId\">\n          <Metadata>\n            <Item Key=\"Operation\">Write</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"objectId\" Required=\"true\" />\n          </InputClaims>\n          <PersistedClaims>\n            <PersistedClaim ClaimTypeReferenceId=\"objectId\" />\n            <PersistedClaim ClaimTypeReferenceId=\"newPassword\" PartnerClaimType=\"password\" />\n\n          </PersistedClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n\n        <!-- Technical profiles for updating user record using objectId -->\n\n        <TechnicalProfile Id=\"AAD-UserWriteProfileUsingObjectId\">\n          <Metadata>\n            <Item Key=\"Operation\">Write</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalAlreadyExists\">false</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"objectId\" Required=\"true\" />\n          </InputClaims>\n          <PersistedClaims>\n            <!-- Required claims -->\n            <PersistedClaim ClaimTypeReferenceId=\"objectId\" />\n\n            <!-- Optional claims -->\n            <PersistedClaim ClaimTypeReferenceId=\"givenName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"surname\" />\n          </PersistedClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        
</TechnicalProfile>\n\n        <!-- The following technical profile is used to read data after user authenticates. -->\n        <TechnicalProfile Id=\"AAD-UserReadUsingObjectId\">\n          <Metadata>\n            <Item Key=\"Operation\">Read</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"objectId\" Required=\"true\" />\n          </InputClaims>\n          <OutputClaims>\n\n            <!-- Optional claims -->\n            <OutputClaim ClaimTypeReferenceId=\"signInNames.emailAddress\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"otherMails\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" />\n          </OutputClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Self Asserted</DisplayName>\n      <TechnicalProfiles>\n\n        <TechnicalProfile Id=\"SelfAsserted-ProfileUpdate\">\n          <DisplayName>User ID signup</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"ContentDefinitionReferenceId\">api.selfasserted.profileupdate</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n\n            <InputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n\n            <!-- Optional claims. These claims are collected from the user and can be modified. 
Any claim added here should be updated in the\n                 ValidationTechnicalProfile referenced below so it can be written to directory after being updated by the user, i.e. AAD-UserWriteProfileUsingObjectId. -->\n            <InputClaim ClaimTypeReferenceId=\"givenName\" />\n            <InputClaim ClaimTypeReferenceId=\"surname\" />\n          </InputClaims>\n          <DisplayClaims>\n            <!-- Optional claims. These claims are collected from the user and can be modified. Any claim added here should be updated in the\n                 ValidationTechnicalProfile referenced below so it can be written to directory after being updated by the user, i.e. AAD-UserWriteProfileUsingObjectId. -->\n            <DisplayClaim ClaimTypeReferenceId=\"givenName\" />\n            <DisplayClaim ClaimTypeReferenceId=\"surname\" />\n          </DisplayClaims>\n          <OutputClaims>\n            <!-- Required claims -->\n            <OutputClaim ClaimTypeReferenceId=\"executed-SelfAsserted-Input\" DefaultValue=\"true\" />\n\n            <!-- Optional claims. These claims are collected from the user and can be modified. Any claim added here should be updated in the\n                 ValidationTechnicalProfile referenced below so it can be written to directory after being updated by the user, i.e. AAD-UserWriteProfileUsingObjectId. 
-->\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserWriteProfileUsingObjectId\" />\n          </ValidationTechnicalProfiles>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Local Account</DisplayName>\n      <TechnicalProfiles>\n\n        <TechnicalProfile Id=\"LocalAccountSignUpWithLogonEmail\">\n          <DisplayName>Email signup</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"IpAddressClaimReferenceId\">IpAddress</Item>\n            <Item Key=\"ContentDefinitionReferenceId\">api.localaccountsignup</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"email\" />\n          </InputClaims>\n          <DisplayClaims>\n            <DisplayClaim DisplayControlReferenceId=\"emailVerificationControl\" />\n            <DisplayClaim ClaimTypeReferenceId=\"newPassword\" Required=\"true\" />\n            <DisplayClaim ClaimTypeReferenceId=\"reenterPassword\" Required=\"true\" />\n\n            <!-- Optional claims, to be collected from the user -->\n            <DisplayClaim ClaimTypeReferenceId=\"displayName\" />\n            <DisplayClaim ClaimTypeReferenceId=\"givenName\" />\n            <DisplayClaim ClaimTypeReferenceId=\"surName\" />\n          </DisplayClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim 
ClaimTypeReferenceId=\"email\" />\n            <OutputClaim ClaimTypeReferenceId=\"newPassword\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"reenterPassword\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"executed-SelfAsserted-Input\" DefaultValue=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" />\n            <OutputClaim ClaimTypeReferenceId=\"newUser\" />\n\n            <!-- Optional claims, to be collected from the user -->\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surName\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserWriteUsingLogonEmail\" />\n          </ValidationTechnicalProfiles>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n\n        <!-- This technical profile uses a validation technical profile to authenticate the user. 
-->\n        <TechnicalProfile Id=\"SelfAsserted-LocalAccountSignin-Email\">\n          <DisplayName>Local Account Signin</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"SignUpTarget\">SignUpWithLogonEmailExchange</Item>\n            <Item Key=\"setting.operatingMode\">Email</Item>\n            <Item Key=\"ContentDefinitionReferenceId\">api.localaccountsignin</Item>\n            <Item Key=\"IncludeClaimResolvingInClaimsHandling\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <!-- Pre-fills the sign-in name from the request's login_hint parameter, which is caller-supplied and untrusted. It only seeds the editable signInName field; the user is still authenticated by the password that the login-NonInteractive validation profile below checks. -->\n            <InputClaim ClaimTypeReferenceId=\"signInName\" DefaultValue=\"{OIDC:LoginHint}\" AlwaysUseDefaultValue=\"true\" />\n          </InputClaims>\n          <DisplayClaims>\n            <DisplayClaim ClaimTypeReferenceId=\"signInName\" Required=\"true\" />\n            <DisplayClaim ClaimTypeReferenceId=\"password\" Required=\"true\" />\n          </DisplayClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"signInName\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"password\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"login-NonInteractive\" />\n          </ValidationTechnicalProfiles>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n\n        <!-- This technical profile forces the user to verify the email address that they provide on the UI. The emailVerificationControl actions (AadSspr-SendCode, AadSspr-VerifyCode) are triggered from the page before it can be submitted, and the AAD-UserReadUsingEmailAddress validation profile runs on submit, so the account is read from the directory (failing if it does not exist or is not enabled) only after ownership of the mailbox has been proven. Keep that ordering: it is what stops this page from being used to enumerate accounts, since the lookup outcome is only observable to someone who controls the mailbox. 
-->\n        <TechnicalProfile Id=\"LocalAccountDiscoveryUsingEmailAddress\">\n          <DisplayName>Reset password using email address</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"IpAddressClaimReferenceId\">IpAddress</Item>\n            <Item Key=\"ContentDefinitionReferenceId\">api.localaccountpasswordreset</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n          <IncludeInSso>false</IncludeInSso>\n          <DisplayClaims>\n            <DisplayClaim DisplayControlReferenceId=\"emailVerificationControl\" />\n          </DisplayClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"email\" />\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" />\n\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserReadUsingEmailAddress\" />\n          </ValidationTechnicalProfiles>\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"LocalAccountWritePasswordUsingObjectId\">\n          <DisplayName>Change password (username)</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"ContentDefinitionReferenceId\">api.localaccountpasswordreset</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n  
        </CryptographicKeys>\n          <InputClaims>\n            <!-- objectId is not displayed to or editable by the user; it comes from the claims bag populated by the previous step of the PasswordReset journey (LocalAccountDiscoveryUsingEmailAddress, which only outputs it after the email was verified), so the new password can only be written to the account that owns the verified mailbox. -->\n            <InputClaim ClaimTypeReferenceId=\"objectId\" />\n\n          </InputClaims>\n          <DisplayClaims>\n            <DisplayClaim ClaimTypeReferenceId=\"newPassword\" Required=\"true\" />\n            <DisplayClaim ClaimTypeReferenceId=\"reenterPassword\" Required=\"true\" />\n          </DisplayClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"newPassword\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"reenterPassword\" Required=\"true\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserWritePasswordUsingObjectId\" />\n          </ValidationTechnicalProfiles>\n        </TechnicalProfile>\n\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Session Management</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"SM-Noop\">\n          <DisplayName>Noop Session Management Provider</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.NoopSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"SM-AAD\">\n          <DisplayName>Session Management Provider</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.DefaultSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <PersistedClaims>\n            <PersistedClaim ClaimTypeReferenceId=\"objectId\" />\n            <PersistedClaim ClaimTypeReferenceId=\"signInName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"authenticationSource\" />\n            <PersistedClaim ClaimTypeReferenceId=\"identityProvider\" />\n            <PersistedClaim ClaimTypeReferenceId=\"newUser\" />\n            <PersistedClaim 
ClaimTypeReferenceId=\"executed-SelfAsserted-Input\" />\n          </PersistedClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectIdFromSession\" DefaultValue=\"true\" />\n          </OutputClaims>\n        </TechnicalProfile>\n\n        <!-- Session management technical profile for OIDC based tokens -->\n        <TechnicalProfile Id=\"SM-jwt-issuer\">\n          <DisplayName>Session Management Provider</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.OAuthSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Trustframework Policy Engine TechnicalProfiles</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"TpEngine_c3bd4fe2-1775-4013-b91d-35f16d377d13\">\n          <DisplayName>Trustframework Policy Engine Default Technical Profile</DisplayName>\n          <Protocol Name=\"None\" />\n          <Metadata>\n            <Item Key=\"url\">{service:te}</Item>\n          </Metadata>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Token Issuer</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"JwtIssuer\">\n          <DisplayName>JWT Issuer</DisplayName>\n          <Protocol Name=\"OpenIdConnect\" />\n          <OutputTokenFormat>JWT</OutputTokenFormat>\n          <Metadata>\n            <Item Key=\"client_id\">{service:te}</Item>\n            <Item Key=\"issuer_refresh_token_user_identity_claim_type\">objectId</Item>\n            <Item Key=\"SendTokenResponseBodyWithJsonNumbers\">true</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n            <Key Id=\"issuer_refresh_token_key\" 
StorageReferenceId=\"B2C_1A_TokenEncryptionKeyContainer\" />\n          </CryptographicKeys>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-jwt-issuer\" />\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n     <!-- Claims provider for refresh token revocation. The RedeemRefreshToken journey surfaces refreshTokenIssuedOnDateTime via RefreshTokenReadAndSetup and compares it, through AssertRefreshTokenIssuedLaterThanValidFromDate, with the user's refreshTokensValidFromDateTime read from the directory, so a token issued before that date is expected to fail redemption (confirm against the transformation definition in BuildingBlocks). -->\n  <ClaimsProvider>\n    <DisplayName>Refresh token journey</DisplayName>\n    <TechnicalProfiles>\n      <TechnicalProfile Id=\"RefreshTokenReadAndSetup\">\n        <DisplayName>Trustframework Policy Engine Refresh Token Setup Technical Profile</DisplayName>\n        <Protocol Name=\"None\" />\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n          <OutputClaim ClaimTypeReferenceId=\"refreshTokenIssuedOnDateTime\" />\n          <!-- Requirement: any claim that the relying party technical profile returns in its output claims\n            but that is not stored in Azure AD B2C must also be added to the output claims collection here,\n            so that it is available when the RedeemRefreshToken journey issues the new token. -->\n          <!--\n          <OutputClaim ClaimTypeReferenceId=\"RESTAPIclaim1\" />\n          <OutputClaim ClaimTypeReferenceId=\"IDPclaim1\" />\n           -->\n        </OutputClaims>\n      </TechnicalProfile>\n\n\n      <!-- Inherits AAD-UserReadUsingObjectId, so a deleted user fails redemption (RaiseErrorIfClaimsPrincipalDoesNotExist is true there). Unlike AAD-UserReadUsingEmailAddress, this read does not assert accountEnabled; if a disabled account must also be unable to redeem refresh tokens, add accountEnabled to the output claims and an AssertAccountEnabledIsTrue output claims transformation here. -->\n      <TechnicalProfile Id=\"AAD-UserReadUsingObjectId-CheckRefreshTokenDate\">\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"refreshTokensValidFromDateTime\" />\n          <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n        </OutputClaims>\n        <OutputClaimsTransformations>\n          <OutputClaimsTransformation ReferenceId=\"AssertRefreshTokenIssuedLaterThanValidFromDate\" />\n        </OutputClaimsTransformations>\n        <IncludeTechnicalProfile ReferenceId=\"AAD-UserReadUsingObjectId\" />\n      </TechnicalProfile>\n    </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>AAD SSPR</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"AadSspr-SendCode\">\n          <DisplayName>Send 
Code</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.AadSsprProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"Operation\">SendCode</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"emailAddress\" />\n          </InputClaims>\n        </TechnicalProfile>\n        <TechnicalProfile Id=\"AadSspr-VerifyCode\">\n          <DisplayName>Verify Code</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.AadSsprProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"Operation\">VerifyCode</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"verificationCode\" />\n            <InputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"emailAddress\" />\n          </InputClaims>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n  </ClaimsProviders>\n\n  <UserJourneys>\n\n    <UserJourney Id=\"SignUpOrSignIn\">\n      <OrchestrationSteps>\n\n        <OrchestrationStep Order=\"1\" Type=\"CombinedSignInAndSignUp\" ContentDefinitionReferenceId=\"api.signuporsignin\">\n          <ClaimsProviderSelections>\n            <ClaimsProviderSelection ValidationClaimsExchangeId=\"LocalAccountSigninEmailExchange\" />\n          </ClaimsProviderSelections>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"LocalAccountSigninEmailExchange\" TechnicalProfileReferenceId=\"SelfAsserted-LocalAccountSignin-Email\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>objectId</Value>\n     
         <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"SignUpWithLogonEmailExchange\" TechnicalProfileReferenceId=\"LocalAccountSignUpWithLogonEmail\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- This step reads any user attributes that we may not have received when in the token. -->\n        <OrchestrationStep Order=\"3\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserReadWithObjectId\" TechnicalProfileReferenceId=\"AAD-UserReadUsingObjectId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <OrchestrationStep Order=\"4\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n\n      </OrchestrationSteps>\n      <ClientDefinition ReferenceId=\"DefaultWeb\" />\n    </UserJourney>\n\n    <UserJourney Id=\"ProfileEdit\">\n      <OrchestrationSteps>\n\n        <OrchestrationStep Order=\"1\" Type=\"ClaimsProviderSelection\" ContentDefinitionReferenceId=\"api.idpselections\">\n          <ClaimsProviderSelections>\n            <ClaimsProviderSelection TargetClaimsExchangeId=\"LocalAccountSigninEmailExchange\" />\n          </ClaimsProviderSelections>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"LocalAccountSigninEmailExchange\" TechnicalProfileReferenceId=\"SelfAsserted-LocalAccountSignin-Email\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"3\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserReadWithObjectId\" TechnicalProfileReferenceId=\"AAD-UserReadUsingObjectId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <OrchestrationStep Order=\"4\" Type=\"ClaimsExchange\">\n          
<ClaimsExchanges>\n            <ClaimsExchange Id=\"B2CUserProfileUpdateExchange\" TechnicalProfileReferenceId=\"SelfAsserted-ProfileUpdate\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"5\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n\n      </OrchestrationSteps>\n      <ClientDefinition ReferenceId=\"DefaultWeb\" />\n    </UserJourney>\n\n    <UserJourney Id=\"PasswordReset\">\n      <OrchestrationSteps>\n        <OrchestrationStep Order=\"1\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"PasswordResetUsingEmailAddressExchange\" TechnicalProfileReferenceId=\"LocalAccountDiscoveryUsingEmailAddress\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"NewCredentials\" TechnicalProfileReferenceId=\"LocalAccountWritePasswordUsingObjectId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"3\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n      </OrchestrationSteps>\n      <ClientDefinition ReferenceId=\"DefaultWeb\" />\n    </UserJourney>\n\n    <UserJourney Id=\"RedeemRefreshToken\">\n      <PreserveOriginalAssertion>false</PreserveOriginalAssertion>\n      <OrchestrationSteps>\n        <OrchestrationStep Order=\"1\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"RefreshTokenSetupExchange\" TechnicalProfileReferenceId=\"RefreshTokenReadAndSetup\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- Extra steps can be added before or after this step for REST API or claims transformation calls-->\n\n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"CheckRefreshTokenDateFromAadExchange\" 
TechnicalProfileReferenceId=\"AAD-UserReadUsingObjectId-CheckRefreshTokenDate\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"3\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n      </OrchestrationSteps>\n    </UserJourney>\n    \n  </UserJourneys>\n</TrustFrameworkPolicy>"
  },
  {
    "path": "Display Controls Starterpack/LocalAccounts/TrustFrameworkExtensions.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n<TrustFrameworkPolicy \n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" \n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\" \n  PolicySchemaVersion=\"0.3.0.0\" \n  TenantId=\"yourtenant.onmicrosoft.com\" \n  PolicyId=\"B2C_1A_TrustFrameworkExtensions\" \n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions\">\n\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkLocalization</PolicyId>\n  </BasePolicy>\n  <BuildingBlocks></BuildingBlocks>\n\n  <ClaimsProviders>\n\n\n    <ClaimsProvider>\n      <DisplayName>Local Account SignIn</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"login-NonInteractive\">\n          <!-- Placeholders: replace ProxyIdentityExperienceFrameworkAppId and IdentityExperienceFrameworkAppId with the Application (client) IDs of the two app registrations in this tenant. They are identifiers, not secrets, so they can be committed. Each ID appears twice (Metadata item and InputClaim default); keep both copies in sync. IdTokenAudience is presumably the audience the returned id_token is checked against, so it must be the exact IdentityExperienceFramework app ID. -->\n          <Metadata>\n            <Item Key=\"client_id\">ProxyIdentityExperienceFrameworkAppId</Item>\n            <Item Key=\"IdTokenAudience\">IdentityExperienceFrameworkAppId</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"client_id\" DefaultValue=\"ProxyIdentityExperienceFrameworkAppId\" />\n            <InputClaim ClaimTypeReferenceId=\"resource_id\" PartnerClaimType=\"resource\" DefaultValue=\"IdentityExperienceFrameworkAppId\" />\n          </InputClaims>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n  </ClaimsProviders>\n\n  <!--UserJourneys>\n\t\n\t</UserJourneys-->\n\n</TrustFrameworkPolicy>"
  },
  {
    "path": "Display Controls Starterpack/LocalAccounts/TrustFrameworkLocalization.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n<TrustFrameworkPolicy \n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" \n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\" \n  PolicySchemaVersion=\"0.3.0.0\" \n  TenantId=\"yourtenant.onmicrosoft.com\" \n  PolicyId=\"B2C_1A_TrustFrameworkLocalization\" \n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkLocalization\">\n\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>\n  </BasePolicy>\n\n  <BuildingBlocks>\n\n    <ContentDefinitions>\n      <ContentDefinition Id=\"api.signuporsignin\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.signuporsignin.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountsignup\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.localaccountsignup.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.selfasserted\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.selfasserted.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountpasswordreset\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.localaccountpasswordreset.en\" />\n          
<!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.idpselections\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.idpselections.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountsignin\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.localaccountsignin.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.selfasserted.profileupdate\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.selfasserted.profileupdate.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n    </ContentDefinitions>\n\n    <Localization Enabled=\"true\">\n      <SupportedLanguages DefaultLanguage=\"en\" MergeBehavior=\"Append\">\n        <SupportedLanguage>en</SupportedLanguage>\n      </SupportedLanguages>\n\n      <LocalizedResources Id=\"api.signuporsignin.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"signInName\" StringId=\"DisplayName\">Email Address</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"heading\">Sign in</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"local_intro_generic\">Sign in with your {0}</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"password\" StringId=\"DisplayName\">Password</LocalizedString>\n          
<LocalizedString ElementType=\"UxElement\" StringId=\"requiredField_password\">Please enter your password</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"requiredField_generic\">Please enter your {0}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"invalid_generic\">Please enter a valid {0}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"createaccount_one_link\">Sign up now</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"createaccount_two_links\">Sign up with {0} or {1}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"createaccount_three_links\">Sign up with {0}, {1}, or {2}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"forgotpassword_link\">Forgot your password?</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_signin\">Sign in</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"createaccount_intro\">Don't have an account?</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"unknown_error\">We are having trouble signing you in. Please try again later.</LocalizedString>\n          <!-- Uncomment the remember_me only if the keep me signed in is activated. 
\n          <LocalizedString ElementType=\"UxElement\" StringId=\"remember_me\">Keep me signed in</LocalizedString> -->\n          <LocalizedString ElementType=\"ClaimsProvider\" StringId=\"FacebookExchange\">Facebook</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"ResourceOwnerFlowInvalidCredentials\">Your password is incorrect.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfInvalidPassword\">Your password is incorrect.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfPasswordExpired\">Your password has expired.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalDoesNotExist\">We can't seem to find your account.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfOldPasswordUsed\">Looks like you used an old password.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"DefaultMessage\">Invalid username or password.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfUserAccountDisabled\">Your account has been locked. Contact your support person to unlock it, then try again.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfUserAccountLocked\">Your account is temporarily locked to prevent unauthorized use. Try again later.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"AADRequestsThrottled\">There are too many requests at this moment. 
Please wait for some time and try again.</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!--Local account sign-up page English-->\n      <LocalizedResources Id=\"api.localaccountsignup.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"DisplayName\">Email Address</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"UserHelpText\">Email address that can be used to contact you.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"PatternHelpText\">Please enter a valid email address.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"DisplayName\">New Password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"UserHelpText\">Enter new password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"PatternHelpText\">8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ &amp; * - _ + = [ ] { } | \\ : ' , ? / ` ~ \" ( ) ; .</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"DisplayName\">Confirm New Password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"UserHelpText\">Confirm new password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"PatternHelpText\">8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ &amp; * - _ + = [ ] { } | \\ : ' , ? 
/ ` ~ \" ( ) ; .</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"DisplayName\">Display Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"UserHelpText\">Your display name.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"DisplayName\">Surname</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"UserHelpText\">Your surname (also known as family name or last name).</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"DisplayName\">Given Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"UserHelpText\">Your given name (also known as first name).</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_continue\">Create</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_fieldIncorrect\">One or more fields are filled out incorrectly. Please check your entries and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_passwordEntryMismatch\">The password entry fields do not match. Please enter the same password in both fields and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_requiredFieldMissing\">A required field is missing. 
Please fill out all required fields and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"helplink_text\">What is this?</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"initial_intro\">Please provide the following details.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"preloader_alt\">Please wait</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"required_field\">This information is required.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_cancel\">Cancel</LocalizedString>\n          <!-- Display control UI elements-->\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"intro_msg\">Verification is necessary. Please click Send button.</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"success_send_code_msg\">Verification code has been sent to your inbox. Please copy it to the input box below.</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"failure_send_code_msg\">We are having trouble verifying your email address. Please enter a valid email address and try again.</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"success_verify_code_msg\">E-mail address verified. You can now continue.</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"failure_verify_code_msg\">We are having trouble verifying your email address. 
Please try again.</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"but_send_code\">Send verification code</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"but_verify_code\">Verify code</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"but_send_new_code\">Send new code</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"but_change_claims\">Change e-mail</LocalizedString>\n          <!-- Display control errors -->\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfInternalError\">We are having trouble verifying your email address. Please try again later.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfThrottled\">There have been too many requests to verify this email address. Please wait a while, then try again.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfChallengeExpired\">That code is expired. Please request a new code.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfVerificationFailedNoRetry\">You've made too many incorrect attempts. Please try again later.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfVerificationFailedRetryAllowed\">That code is incorrect. Please try again.</LocalizedString>\n          <!-- Generic errors -->\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"ServiceThrottled\">There are too many requests at this moment. 
Please wait for some time and try again.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimNotVerified\">Claim not verified: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalAlreadyExists\">A user with the specified ID already exists. Please choose a different one.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfIncorrectPattern\">Incorrect pattern for: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfInvalidInput\">{0} has invalid input.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfMissingRequiredElement\">Missing required element: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfValidationError\">Error in validation by: {0}</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Self-asserted page English-->\n      <LocalizedResources Id=\"api.selfasserted.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalAlreadyExists\">You are already registered, please press the back button and sign in instead.</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Password reset page English-->\n      <LocalizedResources Id=\"api.localaccountpasswordreset.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"DisplayName\">Email Address</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"UserHelpText\">Email address that can be used to contact you.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"PatternHelpText\">Please enter a valid 
email address.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"DisplayName\">New Password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"UserHelpText\">Enter new password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"PatternHelpText\">8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ &amp; * - _ + = [ ] { } | \\ : ' , ? / ` ~ \" ( ) ; .</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"DisplayName\">Confirm New Password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"UserHelpText\">Confirm new password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"PatternHelpText\">8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ &amp; * - _ + = [ ] { } | \\ : ' , ? / ` ~ \" ( ) ; .</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_passwordEntryMismatch\">The password entry fields do not match. Please enter the same password in both fields and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_fieldIncorrect\">One or more fields are filled out incorrectly. 
Please check your entries and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_continue\">Continue</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_cancel\">Cancel</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalDoesNotExist\">An account could not be found for the provided user ID.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsTransformationBooleanValueIsNotEqual\">Your account has been locked. Contact your support person to unlock it, then try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"required_field\">This information is required.</LocalizedString>\n          <!-- Display control UI elements-->\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"intro_msg\">Verification is necessary. Please click Send button.</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"success_send_code_msg\">Verification code has been sent to your inbox. Please copy it to the input box below.</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"failure_send_code_msg\">We are having trouble verifying your email address. Please enter a valid email address and try again.</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"success_verify_code_msg\">E-mail address verified. You can now continue.</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"failure_verify_code_msg\">We are having trouble verifying your email address. 
Please try again.</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"but_send_code\">Send verification code</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"but_verify_code\">Verify code</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"but_send_new_code\">Send new code</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"but_change_claims\">Change e-mail</LocalizedString>\n          <!-- Display control errors -->\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfInternalError\">We are having trouble verifying your email address. Please try again later.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfThrottled\">There have been too many requests to verify this email address. Please wait a while, then try again.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfChallengeExpired\">That code is expired. Please request a new code.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfVerificationFailedNoRetry\">You've made too many incorrect attempts. Please try again later.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfVerificationFailedRetryAllowed\">That code is incorrect. Please try again.</LocalizedString>\n          <!-- Generic errors -->\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"ServiceThrottled\">There are too many requests at this moment. 
Please wait for some time and try again.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimNotVerified\">Claim not verified: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalAlreadyExists\">A user with the specified ID already exists. Please choose a different one.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfIncorrectPattern\">Incorrect pattern for: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfInvalidInput\">{0} has invalid input.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfMissingRequiredElement\">Missing required element: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfValidationError\">Error in validation by: {0}</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Edit profile sign-in page English-->\n      <LocalizedResources Id=\"api.idpselections.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"intro\">Sign in</LocalizedString>\n          <LocalizedString ElementType=\"ClaimsProvider\" StringId=\"LocalAccountSigninEmailExchange\">Local Account Signin</LocalizedString>\n          <LocalizedString ElementType=\"ClaimsProvider\" StringId=\"FacebookExchange\">Facebook</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Edit profile sign-in with local account English-->\n      <LocalizedResources Id=\"api.localaccountsignin.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"signInName\" StringId=\"DisplayName\">Email Address</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"password\" 
StringId=\"DisplayName\">Password</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_continue\">Continue</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_cancel\">Cancel</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"ResourceOwnerFlowInvalidCredentials\">Your password is incorrect.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfInvalidPassword\">Your password is incorrect.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfPasswordExpired\">Your password has expired.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalDoesNotExist\">We can't seem to find your account.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfOldPasswordUsed\">Looks like you used an old password.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"DefaultMessage\">Invalid username or password.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfUserAccountDisabled\">Your account has been locked. Contact your support person to unlock it, then try again.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfUserAccountLocked\">Your account is temporarily locked to prevent unauthorized use. Try again later.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"AADRequestsThrottled\">There are too many requests at this moment. 
Please wait for some time and try again.</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Edit profile page English-->\n      <LocalizedResources Id=\"api.selfasserted.profileupdate.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"DisplayName\">Display Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"UserHelpText\">Your display name.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"DisplayName\">Surname</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"UserHelpText\">Your surname (also known as family name or last name).</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"DisplayName\">Given Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"UserHelpText\">Your given name (also known as first name).</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_continue\">Continue</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_cancel\">Cancel</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n      <!-- Add more languages here -->\n    </Localization>\n  </BuildingBlocks>\n\n</TrustFrameworkPolicy>"
  },
  {
    "path": "Display Controls Starterpack/SocialAccounts/ProfileEdit.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<TrustFrameworkPolicy\n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\"\n  PolicySchemaVersion=\"0.3.0.0\"\n  TenantId=\"yourtenant.onmicrosoft.com\"\n  PolicyId=\"B2C_1A_ProfileEdit\"\n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_ProfileEdit\">\n\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>\n  </BasePolicy>\n\n  <RelyingParty>\n    <DefaultUserJourney ReferenceId=\"ProfileEdit\" />\n    <TechnicalProfile Id=\"PolicyProfile\">\n      <DisplayName>PolicyProfile</DisplayName>\n      <Protocol Name=\"OpenIdConnect\" />\n      <OutputClaims>\n        <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"sub\"/>\n        <OutputClaim ClaimTypeReferenceId=\"tenantId\" AlwaysUseDefaultValue=\"true\" DefaultValue=\"{Policy:TenantObjectId}\" />\n      </OutputClaims>\n      <SubjectNamingInfo ClaimType=\"sub\" />\n    </TechnicalProfile>\n  </RelyingParty>\n</TrustFrameworkPolicy>\n\n\n"
  },
  {
    "path": "Display Controls Starterpack/SocialAccounts/SignUpOrSignin.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<TrustFrameworkPolicy\n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\"\n  PolicySchemaVersion=\"0.3.0.0\"\n  TenantId=\"yourtenant.onmicrosoft.com\"\n  PolicyId=\"B2C_1A_signup_signin\"\n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_signup_signin\">\n\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>\n  </BasePolicy>\n\n  <RelyingParty>\n    <DefaultUserJourney ReferenceId=\"SignUpOrSignIn\" />\n    <Endpoints>\n      <!--points to refresh token journey when app makes refresh token request-->\n      <Endpoint Id=\"Token\" UserJourneyReferenceId=\"RedeemRefreshToken\" />\n\n    </Endpoints>\n    <TechnicalProfile Id=\"PolicyProfile\">\n      <DisplayName>PolicyProfile</DisplayName>\n      <Protocol Name=\"OpenIdConnect\" />\n      <OutputClaims>\n        <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n        <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n        <OutputClaim ClaimTypeReferenceId=\"surname\" />\n        <OutputClaim ClaimTypeReferenceId=\"email\" />\n        <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"sub\"/>\n        <OutputClaim ClaimTypeReferenceId=\"identityProvider\" />\n        <OutputClaim ClaimTypeReferenceId=\"tenantId\" AlwaysUseDefaultValue=\"true\" DefaultValue=\"{Policy:TenantObjectId}\" />\n      </OutputClaims>\n      <SubjectNamingInfo ClaimType=\"sub\" />\n    </TechnicalProfile>\n  </RelyingParty>\n</TrustFrameworkPolicy>\n"
  },
  {
    "path": "Display Controls Starterpack/SocialAccounts/TrustFrameworkBase.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<TrustFrameworkPolicy\n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\"\n  PolicySchemaVersion=\"0.3.0.0\"\n  TenantId=\"yourtenant.onmicrosoft.com\"\n  PolicyId=\"B2C_1A_TrustFrameworkBase\"\n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkBase\">\n\n  <BuildingBlocks>\n    <ClaimsSchema>\n      <!-- The ClaimsSchema is divided into three sections:\n           1. Section I lists the minimum claims that are required for the user journeys to work properly.\n           2. Section II lists the claims required for query string parameters and other special parameters \n              to be passed to other claims providers, esp. login.microsoftonline.com for authentication. \n              Please do not modify these claims.\n           3. Section III lists any additional (optional) claims that can be collected from the user, stored \n              in the directory and sent in tokens during sign in. Add new claims to be collected from the user \n              and/or sent in the token in Section III. -->\n\n      <!-- NOTE: The claims schema contains restrictions on certain claims such as passwords and usernames. \n           The trust framework policy treats Azure AD as any other claims provider and all its restrictions \n           are modelled in the policy. A policy could be modified to add more restrictions, or use another \n           claims provider for credential storage which will have its own restrictions. 
-->\n\n      <!-- SECTION I: Claims required for user journeys to work properly -->\n      <!-- The claim socialIdpUserId has been renamed to issuerUserId -->\n      <ClaimType Id=\"issuerUserId\">\n        <DisplayName>Username</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText/>\n        <UserInputType>TextBox</UserInputType>\n        <Restriction>\n          <Pattern RegularExpression=\"^[a-zA-Z0-9]+[a-zA-Z0-9_-]*$\" HelpText=\"The username you provided is not valid. It must begin with an alphabet or number and can contain alphabets, numbers and the following symbols: _ -\" />\n        </Restriction>\n      </ClaimType>\n\n      <ClaimType Id=\"tenantId\">\n        <DisplayName>User's Object's Tenant ID</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"tid\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"tid\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.microsoft.com/identity/claims/tenantid\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Tenant identifier (ID) of the user object in Azure AD.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"objectId\">\n        <DisplayName>User's Object ID</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"oid\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"oid\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.microsoft.com/identity/claims/objectidentifier\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Object identifier (ID) of the user object in Azure AD.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"sub\">\n        <DisplayName>Subject</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OpenIdConnect\" 
PartnerClaimType=\"sub\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText/>\n      </ClaimType>\n\n      <ClaimType Id=\"alternativeSecurityId\">\n        <DisplayName>AlternativeSecurityId</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText/>\n      </ClaimType>\n\n      <ClaimType Id=\"mailNickName\">\n        <DisplayName>MailNickName</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Your mail nick name as stored in the Azure Active Directory.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"identityProvider\">\n        <DisplayName>Identity Provider</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"idp\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"idp\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.microsoft.com/identity/claims/identityprovider\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText/>\n      </ClaimType>\n\n      <ClaimType Id=\"displayName\">\n        <DisplayName>Display Name</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"unique_name\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"name\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Your display name.</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n      <ClaimType Id=\"email\">\n        <DisplayName>Email Address</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"email\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Email address that can be used to contact 
you.</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n        <Restriction>\n          <Pattern RegularExpression=\"^[a-zA-Z0-9!#$%&amp;'+^_`{}~-]+(?:\\.[a-zA-Z0-9!#$%&amp;'+^_`{}~-]+)*@(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?\\.)+[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?$\" HelpText=\"Please enter a valid email address.\" />\n        </Restriction>\n      </ClaimType>\n\n      <ClaimType Id=\"otherMails\">\n        <DisplayName>Alternate Email Addresses</DisplayName>\n        <DataType>stringCollection</DataType>\n        <UserHelpText>Email addresses that can be used to contact the user.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"userPrincipalName\">\n        <DisplayName>UserPrincipalName</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"upn\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"upn\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.microsoft.com/identity/claims/userprincipalname\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Your user name as stored in the Azure Active Directory.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"upnUserName\">\n        <DisplayName>UPN User Name</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>The user name for creating user principal name.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"newUser\">\n        <DisplayName>User is new</DisplayName>\n        <DataType>boolean</DataType>\n        <UserHelpText/>\n      </ClaimType>\n\n      <ClaimType Id=\"executed-SelfAsserted-Input\">\n        <DisplayName>Executed-SelfAsserted-Input</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>A claim that specifies whether attributes were collected from the user.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"authenticationSource\">\n        
<DisplayName>AuthenticationSource</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Specifies whether the user was authenticated at Social IDP or local account.</UserHelpText>\n      </ClaimType>\n\n\n       <!--claims for refresh token revocation-->\n       <ClaimType Id=\"refreshTokenIssuedOnDateTime\">\n        <DisplayName>refreshTokenIssuedOnDateTime</DisplayName>\n        <DataType>string</DataType>\n        <AdminHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</AdminHelpText>\n        <UserHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"refreshTokensValidFromDateTime\">\n        <DisplayName>refreshTokensValidFromDateTime</DisplayName>\n        <DataType>string</DataType>\n        <AdminHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</AdminHelpText>\n        <UserHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</UserHelpText>\n      </ClaimType>\n\n      <!-- SECTION II: Claims required to pass on special parameters (including some query string parameters) to other claims providers -->\n\n      <ClaimType Id=\"objectIdFromSession\">\n        <DisplayName>objectIdFromSession</DisplayName>\n        <DataType>boolean</DataType>\n        <UserHelpText>Parameter provided by the default session management provider to indicate that the object id has been retrieved from an SSO session.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"isActiveMFASession\">\n        <DisplayName>isActiveMFASession</DisplayName>\n        <DataType>boolean</DataType>\n        <UserHelpText>Parameter provided by the MFA session management to indicate that the user has an active MFA session.</UserHelpText>\n      
</ClaimType>\n\n      <!-- SECTION III: Additional claims that can be collected from the users, stored in the directory, and sent in the token. Add additional claims here. -->\n\n      <ClaimType Id=\"givenName\">\n        <DisplayName>Given Name</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"given_name\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"given_name\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Your given name (also known as first name).</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n      <ClaimType Id=\"surname\">\n        <DisplayName>Surname</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"family_name\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"family_name\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Your surname (also known as family name or last name).</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n    </ClaimsSchema>\n\n    <ClaimsTransformations>\n      <ClaimsTransformation Id=\"CreateOtherMailsFromEmail\" TransformationMethod=\"AddItemToStringCollection\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"email\" TransformationClaimType=\"item\" />\n          <InputClaim ClaimTypeReferenceId=\"otherMails\" TransformationClaimType=\"collection\" />\n        </InputClaims>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"otherMails\" TransformationClaimType=\"collection\" />\n        </OutputClaims>\n      
</ClaimsTransformation>\n\n      <ClaimsTransformation Id=\"CreateRandomUPNUserName\" TransformationMethod=\"CreateRandomString\">\n        <InputParameters>\n          <InputParameter Id=\"randomGeneratorType\" DataType=\"string\" Value=\"GUID\" />\n        </InputParameters>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"upnUserName\" TransformationClaimType=\"outputClaim\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n\n      <ClaimsTransformation Id=\"CreateUserPrincipalName\" TransformationMethod=\"FormatStringClaim\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"upnUserName\" TransformationClaimType=\"inputClaim\" />\n        </InputClaims>\n        <InputParameters>\n          <InputParameter Id=\"stringFormat\" DataType=\"string\" Value=\"cpim_{0}@{RelyingPartyTenantId}\" />\n        </InputParameters>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" TransformationClaimType=\"outputClaim\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n\n      <ClaimsTransformation Id=\"CreateAlternativeSecurityId\" TransformationMethod=\"CreateAlternativeSecurityId\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"issuerUserId\" TransformationClaimType=\"key\" />\n          <InputClaim ClaimTypeReferenceId=\"identityProvider\" TransformationClaimType=\"identityProvider\" />\n        </InputClaims>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"alternativeSecurityId\" TransformationClaimType=\"alternativeSecurityId\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n\n      <ClaimsTransformation Id=\"CreateSubjectClaimFromAlternativeSecurityId\" TransformationMethod=\"CreateStringClaim\">\n        <InputParameters>\n          <InputParameter Id=\"value\" DataType=\"string\" Value=\"Not supported currently. 
Use oid claim.\" />\n        </InputParameters>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"sub\" TransformationClaimType=\"createdClaim\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n\n      \n\n      <!-- Refresh token revocation check: asserts that the refresh token was issued after the user's\n           refreshTokensValidFromDateTime, so a token issued before that timestamp is rejected. Times within\n           300000 ms (5 minutes) are treated as equal to absorb clock skew (AssertIfEqualTo governs that case),\n           so tokens issued inside that window may still be accepted after a revocation. The assertion passes\n           when no refreshTokensValidFromDateTime is present for the user (AssertIfRightOperandIsNotPresent=true). -->\n      <ClaimsTransformation Id=\"AssertRefreshTokenIssuedLaterThanValidFromDate\" TransformationMethod=\"AssertDateTimeIsGreaterThan\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"refreshTokenIssuedOnDateTime\" TransformationClaimType=\"leftOperand\" />\n          <InputClaim ClaimTypeReferenceId=\"refreshTokensValidFromDateTime\" TransformationClaimType=\"rightOperand\" />\n        </InputClaims>\n        <InputParameters>\n          <InputParameter Id=\"AssertIfEqualTo\" DataType=\"boolean\" Value=\"false\" />\n          <InputParameter Id=\"AssertIfRightOperandIsNotPresent\" DataType=\"boolean\" Value=\"true\" />\n          <InputParameter Id=\"TreatAsEqualIfWithinMillseconds\" DataType=\"int\" Value=\"300000\" />\n        </InputParameters>\n      </ClaimsTransformation>\n\n    </ClaimsTransformations>\n\n    <ClientDefinitions>\n      <ClientDefinition Id=\"DefaultWeb\">\n        <ClientUIFilterFlags>LineMarkers, MetaRefresh</ClientUIFilterFlags>\n      </ClientDefinition>\n    </ClientDefinitions>\n\n    <ContentDefinitions>\n\n      <!-- This content definition is to render an error page that displays unhandled errors. 
-->\n      <ContentDefinition Id=\"api.error\">\n        <LoadUri>~/tenant/templates/AzureBlue/exception.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:globalexception:1.2.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Error page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.idpselections\">\n        <LoadUri>~/tenant/templates/AzureBlue/idpSelector.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Idp selection page</Item>\n          <Item Key=\"language.intro\">Sign in</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.idpselections.signup\">\n        <LoadUri>~/tenant/templates/AzureBlue/idpSelector.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Idp selection page</Item>\n          <Item Key=\"language.intro\">Sign up</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.signuporsignin\">\n        <LoadUri>~/tenant/templates/AzureBlue/unified.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:unifiedssp:2.1.5</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Signin and Signup</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.selfasserted\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n    
    <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Collect information from user page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.selfasserted.profileupdate\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Collect information from user page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.socialccountsignup\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Collect information from user page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n    </ContentDefinitions>\n  </BuildingBlocks>\n\n  <!--\n        A list of all the claim providers that can be used in the technical policies. If a claims provider is not listed \n        in this section, then it cannot be used in a technical policy.\n    -->\n  <ClaimsProviders>\n\n    <ClaimsProvider>\n      <!-- The following Domain element allows this profile to be used if the request comes with domain_hint \n           query string parameter, e.g. domain_hint=facebook.com  -->\n      <Domain>facebook.com</Domain>\n      <DisplayName>Facebook</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"Facebook-OAUTH\">\n          <!-- The text in the following DisplayName element is shown to the user on the claims provider \n               selection screen. 
-->\n          <DisplayName>Facebook</DisplayName>\n          <Protocol Name=\"OAuth2\" />\n          <Metadata>\n            <Item Key=\"ProviderName\">facebook</Item>\n            <Item Key=\"authorization_endpoint\">https://www.facebook.com/dialog/oauth</Item>\n            <Item Key=\"AccessTokenEndpoint\">https://graph.facebook.com/oauth/access_token</Item>\n            <Item Key=\"HttpBinding\">GET</Item>\n            <Item Key=\"UsePolicyInRedirectUri\">0</Item>\n\n            <!-- The Facebook required HTTP GET method, but the access token response is in JSON format from 3/27/2017 -->\n            <Item Key=\"AccessTokenResponseFormat\">json</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"client_secret\" StorageReferenceId=\"B2C_1A_FacebookSecret\" />\n          </CryptographicKeys>\n          <InputClaims />\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"issuerUserId\" PartnerClaimType=\"id\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" PartnerClaimType=\"first_name\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" PartnerClaimType=\"last_name\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" PartnerClaimType=\"name\" />\n            <OutputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"email\" />\n            <OutputClaim ClaimTypeReferenceId=\"identityProvider\" DefaultValue=\"facebook.com\" AlwaysUseDefaultValue=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" DefaultValue=\"socialIdpAuthentication\" AlwaysUseDefaultValue=\"true\" />\n          </OutputClaims>\n          <OutputClaimsTransformations>\n            <OutputClaimsTransformation ReferenceId=\"CreateRandomUPNUserName\" />\n            <OutputClaimsTransformation ReferenceId=\"CreateUserPrincipalName\" />\n            <OutputClaimsTransformation ReferenceId=\"CreateAlternativeSecurityId\" />\n          </OutputClaimsTransformations>\n     
     <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-SocialLogin\" />\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Azure Active Directory</DisplayName>\n      <TechnicalProfiles>\n\n        <TechnicalProfile Id=\"AAD-Common\">\n          <DisplayName>Azure Active Directory</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.AzureActiveDirectoryProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n\n          <!-- We need this here to suppress the SelfAsserted provider from invoking SSO on validation profiles. -->\n          <IncludeInSso>false</IncludeInSso>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-Noop\" />\n        </TechnicalProfile>\n\n        <!-- Technical profiles for social logins -->\n\n        <TechnicalProfile Id=\"AAD-UserWriteUsingAlternativeSecurityId\">\n          <Metadata>\n            <Item Key=\"Operation\">Write</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalAlreadyExists\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaimsTransformations>\n            <InputClaimsTransformation ReferenceId=\"CreateOtherMailsFromEmail\" />\n          </InputClaimsTransformations>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"alternativeSecurityId\" PartnerClaimType=\"alternativeSecurityId\" Required=\"true\" />\n          </InputClaims>\n          <PersistedClaims>\n            <!-- Required claims -->\n            <PersistedClaim ClaimTypeReferenceId=\"alternativeSecurityId\" />\n            <PersistedClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"mailNickName\" 
DefaultValue=\"unknown\" />\n            <PersistedClaim ClaimTypeReferenceId=\"displayName\" DefaultValue=\"unknown\" />\n\n            <!-- Optional claims -->\n            <PersistedClaim ClaimTypeReferenceId=\"otherMails\" />\n            <PersistedClaim ClaimTypeReferenceId=\"givenName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"surname\" />\n          </PersistedClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"newUser\" PartnerClaimType=\"newClaimsPrincipalCreated\" />\n            <!-- The following other mails claim is needed for the case when a user is created, we get otherMails from directory. Self-asserted provider also has an\n                 OutputClaims, and if this is absent, Self-Asserted provider will prompt the user for otherMails. -->\n            <OutputClaim ClaimTypeReferenceId=\"otherMails\" />\n          </OutputClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"AAD-UserReadUsingAlternativeSecurityId\">\n          <Metadata>\n            <Item Key=\"Operation\">Read</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"alternativeSecurityId\" PartnerClaimType=\"alternativeSecurityId\" Required=\"true\" />\n          </InputClaims>\n          <OutputClaims>\n            <!-- Required claims -->\n\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n\n            <!-- Optional claims -->\n            <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"otherMails\" />\n            <OutputClaim 
ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" />\n          </OutputClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"AAD-UserReadUsingAlternativeSecurityId-NoError\">\n          <Metadata>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">false</Item>\n          </Metadata>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-UserReadUsingAlternativeSecurityId\" />\n        </TechnicalProfile>\n\n        <!-- Technical profiles for updating user record using objectId -->\n        <TechnicalProfile Id=\"AAD-UserWriteProfileUsingObjectId\">\n          <Metadata>\n            <Item Key=\"Operation\">Write</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalAlreadyExists\">false</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"objectId\" Required=\"true\" />\n          </InputClaims>\n          <PersistedClaims>\n            <!-- Required claims -->\n            <PersistedClaim ClaimTypeReferenceId=\"objectId\" />\n\n            <!-- Optional claims -->\n            <PersistedClaim ClaimTypeReferenceId=\"givenName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"surname\" />\n          </PersistedClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n\n        <!-- The following technical profile is used to read data after user authenticates. 
-->\n        <TechnicalProfile Id=\"AAD-UserReadUsingObjectId\">\n          <Metadata>\n            <Item Key=\"Operation\">Read</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"objectId\" Required=\"true\" />\n          </InputClaims>\n          <OutputClaims>\n\n            <!-- Optional claims -->\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"otherMails\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" />\n          </OutputClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Self Asserted</DisplayName>\n      <TechnicalProfiles>\n\n        <TechnicalProfile Id=\"SelfAsserted-Social\">\n          <DisplayName>User ID signup</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"ContentDefinitionReferenceId\">api.socialccountsignup</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n          <InputClaims>\n            <!-- These claims ensure that any values retrieved in the previous steps (e.g. from an external IDP) are prefilled. 
\n                 Note that some of these claims may not have any value, for example, if the external IDP did not provide any of\n                 these values, or if the claim did not appear in the OutputClaims section of the IDP.\n                 In addition, if a claim is not in the InputClaims section, but it is in the OutputClaims section, then its\n                 value will not be prefilled, but the user will still be prompted for it (with an empty value). -->\n            <InputClaim ClaimTypeReferenceId=\"displayName\" />\n            <InputClaim ClaimTypeReferenceId=\"givenName\" />\n            <InputClaim ClaimTypeReferenceId=\"surname\" />\n          </InputClaims>\n          <DisplayClaims>\n            <!-- Optional claims. These claims are collected from the user and can be modified. If a claim is to be persisted in the directory after having been \n                 collected from the user, it needs to be added as a PersistedClaim in the ValidationTechnicalProfile referenced below, i.e. \n                 in AAD-UserWriteUsingAlternativeSecurityId. -->\n            <DisplayClaim ClaimTypeReferenceId=\"displayName\" />\n            <DisplayClaim ClaimTypeReferenceId=\"givenName\" />\n            <DisplayClaim ClaimTypeReferenceId=\"surname\" />\n          </DisplayClaims>\n          <OutputClaims>\n            <!-- These claims are not shown to the user because their value is obtained through the \"ValidationTechnicalProfiles\"\n                 referenced below, or a default value is assigned to the claim. A claim is only shown to the user to provide a \n                 value if its value cannot be obtained through any other means. -->\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"newUser\" />\n            <OutputClaim ClaimTypeReferenceId=\"executed-SelfAsserted-Input\" DefaultValue=\"true\" />\n\n            <!-- Optional claims. 
These claims are collected from the user and can be modified. If a claim is to be persisted in the directory after having been \n                 collected from the user, it needs to be added as a PersistedClaim in the ValidationTechnicalProfile referenced below, i.e. \n                 in AAD-UserWriteUsingAlternativeSecurityId. -->\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserWriteUsingAlternativeSecurityId\" />\n          </ValidationTechnicalProfiles>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-SocialSignup\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"SelfAsserted-ProfileUpdate\">\n          <DisplayName>User ID signup</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"ContentDefinitionReferenceId\">api.selfasserted.profileupdate</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n\n            <InputClaim ClaimTypeReferenceId=\"alternativeSecurityId\" />\n\n            <InputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n\n            <!-- Optional claims. These claims are collected from the user and can be modified. Any claim added here should be updated in the\n                 ValidationTechnicalProfile referenced below so it can be written to directory after being updated by the user, i.e. AAD-UserWriteProfileUsingObjectId. 
-->\n            <InputClaim ClaimTypeReferenceId=\"givenName\" />\n            <InputClaim ClaimTypeReferenceId=\"surname\" />\n          </InputClaims>\n          <DisplayClaims>\n            <!-- Optional claims. These claims are collected from the user and can be modified. Any claim added here should be updated in the\n                 ValidationTechnicalProfile referenced below so it can be written to directory after being updated by the user, i.e. AAD-UserWriteProfileUsingObjectId. -->\n            <DisplayClaim ClaimTypeReferenceId=\"givenName\" />\n            <DisplayClaim ClaimTypeReferenceId=\"surname\" />\n          </DisplayClaims>\n          <OutputClaims>\n            <!-- Required claims -->\n            <OutputClaim ClaimTypeReferenceId=\"executed-SelfAsserted-Input\" DefaultValue=\"true\" />\n\n            <!-- Optional claims. These claims are collected from the user and can be modified. Any claim added here should be updated in the\n                 ValidationTechnicalProfile referenced below so it can be written to directory after being updated by the user, i.e. AAD-UserWriteProfileUsingObjectId. 
-->\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserWriteProfileUsingObjectId\" />\n          </ValidationTechnicalProfiles>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Session Management</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"SM-Noop\">\n          <DisplayName>Noop Session Management Provider</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.NoopSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"SM-AAD\">\n          <DisplayName>Session Mananagement Provider</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.DefaultSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <PersistedClaims>\n            <PersistedClaim ClaimTypeReferenceId=\"objectId\" />\n\n            <PersistedClaim ClaimTypeReferenceId=\"authenticationSource\" />\n            <PersistedClaim ClaimTypeReferenceId=\"identityProvider\" />\n            <PersistedClaim ClaimTypeReferenceId=\"newUser\" />\n            <PersistedClaim ClaimTypeReferenceId=\"executed-SelfAsserted-Input\" />\n          </PersistedClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectIdFromSession\" DefaultValue=\"true\" />\n          </OutputClaims>\n        </TechnicalProfile>\n\n        <!-- Profile name is being used to disambiguate AAD session between sign up and sign in -->\n        <TechnicalProfile Id=\"SM-SocialSignup\">\n          <IncludeTechnicalProfile ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile 
Id=\"SM-SocialLogin\">\n          <DisplayName>Session Mananagement Provider</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.ExternalLoginSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"AlwaysFetchClaimsFromProvider\">true</Item>\n          </Metadata>\n          <PersistedClaims>\n            <PersistedClaim ClaimTypeReferenceId=\"alternativeSecurityId\" />\n          </PersistedClaims>\n        </TechnicalProfile>\n\n        <!-- Session management technical profile for OIDC based tokens -->\n        <TechnicalProfile Id=\"SM-jwt-issuer\">\n          <DisplayName>Session Management Provider</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.OAuthSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Trustframework Policy Engine TechnicalProfiles</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"TpEngine_c3bd4fe2-1775-4013-b91d-35f16d377d13\">\n          <DisplayName>Trustframework Policy Engine Default Technical Profile</DisplayName>\n          <Protocol Name=\"None\" />\n          <Metadata>\n            <Item Key=\"url\">{service:te}</Item>\n          </Metadata>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Token Issuer</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"JwtIssuer\">\n          <DisplayName>JWT Issuer</DisplayName>\n          <Protocol Name=\"OpenIdConnect\" />\n          <OutputTokenFormat>JWT</OutputTokenFormat>\n          <Metadata>\n            <Item Key=\"client_id\">{service:te}</Item>\n            <Item Key=\"issuer_refresh_token_user_identity_claim_type\">objectId</Item>\n            <Item 
Key=\"SendTokenResponseBodyWithJsonNumbers\">true</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n            <Key Id=\"issuer_refresh_token_key\" StorageReferenceId=\"B2C_1A_TokenEncryptionKeyContainer\" />\n          </CryptographicKeys>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-jwt-issuer\" />\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    \n  <!-- Claims provider for refresh token revocation. The RedeemRefreshToken journey reads objectId and\n       refreshTokenIssuedOnDateTime from the presented refresh token, re-reads the user from the directory\n       (AAD-UserReadUsingObjectId-CheckRefreshTokenDate, which outputs refreshTokensValidFromDateTime) and runs\n       AssertRefreshTokenIssuedLaterThanValidFromDate, which by its name is expected to fail the journey for\n       tokens issued before that date. -->\n  <ClaimsProvider>\n    <DisplayName>Refresh token journey</DisplayName>\n    <TechnicalProfiles>\n      <TechnicalProfile Id=\"RefreshTokenReadAndSetup\">\n        <DisplayName>Trustframework Policy Engine Refresh Token Setup Technical Profile</DisplayName>\n        <Protocol Name=\"None\" />\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n          <OutputClaim ClaimTypeReferenceId=\"refreshTokenIssuedOnDateTime\" />\n           <!--Requirement: Claims that you return in the relying party technical profile output claims\n            that are not stored in Azure AD B2C must be added to the output claims collection here-->\n          <!--\n          \n          <OutputClaim ClaimTypeReferenceId=\"RESTAPIclaim1\" />\n          <OutputClaim ClaimTypeReferenceId=\"IDPclaim1\" />\n           -->\n        </OutputClaims>\n      </TechnicalProfile>\n\n\n      <TechnicalProfile Id=\"AAD-UserReadUsingObjectId-CheckRefreshTokenDate\">\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"refreshTokensValidFromDateTime\" />\n          <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n        </OutputClaims>\n        <OutputClaimsTransformations>\n          <OutputClaimsTransformation ReferenceId=\"AssertRefreshTokenIssuedLaterThanValidFromDate\" />\n        </OutputClaimsTransformations>\n        <IncludeTechnicalProfile 
ReferenceId=\"AAD-UserReadUsingObjectId\" />\n      </TechnicalProfile>\n    </TechnicalProfiles>\n  </ClaimsProvider>\n\n  </ClaimsProviders>\n\n  <UserJourneys>\n\n    <UserJourney Id=\"SignUpOrSignIn\">\n      <OrchestrationSteps>\n\n        <OrchestrationStep Order=\"1\" Type=\"CombinedSignInAndSignUp\" ContentDefinitionReferenceId=\"api.signuporsignin\">\n          <ClaimsProviderSelections>\n            <ClaimsProviderSelection TargetClaimsExchangeId=\"FacebookExchange\" />\n          </ClaimsProviderSelections>\n        </OrchestrationStep>\n\n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"FacebookExchange\" TechnicalProfileReferenceId=\"Facebook-OAUTH\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- For social IDP authentication, attempt to find the user account in the directory. -->\n        <OrchestrationStep Order=\"3\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserReadUsingAlternativeSecurityId\" TechnicalProfileReferenceId=\"AAD-UserReadUsingAlternativeSecurityId-NoError\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- Show self-asserted page only if the directory does not have the user account already (i.e. we do not have an objectId).  
-->\n        <OrchestrationStep Order=\"4\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>objectId</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"SelfAsserted-Social\" TechnicalProfileReferenceId=\"SelfAsserted-Social\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- The previous step (SelfAsserted-Social) could have been skipped if there were no attributes to collect \n             from the user. So, in that case, create the user in the directory if one does not already exist \n             (verified using objectId, which the previous step would have set if it created the account in the directory). -->\n        <OrchestrationStep Order=\"5\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>objectId</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserWrite\" TechnicalProfileReferenceId=\"AAD-UserWriteUsingAlternativeSecurityId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <OrchestrationStep Order=\"6\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n\n      </OrchestrationSteps>\n      <ClientDefinition ReferenceId=\"DefaultWeb\" />\n    </UserJourney>\n\n    <UserJourney Id=\"ProfileEdit\">\n      <OrchestrationSteps>\n\n        <OrchestrationStep Order=\"1\" Type=\"ClaimsProviderSelection\" ContentDefinitionReferenceId=\"api.idpselections\">\n          <ClaimsProviderSelections>\n            <ClaimsProviderSelection TargetClaimsExchangeId=\"FacebookExchange\" />\n          </ClaimsProviderSelections>\n       
 </OrchestrationStep>\n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"FacebookExchange\" TechnicalProfileReferenceId=\"Facebook-OAUTH\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"3\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserRead\" TechnicalProfileReferenceId=\"AAD-UserReadUsingAlternativeSecurityId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <OrchestrationStep Order=\"4\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"B2CUserProfileUpdateExchange\" TechnicalProfileReferenceId=\"SelfAsserted-ProfileUpdate\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"5\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n\n      </OrchestrationSteps>\n      <ClientDefinition ReferenceId=\"DefaultWeb\" />\n    </UserJourney>\n\n    \n    <UserJourney Id=\"RedeemRefreshToken\">\n      <PreserveOriginalAssertion>false</PreserveOriginalAssertion>\n      <OrchestrationSteps>\n        <OrchestrationStep Order=\"1\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"RefreshTokenSetupExchange\" TechnicalProfileReferenceId=\"RefreshTokenReadAndSetup\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        \n        <!-- Extra steps can be added before or after this step for REST API or claims transformation calls-->\n\n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"CheckRefreshTokenDateFromAadExchange\" TechnicalProfileReferenceId=\"AAD-UserReadUsingObjectId-CheckRefreshTokenDate\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"3\" Type=\"SendClaims\" 
CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n      </OrchestrationSteps>\n    </UserJourney>\n  </UserJourneys>\n</TrustFrameworkPolicy>"
  },
  {
    "path": "Display Controls Starterpack/SocialAccounts/TrustFrameworkExtensions.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n<TrustFrameworkPolicy \n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" \n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\" \n  PolicySchemaVersion=\"0.3.0.0\" \n  TenantId=\"yourtenant.onmicrosoft.com\" \n  PolicyId=\"B2C_1A_TrustFrameworkExtensions\" \n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions\">\n  \n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkLocalization</PolicyId>\n  </BasePolicy>\n  <BuildingBlocks>\n\n  </BuildingBlocks>\n\n  <ClaimsProviders>\n\n    <ClaimsProvider>\n      <DisplayName>Facebook</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"Facebook-OAUTH\">\n          <Metadata>\n            <Item Key=\"client_id\">facebook_clientid</Item>\n            <Item Key=\"scope\">email public_profile</Item>\n            <Item Key=\"ClaimsEndpoint\">https://graph.facebook.com/me?fields=id,first_name,last_name,name,email</Item>\n          </Metadata>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n\n  </ClaimsProviders>\n\n    <!--UserJourneys>\n\t\n\t</UserJourneys-->\n\n</TrustFrameworkPolicy>\n"
  },
  {
    "path": "Display Controls Starterpack/SocialAccounts/TrustFrameworkLocalization.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n<TrustFrameworkPolicy \n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" \n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\" \n  PolicySchemaVersion=\"0.3.0.0\" \n  TenantId=\"yourtenant.onmicrosoft.com\" \n  PolicyId=\"B2C_1A_TrustFrameworkLocalization\" \n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkLocalization\">\n\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>\n  </BasePolicy>\n\n  <BuildingBlocks>\n\n    <ContentDefinitions>\n      <ContentDefinition Id=\"api.signuporsignin\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.signuporsignin.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.socialccountsignup\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.socialccountsignup.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.idpselections\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.idpselections.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.selfasserted.profileupdate\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.selfasserted.profileupdate.en\" />\n        
  <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n    </ContentDefinitions>\n\n    <Localization Enabled=\"true\">\n      <SupportedLanguages DefaultLanguage=\"en\" MergeBehavior=\"Append\">\n        <SupportedLanguage>en</SupportedLanguage>\n      </SupportedLanguages>\n\n      <LocalizedResources Id=\"api.signuporsignin.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"signInName\" StringId=\"DisplayName\">Email Address</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"heading\">Sign in</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"social_intro\">Sign in with your social account</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"local_intro_generic\">Sign in with your {0}</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"password\" StringId=\"DisplayName\">Password</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"requiredField_password\">Please enter your password</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"requiredField_generic\">Please enter your {0}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"invalid_generic\">Please enter a valid {0}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"createaccount_one_link\">Sign up now</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"createaccount_two_links\">Sign up with {0} or {1}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"createaccount_three_links\">Sign up with {0}, {1}, or {2}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"forgotpassword_link\">Forgot your password?</LocalizedString>\n          <LocalizedString 
ElementType=\"UxElement\" StringId=\"button_signin\">Sign in</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"divider_title\">OR</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"createaccount_intro\">Don't have an account?</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"unknown_error\">We are having trouble signing you in. Please try again later.</LocalizedString>\n          <!-- Uncomment the remember_me only if the keep me signed in is activated. \n          <LocalizedString ElementType=\"UxElement\" StringId=\"remember_me\">Keep me signed in</LocalizedString> -->\n          <LocalizedString ElementType=\"ClaimsProvider\" StringId=\"FacebookExchange\">Facebook</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"ResourceOwnerFlowInvalidCredentials\">Your password is incorrect.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfInvalidPassword\">Your password is incorrect.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfPasswordExpired\">Your password has expired.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalDoesNotExist\">We can't seem to find your account.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfOldPasswordUsed\">Looks like you used an old password.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"DefaultMessage\">Invalid username or password.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfUserAccountDisabled\">Your account has been locked. 
Contact your support person to unlock it, then try again.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfUserAccountLocked\">Your account is temporarily locked to prevent unauthorized use. Try again later.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"AADRequestsThrottled\">There are too many requests at this moment. Please wait for some time and try again.</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Social account sign-up page English-->\n      <LocalizedResources Id=\"api.socialccountsignup.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"DisplayName\">Email Address</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"UserHelpText\">Email address that can be used to contact you.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"PatternHelpText\">Please enter a valid email address.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"DisplayName\">Display Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"UserHelpText\">Your display name.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"DisplayName\">Surname</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"UserHelpText\">Your surname (also known as family name or last name).</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"DisplayName\">Given Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"UserHelpText\">Your given name (also known as first 
name).</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_continue\">Create</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_cancel\">Cancel</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalAlreadyExists\">You are already registered, please press the back button and sign in instead.</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Edit profile sign-in page English-->\n      <LocalizedResources Id=\"api.idpselections.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"intro\">Sign in</LocalizedString>\n          <LocalizedString ElementType=\"ClaimsProvider\" StringId=\"LocalAccountSigninEmailExchange\">Local Account Signin</LocalizedString>\n          <LocalizedString ElementType=\"ClaimsProvider\" StringId=\"FacebookExchange\">Facebook</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Edit profile page English-->\n      <LocalizedResources Id=\"api.selfasserted.profileupdate.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"DisplayName\">Display Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"UserHelpText\">Your display name.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"DisplayName\">Surname</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"UserHelpText\">Your surname (also known as family name or last name).</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"DisplayName\">Given Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" 
StringId=\"UserHelpText\">Your given name (also known as first name).</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_continue\">Continue</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_cancel\">Cancel</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Add more languages here -->\n    </Localization>\n  </BuildingBlocks>\n\n</TrustFrameworkPolicy>"
  },
  {
    "path": "Display Controls Starterpack/SocialAndLocalAccounts/PasswordReset.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<TrustFrameworkPolicy\n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\"\n  PolicySchemaVersion=\"0.3.0.0\"\n  TenantId=\"yourtenant.onmicrosoft.com\"\n  PolicyId=\"B2C_1A_PasswordReset\"\n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_PasswordReset\">\n\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>\n  </BasePolicy>\n\n  <RelyingParty>\n    <DefaultUserJourney ReferenceId=\"PasswordReset\" />\n    <TechnicalProfile Id=\"PolicyProfile\">\n      <DisplayName>PolicyProfile</DisplayName>\n      <Protocol Name=\"OpenIdConnect\" />\n      <OutputClaims>\n        <OutputClaim ClaimTypeReferenceId=\"email\" />\n        <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"sub\"/>\n        <OutputClaim ClaimTypeReferenceId=\"tenantId\" AlwaysUseDefaultValue=\"true\" DefaultValue=\"{Policy:TenantObjectId}\" />\n      </OutputClaims>\n      <SubjectNamingInfo ClaimType=\"sub\" />\n    </TechnicalProfile>\n  </RelyingParty>\n</TrustFrameworkPolicy>\n\n\n"
  },
  {
    "path": "Display Controls Starterpack/SocialAndLocalAccounts/ProfileEdit.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<TrustFrameworkPolicy\n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\"\n  PolicySchemaVersion=\"0.3.0.0\"\n  TenantId=\"yourtenant.onmicrosoft.com\"\n  PolicyId=\"B2C_1A_ProfileEdit\"\n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_ProfileEdit\">\n\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>\n  </BasePolicy>\n\n  <RelyingParty>\n    <DefaultUserJourney ReferenceId=\"ProfileEdit\" />\n    <TechnicalProfile Id=\"PolicyProfile\">\n      <DisplayName>PolicyProfile</DisplayName>\n      <Protocol Name=\"OpenIdConnect\" />\n      <OutputClaims>\n        <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"sub\"/>\n        <OutputClaim ClaimTypeReferenceId=\"tenantId\" AlwaysUseDefaultValue=\"true\" DefaultValue=\"{Policy:TenantObjectId}\" />\n      </OutputClaims>\n      <SubjectNamingInfo ClaimType=\"sub\" />\n    </TechnicalProfile>\n  </RelyingParty>\n</TrustFrameworkPolicy>\n\n\n"
  },
  {
    "path": "Display Controls Starterpack/SocialAndLocalAccounts/SignUpOrSignin.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<TrustFrameworkPolicy\n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\"\n  PolicySchemaVersion=\"0.3.0.0\"\n  TenantId=\"yourtenant.onmicrosoft.com\"\n  PolicyId=\"B2C_1A_signup_signin\"\n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_signup_signin\">\n\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>\n  </BasePolicy>\n\n  <RelyingParty>\n    <DefaultUserJourney ReferenceId=\"SignUpOrSignIn\" />\n    <Endpoints>\n      <!--points to refresh token journey when app makes refresh token request-->\n      <Endpoint Id=\"Token\" UserJourneyReferenceId=\"RedeemRefreshToken\" />\n    </Endpoints>\n    <TechnicalProfile Id=\"PolicyProfile\">\n      <DisplayName>PolicyProfile</DisplayName>\n      <Protocol Name=\"OpenIdConnect\" />\n      <OutputClaims>\n        <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n        <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n        <OutputClaim ClaimTypeReferenceId=\"surname\" />\n        <OutputClaim ClaimTypeReferenceId=\"email\" />\n        <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"sub\"/>\n        <OutputClaim ClaimTypeReferenceId=\"identityProvider\" />\n        <OutputClaim ClaimTypeReferenceId=\"tenantId\" AlwaysUseDefaultValue=\"true\" DefaultValue=\"{Policy:TenantObjectId}\" />\n      </OutputClaims>\n      <SubjectNamingInfo ClaimType=\"sub\" />\n    </TechnicalProfile>\n  </RelyingParty>\n</TrustFrameworkPolicy>\n"
  },
  {
    "path": "Display Controls Starterpack/SocialAndLocalAccounts/TrustFrameworkBase.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<TrustFrameworkPolicy\n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\"\n  PolicySchemaVersion=\"0.3.0.0\"\n  TenantId=\"yourtenant.onmicrosoft.com\"\n  PolicyId=\"B2C_1A_TrustFrameworkBase\"\n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkBase\">\n\n  <BuildingBlocks>\n    <ClaimsSchema>\n      <!-- The ClaimsSchema is divided into three sections:\n           1. Section I lists the minimum claims that are required for the user journeys to work properly.\n           2. Section II lists the claims required for query string parameters and other special parameters \n              to be passed to other claims providers, esp. login.microsoftonline.com for authentication. \n              Please do not modify these claims.\n           3. Section III lists any additional (optional) claims that can be collected from the user, stored \n              in the directory and sent in tokens during sign in. Add new claims to be collected from the user \n              and/or sent in the token in Section III. -->\n\n      <!-- NOTE: The claims schema contains restrictions on certain claims such as passwords and usernames. \n           The trust framework policy treats Azure AD as any other claims provider and all its restrictions \n           are modelled in the policy. A policy could be modified to add more restrictions, or use another \n           claims provider for credential storage which will have its own restrictions. 
-->\n\n      <!-- SECTION I: Claims required for user journeys to work properly -->\n\n      <!-- The claim socialIdpUserId has been renamed to issuerUserId -->\n      <ClaimType Id=\"issuerUserId\">\n        <DisplayName>Username</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText/>\n        <UserInputType>TextBox</UserInputType>\n        <Restriction>\n          <Pattern RegularExpression=\"^[a-zA-Z0-9]+[a-zA-Z0-9_-]*$\" HelpText=\"The username you provided is not valid. It must begin with an alphabet or number and can contain alphabets, numbers and the following symbols: _ -\" />\n        </Restriction>\n      </ClaimType>\n\n      <ClaimType Id=\"tenantId\">\n        <DisplayName>User's Object's Tenant ID</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"tid\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"tid\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.microsoft.com/identity/claims/tenantid\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Tenant identifier (ID) of the user object in Azure AD.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"objectId\">\n        <DisplayName>User's Object ID</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"oid\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"oid\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.microsoft.com/identity/claims/objectidentifier\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Object identifier (ID) of the user object in Azure AD.</UserHelpText>\n      </ClaimType>\n\n      <!-- Claims needed for local accounts. 
-->\n      <ClaimType Id=\"signInName\">\n        <DisplayName>Sign in name</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText/>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n      <ClaimType Id=\"signInNames.emailAddress\">\n        <DisplayName>Email Address</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Email address to use for signing in.</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n      <ClaimType Id=\"accountEnabled\">\n        <DisplayName>Account Enabled</DisplayName>\n        <DataType>boolean</DataType>\n        <AdminHelpText>Specifies whether the user's account is enabled.</AdminHelpText>\n        <UserHelpText>Specifies whether your account is enabled.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"password\">\n        <DisplayName>Password</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Enter password</UserHelpText>\n        <UserInputType>Password</UserInputType>\n      </ClaimType>\n\n      <!-- The claim types newPassword and reenterPassword are considered special, please do not change the names. 
\n           The UI validates that the user correctly re-entered their password during account creation based on these \n           claim types.\t  -->\n      <ClaimType Id=\"newPassword\">\n        <DisplayName>New Password</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Enter new password</UserHelpText>\n        <UserInputType>Password</UserInputType>\n        <Restriction>\n          <Pattern RegularExpression=\"^((?=.*[a-z])(?=.*[A-Z])(?=.*\\d)|(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9])|(?=.*[a-z])(?=.*\\d)(?=.*[^A-Za-z0-9])|(?=.*[A-Z])(?=.*\\d)(?=.*[^A-Za-z0-9]))([A-Za-z\\d@#$%^&amp;*\\-_+=[\\]{}|\\\\:',?/`~&quot;();!]|\\.(?!@)){8,16}$\" HelpText=\"8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ &amp; * - _ + = [ ] { } | \\ : ' , ? / ` ~ &quot; ( ) ; .\" />\n        </Restriction>\n      </ClaimType>\n      <!-- The password regular expression above is constructed for AAD passwords based on restrictions at https://msdn.microsoft.com/en-us/library/azure/jj943764.aspx\n         The 8-16 length bound and the allowed character set mirror that documented restriction; the same pattern is duplicated\n         on reenterPassword below, so keep both in sync if the directory's password policy changes.\n\n        ^( # at least one of the following four combinations must hold, i.e. the password contains 3 of the 4 character classes\n         (?=.*[a-z])(?=.*[A-Z])(?=.*\\d) |            # requires lower case, upper case and digit\n         (?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9]) |  # requires lower case, upper case and special character (i.e. neither alpha nor digit)\n         (?=.*[a-z])(?=.*\\d)(?=.*[^A-Za-z0-9]) |     # requires lower case, digit and special character\n         (?=.*[A-Z])(?=.*\\d)(?=.*[^A-Za-z0-9])       # requires upper case, digit and special character\n        )\n        ( # The password must match the following restrictions\n         [A-Za-z\\d@#$%^&*\\-_+=[\\]{}|\\\\:',?/`~\"();!] |   # The list of all acceptable characters (without .)\n         \\.(?!@)                                        # or . 
can appear as long as not followed by @\n        ) {8,16}$                                       # the length must be between 8 and 16 chars inclusive\n\n      -->\n\n      <ClaimType Id=\"reenterPassword\">\n        <DisplayName>Confirm New Password</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Confirm new password</UserHelpText>\n        <UserInputType>Password</UserInputType>\n        <Restriction>\n          <Pattern RegularExpression=\"^((?=.*[a-z])(?=.*[A-Z])(?=.*\\d)|(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9])|(?=.*[a-z])(?=.*\\d)(?=.*[^A-Za-z0-9])|(?=.*[A-Z])(?=.*\\d)(?=.*[^A-Za-z0-9]))([A-Za-z\\d@#$%^&amp;*\\-_+=[\\]{}|\\\\:',?/`~&quot;();!]|\\.(?!@)){8,16}$\" HelpText=\" \" />\n        </Restriction>\n      </ClaimType>\n\n      <ClaimType Id=\"passwordPolicies\">\n        <DisplayName>Password Policies</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Password policies used by Azure AD to determine password strength, expiry etc.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"client_id\">\n        <DisplayName>client_id</DisplayName>\n        <DataType>string</DataType>\n        <AdminHelpText>Special parameter passed to EvoSTS.</AdminHelpText>\n        <UserHelpText>Special parameter passed to EvoSTS.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"resource_id\">\n        <DisplayName>resource_id</DisplayName>\n        <DataType>string</DataType>\n        <AdminHelpText>Special parameter passed to EvoSTS.</AdminHelpText>\n        <UserHelpText>Special parameter passed to EvoSTS.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"sub\">\n        <DisplayName>Subject</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"sub\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText/>\n      </ClaimType>\n\n      <ClaimType Id=\"alternativeSecurityId\">\n        
<DisplayName>AlternativeSecurityId</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText/>\n      </ClaimType>\n\n      <ClaimType Id=\"mailNickName\">\n        <DisplayName>MailNickName</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Your mail nick name as stored in the Azure Active Directory.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"identityProvider\">\n        <DisplayName>Identity Provider</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"idp\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"idp\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.microsoft.com/identity/claims/identityprovider\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText/>\n      </ClaimType>\n\n      <ClaimType Id=\"displayName\">\n        <DisplayName>Display Name</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"unique_name\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"name\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Your display name.</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n      <ClaimType Id=\"email\">\n        <DisplayName>Email Address</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"email\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Email address that can be used to contact you.</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n        <Restriction>\n          <Pattern 
RegularExpression=\"^[a-zA-Z0-9!#$%&amp;'+^_`{}~-]+(?:\\.[a-zA-Z0-9!#$%&amp;'+^_`{}~-]+)*@(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?\\.)+[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?$\" HelpText=\"Please enter a valid email address.\" />\n        </Restriction>\n      </ClaimType>\n\n      <ClaimType Id=\"otherMails\">\n        <DisplayName>Alternate Email Addresses</DisplayName>\n        <DataType>stringCollection</DataType>\n        <UserHelpText>Email addresses that can be used to contact the user.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"userPrincipalName\">\n        <DisplayName>UserPrincipalName</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"upn\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"upn\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.microsoft.com/identity/claims/userprincipalname\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Your user name as stored in the Azure Active Directory.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"upnUserName\">\n        <DisplayName>UPN User Name</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>The user name for creating user principal name.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"newUser\">\n        <DisplayName>User is new</DisplayName>\n        <DataType>boolean</DataType>\n        <UserHelpText/>\n      </ClaimType>\n\n      <ClaimType Id=\"executed-SelfAsserted-Input\">\n        <DisplayName>Executed-SelfAsserted-Input</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>A claim that specifies whether attributes were collected from the user.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"authenticationSource\">\n        <DisplayName>AuthenticationSource</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Specifies whether the 
user was authenticated at Social IDP or local account.</UserHelpText>\n      </ClaimType>\n\n        <!--claims for refresh token revocation-->\n        <ClaimType Id=\"refreshTokenIssuedOnDateTime\">\n          <DisplayName>refreshTokenIssuedOnDateTime</DisplayName>\n          <DataType>string</DataType>\n          <AdminHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</AdminHelpText>\n          <UserHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</UserHelpText>\n        </ClaimType>\n  \n        <ClaimType Id=\"refreshTokensValidFromDateTime\">\n          <DisplayName>refreshTokensValidFromDateTime</DisplayName>\n          <DataType>string</DataType>\n          <AdminHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</AdminHelpText>\n          <UserHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</UserHelpText>\n        </ClaimType>\n\n      <!-- SECTION II: Claims required to pass on special parameters (including some query string parameters) to other claims providers -->\n\n      <ClaimType Id=\"nca\">\n        <DisplayName>nca</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Special parameter passed for local account authentication to login.microsoftonline.com.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"grant_type\">\n        <DisplayName>grant_type</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Special parameter passed for local account authentication to login.microsoftonline.com.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"scope\">\n        <DisplayName>scope</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Special parameter passed for local account authentication to 
login.microsoftonline.com.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"objectIdFromSession\">\n        <DisplayName>objectIdFromSession</DisplayName>\n        <DataType>boolean</DataType>\n        <UserHelpText>Parameter provided by the default session management provider to indicate that the object id has been retrieved from an SSO session.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"isActiveMFASession\">\n        <DisplayName>isActiveMFASession</DisplayName>\n        <DataType>boolean</DataType>\n        <UserHelpText>Parameter provided by the MFA session management to indicate that the user has an active MFA session.</UserHelpText>\n      </ClaimType>\n\n      <!-- SECTION III: Additional claims that can be collected from the users, stored in the directory, and sent in the token. Add additional claims here. -->\n\n      <ClaimType Id=\"givenName\">\n        <DisplayName>Given Name</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"given_name\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"given_name\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Your given name (also known as first name).</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n      <ClaimType Id=\"surname\">\n        <DisplayName>Surname</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"family_name\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"family_name\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Your surname (also known as 
family name or last name).</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n      <ClaimType Id=\"verificationCode\">\n        <DisplayName>Verification Code</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Enter your verification code</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n    </ClaimsSchema>\n\n    <ClaimsTransformations>\n      <ClaimsTransformation Id=\"CreateOtherMailsFromEmail\" TransformationMethod=\"AddItemToStringCollection\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"email\" TransformationClaimType=\"item\" />\n          <InputClaim ClaimTypeReferenceId=\"otherMails\" TransformationClaimType=\"collection\" />\n        </InputClaims>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"otherMails\" TransformationClaimType=\"collection\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n\n      <ClaimsTransformation Id=\"CreateRandomUPNUserName\" TransformationMethod=\"CreateRandomString\">\n        <InputParameters>\n          <InputParameter Id=\"randomGeneratorType\" DataType=\"string\" Value=\"GUID\" />\n        </InputParameters>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"upnUserName\" TransformationClaimType=\"outputClaim\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n\n      <ClaimsTransformation Id=\"CreateUserPrincipalName\" TransformationMethod=\"FormatStringClaim\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"upnUserName\" TransformationClaimType=\"inputClaim\" />\n        </InputClaims>\n        <InputParameters>\n          <InputParameter Id=\"stringFormat\" DataType=\"string\" Value=\"cpim_{0}@{RelyingPartyTenantId}\" />\n        </InputParameters>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" TransformationClaimType=\"outputClaim\" />\n        </OutputClaims>\n      
</ClaimsTransformation>\n\n      <ClaimsTransformation Id=\"CreateAlternativeSecurityId\" TransformationMethod=\"CreateAlternativeSecurityId\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"issuerUserId\" TransformationClaimType=\"key\" />\n          <InputClaim ClaimTypeReferenceId=\"identityProvider\" TransformationClaimType=\"identityProvider\" />\n        </InputClaims>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"alternativeSecurityId\" TransformationClaimType=\"alternativeSecurityId\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n\n      <ClaimsTransformation Id=\"CreateSubjectClaimFromAlternativeSecurityId\" TransformationMethod=\"CreateStringClaim\">\n        <InputParameters>\n          <InputParameter Id=\"value\" DataType=\"string\" Value=\"Not supported currently. Use oid claim.\" />\n        </InputParameters>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"sub\" TransformationClaimType=\"createdClaim\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n\n      <ClaimsTransformation Id=\"AssertAccountEnabledIsTrue\" TransformationMethod=\"AssertBooleanClaimIsEqualToValue\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"accountEnabled\" TransformationClaimType=\"inputClaim\" />\n        </InputClaims>\n        <InputParameters>\n          <InputParameter Id=\"valueToCompareTo\" DataType=\"boolean\" Value=\"true\" />\n        </InputParameters>\n      </ClaimsTransformation>\n\n        <!--claims transformation for refresh token revocation -->\n        <ClaimsTransformation Id=\"AssertRefreshTokenIssuedLaterThanValidFromDate\" TransformationMethod=\"AssertDateTimeIsGreaterThan\">\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"refreshTokenIssuedOnDateTime\" TransformationClaimType=\"leftOperand\" />\n            <InputClaim ClaimTypeReferenceId=\"refreshTokensValidFromDateTime\" 
TransformationClaimType=\"rightOperand\" />\n          </InputClaims>\n          <InputParameters>\n            <InputParameter Id=\"AssertIfEqualTo\" DataType=\"boolean\" Value=\"false\" />\n            <InputParameter Id=\"AssertIfRightOperandIsNotPresent\" DataType=\"boolean\" Value=\"true\" />\n            <InputParameter Id=\"TreatAsEqualIfWithinMillseconds\" DataType=\"int\" Value=\"300000\" />\n          </InputParameters>\n        </ClaimsTransformation>\n  \n    </ClaimsTransformations>\n\n    <ClientDefinitions>\n      <ClientDefinition Id=\"DefaultWeb\">\n        <ClientUIFilterFlags>LineMarkers, MetaRefresh</ClientUIFilterFlags>\n      </ClientDefinition>\n    </ClientDefinitions>\n\n    <ContentDefinitions>\n\n      <!-- This content definition is to render an error page that displays unhandled errors. -->\n      <ContentDefinition Id=\"api.error\">\n        <LoadUri>~/tenant/templates/AzureBlue/exception.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:globalexception:1.2.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Error page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.idpselections\">\n        <LoadUri>~/tenant/templates/AzureBlue/idpSelector.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Idp selection page</Item>\n          <Item Key=\"language.intro\">Sign in</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.idpselections.signup\">\n        <LoadUri>~/tenant/templates/AzureBlue/idpSelector.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        
<DataUri>urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Idp selection page</Item>\n          <Item Key=\"language.intro\">Sign up</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.signuporsignin\">\n        <LoadUri>~/tenant/templates/AzureBlue/unified.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:unifiedssp:2.1.5</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Signin and Signup</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.selfasserted\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Collect information from user page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.selfasserted.profileupdate\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Collect information from user page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountsignup\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Local account sign up page</Item>\n        </Metadata>\n      
</ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountpasswordreset\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Local account change password page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.socialccountsignup\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Collect information from user page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountsignin\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Collect information from user page</Item>\n        </Metadata>\n      </ContentDefinition>\n    </ContentDefinitions>\n\n    <DisplayControls>\n      <DisplayControl Id=\"emailVerificationControl\" UserInterfaceControlType=\"VerificationControl\">\n        <DisplayClaims>\n          <DisplayClaim ClaimTypeReferenceId=\"email\" Required=\"true\" />\n          <DisplayClaim ClaimTypeReferenceId=\"verificationCode\" ControlClaimType=\"VerificationCode\" Required=\"true\" />\n        </DisplayClaims>\n        <OutputClaims></OutputClaims>\n        <Actions>\n          <Action Id=\"SendCode\">\n            <ValidationClaimsExchange>\n              <ValidationClaimsExchangeTechnicalProfile 
TechnicalProfileReferenceId=\"AadSspr-SendCode\" />\n            </ValidationClaimsExchange>\n          </Action>\n          <Action Id=\"VerifyCode\">\n            <ValidationClaimsExchange>\n              <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId=\"AadSspr-VerifyCode\" />\n            </ValidationClaimsExchange>\n          </Action>\n        </Actions>\n      </DisplayControl>\n    </DisplayControls>\n  </BuildingBlocks>\n\n  <!--\n        A list of all the claim providers that can be used in the technical policies. If a claims provider is not listed \n        in this section, then it cannot be used in a technical policy.\n    -->\n  <ClaimsProviders>\n\n    <ClaimsProvider>\n      <!-- The following Domain element allows this profile to be used if the request comes with domain_hint \n           query string parameter, e.g. domain_hint=facebook.com  -->\n      <Domain>facebook.com</Domain>\n      <DisplayName>Facebook</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"Facebook-OAUTH\">\n          <!-- The text in the following DisplayName element is shown to the user on the claims provider \n               selection screen. 
-->\n          <DisplayName>Facebook</DisplayName>\n          <Protocol Name=\"OAuth2\" />\n          <Metadata>\n            <Item Key=\"ProviderName\">facebook</Item>\n            <Item Key=\"authorization_endpoint\">https://www.facebook.com/dialog/oauth</Item>\n            <Item Key=\"AccessTokenEndpoint\">https://graph.facebook.com/oauth/access_token</Item>\n            <Item Key=\"HttpBinding\">GET</Item>\n            <Item Key=\"UsePolicyInRedirectUri\">0</Item>\n\n            <!-- Facebook requires the HTTP GET method, but its access token response has been in JSON format since 3/27/2017 -->\n            <Item Key=\"AccessTokenResponseFormat\">json</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"client_secret\" StorageReferenceId=\"B2C_1A_FacebookSecret\" />\n          </CryptographicKeys>\n          <InputClaims />\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"issuerUserId\" PartnerClaimType=\"id\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" PartnerClaimType=\"first_name\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" PartnerClaimType=\"last_name\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" PartnerClaimType=\"name\" />\n            <OutputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"email\" />\n            <OutputClaim ClaimTypeReferenceId=\"identityProvider\" DefaultValue=\"facebook.com\" AlwaysUseDefaultValue=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" DefaultValue=\"socialIdpAuthentication\" AlwaysUseDefaultValue=\"true\" />\n          </OutputClaims>\n          <OutputClaimsTransformations>\n            <OutputClaimsTransformation ReferenceId=\"CreateRandomUPNUserName\" />\n            <OutputClaimsTransformation ReferenceId=\"CreateUserPrincipalName\" />\n            <OutputClaimsTransformation ReferenceId=\"CreateAlternativeSecurityId\" />\n          </OutputClaimsTransformations>\n     
     <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-SocialLogin\" />\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Local Account SignIn</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"login-NonInteractive\">\n          <DisplayName>Local Account SignIn</DisplayName>\n          <Protocol Name=\"OpenIdConnect\" />\n          <Metadata>\n            <Item Key=\"ProviderName\">https://sts.windows.net/</Item>\n            <Item Key=\"METADATA\">https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration</Item>\n            <Item Key=\"authorization_endpoint\">https://login.microsoftonline.com/{tenant}/oauth2/token</Item>\n            <Item Key=\"response_types\">id_token</Item>\n            <Item Key=\"response_mode\">query</Item>\n            <Item Key=\"scope\">email openid</Item>\n\n            <!-- Policy Engine Clients -->\n            <Item Key=\"UsePolicyInRedirectUri\">false</Item>\n            <Item Key=\"HttpBinding\">POST</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"signInName\" PartnerClaimType=\"username\" Required=\"true\" />\n            <InputClaim ClaimTypeReferenceId=\"password\" Required=\"true\" />\n            <InputClaim ClaimTypeReferenceId=\"grant_type\" DefaultValue=\"password\" AlwaysUseDefaultValue=\"true\" />\n            <InputClaim ClaimTypeReferenceId=\"scope\" DefaultValue=\"openid\" AlwaysUseDefaultValue=\"true\" />\n            <InputClaim ClaimTypeReferenceId=\"nca\" PartnerClaimType=\"nca\" DefaultValue=\"1\" />\n          </InputClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"oid\" />\n            <OutputClaim ClaimTypeReferenceId=\"tenantId\" PartnerClaimType=\"tid\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" PartnerClaimType=\"given_name\" />\n            
<OutputClaim ClaimTypeReferenceId=\"surName\" PartnerClaimType=\"family_name\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" PartnerClaimType=\"name\" />\n            <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" PartnerClaimType=\"upn\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" DefaultValue=\"localAccountAuthentication\" />\n          </OutputClaims>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Azure Active Directory</DisplayName>\n      <TechnicalProfiles>\n\n        <TechnicalProfile Id=\"AAD-Common\">\n          <DisplayName>Azure Active Directory</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.AzureActiveDirectoryProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n\n          <!-- We need this here to suppress the SelfAsserted provider from invoking SSO on validation profiles. 
-->\n          <IncludeInSso>false</IncludeInSso>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-Noop\" />\n        </TechnicalProfile>\n\n        <!-- Technical profiles for social logins -->\n\n        <TechnicalProfile Id=\"AAD-UserWriteUsingAlternativeSecurityId\">\n          <Metadata>\n            <Item Key=\"Operation\">Write</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalAlreadyExists\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaimsTransformations>\n            <InputClaimsTransformation ReferenceId=\"CreateOtherMailsFromEmail\" />\n          </InputClaimsTransformations>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"alternativeSecurityId\" PartnerClaimType=\"alternativeSecurityId\" Required=\"true\" />\n          </InputClaims>\n          <PersistedClaims>\n            <!-- Required claims -->\n            <PersistedClaim ClaimTypeReferenceId=\"alternativeSecurityId\" />\n            <PersistedClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"mailNickName\" DefaultValue=\"unknown\" />\n            <PersistedClaim ClaimTypeReferenceId=\"displayName\" DefaultValue=\"unknown\" />\n\n            <!-- Optional claims -->\n            <PersistedClaim ClaimTypeReferenceId=\"otherMails\" />\n            <PersistedClaim ClaimTypeReferenceId=\"givenName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"surname\" />\n          </PersistedClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"newUser\" PartnerClaimType=\"newClaimsPrincipalCreated\" />\n            <!-- The following other mails claim is needed for the case when a user is created, we get otherMails from directory. 
Self-asserted provider also has an\n                 OutputClaims, and if this is absent, Self-Asserted provider will prompt the user for otherMails. -->\n            <OutputClaim ClaimTypeReferenceId=\"otherMails\" />\n          </OutputClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"AAD-UserReadUsingAlternativeSecurityId\">\n          <Metadata>\n            <Item Key=\"Operation\">Read</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"alternativeSecurityId\" PartnerClaimType=\"alternativeSecurityId\" Required=\"true\" />\n          </InputClaims>\n          <OutputClaims>\n            <!-- Required claims -->\n\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n\n            <!-- Optional claims -->\n            <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"otherMails\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" />\n          </OutputClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"AAD-UserReadUsingAlternativeSecurityId-NoError\">\n          <Metadata>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">false</Item>\n          </Metadata>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-UserReadUsingAlternativeSecurityId\" />\n        </TechnicalProfile>\n\n        <!-- Technical profiles for local accounts -->\n\n        <TechnicalProfile Id=\"AAD-UserWriteUsingLogonEmail\">\n          <Metadata>\n            <Item 
Key=\"Operation\">Write</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalAlreadyExists\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"signInNames.emailAddress\" Required=\"true\" />\n          </InputClaims>\n          <PersistedClaims>\n            <!-- Required claims -->\n            <PersistedClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"signInNames.emailAddress\" />\n            <PersistedClaim ClaimTypeReferenceId=\"newPassword\" PartnerClaimType=\"password\" />\n            <PersistedClaim ClaimTypeReferenceId=\"displayName\" DefaultValue=\"unknown\" />\n            <PersistedClaim ClaimTypeReferenceId=\"passwordPolicies\" DefaultValue=\"DisablePasswordExpiration\" />\n\n            <!-- Optional claims. -->\n            <PersistedClaim ClaimTypeReferenceId=\"givenName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"surname\" />\n          </PersistedClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"newUser\" PartnerClaimType=\"newClaimsPrincipalCreated\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" DefaultValue=\"localAccountAuthentication\" />\n            <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <OutputClaim ClaimTypeReferenceId=\"signInNames.emailAddress\" />\n          </OutputClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"AAD-UserReadUsingEmailAddress\">\n          <Metadata>\n            <Item Key=\"Operation\">Read</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n  
        <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"signInNames.emailAddress\" Required=\"true\" />\n          </InputClaims>\n          <OutputClaims>\n            <!-- Required claims -->\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" DefaultValue=\"localAccountAuthentication\" />\n\n            <!-- Optional claims -->\n            <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"accountEnabled\" />\n            <OutputClaim ClaimTypeReferenceId=\"otherMails\" />\n            <OutputClaim ClaimTypeReferenceId=\"signInNames.emailAddress\" />\n          </OutputClaims>\n          <OutputClaimsTransformations>\n            <OutputClaimsTransformation ReferenceId=\"AssertAccountEnabledIsTrue\" />\n          </OutputClaimsTransformations>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"AAD-UserWritePasswordUsingObjectId\">\n          <Metadata>\n            <Item Key=\"Operation\">Write</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"objectId\" Required=\"true\" />\n          </InputClaims>\n          <PersistedClaims>\n            <PersistedClaim ClaimTypeReferenceId=\"objectId\" />\n            <PersistedClaim ClaimTypeReferenceId=\"newPassword\" PartnerClaimType=\"password\" />\n\n          </PersistedClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n\n        <!-- Technical profiles for updating user record using objectId -->\n\n        <TechnicalProfile Id=\"AAD-UserWriteProfileUsingObjectId\">\n     
     <Metadata>\n            <Item Key=\"Operation\">Write</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalAlreadyExists\">false</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"objectId\" Required=\"true\" />\n          </InputClaims>\n          <PersistedClaims>\n            <!-- Required claims -->\n            <PersistedClaim ClaimTypeReferenceId=\"objectId\" />\n\n            <!-- Optional claims -->\n            <PersistedClaim ClaimTypeReferenceId=\"givenName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"surname\" />\n          </PersistedClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n\n        <!-- The following technical profile is used to read data after user authenticates. -->\n        <TechnicalProfile Id=\"AAD-UserReadUsingObjectId\">\n          <Metadata>\n            <Item Key=\"Operation\">Read</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"objectId\" Required=\"true\" />\n          </InputClaims>\n          <OutputClaims>\n\n            <!-- Optional claims -->\n            <OutputClaim ClaimTypeReferenceId=\"signInNames.emailAddress\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"otherMails\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" />\n          </OutputClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Self 
Asserted</DisplayName>\n      <TechnicalProfiles>\n\n        <TechnicalProfile Id=\"SelfAsserted-Social\">\n          <DisplayName>User ID signup</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"ContentDefinitionReferenceId\">api.socialccountsignup</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n          <InputClaims>\n            <!-- These claims ensure that any values retrieved in the previous steps (e.g. from an external IDP) are prefilled. \n                 Note that some of these claims may not have any value, for example, if the external IDP did not provide any of\n                 these values, or if the claim did not appear in the OutputClaims section of the IDP.\n                 In addition, if a claim is not in the InputClaims section, but it is in the OutputClaims section, then its\n                 value will not be prefilled, but the user will still be prompted for it (with an empty value). -->\n            <InputClaim ClaimTypeReferenceId=\"displayName\" />\n            <InputClaim ClaimTypeReferenceId=\"givenName\" />\n            <InputClaim ClaimTypeReferenceId=\"surname\" />\n          </InputClaims>\n          <DisplayClaims>\n            <!-- Optional claims. These claims are collected from the user and can be modified. If a claim is to be persisted in the directory after having been \n                 collected from the user, it needs to be added as a PersistedClaim in the ValidationTechnicalProfile referenced below, i.e. \n                 in AAD-UserWriteUsingAlternativeSecurityId. 
-->\n            <DisplayClaim ClaimTypeReferenceId=\"displayName\" />\n            <DisplayClaim ClaimTypeReferenceId=\"givenName\" />\n            <DisplayClaim ClaimTypeReferenceId=\"surname\" />\n          </DisplayClaims>\n          <OutputClaims>\n            <!-- These claims are not shown to the user because their value is obtained through the \"ValidationTechnicalProfiles\"\n                 referenced below, or a default value is assigned to the claim. A claim is only shown to the user to provide a \n                 value if its value cannot be obtained through any other means. -->\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"newUser\" />\n            <OutputClaim ClaimTypeReferenceId=\"executed-SelfAsserted-Input\" DefaultValue=\"true\" />\n\n            <!-- Optional claims. These claims are collected from the user and can be modified. If a claim is to be persisted in the directory after having been \n                 collected from the user, it needs to be added as a PersistedClaim in the ValidationTechnicalProfile referenced below, i.e. \n                 in AAD-UserWriteUsingAlternativeSecurityId. 
-->\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserWriteUsingAlternativeSecurityId\" />\n          </ValidationTechnicalProfiles>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-SocialSignup\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"SelfAsserted-ProfileUpdate\">\n          <DisplayName>User ID signup</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"ContentDefinitionReferenceId\">api.selfasserted.profileupdate</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n\n            <InputClaim ClaimTypeReferenceId=\"alternativeSecurityId\" />\n\n            <InputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n\n            <!-- Optional claims. These claims are collected from the user and can be modified. Any claim added here should be updated in the\n                 ValidationTechnicalProfile referenced below so it can be written to directory after being updated by the user, i.e. AAD-UserWriteProfileUsingObjectId. -->\n            <InputClaim ClaimTypeReferenceId=\"givenName\" />\n            <InputClaim ClaimTypeReferenceId=\"surname\" />\n          </InputClaims>\n          <DisplayClaims>\n            <!-- Optional claims. These claims are collected from the user and can be modified. Any claim added here should be updated in the\n                 ValidationTechnicalProfile referenced below so it can be written to directory after being updated by the user, i.e. AAD-UserWriteProfileUsingObjectId. 
-->\n            <DisplayClaim ClaimTypeReferenceId=\"givenName\" />\n            <DisplayClaim ClaimTypeReferenceId=\"surname\" />\n          </DisplayClaims>\n          <OutputClaims>\n            <!-- Required claims -->\n            <OutputClaim ClaimTypeReferenceId=\"executed-SelfAsserted-Input\" DefaultValue=\"true\" />\n\n            <!-- Optional claims. These claims are collected from the user and can be modified. Any claim added here should be updated in the\n                 ValidationTechnicalProfile referenced below so it can be written to directory after being updated by the user, i.e. AAD-UserWriteProfileUsingObjectId. -->\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserWriteProfileUsingObjectId\" />\n          </ValidationTechnicalProfiles>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Local Account</DisplayName>\n      <TechnicalProfiles>\n\n        <TechnicalProfile Id=\"LocalAccountSignUpWithLogonEmail\">\n          <DisplayName>Email signup</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"IpAddressClaimReferenceId\">IpAddress</Item>\n            <Item Key=\"ContentDefinitionReferenceId\">api.localaccountsignup</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"email\" />\n          </InputClaims>\n          <DisplayClaims>\n            <DisplayClaim 
DisplayControlReferenceId=\"emailVerificationControl\" />\n            <DisplayClaim ClaimTypeReferenceId=\"newPassword\" Required=\"true\" />\n            <DisplayClaim ClaimTypeReferenceId=\"reenterPassword\" Required=\"true\" />\n\n            <!-- Optional claims, to be collected from the user -->\n            <DisplayClaim ClaimTypeReferenceId=\"displayName\" />\n            <DisplayClaim ClaimTypeReferenceId=\"givenName\" />\n            <DisplayClaim ClaimTypeReferenceId=\"surName\" />\n          </DisplayClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"email\" />\n            <OutputClaim ClaimTypeReferenceId=\"newPassword\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"reenterPassword\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"executed-SelfAsserted-Input\" DefaultValue=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" />\n            <OutputClaim ClaimTypeReferenceId=\"newUser\" />\n\n            <!-- Optional claims, to be collected from the user -->\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surName\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserWriteUsingLogonEmail\" />\n          </ValidationTechnicalProfiles>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n\n        <!-- This technical profile uses a validation technical profile to authenticate the user. 
-->\n        <TechnicalProfile Id=\"SelfAsserted-LocalAccountSignin-Email\">\n          <DisplayName>Local Account Signin</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"SignUpTarget\">SignUpWithLogonEmailExchange</Item>\n            <Item Key=\"setting.operatingMode\">Email</Item>\n            <Item Key=\"ContentDefinitionReferenceId\">api.localaccountsignin</Item>\n            <Item Key=\"IncludeClaimResolvingInClaimsHandling\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"signInName\" DefaultValue=\"{OIDC:LoginHint}\" AlwaysUseDefaultValue=\"true\" />\n          </InputClaims>\n          <DisplayClaims>\n            <DisplayClaim ClaimTypeReferenceId=\"signInName\" Required=\"true\" />\n            <DisplayClaim ClaimTypeReferenceId=\"password\" Required=\"true\" />\n          </DisplayClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"signInName\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"password\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"login-NonInteractive\" />\n          </ValidationTechnicalProfiles>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n\n        <!-- This technical profile forces the user to verify the email address that they provide on the UI. Only after email is verified, the user account is\n        read from the directory. 
-->\n        <TechnicalProfile Id=\"LocalAccountDiscoveryUsingEmailAddress\">\n          <DisplayName>Reset password using email address</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"IpAddressClaimReferenceId\">IpAddress</Item>\n            <Item Key=\"ContentDefinitionReferenceId\">api.localaccountpasswordreset</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n          <IncludeInSso>false</IncludeInSso>\n          <DisplayClaims>\n            <DisplayClaim DisplayControlReferenceId=\"emailVerificationControl\" />\n          </DisplayClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"email\" />\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" />\n\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserReadUsingEmailAddress\" />\n          </ValidationTechnicalProfiles>\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"LocalAccountWritePasswordUsingObjectId\">\n          <DisplayName>Change password (username)</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"ContentDefinitionReferenceId\">api.localaccountpasswordreset</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n  
        </CryptographicKeys>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"objectId\" />\n\n          </InputClaims>\n          <DisplayClaims>\n            <DisplayClaim ClaimTypeReferenceId=\"newPassword\" Required=\"true\" />\n            <DisplayClaim ClaimTypeReferenceId=\"reenterPassword\" Required=\"true\" />\n          </DisplayClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"newPassword\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"reenterPassword\" Required=\"true\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserWritePasswordUsingObjectId\" />\n          </ValidationTechnicalProfiles>\n        </TechnicalProfile>\n\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Session Management</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"SM-Noop\">\n          <DisplayName>Noop Session Management Provider</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.NoopSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"SM-AAD\">\n          <DisplayName>Session Mananagement Provider</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.DefaultSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <PersistedClaims>\n            <PersistedClaim ClaimTypeReferenceId=\"objectId\" />\n            <PersistedClaim ClaimTypeReferenceId=\"signInName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"authenticationSource\" />\n            <PersistedClaim ClaimTypeReferenceId=\"identityProvider\" />\n            <PersistedClaim ClaimTypeReferenceId=\"newUser\" />\n            <PersistedClaim 
ClaimTypeReferenceId=\"executed-SelfAsserted-Input\" />\n          </PersistedClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectIdFromSession\" DefaultValue=\"true\" />\n          </OutputClaims>\n        </TechnicalProfile>\n\n        <!-- Profile name is being used to disambiguate AAD session between sign up and sign in -->\n        <TechnicalProfile Id=\"SM-SocialSignup\">\n          <IncludeTechnicalProfile ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"SM-SocialLogin\">\n          <DisplayName>Session Mananagement Provider</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.ExternalLoginSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"AlwaysFetchClaimsFromProvider\">true</Item>\n          </Metadata>\n          <PersistedClaims>\n            <PersistedClaim ClaimTypeReferenceId=\"alternativeSecurityId\" />\n          </PersistedClaims>\n        </TechnicalProfile>\n\n        <!-- Session management technical profile for OIDC based tokens -->\n        <TechnicalProfile Id=\"SM-jwt-issuer\">\n          <DisplayName>Session Management Provider</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.OAuthSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Trustframework Policy Engine TechnicalProfiles</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"TpEngine_c3bd4fe2-1775-4013-b91d-35f16d377d13\">\n          <DisplayName>Trustframework Policy Engine Default Technical Profile</DisplayName>\n          <Protocol Name=\"None\" />\n          <Metadata>\n            <Item Key=\"url\">{service:te}</Item>\n          </Metadata>\n        </TechnicalProfile>\n    
  </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Token Issuer</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"JwtIssuer\">\n          <DisplayName>JWT Issuer</DisplayName>\n          <Protocol Name=\"OpenIdConnect\" />\n          <OutputTokenFormat>JWT</OutputTokenFormat>\n          <Metadata>\n            <Item Key=\"client_id\">{service:te}</Item>\n            <Item Key=\"issuer_refresh_token_user_identity_claim_type\">objectId</Item>\n            <Item Key=\"SendTokenResponseBodyWithJsonNumbers\">true</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n            <Key Id=\"issuer_refresh_token_key\" StorageReferenceId=\"B2C_1A_TokenEncryptionKeyContainer\" />\n          </CryptographicKeys>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-jwt-issuer\" />\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n     <!--claims provider for refresh token revocation-->\n  <ClaimsProvider>\n    <DisplayName>Refresh token journey</DisplayName>\n    <TechnicalProfiles>\n      <TechnicalProfile Id=\"RefreshTokenReadAndSetup\">\n        <DisplayName>Trustframework Policy Engine Refresh Token Setup Technical Profile</DisplayName>\n        <Protocol Name=\"None\" />\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n          <OutputClaim ClaimTypeReferenceId=\"refreshTokenIssuedOnDateTime\" />\n           <!--Requirement: Claims that you return in the relying party technical profile output claims\n            that are not stored in Azure AD B2C, must be added to the output claims collection here-->\n          <!--\n          \n          <OutputClaim ClaimTypeReferenceId=\"RESTAPIclaim1\" />\n          <OutputClaim ClaimTypeReferenceId=\"IDPclaim1\" />\n           -->\n        </OutputClaims>\n      
</TechnicalProfile>\n\n\n      <TechnicalProfile Id=\"AAD-UserReadUsingObjectId-CheckRefreshTokenDate\">\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"refreshTokensValidFromDateTime\" />\n          <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n        </OutputClaims>\n        <OutputClaimsTransformations>\n          <OutputClaimsTransformation ReferenceId=\"AssertRefreshTokenIssuedLaterThanValidFromDate\" />\n        </OutputClaimsTransformations>\n        <IncludeTechnicalProfile ReferenceId=\"AAD-UserReadUsingObjectId\" />\n      </TechnicalProfile>\n    </TechnicalProfiles>\n  </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>AAD SSPR</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"AadSspr-SendCode\">\n          <DisplayName>Send Code</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.AadSsprProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"Operation\">SendCode</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"emailAddress\" />\n          </InputClaims>\n        </TechnicalProfile>\n        <TechnicalProfile Id=\"AadSspr-VerifyCode\">\n          <DisplayName>Verify Code</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.AadSsprProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"Operation\">VerifyCode</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"verificationCode\" />\n            <InputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"emailAddress\" />\n          </InputClaims>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n  </ClaimsProviders>\n\n  <UserJourneys>\n\n    
<UserJourney Id=\"SignUpOrSignIn\">\n      <OrchestrationSteps>\n\n        <OrchestrationStep Order=\"1\" Type=\"CombinedSignInAndSignUp\" ContentDefinitionReferenceId=\"api.signuporsignin\">\n          <ClaimsProviderSelections>\n            <ClaimsProviderSelection TargetClaimsExchangeId=\"FacebookExchange\" />\n            <ClaimsProviderSelection ValidationClaimsExchangeId=\"LocalAccountSigninEmailExchange\" />\n          </ClaimsProviderSelections>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"LocalAccountSigninEmailExchange\" TechnicalProfileReferenceId=\"SelfAsserted-LocalAccountSignin-Email\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- Check if the user has selected to sign in using one of the social providers -->\n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>objectId</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"FacebookExchange\" TechnicalProfileReferenceId=\"Facebook-OAUTH\" />\n            <ClaimsExchange Id=\"SignUpWithLogonEmailExchange\" TechnicalProfileReferenceId=\"LocalAccountSignUpWithLogonEmail\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- For social IDP authentication, attempt to find the user account in the directory. 
-->\n        <OrchestrationStep Order=\"3\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimEquals\" ExecuteActionsIf=\"true\">\n              <Value>authenticationSource</Value>\n              <Value>localAccountAuthentication</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserReadUsingAlternativeSecurityId\" TechnicalProfileReferenceId=\"AAD-UserReadUsingAlternativeSecurityId-NoError\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- Show self-asserted page only if the directory does not have the user account already (i.e. we do not have an objectId). \n          This can only happen when authentication happened using a social IDP. If local account was created or authentication done\n          using ESTS in step 2, then an user account must exist in the directory by this time. -->\n        <OrchestrationStep Order=\"4\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>objectId</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"SelfAsserted-Social\" TechnicalProfileReferenceId=\"SelfAsserted-Social\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent \n          in the token. 
-->\n        <OrchestrationStep Order=\"5\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimEquals\" ExecuteActionsIf=\"true\">\n              <Value>authenticationSource</Value>\n              <Value>socialIdpAuthentication</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserReadWithObjectId\" TechnicalProfileReferenceId=\"AAD-UserReadUsingObjectId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <!-- The previous step (SelfAsserted-Social) could have been skipped if there were no attributes to collect \n             from the user. So, in that case, create the user in the directory if one does not already exist \n             (verified using objectId which would be set from the last step if account was created in the directory. -->\n        <OrchestrationStep Order=\"6\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>objectId</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserWrite\" TechnicalProfileReferenceId=\"AAD-UserWriteUsingAlternativeSecurityId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <OrchestrationStep Order=\"7\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n\n      </OrchestrationSteps>\n      <ClientDefinition ReferenceId=\"DefaultWeb\" />\n    </UserJourney>\n\n    <UserJourney Id=\"ProfileEdit\">\n      <OrchestrationSteps>\n\n        <OrchestrationStep Order=\"1\" Type=\"ClaimsProviderSelection\" ContentDefinitionReferenceId=\"api.idpselections\">\n          <ClaimsProviderSelections>\n            <ClaimsProviderSelection 
TargetClaimsExchangeId=\"FacebookExchange\" />\n            <ClaimsProviderSelection TargetClaimsExchangeId=\"LocalAccountSigninEmailExchange\" />\n          </ClaimsProviderSelections>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"FacebookExchange\" TechnicalProfileReferenceId=\"Facebook-OAUTH\" />\n            <ClaimsExchange Id=\"LocalAccountSigninEmailExchange\" TechnicalProfileReferenceId=\"SelfAsserted-LocalAccountSignin-Email\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"3\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimEquals\" ExecuteActionsIf=\"true\">\n              <Value>authenticationSource</Value>\n              <Value>localAccountAuthentication</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserRead\" TechnicalProfileReferenceId=\"AAD-UserReadUsingAlternativeSecurityId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"4\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimEquals\" ExecuteActionsIf=\"true\">\n              <Value>authenticationSource</Value>\n              <Value>socialIdpAuthentication</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserReadWithObjectId\" TechnicalProfileReferenceId=\"AAD-UserReadUsingObjectId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <OrchestrationStep Order=\"5\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"B2CUserProfileUpdateExchange\" 
TechnicalProfileReferenceId=\"SelfAsserted-ProfileUpdate\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"6\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n\n      </OrchestrationSteps>\n      <ClientDefinition ReferenceId=\"DefaultWeb\" />\n    </UserJourney>\n\n    <UserJourney Id=\"PasswordReset\">\n      <OrchestrationSteps>\n        <OrchestrationStep Order=\"1\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"PasswordResetUsingEmailAddressExchange\" TechnicalProfileReferenceId=\"LocalAccountDiscoveryUsingEmailAddress\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"NewCredentials\" TechnicalProfileReferenceId=\"LocalAccountWritePasswordUsingObjectId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"3\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n      </OrchestrationSteps>\n      <ClientDefinition ReferenceId=\"DefaultWeb\" />\n    </UserJourney>\n\n    <UserJourney Id=\"RedeemRefreshToken\">\n      <PreserveOriginalAssertion>false</PreserveOriginalAssertion>\n      <OrchestrationSteps>\n        <OrchestrationStep Order=\"1\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"RefreshTokenSetupExchange\" TechnicalProfileReferenceId=\"RefreshTokenReadAndSetup\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- Extra steps can be added before or after this step for REST API or claims transformation calls-->\n        \n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"CheckRefreshTokenDateFromAadExchange\" 
TechnicalProfileReferenceId=\"AAD-UserReadUsingObjectId-CheckRefreshTokenDate\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"3\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n      </OrchestrationSteps>\n    </UserJourney>\n    \n  </UserJourneys>\n</TrustFrameworkPolicy>"
  },
  {
    "path": "Display Controls Starterpack/SocialAndLocalAccounts/TrustFrameworkExtensions.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n<TrustFrameworkPolicy \n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" \n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\" \n  PolicySchemaVersion=\"0.3.0.0\" \n  TenantId=\"yourtenant.onmicrosoft.com\" \n  PolicyId=\"B2C_1A_TrustFrameworkExtensions\" \n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions\">\n  \n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkLocalization</PolicyId>\n  </BasePolicy>\n <BuildingBlocks>\n\n  </BuildingBlocks>\n\n  <ClaimsProviders>\n\n    <ClaimsProvider>\n      <DisplayName>Facebook</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"Facebook-OAUTH\">\n          <Metadata>\n            <Item Key=\"client_id\">facebook_clientid</Item>\n            <Item Key=\"scope\">email public_profile</Item>\n            <Item Key=\"ClaimsEndpoint\">https://graph.facebook.com/me?fields=id,first_name,last_name,name,email</Item>\n          </Metadata>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n\n    <ClaimsProvider>\n      <DisplayName>Local Account SignIn</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"login-NonInteractive\">\n          <Metadata>\n            <Item Key=\"client_id\">ProxyIdentityExperienceFrameworkAppId</Item>\n            <Item Key=\"IdTokenAudience\">IdentityExperienceFrameworkAppId</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"client_id\" DefaultValue=\"ProxyIdentityExperienceFrameworkAppId\" />\n            <InputClaim ClaimTypeReferenceId=\"resource_id\" PartnerClaimType=\"resource\" DefaultValue=\"IdentityExperienceFrameworkAppId\" />\n          </InputClaims>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n  
</ClaimsProviders>\n\n    <!--UserJourneys>\n\t\n\t</UserJourneys-->\n\n</TrustFrameworkPolicy>\n"
  },
  {
    "path": "Display Controls Starterpack/SocialAndLocalAccounts/TrustFrameworkLocalization.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n<TrustFrameworkPolicy \n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" \n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\" \n  PolicySchemaVersion=\"0.3.0.0\" \n  TenantId=\"yourtenant.onmicrosoft.com\" \n  PolicyId=\"B2C_1A_TrustFrameworkLocalization\" \n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkLocalization\">\n\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>\n  </BasePolicy>\n\n  <BuildingBlocks>\n\n    <ContentDefinitions>\n      <ContentDefinition Id=\"api.signuporsignin\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.signuporsignin.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountsignup\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.localaccountsignup.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.socialccountsignup\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.socialccountsignup.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountpasswordreset\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.localaccountpasswordreset.en\" 
/>\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.idpselections\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.idpselections.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountsignin\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.localaccountsignin.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.selfasserted.profileupdate\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.selfasserted.profileupdate.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n    </ContentDefinitions>\n\n    <Localization Enabled=\"true\">\n      <SupportedLanguages DefaultLanguage=\"en\" MergeBehavior=\"Append\">\n        <SupportedLanguage>en</SupportedLanguage>\n      </SupportedLanguages>\n\n      <LocalizedResources Id=\"api.signuporsignin.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"signInName\" StringId=\"DisplayName\">Email Address</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"heading\">Sign in</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"social_intro\">Sign in with your social account</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"local_intro_generic\">Sign in with your {0}</LocalizedString>\n  
        <LocalizedString ElementType=\"ClaimType\" ElementId=\"password\" StringId=\"DisplayName\">Password</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"requiredField_password\">Please enter your password</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"requiredField_generic\">Please enter your {0}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"invalid_generic\">Please enter a valid {0}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"createaccount_one_link\">Sign up now</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"createaccount_two_links\">Sign up with {0} or {1}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"createaccount_three_links\">Sign up with {0}, {1}, or {2}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"forgotpassword_link\">Forgot your password?</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_signin\">Sign in</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"divider_title\">OR</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"createaccount_intro\">Don't have an account?</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"unknown_error\">We are having trouble signing you in. Please try again later.</LocalizedString>\n          <!-- Uncomment the remember_me only if the keep me signed in is activated. 
\n          <LocalizedString ElementType=\"UxElement\" StringId=\"remember_me\">Keep me signed in</LocalizedString> -->\n          <LocalizedString ElementType=\"ClaimsProvider\" StringId=\"FacebookExchange\">Facebook</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"ResourceOwnerFlowInvalidCredentials\">Your password is incorrect.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfInvalidPassword\">Your password is incorrect.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfPasswordExpired\">Your password has expired.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalDoesNotExist\">We can't seem to find your account.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfOldPasswordUsed\">Looks like you used an old password.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"DefaultMessage\">Invalid username or password.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfUserAccountDisabled\">Your account has been locked. Contact your support person to unlock it, then try again.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfUserAccountLocked\">Your account is temporarily locked to prevent unauthorized use. Try again later.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"AADRequestsThrottled\">There are too many requests at this moment. 
Please wait for some time and try again.</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!--Local account sign-up page English-->\n      <LocalizedResources Id=\"api.localaccountsignup.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"DisplayName\">Email Address</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"UserHelpText\">Email address that can be used to contact you.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"PatternHelpText\">Please enter a valid email address.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"DisplayName\">New Password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"UserHelpText\">Enter new password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"PatternHelpText\">8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ &amp; * - _ + = [ ] { } | \\ : ' , ? / ` ~ \" ( ) ; .</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"DisplayName\">Confirm New Password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"UserHelpText\">Confirm new password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"PatternHelpText\">8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ &amp; * - _ + = [ ] { } | \\ : ' , ? 
/ ` ~ \" ( ) ; .</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"DisplayName\">Display Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"UserHelpText\">Your display name.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"DisplayName\">Surname</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"UserHelpText\">Your surname (also known as family name or last name).</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"DisplayName\">Given Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"UserHelpText\">Your given name (also known as first name).</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_continue\">Create</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_fieldIncorrect\">One or more fields are filled out incorrectly. Please check your entries and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_passwordEntryMismatch\">The password entry fields do not match. Please enter the same password in both fields and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_requiredFieldMissing\">A required field is missing. 
Please fill out all required fields and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"helplink_text\">What is this?</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"initial_intro\">Please provide the following details.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"preloader_alt\">Please wait</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"required_field\">This information is required.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_cancel\">Cancel</LocalizedString>\n          <!-- Display control UI elements-->\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"intro_msg\">Verification is necessary. Please click Send button.</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"success_send_code_msg\">Verification code has been sent to your inbox. Please copy it to the input box below.</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"failure_send_code_msg\">We are having trouble verifying your email address. Please enter a valid email address and try again.</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"success_verify_code_msg\">E-mail address verified. You can now continue.</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"failure_verify_code_msg\">We are having trouble verifying your email address. 
Please try again.</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"but_send_code\">Send verification code</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"but_verify_code\">Verify code</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"but_send_new_code\">Send new code</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"but_change_claims\">Change e-mail</LocalizedString>\n          <!-- Display control errors -->\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfInternalError\">We are having trouble verifying your email address. Please try again later.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfThrottled\">There have been too many requests to verify this email address. Please wait a while, then try again.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfChallengeExpired\">That code is expired. Please request a new code.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfVerificationFailedNoRetry\">You've made too many incorrect attempts. Please try again later.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfVerificationFailedRetryAllowed\">That code is incorrect. Please try again.</LocalizedString>\n          <!-- Generic errors -->\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"ServiceThrottled\">There are too many requests at this moment. 
Please wait for some time and try again.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimNotVerified\">Claim not verified: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalAlreadyExists\">A user with the specified ID already exists. Please choose a different one.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfIncorrectPattern\">Incorrect pattern for: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfInvalidInput\">{0} has invalid input.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfMissingRequiredElement\">Missing required element: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfValidationError\">Error in validation by: {0}</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Social account sign-up page English-->\n      <LocalizedResources Id=\"api.socialccountsignup.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"DisplayName\">Email Address</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"UserHelpText\">Email address that can be used to contact you.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"PatternHelpText\">Please enter a valid email address.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"DisplayName\">Display Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"UserHelpText\">Your display name.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" 
StringId=\"DisplayName\">Surname</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"UserHelpText\">Your surname (also known as family name or last name).</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"DisplayName\">Given Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"UserHelpText\">Your given name (also known as first name).</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_continue\">Create</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_cancel\">Cancel</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalAlreadyExists\">You are already registered, please press the back button and sign in instead.</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Password reset page English-->\n      <LocalizedResources Id=\"api.localaccountpasswordreset.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"DisplayName\">Email Address</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"UserHelpText\">Email address that can be used to contact you.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"PatternHelpText\">Please enter a valid email address.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"DisplayName\">New Password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"UserHelpText\">Enter new password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"PatternHelpText\">8-16 
characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ &amp; * - _ + = [ ] { } | \\ : ' , ? / ` ~ \" ( ) ; .</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"DisplayName\">Confirm New Password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"UserHelpText\">Confirm new password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"PatternHelpText\">8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ &amp; * - _ + = [ ] { } | \\ : ' , ? / ` ~ \" ( ) ; .</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_passwordEntryMismatch\">The password entry fields do not match. Please enter the same password in both fields and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_fieldIncorrect\">One or more fields are filled out incorrectly. Please check your entries and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_continue\">Continue</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_cancel\">Cancel</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalDoesNotExist\">An account could not be found for the provided user ID.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsTransformationBooleanValueIsNotEqual\">Your account has been locked. 
Contact your support person to unlock it, then try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"required_field\">This information is required.</LocalizedString>\n          <!-- Display control UI elements-->\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"intro_msg\">Verification is necessary. Please click Send button.</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"success_send_code_msg\">Verification code has been sent to your inbox. Please copy it to the input box below.</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"failure_send_code_msg\">We are having trouble verifying your email address. Please enter a valid email address and try again.</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"success_verify_code_msg\">E-mail address verified. You can now continue.</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"failure_verify_code_msg\">We are having trouble verifying your email address. 
Please try again.</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"but_send_code\">Send verification code</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"but_verify_code\">Verify code</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"but_send_new_code\">Send new code</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"but_change_claims\">Change e-mail</LocalizedString>\n          <!-- Display control errors -->\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfInternalError\">We are having trouble verifying your email address. Please try again later.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfThrottled\">There have been too many requests to verify this email address. Please wait a while, then try again.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfChallengeExpired\">That code is expired. Please request a new code.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfVerificationFailedNoRetry\">You've made too many incorrect attempts. Please try again later.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfVerificationFailedRetryAllowed\">That code is incorrect. Please try again.</LocalizedString>\n          <!-- Generic errors -->\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"ServiceThrottled\">There are too many requests at this moment. 
Please wait for some time and try again.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimNotVerified\">Claim not verified: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalAlreadyExists\">A user with the specified ID already exists. Please choose a different one.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfIncorrectPattern\">Incorrect pattern for: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfInvalidInput\">{0} has invalid input.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfMissingRequiredElement\">Missing required element: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfValidationError\">Error in validation by: {0}</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Edit profile sign-in page English-->\n      <LocalizedResources Id=\"api.idpselections.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"intro\">Sign in</LocalizedString>\n          <LocalizedString ElementType=\"ClaimsProvider\" StringId=\"LocalAccountSigninEmailExchange\">Local Account Signin</LocalizedString>\n          <LocalizedString ElementType=\"ClaimsProvider\" StringId=\"FacebookExchange\">Facebook</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Edit profile sign-in with local account English-->\n      <LocalizedResources Id=\"api.localaccountsignin.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"signInName\" StringId=\"DisplayName\">Email Address</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"password\" 
StringId=\"DisplayName\">Password</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_continue\">Continue</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_cancel\">Cancel</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"ResourceOwnerFlowInvalidCredentials\">Your password is incorrect.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfInvalidPassword\">Your password is incorrect.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfPasswordExpired\">Your password has expired.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalDoesNotExist\">We can't seem to find your account.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfOldPasswordUsed\">Looks like you used an old password.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"DefaultMessage\">Invalid username or password.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfUserAccountDisabled\">Your account has been locked. Contact your support person to unlock it, then try again.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfUserAccountLocked\">Your account is temporarily locked to prevent unauthorized use. Try again later.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"AADRequestsThrottled\">There are too many requests at this moment. 
Please wait for some time and try again.</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Edit profile page English-->\n      <LocalizedResources Id=\"api.selfasserted.profileupdate.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"DisplayName\">Display Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"UserHelpText\">Your display name.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"DisplayName\">Surname</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"UserHelpText\">Your surname (also known as family name or last name).</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"DisplayName\">Given Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"UserHelpText\">Your given name (also known as first name).</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_continue\">Continue</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_cancel\">Cancel</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n      <!-- Add more languages here -->\n    </Localization>\n  </BuildingBlocks>\n\n</TrustFrameworkPolicy>"
  },
  {
    "path": "Display Controls Starterpack/SocialAndLocalAccountsWithMfa/PasswordReset.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<TrustFrameworkPolicy\n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\"\n  PolicySchemaVersion=\"0.3.0.0\"\n  TenantId=\"yourtenant.onmicrosoft.com\"\n  PolicyId=\"B2C_1A_PasswordReset\"\n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_PasswordReset\">\n\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>\n  </BasePolicy>\n\n  <RelyingParty>\n    <DefaultUserJourney ReferenceId=\"PasswordReset\" />\n    <TechnicalProfile Id=\"PolicyProfile\">\n      <DisplayName>PolicyProfile</DisplayName>\n      <Protocol Name=\"OpenIdConnect\" />\n      <OutputClaims>\n        <OutputClaim ClaimTypeReferenceId=\"email\" />\n        <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"sub\"/>\n        <OutputClaim ClaimTypeReferenceId=\"tenantId\" AlwaysUseDefaultValue=\"true\" DefaultValue=\"{Policy:TenantObjectId}\" />\n      </OutputClaims>\n      <SubjectNamingInfo ClaimType=\"sub\" />\n    </TechnicalProfile>\n  </RelyingParty>\n</TrustFrameworkPolicy>\n\n\n"
  },
  {
    "path": "Display Controls Starterpack/SocialAndLocalAccountsWithMfa/ProfileEdit.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<TrustFrameworkPolicy\n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\"\n  PolicySchemaVersion=\"0.3.0.0\"\n  TenantId=\"yourtenant.onmicrosoft.com\"\n  PolicyId=\"B2C_1A_ProfileEdit\"\n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_ProfileEdit\">\n\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>\n  </BasePolicy>\n\n  <RelyingParty>\n    <DefaultUserJourney ReferenceId=\"ProfileEdit\" />\n    <TechnicalProfile Id=\"PolicyProfile\">\n      <DisplayName>PolicyProfile</DisplayName>\n      <Protocol Name=\"OpenIdConnect\" />\n      <OutputClaims>\n        <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"sub\"/>\n        <OutputClaim ClaimTypeReferenceId=\"tenantId\" AlwaysUseDefaultValue=\"true\" DefaultValue=\"{Policy:TenantObjectId}\" />\n      </OutputClaims>\n      <SubjectNamingInfo ClaimType=\"sub\" />\n    </TechnicalProfile>\n  </RelyingParty>\n</TrustFrameworkPolicy>\n\n\n"
  },
  {
    "path": "Display Controls Starterpack/SocialAndLocalAccountsWithMfa/SignUpOrSignin.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<TrustFrameworkPolicy\n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\"\n  PolicySchemaVersion=\"0.3.0.0\"\n  TenantId=\"yourtenant.onmicrosoft.com\"\n  PolicyId=\"B2C_1A_signup_signin\"\n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_signup_signin\">\n\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>\n  </BasePolicy>\n\n  <RelyingParty>\n    <DefaultUserJourney ReferenceId=\"SignUpOrSignIn\" />\n    <Endpoints>\n      <!--points to refresh token journey when app makes refresh token request-->\n      <Endpoint Id=\"Token\" UserJourneyReferenceId=\"RedeemRefreshToken\" />\n    </Endpoints>\n    <TechnicalProfile Id=\"PolicyProfile\">\n      <DisplayName>PolicyProfile</DisplayName>\n      <Protocol Name=\"OpenIdConnect\" />\n      <OutputClaims>\n        <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n        <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n        <OutputClaim ClaimTypeReferenceId=\"surname\" />\n        <OutputClaim ClaimTypeReferenceId=\"email\" />\n        <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"sub\"/>\n        <OutputClaim ClaimTypeReferenceId=\"identityProvider\" />\n        <OutputClaim ClaimTypeReferenceId=\"tenantId\" AlwaysUseDefaultValue=\"true\" DefaultValue=\"{Policy:TenantObjectId}\" />\n      </OutputClaims>\n      <SubjectNamingInfo ClaimType=\"sub\" />\n    </TechnicalProfile>\n  </RelyingParty>\n</TrustFrameworkPolicy>\n"
  },
  {
    "path": "Display Controls Starterpack/SocialAndLocalAccountsWithMfa/TrustFrameworkBase.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<TrustFrameworkPolicy\n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\"\n  PolicySchemaVersion=\"0.3.0.0\"\n  TenantId=\"yourtenant.onmicrosoft.com\"\n  PolicyId=\"B2C_1A_TrustFrameworkBase\"\n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkBase\">\n\n  <BuildingBlocks>\n    <ClaimsSchema>\n      <!-- The ClaimsSchema is divided into three sections:\n           1. Section I lists the minimum claims that are required for the user journeys to work properly.\n           2. Section II lists the claims required for query string parameters and other special parameters \n              to be passed to other claims providers, esp. login.microsoftonline.com for authentication. \n              Please do not modify these claims.\n           3. Section III lists any additional (optional) claims that can be collected from the user, stored \n              in the directory and sent in tokens during sign in. Add new claims to be collected from the user \n              and/or sent in the token in Section III. -->\n\n      <!-- NOTE: The claims schema contains restrictions on certain claims such as passwords and usernames. \n           The trust framework policy treats Azure AD as any other claims provider and all its restrictions \n           are modelled in the policy. A policy could be modified to add more restrictions, or use another \n           claims provider for credential storage which will have its own restrictions. 
-->\n\n      <!-- SECTION I: Claims required for user journeys to work properly -->\n\n      <!-- The claim socialIdpUserId has been renamed to issuerUserId -->\n      <ClaimType Id=\"issuerUserId\">\n        <DisplayName>Username</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText/>\n        <UserInputType>TextBox</UserInputType>\n        <Restriction>\n          <Pattern RegularExpression=\"^[a-zA-Z0-9]+[a-zA-Z0-9_-]*$\" HelpText=\"The username you provided is not valid. It must begin with an alphabet or number and can contain alphabets, numbers and the following symbols: _ -\" />\n        </Restriction>\n      </ClaimType>\n\n      <ClaimType Id=\"tenantId\">\n        <DisplayName>User's Object's Tenant ID</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"tid\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"tid\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.microsoft.com/identity/claims/tenantid\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Tenant identifier (ID) of the user object in Azure AD.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"objectId\">\n        <DisplayName>User's Object ID</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"oid\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"oid\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.microsoft.com/identity/claims/objectidentifier\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Object identifier (ID) of the user object in Azure AD.</UserHelpText>\n      </ClaimType>\n\n      <!-- Claims needed for local accounts. 
-->\n      <ClaimType Id=\"signInName\">\n        <DisplayName>Sign in name</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText/>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n      <ClaimType Id=\"signInNames.emailAddress\">\n        <DisplayName>Email Address</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Email address to use for signing in.</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n      <ClaimType Id=\"accountEnabled\">\n        <DisplayName>Account Enabled</DisplayName>\n        <DataType>boolean</DataType>\n        <AdminHelpText>Specifies whether the user's account is enabled.</AdminHelpText>\n        <UserHelpText>Specifies whether your account is enabled.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"password\">\n        <DisplayName>Password</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Enter password</UserHelpText>\n        <UserInputType>Password</UserInputType>\n      </ClaimType>\n\n      <!-- The claim types newPassword and reenterPassword are considered special, please do not change the names. 
\n           The UI validates that the user correctly re-entered their password during account creation based on these \n           claim types.\t  -->\n      <ClaimType Id=\"newPassword\">\n        <DisplayName>New Password</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Enter new password</UserHelpText>\n        <UserInputType>Password</UserInputType>\n        <Restriction>\n          <Pattern RegularExpression=\"^((?=.*[a-z])(?=.*[A-Z])(?=.*\\d)|(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9])|(?=.*[a-z])(?=.*\\d)(?=.*[^A-Za-z0-9])|(?=.*[A-Z])(?=.*\\d)(?=.*[^A-Za-z0-9]))([A-Za-z\\d@#$%^&amp;*\\-_+=[\\]{}|\\\\:',?/`~&quot;();!]|\\.(?!@)){8,16}$\" HelpText=\"8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ &amp; * - _ + = [ ] { } | \\ : ' , ? / ` ~ &quot; ( ) ; .\" />\n        </Restriction>\n      </ClaimType>\n      <!-- The password regular expression above is constructed for AAD passwords based on restrictions at https://msdn.microsoft.com/en-us/library/azure/jj943764.aspx\n\n        ^( # one of the following four combinations must appear in the password\n         (?=.*[a-z])(?=.*[A-Z])(?=.*\\d) |            # matches lower case, upper case or digit\n         (?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9]) |  # matches lower case, upper case or special character (i.e. non-alpha or digit)\n         (?=.*[a-z])(?=.*\\d)(?=.*[^A-Za-z0-9]) |     # matches lower case, digit, or special character\n         (?=.*[A-Z])(?=.*\\d)(?=.*[^A-Za-z0-9])       # matches upper case, digit, or special character\n        )\n        ( # The password must match the following restrictions\n         [A-Za-z\\d@#$%^&*\\-_+=[\\]{}|\\\\:',?/`~\"();!] |   # The list of all acceptable characters (without .)\n         \\.(?!@)                                        # or . 
can appear as long as not followed by @\n        ) {8,16}$                                       # the length must be between 8 and 16 chars inclusive\n\n      -->\n\n      <ClaimType Id=\"reenterPassword\">\n        <DisplayName>Confirm New Password</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Confirm new password</UserHelpText>\n        <UserInputType>Password</UserInputType>\n        <Restriction>\n          <Pattern RegularExpression=\"^((?=.*[a-z])(?=.*[A-Z])(?=.*\\d)|(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9])|(?=.*[a-z])(?=.*\\d)(?=.*[^A-Za-z0-9])|(?=.*[A-Z])(?=.*\\d)(?=.*[^A-Za-z0-9]))([A-Za-z\\d@#$%^&amp;*\\-_+=[\\]{}|\\\\:',?/`~&quot;();!]|\\.(?!@)){8,16}$\" HelpText=\" \" />\n        </Restriction>\n      </ClaimType>\n\n      <ClaimType Id=\"passwordPolicies\">\n        <DisplayName>Password Policies</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Password policies used by Azure AD to determine password strength, expiry etc.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"client_id\">\n        <DisplayName>client_id</DisplayName>\n        <DataType>string</DataType>\n        <AdminHelpText>Special parameter passed to EvoSTS.</AdminHelpText>\n        <UserHelpText>Special parameter passed to EvoSTS.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"resource_id\">\n        <DisplayName>resource_id</DisplayName>\n        <DataType>string</DataType>\n        <AdminHelpText>Special parameter passed to EvoSTS.</AdminHelpText>\n        <UserHelpText>Special parameter passed to EvoSTS.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"sub\">\n        <DisplayName>Subject</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"sub\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText/>\n      </ClaimType>\n\n      <ClaimType Id=\"alternativeSecurityId\">\n        
<DisplayName>AlternativeSecurityId</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText/>\n      </ClaimType>\n\n      <ClaimType Id=\"mailNickName\">\n        <DisplayName>MailNickName</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Your mail nick name as stored in the Azure Active Directory.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"identityProvider\">\n        <DisplayName>Identity Provider</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"idp\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"idp\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.microsoft.com/identity/claims/identityprovider\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText/>\n      </ClaimType>\n\n      <ClaimType Id=\"displayName\">\n        <DisplayName>Display Name</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"unique_name\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"name\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Your display name.</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n      <ClaimType Id=\"strongAuthenticationPhoneNumber\">\n        <DisplayName>Phone Number</DisplayName>\n        <DataType>string</DataType>\n        <Mask Type=\"Simple\">XXX-XXX-</Mask>\n        <UserHelpText>Your telephone number</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"Verified.strongAuthenticationPhoneNumber\">\n        <DisplayName>Verified Phone Number</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OpenIdConnect\" 
PartnerClaimType=\"phone_number\" />\n        </DefaultPartnerClaimTypes>\n        <Mask Type=\"Simple\">XXX-XXX-</Mask>\n        <UserHelpText>Your office phone number that has been verified</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"newPhoneNumberEntered\">\n        <DisplayName>New Phone Number Entered</DisplayName>\n        <DataType>boolean</DataType>\n      </ClaimType>\n\n      <ClaimType Id=\"userIdForMFA\">\n        <DisplayName>UserId for MFA</DisplayName>\n        <DataType>string</DataType>\n      </ClaimType>\n\n      <ClaimType Id=\"email\">\n        <DisplayName>Email Address</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"email\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Email address that can be used to contact you.</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n        <Restriction>\n          <Pattern RegularExpression=\"^[a-zA-Z0-9!#$%&amp;'+^_`{}~-]+(?:\\.[a-zA-Z0-9!#$%&amp;'+^_`{}~-]+)*@(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?\\.)+[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?$\" HelpText=\"Please enter a valid email address.\" />\n        </Restriction>\n      </ClaimType>\n\n      <ClaimType Id=\"otherMails\">\n        <DisplayName>Alternate Email Addresses</DisplayName>\n        <DataType>stringCollection</DataType>\n        <UserHelpText>Email addresses that can be used to contact the user.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"userPrincipalName\">\n        <DisplayName>UserPrincipalName</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"upn\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"upn\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.microsoft.com/identity/claims/userprincipalname\" />\n        </DefaultPartnerClaimTypes>\n  
      <UserHelpText>Your user name as stored in the Azure Active Directory.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"upnUserName\">\n        <DisplayName>UPN User Name</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>The user name for creating user principal name.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"newUser\">\n        <DisplayName>User is new</DisplayName>\n        <DataType>boolean</DataType>\n        <UserHelpText/>\n      </ClaimType>\n\n      <ClaimType Id=\"executed-SelfAsserted-Input\">\n        <DisplayName>Executed-SelfAsserted-Input</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>A claim that specifies whether attributes were collected from the user.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"authenticationSource\">\n        <DisplayName>AuthenticationSource</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Specifies whether the user was authenticated at Social IDP or local account.</UserHelpText>\n      </ClaimType>\n\n      \n       <!--claims for refresh token revocation-->\n       <ClaimType Id=\"refreshTokenIssuedOnDateTime\">\n        <DisplayName>refreshTokenIssuedOnDateTime</DisplayName>\n        <DataType>string</DataType>\n        <AdminHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</AdminHelpText>\n        <UserHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"refreshTokensValidFromDateTime\">\n        <DisplayName>refreshTokensValidFromDateTime</DisplayName>\n        <DataType>string</DataType>\n        <AdminHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</AdminHelpText>\n        <UserHelpText>Used to determine if the user should be 
permitted to reauthenticate silently via their existing refresh token.</UserHelpText>\n      </ClaimType>\n\n      <!-- SECTION II: Claims required to pass on special parameters (including some query string parameters) to other claims providers -->\n\n      <ClaimType Id=\"nca\">\n        <DisplayName>nca</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Special parameter passed for local account authentication to login.microsoftonline.com.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"grant_type\">\n        <DisplayName>grant_type</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Special parameter passed for local account authentication to login.microsoftonline.com.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"scope\">\n        <DisplayName>scope</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Special parameter passed for local account authentication to login.microsoftonline.com.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"objectIdFromSession\">\n        <DisplayName>objectIdFromSession</DisplayName>\n        <DataType>boolean</DataType>\n        <UserHelpText>Parameter provided by the default session management provider to indicate that the object id has been retrieved from an SSO session.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"isActiveMFASession\">\n        <DisplayName>isActiveMFASession</DisplayName>\n        <DataType>boolean</DataType>\n        <UserHelpText>Parameter provided by the MFA session management to indicate that the user has an active MFA session.</UserHelpText>\n      </ClaimType>\n\n      <!-- SECTION III: Additional claims that can be collected from the users, stored in the directory, and sent in the token. Add additional claims here. 
-->\n\n      <ClaimType Id=\"givenName\">\n        <DisplayName>Given Name</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"given_name\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"given_name\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Your given name (also known as first name).</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n      <ClaimType Id=\"surname\">\n        <DisplayName>Surname</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"family_name\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"family_name\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Your surname (also known as family name or last name).</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n      <ClaimType Id=\"verificationCode\">\n        <DisplayName>Verification Code</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Enter your verification code</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n    </ClaimsSchema>\n\n    <ClaimsTransformations>\n      <ClaimsTransformation Id=\"CreateOtherMailsFromEmail\" TransformationMethod=\"AddItemToStringCollection\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"email\" TransformationClaimType=\"item\" />\n          <InputClaim ClaimTypeReferenceId=\"otherMails\" TransformationClaimType=\"collection\" />\n        </InputClaims>\n        <OutputClaims>\n          <OutputClaim 
ClaimTypeReferenceId=\"otherMails\" TransformationClaimType=\"collection\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n\n      <ClaimsTransformation Id=\"CreateRandomUPNUserName\" TransformationMethod=\"CreateRandomString\">\n        <InputParameters>\n          <InputParameter Id=\"randomGeneratorType\" DataType=\"string\" Value=\"GUID\" />\n        </InputParameters>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"upnUserName\" TransformationClaimType=\"outputClaim\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n\n      <ClaimsTransformation Id=\"CreateUserPrincipalName\" TransformationMethod=\"FormatStringClaim\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"upnUserName\" TransformationClaimType=\"inputClaim\" />\n        </InputClaims>\n        <InputParameters>\n          <InputParameter Id=\"stringFormat\" DataType=\"string\" Value=\"cpim_{0}@{RelyingPartyTenantId}\" />\n        </InputParameters>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" TransformationClaimType=\"outputClaim\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n\n      <ClaimsTransformation Id=\"CreateAlternativeSecurityId\" TransformationMethod=\"CreateAlternativeSecurityId\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"issuerUserId\" TransformationClaimType=\"key\" />\n          <InputClaim ClaimTypeReferenceId=\"identityProvider\" TransformationClaimType=\"identityProvider\" />\n        </InputClaims>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"alternativeSecurityId\" TransformationClaimType=\"alternativeSecurityId\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n\n      <ClaimsTransformation Id=\"CreateUserIdForMFA\" TransformationMethod=\"FormatStringClaim\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"objectId\" TransformationClaimType=\"inputClaim\" />\n        
</InputClaims>\n        <InputParameters>\n          <InputParameter Id=\"stringFormat\" DataType=\"string\" Value=\"{0}@{RelyingPartyTenantId}\" />\n        </InputParameters>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"userIdForMFA\" TransformationClaimType=\"outputClaim\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n\n      <ClaimsTransformation Id=\"CreateSubjectClaimFromAlternativeSecurityId\" TransformationMethod=\"CreateStringClaim\">\n        <InputParameters>\n          <InputParameter Id=\"value\" DataType=\"string\" Value=\"Not supported currently. Use oid claim.\" />\n        </InputParameters>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"sub\" TransformationClaimType=\"createdClaim\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n\n      <ClaimsTransformation Id=\"AssertAccountEnabledIsTrue\" TransformationMethod=\"AssertBooleanClaimIsEqualToValue\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"accountEnabled\" TransformationClaimType=\"inputClaim\" />\n        </InputClaims>\n        <InputParameters>\n          <InputParameter Id=\"valueToCompareTo\" DataType=\"boolean\" Value=\"true\" />\n        </InputParameters>\n      </ClaimsTransformation>\n      <!--claims transformation for refresh token revocation -->\n      <ClaimsTransformation Id=\"AssertRefreshTokenIssuedLaterThanValidFromDate\" TransformationMethod=\"AssertDateTimeIsGreaterThan\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"refreshTokenIssuedOnDateTime\" TransformationClaimType=\"leftOperand\" />\n          <InputClaim ClaimTypeReferenceId=\"refreshTokensValidFromDateTime\" TransformationClaimType=\"rightOperand\" />\n        </InputClaims>\n        <InputParameters>\n          <InputParameter Id=\"AssertIfEqualTo\" DataType=\"boolean\" Value=\"false\" />\n          <InputParameter Id=\"AssertIfRightOperandIsNotPresent\" DataType=\"boolean\" Value=\"true\" 
/>\n          <InputParameter Id=\"TreatAsEqualIfWithinMillseconds\" DataType=\"int\" Value=\"300000\" />\n        </InputParameters>\n      </ClaimsTransformation>\n\n    </ClaimsTransformations>\n\n    <ClientDefinitions>\n      <ClientDefinition Id=\"DefaultWeb\">\n        <ClientUIFilterFlags>LineMarkers, MetaRefresh</ClientUIFilterFlags>\n      </ClientDefinition>\n    </ClientDefinitions>\n\n    <ContentDefinitions>\n\n      <!-- This content definition is to render an error page that displays unhandled errors. -->\n      <ContentDefinition Id=\"api.error\">\n        <LoadUri>~/tenant/templates/AzureBlue/exception.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:globalexception:1.2.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Error page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.idpselections\">\n        <LoadUri>~/tenant/templates/AzureBlue/idpSelector.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Idp selection page</Item>\n          <Item Key=\"language.intro\">Sign in</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.idpselections.signup\">\n        <LoadUri>~/tenant/templates/AzureBlue/idpSelector.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Idp selection page</Item>\n          <Item Key=\"language.intro\">Sign up</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.signuporsignin\">\n        
<LoadUri>~/tenant/templates/AzureBlue/unified.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:unifiedssp:2.1.5</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Signin and Signup</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.phonefactor\">\n        <LoadUri>~/tenant/templates/AzureBlue/multifactor-1.0.0.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:multifactor:1.2.5</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Multi-factor authentication page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.selfasserted\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Collect information from user page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.selfasserted.profileupdate\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Collect information from user page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountsignup\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n  
        <Item Key=\"DisplayName\">Local account sign up page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountpasswordreset\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Local account change password page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.socialccountsignup\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Collect information from user page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountsignin\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Collect information from user page</Item>\n        </Metadata>\n      </ContentDefinition>\n    </ContentDefinitions>\n\n    <DisplayControls>\n      <DisplayControl Id=\"emailVerificationControl\" UserInterfaceControlType=\"VerificationControl\">\n        <DisplayClaims>\n          <DisplayClaim ClaimTypeReferenceId=\"email\" Required=\"true\" />\n          <DisplayClaim ClaimTypeReferenceId=\"verificationCode\" ControlClaimType=\"VerificationCode\" Required=\"true\" />\n        </DisplayClaims>\n        <OutputClaims></OutputClaims>\n        <Actions>\n          <Action Id=\"SendCode\">\n            
<ValidationClaimsExchange>\n              <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId=\"AadSspr-SendCode\" />\n            </ValidationClaimsExchange>\n          </Action>\n          <Action Id=\"VerifyCode\">\n            <ValidationClaimsExchange>\n              <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId=\"AadSspr-VerifyCode\" />\n            </ValidationClaimsExchange>\n          </Action>\n        </Actions>\n      </DisplayControl>\n    </DisplayControls>\n  </BuildingBlocks>\n\n  <!--\n        A list of all the claim providers that can be used in the technical policies. If a claims provider is not listed \n        in this section, then it cannot be used in a technical policy.\n    -->\n  <ClaimsProviders>\n\n    <ClaimsProvider>\n      <!-- The following Domain element allows this profile to be used if the request comes with domain_hint \n           query string parameter, e.g. domain_hint=facebook.com  -->\n      <Domain>facebook.com</Domain>\n      <DisplayName>Facebook</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"Facebook-OAUTH\">\n          <!-- The text in the following DisplayName element is shown to the user on the claims provider \n               selection screen. 
-->\n          <DisplayName>Facebook</DisplayName>\n          <Protocol Name=\"OAuth2\" />\n          <Metadata>\n            <Item Key=\"ProviderName\">facebook</Item>\n            <Item Key=\"authorization_endpoint\">https://www.facebook.com/dialog/oauth</Item>\n            <Item Key=\"AccessTokenEndpoint\">https://graph.facebook.com/oauth/access_token</Item>\n            <Item Key=\"HttpBinding\">GET</Item>\n            <Item Key=\"UsePolicyInRedirectUri\">0</Item>\n\n            <!-- The Facebook required HTTP GET method, but the access token response is in JSON format from 3/27/2017 -->\n            <Item Key=\"AccessTokenResponseFormat\">json</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"client_secret\" StorageReferenceId=\"B2C_1A_FacebookSecret\" />\n          </CryptographicKeys>\n          <InputClaims />\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"issuerUserId\" PartnerClaimType=\"id\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" PartnerClaimType=\"first_name\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" PartnerClaimType=\"last_name\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" PartnerClaimType=\"name\" />\n            <OutputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"email\" />\n            <OutputClaim ClaimTypeReferenceId=\"identityProvider\" DefaultValue=\"facebook.com\" AlwaysUseDefaultValue=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" DefaultValue=\"socialIdpAuthentication\" AlwaysUseDefaultValue=\"true\" />\n          </OutputClaims>\n          <OutputClaimsTransformations>\n            <OutputClaimsTransformation ReferenceId=\"CreateRandomUPNUserName\" />\n            <OutputClaimsTransformation ReferenceId=\"CreateUserPrincipalName\" />\n            <OutputClaimsTransformation ReferenceId=\"CreateAlternativeSecurityId\" />\n          </OutputClaimsTransformations>\n     
     <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-SocialLogin\" />\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Local Account SignIn</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"login-NonInteractive\">\n          <DisplayName>Local Account SignIn</DisplayName>\n          <Protocol Name=\"OpenIdConnect\" />\n          <Metadata>\n            <Item Key=\"ProviderName\">https://sts.windows.net/</Item>\n            <Item Key=\"METADATA\">https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration</Item>\n            <Item Key=\"authorization_endpoint\">https://login.microsoftonline.com/{tenant}/oauth2/token</Item>\n            <Item Key=\"response_types\">id_token</Item>\n            <Item Key=\"response_mode\">query</Item>\n            <Item Key=\"scope\">email openid</Item>\n\n            <!-- Policy Engine Clients -->\n            <Item Key=\"UsePolicyInRedirectUri\">false</Item>\n            <Item Key=\"HttpBinding\">POST</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"signInName\" PartnerClaimType=\"username\" Required=\"true\" />\n            <InputClaim ClaimTypeReferenceId=\"password\" Required=\"true\" />\n            <InputClaim ClaimTypeReferenceId=\"grant_type\" DefaultValue=\"password\" AlwaysUseDefaultValue=\"true\" />\n            <InputClaim ClaimTypeReferenceId=\"scope\" DefaultValue=\"openid\" AlwaysUseDefaultValue=\"true\" />\n            <InputClaim ClaimTypeReferenceId=\"nca\" PartnerClaimType=\"nca\" DefaultValue=\"1\" />\n          </InputClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"oid\" />\n            <OutputClaim ClaimTypeReferenceId=\"tenantId\" PartnerClaimType=\"tid\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" PartnerClaimType=\"given_name\" />\n            
<OutputClaim ClaimTypeReferenceId=\"surName\" PartnerClaimType=\"family_name\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" PartnerClaimType=\"name\" />\n            <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" PartnerClaimType=\"upn\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" DefaultValue=\"localAccountAuthentication\" />\n          </OutputClaims>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>PhoneFactor</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"PhoneFactor-InputOrVerify\">\n          <DisplayName>PhoneFactor</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.PhoneFactorProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"ContentDefinitionReferenceId\">api.phonefactor</Item>\n            <Item Key=\"ManualPhoneNumberEntryAllowed\">true</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n          <InputClaimsTransformations>\n            <InputClaimsTransformation ReferenceId=\"CreateUserIdForMFA\" />\n          </InputClaimsTransformations>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"userIdForMFA\" PartnerClaimType=\"UserId\" />\n            <InputClaim ClaimTypeReferenceId=\"strongAuthenticationPhoneNumber\" />\n          </InputClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"Verified.strongAuthenticationPhoneNumber\" PartnerClaimType=\"Verified.OfficePhone\" />\n            <OutputClaim ClaimTypeReferenceId=\"newPhoneNumberEntered\" PartnerClaimType=\"newPhoneNumberEntered\" />\n          </OutputClaims>\n          <UseTechnicalProfileForSessionManagement 
ReferenceId=\"SM-MFA\" />\n        </TechnicalProfile>\n\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Azure Active Directory</DisplayName>\n      <TechnicalProfiles>\n\n        <TechnicalProfile Id=\"AAD-Common\">\n          <DisplayName>Azure Active Directory</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.AzureActiveDirectoryProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n\n          <!-- We need this here to suppress the SelfAsserted provider from invoking SSO on validation profiles. -->\n          <IncludeInSso>false</IncludeInSso>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-Noop\" />\n        </TechnicalProfile>\n\n        <!-- Technical profiles for social logins -->\n\n        <TechnicalProfile Id=\"AAD-UserWriteUsingAlternativeSecurityId\">\n          <Metadata>\n            <Item Key=\"Operation\">Write</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalAlreadyExists\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaimsTransformations>\n            <InputClaimsTransformation ReferenceId=\"CreateOtherMailsFromEmail\" />\n          </InputClaimsTransformations>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"alternativeSecurityId\" PartnerClaimType=\"alternativeSecurityId\" Required=\"true\" />\n          </InputClaims>\n          <PersistedClaims>\n            <!-- Required claims -->\n            <PersistedClaim ClaimTypeReferenceId=\"alternativeSecurityId\" />\n            <PersistedClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"mailNickName\" DefaultValue=\"unknown\" />\n            <PersistedClaim 
ClaimTypeReferenceId=\"displayName\" DefaultValue=\"unknown\" />\n\n            <!-- Optional claims -->\n            <PersistedClaim ClaimTypeReferenceId=\"otherMails\" />\n            <PersistedClaim ClaimTypeReferenceId=\"givenName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"surname\" />\n          </PersistedClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"newUser\" PartnerClaimType=\"newClaimsPrincipalCreated\" />\n            <!-- The following other mails claim is needed for the case when a user is created, we get otherMails from directory. Self-asserted provider also has an\n                 OutputClaims, and if this is absent, Self-Asserted provider will prompt the user for otherMails. -->\n            <OutputClaim ClaimTypeReferenceId=\"otherMails\" />\n          </OutputClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"AAD-UserReadUsingAlternativeSecurityId\">\n          <Metadata>\n            <Item Key=\"Operation\">Read</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"alternativeSecurityId\" PartnerClaimType=\"alternativeSecurityId\" Required=\"true\" />\n          </InputClaims>\n          <OutputClaims>\n            <!-- Required claims -->\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"strongAuthenticationPhoneNumber\" />\n            <!-- Optional claims -->\n            <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"otherMails\" />\n            <OutputClaim 
ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" />\n          </OutputClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"AAD-UserReadUsingAlternativeSecurityId-NoError\">\n          <Metadata>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">false</Item>\n          </Metadata>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-UserReadUsingAlternativeSecurityId\" />\n        </TechnicalProfile>\n\n        <!-- Technical profiles for local accounts -->\n\n        <TechnicalProfile Id=\"AAD-UserWriteUsingLogonEmail\">\n          <Metadata>\n            <Item Key=\"Operation\">Write</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalAlreadyExists\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"signInNames.emailAddress\" Required=\"true\" />\n          </InputClaims>\n          <PersistedClaims>\n            <!-- Required claims -->\n            <PersistedClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"signInNames.emailAddress\" />\n            <PersistedClaim ClaimTypeReferenceId=\"newPassword\" PartnerClaimType=\"password\" />\n            <PersistedClaim ClaimTypeReferenceId=\"displayName\" DefaultValue=\"unknown\" />\n            <PersistedClaim ClaimTypeReferenceId=\"passwordPolicies\" DefaultValue=\"DisablePasswordExpiration\" />\n\n            <PersistedClaim ClaimTypeReferenceId=\"Verified.strongAuthenticationPhoneNumber\" PartnerClaimType=\"strongAuthenticationPhoneNumber\" />\n\n            <!-- Optional claims. 
-->\n            <PersistedClaim ClaimTypeReferenceId=\"givenName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"surname\" />\n          </PersistedClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"newUser\" PartnerClaimType=\"newClaimsPrincipalCreated\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" DefaultValue=\"localAccountAuthentication\" />\n            <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <OutputClaim ClaimTypeReferenceId=\"signInNames.emailAddress\" />\n          </OutputClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"AAD-UserReadUsingEmailAddress\">\n          <Metadata>\n            <Item Key=\"Operation\">Read</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"signInNames.emailAddress\" Required=\"true\" />\n          </InputClaims>\n          <OutputClaims>\n            <!-- Required claims -->\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" DefaultValue=\"localAccountAuthentication\" />\n\n            <OutputClaim ClaimTypeReferenceId=\"strongAuthenticationPhoneNumber\" />\n\n            <!-- Optional claims -->\n            <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"accountEnabled\" />\n            <OutputClaim ClaimTypeReferenceId=\"otherMails\" />\n            <OutputClaim 
ClaimTypeReferenceId=\"signInNames.emailAddress\" />\n          </OutputClaims>\n          <OutputClaimsTransformations>\n            <OutputClaimsTransformation ReferenceId=\"AssertAccountEnabledIsTrue\" />\n          </OutputClaimsTransformations>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"AAD-UserWritePasswordUsingObjectId\">\n          <Metadata>\n            <Item Key=\"Operation\">Write</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"objectId\" Required=\"true\" />\n          </InputClaims>\n          <PersistedClaims>\n            <PersistedClaim ClaimTypeReferenceId=\"objectId\" />\n            <PersistedClaim ClaimTypeReferenceId=\"newPassword\" PartnerClaimType=\"password\" />\n\n            <!-- If the user stepped up during password reset, their phone number should be persisted for future authentication requests. 
-->\n            <PersistedClaim ClaimTypeReferenceId=\"Verified.strongAuthenticationPhoneNumber\" PartnerClaimType=\"strongAuthenticationPhoneNumber\" />\n\n          </PersistedClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n\n        <!-- Technical profiles for updating user record using objectId -->\n\n        <TechnicalProfile Id=\"AAD-UserWriteProfileUsingObjectId\">\n          <Metadata>\n            <Item Key=\"Operation\">Write</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalAlreadyExists\">false</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"objectId\" Required=\"true\" />\n          </InputClaims>\n          <PersistedClaims>\n            <!-- Required claims -->\n            <PersistedClaim ClaimTypeReferenceId=\"objectId\" />\n\n            <!-- If the user stepped up during password reset, their phone number should be persisted for future authentication requests. -->\n            <PersistedClaim ClaimTypeReferenceId=\"Verified.strongAuthenticationPhoneNumber\" PartnerClaimType=\"strongAuthenticationPhoneNumber\" />\n\n            <!-- Optional claims -->\n            <PersistedClaim ClaimTypeReferenceId=\"givenName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"surname\" />\n          </PersistedClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n\n        <!-- The following technical profile is used to read data after user authenticates. 
-->\n        <TechnicalProfile Id=\"AAD-UserReadUsingObjectId\">\n          <Metadata>\n            <Item Key=\"Operation\">Read</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"objectId\" Required=\"true\" />\n          </InputClaims>\n          <OutputClaims>\n\n            <!-- Required claims -->\n            <OutputClaim ClaimTypeReferenceId=\"strongAuthenticationPhoneNumber\" />\n\n            <!-- Optional claims -->\n            <OutputClaim ClaimTypeReferenceId=\"signInNames.emailAddress\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"otherMails\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" />\n          </OutputClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"AAD-UserWritePhoneNumberUsingObjectId\">\n          <Metadata>\n            <Item Key=\"Operation\">Write</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalAlreadyExists\">false</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"objectId\" Required=\"true\" />\n          </InputClaims>\n          <PersistedClaims>\n            <PersistedClaim ClaimTypeReferenceId=\"objectId\" />\n            <PersistedClaim ClaimTypeReferenceId=\"Verified.strongAuthenticationPhoneNumber\" PartnerClaimType=\"strongAuthenticationPhoneNumber\" />\n          </PersistedClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n 
   <ClaimsProvider>\n      <DisplayName>Self Asserted</DisplayName>\n      <TechnicalProfiles>\n\n        <TechnicalProfile Id=\"SelfAsserted-Social\">\n          <DisplayName>User ID signup</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"ContentDefinitionReferenceId\">api.socialccountsignup</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n          <InputClaims>\n            <!-- These claims ensure that any values retrieved in the previous steps (e.g. from an external IDP) are prefilled. \n                 Note that some of these claims may not have any value, for example, if the external IDP did not provide any of\n                 these values, or if the claim did not appear in the OutputClaims section of the IDP.\n                 In addition, if a claim is not in the InputClaims section, but it is in the OutputClaims section, then its\n                 value will not be prefilled, but the user will still be prompted for it (with an empty value). -->\n            <InputClaim ClaimTypeReferenceId=\"displayName\" />\n            <InputClaim ClaimTypeReferenceId=\"givenName\" />\n            <InputClaim ClaimTypeReferenceId=\"surname\" />\n          </InputClaims>\n          <DisplayClaims>\n            <!-- Optional claims. These claims are collected from the user and can be modified. If a claim is to be persisted in the directory after having been \n                 collected from the user, it needs to be added as a PersistedClaim in the ValidationTechnicalProfile referenced below, i.e. \n                 in AAD-UserWriteUsingAlternativeSecurityId. 
-->\n            <DisplayClaim ClaimTypeReferenceId=\"displayName\" />\n            <DisplayClaim ClaimTypeReferenceId=\"givenName\" />\n            <DisplayClaim ClaimTypeReferenceId=\"surname\" />\n          </DisplayClaims>\n          <OutputClaims>\n            <!-- These claims are not shown to the user because their value is obtained through the \"ValidationTechnicalProfiles\"\n                 referenced below, or a default value is assigned to the claim. A claim is only shown to the user to provide a \n                 value if its value cannot be obtained through any other means. -->\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"newUser\" />\n            <OutputClaim ClaimTypeReferenceId=\"executed-SelfAsserted-Input\" DefaultValue=\"true\" />\n\n            <!-- Optional claims. These claims are collected from the user and can be modified. If a claim is to be persisted in the directory after having been \n                 collected from the user, it needs to be added as a PersistedClaim in the ValidationTechnicalProfile referenced below, i.e. \n                 in AAD-UserWriteUsingAlternativeSecurityId. 
-->\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserWriteUsingAlternativeSecurityId\" />\n          </ValidationTechnicalProfiles>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-SocialSignup\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"SelfAsserted-ProfileUpdate\">\n          <DisplayName>User ID signup</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"ContentDefinitionReferenceId\">api.selfasserted.profileupdate</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"alternativeSecurityId\" />\n            <InputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n\n            <!-- Optional claims. These claims are collected from the user and can be modified. Any claim added here should be updated in the\n                 ValidationTechnicalProfile referenced below so it can be written to directory after being updated by the user, i.e. AAD-UserWriteProfileUsingObjectId. -->\n            <InputClaim ClaimTypeReferenceId=\"givenName\" />\n            <InputClaim ClaimTypeReferenceId=\"surname\" />\n          </InputClaims>\n          <DisplayClaims>\n            <!-- Optional claims. These claims are collected from the user and can be modified. Any claim added here should be updated in the\n                 ValidationTechnicalProfile referenced below so it can be written to directory after being updated by the user, i.e. AAD-UserWriteProfileUsingObjectId. 
-->\n            <DisplayClaim ClaimTypeReferenceId=\"givenName\" />\n            <DisplayClaim ClaimTypeReferenceId=\"surname\" />\n          </DisplayClaims>\n          <OutputClaims>\n            <!-- Required claims -->\n            <OutputClaim ClaimTypeReferenceId=\"executed-SelfAsserted-Input\" DefaultValue=\"true\" />\n\n            <!-- Optional claims. These claims are collected from the user and can be modified. Any claim added here should be updated in the\n                 ValidationTechnicalProfile referenced below so it can be written to directory after being updated by the user, i.e. AAD-UserWriteProfileUsingObjectId. -->\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserWriteProfileUsingObjectId\" />\n          </ValidationTechnicalProfiles>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Local Account</DisplayName>\n      <TechnicalProfiles>\n\n        <TechnicalProfile Id=\"LocalAccountSignUpWithLogonEmail\">\n          <DisplayName>Email signup</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"IpAddressClaimReferenceId\">IpAddress</Item>\n            <Item Key=\"ContentDefinitionReferenceId\">api.localaccountsignup</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"email\" />\n          </InputClaims>\n          <DisplayClaims>\n            <DisplayClaim 
DisplayControlReferenceId=\"emailVerificationControl\" />\n            <DisplayClaim ClaimTypeReferenceId=\"newPassword\" Required=\"true\" />\n            <DisplayClaim ClaimTypeReferenceId=\"reenterPassword\" Required=\"true\" />\n\n            <!-- Optional claims, to be collected from the user -->\n            <DisplayClaim ClaimTypeReferenceId=\"displayName\" />\n            <DisplayClaim ClaimTypeReferenceId=\"givenName\" />\n            <DisplayClaim ClaimTypeReferenceId=\"surName\" />\n          </DisplayClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"email\" />\n            <OutputClaim ClaimTypeReferenceId=\"newPassword\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"reenterPassword\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"executed-SelfAsserted-Input\" DefaultValue=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" />\n            <OutputClaim ClaimTypeReferenceId=\"newUser\" />\n\n            <!-- Optional claims, to be collected from the user -->\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surName\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserWriteUsingLogonEmail\" />\n          </ValidationTechnicalProfiles>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n\n        <!-- This technical profile uses a validation technical profile to authenticate the user. 
-->\n        <TechnicalProfile Id=\"SelfAsserted-LocalAccountSignin-Email\">\n          <DisplayName>Local Account Signin</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"SignUpTarget\">SignUpWithLogonEmailExchange</Item>\n            <Item Key=\"setting.operatingMode\">Email</Item>\n            <Item Key=\"ContentDefinitionReferenceId\">api.localaccountsignin</Item>\n            <Item Key=\"IncludeClaimResolvingInClaimsHandling\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"signInName\" DefaultValue=\"{OIDC:LoginHint}\" AlwaysUseDefaultValue=\"true\" />\n          </InputClaims>\n          <DisplayClaims>\n            <DisplayClaim ClaimTypeReferenceId=\"signInName\" Required=\"true\" />\n            <DisplayClaim ClaimTypeReferenceId=\"password\" Required=\"true\" />\n          </DisplayClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"signInName\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"password\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"login-NonInteractive\" />\n          </ValidationTechnicalProfiles>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n\n        <!-- This technical profile forces the user to verify the email address that they provide on the UI. Only after the email address is verified is the user account\n        read from the directory (AAD-UserReadUsingEmailAddress, which raises an error if no such account exists). Keep the verification step before the directory read: reading first would let an unauthenticated caller learn which email addresses have accounts. 
-->\n        <TechnicalProfile Id=\"LocalAccountDiscoveryUsingEmailAddress\">\n          <DisplayName>Reset password using email address</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"IpAddressClaimReferenceId\">IpAddress</Item>\n            <Item Key=\"ContentDefinitionReferenceId\">api.localaccountpasswordreset</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n          <IncludeInSso>false</IncludeInSso>\n          <DisplayClaims>\n            <DisplayClaim DisplayControlReferenceId=\"emailVerificationControl\" />\n          </DisplayClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"email\" />\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" />\n\n            <OutputClaim ClaimTypeReferenceId=\"strongAuthenticationPhoneNumber\" />\n\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserReadUsingEmailAddress\" />\n          </ValidationTechnicalProfiles>\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"LocalAccountWritePasswordUsingObjectId\">\n          <DisplayName>Change password (username)</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"ContentDefinitionReferenceId\">api.localaccountpasswordreset</Item>\n          </Metadata>\n          <CryptographicKeys>\n           
 <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"objectId\" />\n\n            <InputClaim ClaimTypeReferenceId=\"Verified.strongAuthenticationPhoneNumber\" />\n\n          </InputClaims>\n          <DisplayClaims>\n            <DisplayClaim ClaimTypeReferenceId=\"newPassword\" Required=\"true\" />\n            <DisplayClaim ClaimTypeReferenceId=\"reenterPassword\" Required=\"true\" />\n          </DisplayClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"newPassword\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"reenterPassword\" Required=\"true\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserWritePasswordUsingObjectId\" />\n          </ValidationTechnicalProfiles>\n        </TechnicalProfile>\n\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Session Management</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"SM-Noop\">\n          <DisplayName>Noop Session Management Provider</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.NoopSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"SM-AAD\">\n          <DisplayName>Session Management Provider</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.DefaultSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <PersistedClaims>\n            <PersistedClaim ClaimTypeReferenceId=\"objectId\" />\n            <PersistedClaim ClaimTypeReferenceId=\"signInName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"authenticationSource\" />\n            
<PersistedClaim ClaimTypeReferenceId=\"identityProvider\" />\n            <PersistedClaim ClaimTypeReferenceId=\"newUser\" />\n            <PersistedClaim ClaimTypeReferenceId=\"executed-SelfAsserted-Input\" />\n          </PersistedClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectIdFromSession\" DefaultValue=\"true\" />\n          </OutputClaims>\n        </TechnicalProfile>\n\n        <!-- The profile name is used to disambiguate the AAD session between sign-up and sign-in -->\n        <TechnicalProfile Id=\"SM-SocialSignup\">\n          <IncludeTechnicalProfile ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"SM-SocialLogin\">\n          <DisplayName>Session Management Provider</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.ExternalLoginSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"AlwaysFetchClaimsFromProvider\">true</Item>\n          </Metadata>\n          <PersistedClaims>\n            <PersistedClaim ClaimTypeReferenceId=\"alternativeSecurityId\" />\n          </PersistedClaims>\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"SM-MFA\">\n          <DisplayName>Session Management Provider</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.DefaultSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <PersistedClaims>\n            <PersistedClaim ClaimTypeReferenceId=\"Verified.strongAuthenticationPhoneNumber\" />\n          </PersistedClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"isActiveMFASession\" DefaultValue=\"true\" />\n          </OutputClaims>\n        </TechnicalProfile>\n\n        <!-- Session management technical profile for OIDC-based tokens -->\n        <TechnicalProfile Id=\"SM-jwt-issuer\">\n          
<DisplayName>Session Management Provider</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.OAuthSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Trustframework Policy Engine TechnicalProfiles</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"TpEngine_c3bd4fe2-1775-4013-b91d-35f16d377d13\">\n          <DisplayName>Trustframework Policy Engine Default Technical Profile</DisplayName>\n          <Protocol Name=\"None\" />\n          <Metadata>\n            <Item Key=\"url\">{service:te}</Item>\n          </Metadata>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Token Issuer</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"JwtIssuer\">\n          <DisplayName>JWT Issuer</DisplayName>\n          <Protocol Name=\"OpenIdConnect\" />\n          <OutputTokenFormat>JWT</OutputTokenFormat>\n          <Metadata>\n            <Item Key=\"client_id\">{service:te}</Item>\n            <Item Key=\"issuer_refresh_token_user_identity_claim_type\">objectId</Item>\n            <Item Key=\"SendTokenResponseBodyWithJsonNumbers\">true</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n            <Key Id=\"issuer_refresh_token_key\" StorageReferenceId=\"B2C_1A_TokenEncryptionKeyContainer\" />\n          </CryptographicKeys>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-jwt-issuer\" />\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    \n     <!--claims provider for refresh token revocation-->\n  <ClaimsProvider>\n    <DisplayName>Refresh token journey</DisplayName>\n    <TechnicalProfiles>\n      
<TechnicalProfile Id=\"RefreshTokenReadAndSetup\">\n        <DisplayName>Trustframework Policy Engine Refresh Token Setup Technical Profile</DisplayName>\n        <Protocol Name=\"None\" />\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n          <OutputClaim ClaimTypeReferenceId=\"refreshTokenIssuedOnDateTime\" />\n           <!--Requirement: Claims that you return in the relying party technical profile output claims\n            that are not stored in Azure AD B2C, must be added to the output claims collection here-->\n          <!--\n          \n          <OutputClaim ClaimTypeReferenceId=\"RESTAPIclaim1\" />\n          <OutputClaim ClaimTypeReferenceId=\"IDPclaim1\" />\n           -->\n        </OutputClaims>\n      </TechnicalProfile>\n\n\n      <TechnicalProfile Id=\"AAD-UserReadUsingObjectId-CheckRefreshTokenDate\">\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"refreshTokensValidFromDateTime\" />\n          <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n        </OutputClaims>\n        <OutputClaimsTransformations>\n          <OutputClaimsTransformation ReferenceId=\"AssertRefreshTokenIssuedLaterThanValidFromDate\" />\n        </OutputClaimsTransformations>\n        <IncludeTechnicalProfile ReferenceId=\"AAD-UserReadUsingObjectId\" />\n      </TechnicalProfile>\n    </TechnicalProfiles>\n  </ClaimsProvider>\n\n\n    <ClaimsProvider>\n      <DisplayName>AAD SSPR</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"AadSspr-SendCode\">\n          <DisplayName>Send Code</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.AadSsprProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"Operation\">SendCode</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"emailAddress\" />\n       
   </InputClaims>\n        </TechnicalProfile>\n        <TechnicalProfile Id=\"AadSspr-VerifyCode\">\n          <DisplayName>Verify Code</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.AadSsprProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"Operation\">VerifyCode</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"verificationCode\" />\n            <InputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"emailAddress\" />\n          </InputClaims>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n  </ClaimsProviders>\n\n  <UserJourneys>\n\n    <UserJourney Id=\"SignUpOrSignIn\">\n      <OrchestrationSteps>\n\n        <OrchestrationStep Order=\"1\" Type=\"CombinedSignInAndSignUp\" ContentDefinitionReferenceId=\"api.signuporsignin\">\n          <ClaimsProviderSelections>\n            <ClaimsProviderSelection TargetClaimsExchangeId=\"FacebookExchange\" />\n            <ClaimsProviderSelection ValidationClaimsExchangeId=\"LocalAccountSigninEmailExchange\" />\n          </ClaimsProviderSelections>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"LocalAccountSigninEmailExchange\" TechnicalProfileReferenceId=\"SelfAsserted-LocalAccountSignin-Email\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- Check if the user has selected to sign in using one of the social providers -->\n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>objectId</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"FacebookExchange\" 
TechnicalProfileReferenceId=\"Facebook-OAUTH\" />\n            <ClaimsExchange Id=\"SignUpWithLogonEmailExchange\" TechnicalProfileReferenceId=\"LocalAccountSignUpWithLogonEmail\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- For social IDP authentication, attempt to find the user account in the directory. -->\n        <OrchestrationStep Order=\"3\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimEquals\" ExecuteActionsIf=\"true\">\n              <Value>authenticationSource</Value>\n              <Value>localAccountAuthentication</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserReadUsingAlternativeSecurityId\" TechnicalProfileReferenceId=\"AAD-UserReadUsingAlternativeSecurityId-NoError\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- Show the self-asserted page only if the directory does not already have the user account (i.e. we do not have an objectId). \n          This can only happen when authentication happened using a social IDP. If a local account was created or authentication was done\n          using ESTS in step 2, then a user account must exist in the directory by this time. 
-->\n        <OrchestrationStep Order=\"4\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>objectId</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"SelfAsserted-Social\" TechnicalProfileReferenceId=\"SelfAsserted-Social\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent \n          in the token. -->\n        <OrchestrationStep Order=\"5\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimEquals\" ExecuteActionsIf=\"true\">\n              <Value>authenticationSource</Value>\n              <Value>socialIdpAuthentication</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserReadWithObjectId\" TechnicalProfileReferenceId=\"AAD-UserReadUsingObjectId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <!-- The earlier SelfAsserted-Social step could have been skipped if there were no attributes to collect \n             from the user. So, in that case, create the user in the directory if one does not already exist \n             (verified using objectId, which would have been set by that step if the account was created in the directory). 
-->\n        <OrchestrationStep Order=\"6\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>objectId</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserWrite\" TechnicalProfileReferenceId=\"AAD-UserWriteUsingAlternativeSecurityId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- Phone verification: If MFA is not required, the next three steps (#5-#7) should be removed.\n             This step checks whether there's a phone number on record,  for the user. If found, then the user is challenged to verify it. -->\n        <OrchestrationStep Order=\"7\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>isActiveMFASession</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"PhoneFactor-Verify\" TechnicalProfileReferenceId=\"PhoneFactor-InputOrVerify\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- Save MFA phone number: The precondition verifies whether the user provided a new number in the \n             previous step. If so, then the phone number is stored in the directory for future authentication \n             requests. 
-->\n        <OrchestrationStep Order=\"8\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"false\">\n              <Value>newPhoneNumberEntered</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserWriteWithObjectId\" TechnicalProfileReferenceId=\"AAD-UserWritePhoneNumberUsingObjectId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"9\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n\n      </OrchestrationSteps>\n      <ClientDefinition ReferenceId=\"DefaultWeb\" />\n    </UserJourney>\n\n    <UserJourney Id=\"ProfileEdit\">\n      <OrchestrationSteps>\n\n        <OrchestrationStep Order=\"1\" Type=\"ClaimsProviderSelection\" ContentDefinitionReferenceId=\"api.idpselections\">\n          <ClaimsProviderSelections>\n            <ClaimsProviderSelection TargetClaimsExchangeId=\"FacebookExchange\" />\n            <ClaimsProviderSelection TargetClaimsExchangeId=\"LocalAccountSigninEmailExchange\" />\n          </ClaimsProviderSelections>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"FacebookExchange\" TechnicalProfileReferenceId=\"Facebook-OAUTH\" />\n            <ClaimsExchange Id=\"LocalAccountSigninEmailExchange\" TechnicalProfileReferenceId=\"SelfAsserted-LocalAccountSignin-Email\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"3\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimEquals\" ExecuteActionsIf=\"true\">\n              <Value>authenticationSource</Value>\n              <Value>localAccountAuthentication</Value>\n              
<Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserRead\" TechnicalProfileReferenceId=\"AAD-UserReadUsingAlternativeSecurityId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"4\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimEquals\" ExecuteActionsIf=\"true\">\n              <Value>authenticationSource</Value>\n              <Value>socialIdpAuthentication</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserReadWithObjectId\" TechnicalProfileReferenceId=\"AAD-UserReadUsingObjectId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- If the user ever stepped up to use 2FA, profile update must verify it again, because the user will be able to change\n          their sign-in email address or strong authentication email here. This guards against the scenario where a user's \n          password is stolen: without this step, the attacker could change the email addresses, leaving no way for the user to recover their account.\n          By requiring 2FA, a stolen password alone cannot be used to take over the account completely. 
-->\n        <OrchestrationStep Order=\"5\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"PhoneFactor\" TechnicalProfileReferenceId=\"PhoneFactor-InputOrVerify\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"6\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"B2CUserProfileUpdateExchange\" TechnicalProfileReferenceId=\"SelfAsserted-ProfileUpdate\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"7\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n\n      </OrchestrationSteps>\n      <ClientDefinition ReferenceId=\"DefaultWeb\" />\n    </UserJourney>\n\n    <UserJourney Id=\"PasswordReset\">\n      <OrchestrationSteps>\n        <OrchestrationStep Order=\"1\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"PasswordResetUsingEmailAddressExchange\" TechnicalProfileReferenceId=\"LocalAccountDiscoveryUsingEmailAddress\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"PhoneFactor-Verify\" TechnicalProfileReferenceId=\"PhoneFactor-InputOrVerify\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"3\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"NewCredentials\" TechnicalProfileReferenceId=\"LocalAccountWritePasswordUsingObjectId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"4\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n      </OrchestrationSteps>\n      <ClientDefinition ReferenceId=\"DefaultWeb\" />\n    </UserJourney>\n\n    <UserJourney Id=\"RedeemRefreshToken\">\n      
<PreserveOriginalAssertion>false</PreserveOriginalAssertion>\n      <OrchestrationSteps>\n        <OrchestrationStep Order=\"1\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"RefreshTokenSetupExchange\" TechnicalProfileReferenceId=\"RefreshTokenReadAndSetup\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- Extra steps can be added before or after this step for REST API or claims transformation calls-->\n        \n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"CheckRefreshTokenDateFromAadExchange\" TechnicalProfileReferenceId=\"AAD-UserReadUsingObjectId-CheckRefreshTokenDate\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"3\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n      </OrchestrationSteps>\n    </UserJourney>\n\n    \n  </UserJourneys>\n</TrustFrameworkPolicy>\n"
  },
  {
    "path": "Display Controls Starterpack/SocialAndLocalAccountsWithMfa/TrustFrameworkExtensions.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n<TrustFrameworkPolicy \n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" \n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\" \n  PolicySchemaVersion=\"0.3.0.0\" \n  TenantId=\"yourtenant.onmicrosoft.com\" \n  PolicyId=\"B2C_1A_TrustFrameworkExtensions\" \n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions\">\n  \n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkLocalization</PolicyId>\n  </BasePolicy>\n <BuildingBlocks>\n\n  </BuildingBlocks>\n\n  <ClaimsProviders>\n\n    <ClaimsProvider>\n      <DisplayName>Facebook</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"Facebook-OAUTH\">\n          <Metadata>\n            <Item Key=\"client_id\">facebook_clientid</Item>\n            <Item Key=\"scope\">email public_profile</Item>\n            <Item Key=\"ClaimsEndpoint\">https://graph.facebook.com/me?fields=id,first_name,last_name,name,email</Item>\n          </Metadata>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n\n    <ClaimsProvider>\n      <DisplayName>Local Account SignIn</DisplayName>\n      <TechnicalProfiles>\n         <TechnicalProfile Id=\"login-NonInteractive\">\n          <Metadata>\n            <Item Key=\"client_id\">ProxyIdentityExperienceFrameworkAppId</Item>\n            <Item Key=\"IdTokenAudience\">IdentityExperienceFrameworkAppId</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"client_id\" DefaultValue=\"ProxyIdentityExperienceFrameworkAppId\" />\n            <InputClaim ClaimTypeReferenceId=\"resource_id\" PartnerClaimType=\"resource\" DefaultValue=\"IdentityExperienceFrameworkAppId\" />\n          </InputClaims>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n  
</ClaimsProviders>\n\n    <!--UserJourneys>\n\t\n\t</UserJourneys-->\n\n</TrustFrameworkPolicy>\n"
  },
  {
    "path": "Display Controls Starterpack/SocialAndLocalAccountsWithMfa/TrustFrameworkLocalization.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n<TrustFrameworkPolicy \n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" \n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\" \n  PolicySchemaVersion=\"0.3.0.0\" \n  TenantId=\"yourtenant.onmicrosoft.com\" \n  PolicyId=\"B2C_1A_TrustFrameworkLocalization\" \n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkLocalization\">\n\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>\n  </BasePolicy>\n\n  <BuildingBlocks>\n\n    <ContentDefinitions>\n      <ContentDefinition Id=\"api.signuporsignin\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.signuporsignin.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountsignup\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.localaccountsignup.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.socialccountsignup\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.socialccountsignup.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountpasswordreset\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.localaccountpasswordreset.en\" 
/>\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.idpselections\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.idpselections.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountsignin\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.localaccountsignin.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.selfasserted.profileupdate\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.selfasserted.profileupdate.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.phonefactor\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.phonefactor.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n    </ContentDefinitions>\n\n    <Localization Enabled=\"true\">\n      <SupportedLanguages DefaultLanguage=\"en\" MergeBehavior=\"Append\">\n        <SupportedLanguage>en</SupportedLanguage>\n      </SupportedLanguages>\n\n      <LocalizedResources Id=\"api.signuporsignin.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"signInName\" StringId=\"DisplayName\">Email Address</LocalizedString>\n          
<LocalizedString ElementType=\"UxElement\" StringId=\"heading\">Sign in</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"social_intro\">Sign in with your social account</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"local_intro_generic\">Sign in with your {0}</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"password\" StringId=\"DisplayName\">Password</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"requiredField_password\">Please enter your password</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"requiredField_generic\">Please enter your {0}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"invalid_generic\">Please enter a valid {0}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"createaccount_one_link\">Sign up now</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"createaccount_two_links\">Sign up with {0} or {1}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"createaccount_three_links\">Sign up with {0}, {1}, or {2}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"forgotpassword_link\">Forgot your password?</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_signin\">Sign in</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"divider_title\">OR</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"createaccount_intro\">Don't have an account?</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"unknown_error\">We are having trouble signing you in. Please try again later.</LocalizedString>\n          <!-- Uncomment the remember_me only if the keep me signed in is activated. 
\n          <LocalizedString ElementType=\"UxElement\" StringId=\"remember_me\">Keep me signed in</LocalizedString> -->\n          <LocalizedString ElementType=\"ClaimsProvider\" StringId=\"FacebookExchange\">Facebook</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"ResourceOwnerFlowInvalidCredentials\">Your password is incorrect.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfInvalidPassword\">Your password is incorrect.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfPasswordExpired\">Your password has expired.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalDoesNotExist\">We can't seem to find your account.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfOldPasswordUsed\">Looks like you used an old password.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"DefaultMessage\">Invalid username or password.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfUserAccountDisabled\">Your account has been locked. Contact your support person to unlock it, then try again.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfUserAccountLocked\">Your account is temporarily locked to prevent unauthorized use. Try again later.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"AADRequestsThrottled\">There are too many requests at this moment. 
Please wait for some time and try again.</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!--Local account sign-up page English-->\n      <LocalizedResources Id=\"api.localaccountsignup.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"DisplayName\">Email Address</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"UserHelpText\">Email address that can be used to contact you.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"PatternHelpText\">Please enter a valid email address.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"DisplayName\">New Password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"UserHelpText\">Enter new password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"PatternHelpText\">8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ &amp; * - _ + = [ ] { } | \\ : ' , ? / ` ~ \" ( ) ; .</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"DisplayName\">Confirm New Password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"UserHelpText\">Confirm new password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"PatternHelpText\">8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ &amp; * - _ + = [ ] { } | \\ : ' , ? 
/ ` ~ \" ( ) ; .</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"DisplayName\">Display Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"UserHelpText\">Your display name.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"DisplayName\">Surname</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"UserHelpText\">Your surname (also known as family name or last name).</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"DisplayName\">Given Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"UserHelpText\">Your given name (also known as first name).</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_continue\">Create</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_fieldIncorrect\">One or more fields are filled out incorrectly. Please check your entries and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_passwordEntryMismatch\">The password entry fields do not match. Please enter the same password in both fields and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_requiredFieldMissing\">A required field is missing. 
Please fill out all required fields and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"helplink_text\">What is this?</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"initial_intro\">Please provide the following details.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"preloader_alt\">Please wait</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"required_field\">This information is required.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_cancel\">Cancel</LocalizedString>\n          <!-- Display control UI elements-->\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"intro_msg\">Verification is necessary. Please click Send button.</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"success_send_code_msg\">Verification code has been sent to your inbox. Please copy it to the input box below.</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"failure_send_code_msg\">We are having trouble verifying your email address. Please enter a valid email address and try again.</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"success_verify_code_msg\">E-mail address verified. You can now continue.</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"failure_verify_code_msg\">We are having trouble verifying your email address. 
Please try again.</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"but_send_code\">Send verification code</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"but_verify_code\">Verify code</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"but_send_new_code\">Send new code</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"but_change_claims\">Change e-mail</LocalizedString>\n          <!-- Display control errors -->\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfInternalError\">We are having trouble verifying your email address. Please try again later.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfThrottled\">There have been too many requests to verify this email address. Please wait a while, then try again.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfChallengeExpired\">That code is expired. Please request a new code.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfVerificationFailedNoRetry\">You've made too many incorrect attempts. Please try again later.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfVerificationFailedRetryAllowed\">That code is incorrect. Please try again.</LocalizedString>\n          <!-- Generic errors -->\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"ServiceThrottled\">There are too many requests at this moment. 
Please wait for some time and try again.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimNotVerified\">Claim not verified: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalAlreadyExists\">A user with the specified ID already exists. Please choose a different one.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfIncorrectPattern\">Incorrect pattern for: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfInvalidInput\">{0} has invalid input.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfMissingRequiredElement\">Missing required element: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfValidationError\">Error in validation by: {0}</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Social account sign-up page English-->\n      <LocalizedResources Id=\"api.socialccountsignup.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"DisplayName\">Email Address</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"UserHelpText\">Email address that can be used to contact you.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"PatternHelpText\">Please enter a valid email address.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"DisplayName\">Display Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"UserHelpText\">Your display name.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" 
StringId=\"DisplayName\">Surname</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"UserHelpText\">Your surname (also known as family name or last name).</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"DisplayName\">Given Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"UserHelpText\">Your given name (also known as first name).</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_continue\">Create</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_cancel\">Cancel</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalAlreadyExists\">You are already registered, please press the back button and sign in instead.</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Password reset page English-->\n      <LocalizedResources Id=\"api.localaccountpasswordreset.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"DisplayName\">Email Address</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"UserHelpText\">Email address that can be used to contact you.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"PatternHelpText\">Please enter a valid email address.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"DisplayName\">New Password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"UserHelpText\">Enter new password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"PatternHelpText\">8-16 
characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ &amp; * - _ + = [ ] { } | \\ : ' , ? / ` ~ \" ( ) ; .</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"DisplayName\">Confirm New Password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"UserHelpText\">Confirm new password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"PatternHelpText\">8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ &amp; * - _ + = [ ] { } | \\ : ' , ? / ` ~ \" ( ) ; .</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_passwordEntryMismatch\">The password entry fields do not match. Please enter the same password in both fields and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_fieldIncorrect\">One or more fields are filled out incorrectly. Please check your entries and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_continue\">Continue</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_cancel\">Cancel</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalDoesNotExist\">An account could not be found for the provided user ID.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsTransformationBooleanValueIsNotEqual\">Your account has been locked. 
Contact your support person to unlock it, then try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"required_field\">This information is required.</LocalizedString>\n          <!-- Display control UI elements-->\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"intro_msg\">Verification is necessary. Please click Send button.</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"success_send_code_msg\">Verification code has been sent to your inbox. Please copy it to the input box below.</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"failure_send_code_msg\">We are having trouble verifying your email address. Please enter a valid email address and try again.</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"success_verify_code_msg\">E-mail address verified. You can now continue.</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"failure_verify_code_msg\">We are having trouble verifying your email address. 
Please try again.</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"but_send_code\">Send verification code</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"but_verify_code\">Verify code</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"but_send_new_code\">Send new code</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"emailVerificationControl\" StringId=\"but_change_claims\">Change e-mail</LocalizedString>\n          <!-- Display control errors -->\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfInternalError\">We are having trouble verifying your email address. Please try again later.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfThrottled\">There have been too many requests to verify this email address. Please wait a while, then try again.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfChallengeExpired\">That code is expired. Please request a new code.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfVerificationFailedNoRetry\">You've made too many incorrect attempts. Please try again later.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfVerificationFailedRetryAllowed\">That code is incorrect. Please try again.</LocalizedString>\n          <!-- Generic errors -->\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"ServiceThrottled\">There are too many requests at this moment. 
Please wait for some time and try again.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimNotVerified\">Claim not verified: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalAlreadyExists\">A user with the specified ID already exists. Please choose a different one.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfIncorrectPattern\">Incorrect pattern for: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfInvalidInput\">{0} has invalid input.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfMissingRequiredElement\">Missing required element: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfValidationError\">Error in validation by: {0}</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Edit profile sign-in page English-->\n      <LocalizedResources Id=\"api.idpselections.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"intro\">Sign in</LocalizedString>\n          <LocalizedString ElementType=\"ClaimsProvider\" StringId=\"LocalAccountSigninEmailExchange\">Local Account Signin</LocalizedString>\n          <LocalizedString ElementType=\"ClaimsProvider\" StringId=\"FacebookExchange\">Facebook</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Edit profile sign-in with local account English-->\n      <LocalizedResources Id=\"api.localaccountsignin.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"signInName\" StringId=\"DisplayName\">Email Address</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"password\" 
StringId=\"DisplayName\">Password</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_continue\">Continue</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_cancel\">Cancel</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"ResourceOwnerFlowInvalidCredentials\">Your password is incorrect.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfInvalidPassword\">Your password is incorrect.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfPasswordExpired\">Your password has expired.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalDoesNotExist\">We can't seem to find your account.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfOldPasswordUsed\">Looks like you used an old password.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"DefaultMessage\">Invalid username or password.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfUserAccountDisabled\">Your account has been locked. Contact your support person to unlock it, then try again.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfUserAccountLocked\">Your account is temporarily locked to prevent unauthorized use. Try again later.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"AADRequestsThrottled\">There are too many requests at this moment. 
Please wait for some time and try again.</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Edit profile page English-->\n      <LocalizedResources Id=\"api.selfasserted.profileupdate.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"DisplayName\">Display Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"UserHelpText\">Your display name.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"DisplayName\">Surname</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"UserHelpText\">Your surname (also known as family name or last name).</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"DisplayName\">Given Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"UserHelpText\">Your given name (also known as first name).</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_continue\">Continue</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_cancel\">Cancel</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n\n      <!-- Phone factor English-->\n      <LocalizedResources Id=\"api.phonefactor.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_verify\">Call Me</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"country_code_label\">Country Code</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"cancel_message\">The user has canceled multi-factor authentication</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" 
StringId=\"text_button_send_second_code\">Send a new code</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"code_pattern\">\\d{6}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"intro_mixed\">We have the following number on record for you. We can send a code via SMS or phone to authenticate you.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"intro_mixed_p\">We have the following numbers on record for you. Choose a number that we can phone or send a code via SMS to authenticate you.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_verify_code\">Verify Code</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"requiredField_code\">Please enter the verification code you received</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"invalid_code\">Please enter the 6-digit code you received</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_cancel\">Cancel</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"local_number_input_placeholder_text\">Phone number</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_retry\">Retry</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"alternative_text\">I don't have my phone</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"intro_phone_p\">We have the following numbers on record for you. Choose a number that we can phone to authenticate you.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"intro_phone\">We have the following number on record for you. 
We will phone to authenticate you.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"enter_code_text_intro\">Enter your verification code below, or</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"intro_entry_phone\">Enter a number below that we can phone to authenticate you.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"intro_entry_sms\">Enter a number below that we can send a code via SMS to authenticate you.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_send_code\">Send Code</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"invalid_number\">Please enter a valid phone number</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"intro_sms\">We have the following number on record for you. We will send a code via SMS to authenticate you.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"intro_entry_mixed\">Enter a number below that we can send a code via SMS or phone to authenticate you.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"number_pattern\">^\\+(?:[0-9][\\x20-]?){6,14}[0-9]$</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"intro_sms_p\">We have the following numbers on record for you. 
Choose a number that we can send a code via SMS to authenticate you.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"requiredField_countryCode\">Please select your country code</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"requiredField_number\">Please enter your phone number</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"country_code_input_placeholder_text\">Country or region</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"number_label\">Phone Number</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_tryagain\">The phone number you provided is busy or unavailable. Please check the number and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_sms_throttled\">You hit the limit on the number of text messages. Try again shortly.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_phone_throttled\">You hit the limit on the number of call attempts. Try again shortly.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_throttled\">You hit the limit on the number of verification attempts. Try again shortly.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_incorrect_code\">The verification code you have entered does not match our records. 
Please try again, or request a new code.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"countryList\">{\"DEFAULT\":\"Country/Region\",\"AF\":\"Afghanistan\",\"AX\":\"Åland Islands\",\"AL\":\"Albania\",\"DZ\":\"Algeria\",\"AS\":\"American Samoa\",\"AD\":\"Andorra\",\"AO\":\"Angola\",\"AI\":\"Anguilla\",\"AQ\":\"Antarctica\",\"AG\":\"Antigua and Barbuda\",\"AR\":\"Argentina\",\"AM\":\"Armenia\",\"AW\":\"Aruba\",\"AU\":\"Australia\",\"AT\":\"Austria\",\"AZ\":\"Azerbaijan\",\"BS\":\"Bahamas\",\"BH\":\"Bahrain\",\"BD\":\"Bangladesh\",\"BB\":\"Barbados\",\"BY\":\"Belarus\",\"BE\":\"Belgium\",\"BZ\":\"Belize\",\"BJ\":\"Benin\",\"BM\":\"Bermuda\",\"BT\":\"Bhutan\",\"BO\":\"Bolivia\",\"BQ\":\"Bonaire\",\"BA\":\"Bosnia and Herzegovina\",\"BW\":\"Botswana\",\"BV\":\"Bouvet Island\",\"BR\":\"Brazil\",\"IO\":\"British Indian Ocean Territory\",\"VG\":\"British Virgin Islands\",\"BN\":\"Brunei\",\"BG\":\"Bulgaria\",\"BF\":\"Burkina Faso\",\"BI\":\"Burundi\",\"CV\":\"Cabo Verde\",\"KH\":\"Cambodia\",\"CM\":\"Cameroon\",\"CA\":\"Canada\",\"KY\":\"Cayman Islands\",\"CF\":\"Central African Republic\",\"TD\":\"Chad\",\"CL\":\"Chile\",\"CN\":\"China\",\"CX\":\"Christmas Island\",\"CC\":\"Cocos (Keeling) Islands\",\"CO\":\"Colombia\",\"KM\":\"Comoros\",\"CG\":\"Congo\",\"CD\":\"Congo (DRC)\",\"CK\":\"Cook Islands\",\"CR\":\"Costa Rica\",\"CI\":\"Côte d'Ivoire\",\"HR\":\"Croatia\",\"CU\":\"Cuba\",\"CW\":\"Curaçao\",\"CY\":\"Cyprus\",\"CZ\":\"Czech Republic\",\"DK\":\"Denmark\",\"DJ\":\"Djibouti\",\"DM\":\"Dominica\",\"DO\":\"Dominican Republic\",\"EC\":\"Ecuador\",\"EG\":\"Egypt\",\"SV\":\"El Salvador\",\"GQ\":\"Equatorial Guinea\",\"ER\":\"Eritrea\",\"EE\":\"Estonia\",\"ET\":\"Ethiopia\",\"FK\":\"Falkland Islands\",\"FO\":\"Faroe Islands\",\"FJ\":\"Fiji\",\"FI\":\"Finland\",\"FR\":\"France\",\"GF\":\"French Guiana\",\"PF\":\"French Polynesia\",\"TF\":\"French Southern 
Territories\",\"GA\":\"Gabon\",\"GM\":\"Gambia\",\"GE\":\"Georgia\",\"DE\":\"Germany\",\"GH\":\"Ghana\",\"GI\":\"Gibraltar\",\"GR\":\"Greece\",\"GL\":\"Greenland\",\"GD\":\"Grenada\",\"GP\":\"Guadeloupe\",\"GU\":\"Guam\",\"GT\":\"Guatemala\",\"GG\":\"Guernsey\",\"GN\":\"Guinea\",\"GW\":\"Guinea-Bissau\",\"GY\":\"Guyana\",\"HT\":\"Haiti\",\"HM\":\"Heard Island and McDonald Islands\",\"HN\":\"Honduras\",\"HK\":\"Hong Kong SAR\",\"HU\":\"Hungary\",\"IS\":\"Iceland\",\"IN\":\"India\",\"ID\":\"Indonesia\",\"IR\":\"Iran\",\"IQ\":\"Iraq\",\"IE\":\"Ireland\",\"IM\":\"Isle of Man\",\"IL\":\"Israel\",\"IT\":\"Italy\",\"JM\":\"Jamaica\",\"JP\":\"Japan\",\"JE\":\"Jersey\",\"JO\":\"Jordan\",\"KZ\":\"Kazakhstan\",\"KE\":\"Kenya\",\"KI\":\"Kiribati\",\"KR\":\"Korea\",\"KW\":\"Kuwait\",\"KG\":\"Kyrgyzstan\",\"LA\":\"Laos\",\"LV\":\"Latvia\",\"LB\":\"Lebanon\",\"LS\":\"Lesotho\",\"LR\":\"Liberia\",\"LY\":\"Libya\",\"LI\":\"Liechtenstein\",\"LT\":\"Lithuania\",\"LU\":\"Luxembourg\",\"MO\":\"Macao SAR\",\"MK\":\"North Macedonia\",\"MG\":\"Madagascar\",\"MW\":\"Malawi\",\"MY\":\"Malaysia\",\"MV\":\"Maldives\",\"ML\":\"Mali\",\"MT\":\"Malta\",\"MH\":\"Marshall Islands\",\"MQ\":\"Martinique\",\"MR\":\"Mauritania\",\"MU\":\"Mauritius\",\"YT\":\"Mayotte\",\"MX\":\"Mexico\",\"FM\":\"Micronesia\",\"MD\":\"Moldova\",\"MC\":\"Monaco\",\"MN\":\"Mongolia\",\"ME\":\"Montenegro\",\"MS\":\"Montserrat\",\"MA\":\"Morocco\",\"MZ\":\"Mozambique\",\"MM\":\"Myanmar\",\"NA\":\"Namibia\",\"NR\":\"Nauru\",\"NP\":\"Nepal\",\"NL\":\"Netherlands\",\"NC\":\"New Caledonia\",\"NZ\":\"New Zealand\",\"NI\":\"Nicaragua\",\"NE\":\"Niger\",\"NG\":\"Nigeria\",\"NU\":\"Niue\",\"NF\":\"Norfolk Island\",\"KP\":\"North Korea\",\"MP\":\"Northern Mariana Islands\",\"NO\":\"Norway\",\"OM\":\"Oman\",\"PK\":\"Pakistan\",\"PW\":\"Palau\",\"PS\":\"Palestinian Authority\",\"PA\":\"Panama\",\"PG\":\"Papua New Guinea\",\"PY\":\"Paraguay\",\"PE\":\"Peru\",\"PH\":\"Philippines\",\"PN\":\"Pitcairn 
Islands\",\"PL\":\"Poland\",\"PT\":\"Portugal\",\"PR\":\"Puerto Rico\",\"QA\":\"Qatar\",\"RE\":\"Réunion\",\"RO\":\"Romania\",\"RU\":\"Russia\",\"RW\":\"Rwanda\",\"BL\":\"Saint Barthélemy\",\"KN\":\"Saint Kitts and Nevis\",\"LC\":\"Saint Lucia\",\"MF\":\"Saint Martin\",\"PM\":\"Saint Pierre and Miquelon\",\"VC\":\"Saint Vincent and the Grenadines\",\"WS\":\"Samoa\",\"SM\":\"San Marino\",\"ST\":\"São Tomé and Príncipe\",\"SA\":\"Saudi Arabia\",\"SN\":\"Senegal\",\"RS\":\"Serbia\",\"SC\":\"Seychelles\",\"SL\":\"Sierra Leone\",\"SG\":\"Singapore\",\"SX\":\"Sint Maarten\",\"SK\":\"Slovakia\",\"SI\":\"Slovenia\",\"SB\":\"Solomon Islands\",\"SO\":\"Somalia\",\"ZA\":\"South Africa\",\"GS\":\"South Georgia and South Sandwich Islands\",\"SS\":\"South Sudan\",\"ES\":\"Spain\",\"LK\":\"Sri Lanka\",\"SH\":\"St Helena, Ascension, Tristan da Cunha\",\"SD\":\"Sudan\",\"SR\":\"Suriname\",\"SJ\":\"Svalbard\",\"SZ\":\"Swaziland\",\"SE\":\"Sweden\",\"CH\":\"Switzerland\",\"SY\":\"Syria\",\"TW\":\"Taiwan\",\"TJ\":\"Tajikistan\",\"TZ\":\"Tanzania\",\"TH\":\"Thailand\",\"TL\":\"Timor-Leste\",\"TG\":\"Togo\",\"TK\":\"Tokelau\",\"TO\":\"Tonga\",\"TT\":\"Trinidad and Tobago\",\"TN\":\"Tunisia\",\"TR\":\"Turkey\",\"TM\":\"Turkmenistan\",\"TC\":\"Turks and Caicos Islands\",\"TV\":\"Tuvalu\",\"UM\":\"U.S. Outlying Islands\",\"VI\":\"U.S. 
Virgin Islands\",\"UG\":\"Uganda\",\"UA\":\"Ukraine\",\"AE\":\"United Arab Emirates\",\"GB\":\"United Kingdom\",\"US\":\"United States\",\"UY\":\"Uruguay\",\"UZ\":\"Uzbekistan\",\"VU\":\"Vanuatu\",\"VA\":\"Vatican City\",\"VE\":\"Venezuela\",\"VN\":\"Vietnam\",\"WF\":\"Wallis and Futuna\",\"YE\":\"Yemen\",\"ZM\":\"Zambia\",\"ZW\":\"Zimbabwe\"}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_448\">The phone number you provided is unreachable.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_449\">User has exceeded the number of retry attempts.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"verification_code_input_placeholder_text\">Verification code</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"strongAuthenticationPhoneNumber\" StringId=\"DisplayName\">Phone Number</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Add more languages here -->\n    </Localization>\n  </BuildingBlocks>\n\n</TrustFrameworkPolicy>"
  },
  {
    "path": "LICENSE",
    "content": "    MIT License\r\n\r\n    Copyright (c) Microsoft Corporation. All rights reserved.\r\n\r\n    Permission is hereby granted, free of charge, to any person obtaining a copy\r\n    of this software and associated documentation files (the \"Software\"), to deal\r\n    in the Software without restriction, including without limitation the rights\r\n    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell\r\n    copies of the Software, and to permit persons to whom the Software is\r\n    furnished to do so, subject to the following conditions:\r\n\r\n    The above copyright notice and this permission notice shall be included in all\r\n    copies or substantial portions of the Software.\r\n\r\n    THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\r\n    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\r\n    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\r\n    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\r\n    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\r\n    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\r\n    SOFTWARE\r\n"
  },
  {
    "path": "LocalAccounts/PasswordReset.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<TrustFrameworkPolicy\n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\"\n  PolicySchemaVersion=\"0.3.0.0\"\n  TenantId=\"yourtenant.onmicrosoft.com\"\n  PolicyId=\"B2C_1A_PasswordReset\"\n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_PasswordReset\">\n\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>\n  </BasePolicy>\n\n  <RelyingParty>\n    <DefaultUserJourney ReferenceId=\"PasswordReset\" />\n    <TechnicalProfile Id=\"PolicyProfile\">\n      <DisplayName>PolicyProfile</DisplayName>\n      <Protocol Name=\"OpenIdConnect\" />\n      <OutputClaims>\n        <OutputClaim ClaimTypeReferenceId=\"email\" />\n        <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"sub\"/>\n        <OutputClaim ClaimTypeReferenceId=\"tenantId\" AlwaysUseDefaultValue=\"true\" DefaultValue=\"{Policy:TenantObjectId}\" />\n      </OutputClaims>\n      <SubjectNamingInfo ClaimType=\"sub\" />\n    </TechnicalProfile>\n  </RelyingParty>\n</TrustFrameworkPolicy>\n\n\n"
  },
  {
    "path": "LocalAccounts/ProfileEdit.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<TrustFrameworkPolicy\n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\"\n  PolicySchemaVersion=\"0.3.0.0\"\n  TenantId=\"yourtenant.onmicrosoft.com\"\n  PolicyId=\"B2C_1A_ProfileEdit\"\n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_ProfileEdit\">\n\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>\n  </BasePolicy>\n\n  <RelyingParty>\n    <DefaultUserJourney ReferenceId=\"ProfileEdit\" />\n    <TechnicalProfile Id=\"PolicyProfile\">\n      <DisplayName>PolicyProfile</DisplayName>\n      <Protocol Name=\"OpenIdConnect\" />\n      <OutputClaims>\n        <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"sub\"/>\n        <OutputClaim ClaimTypeReferenceId=\"tenantId\" AlwaysUseDefaultValue=\"true\" DefaultValue=\"{Policy:TenantObjectId}\" />\n      </OutputClaims>\n      <SubjectNamingInfo ClaimType=\"sub\" />\n    </TechnicalProfile>\n  </RelyingParty>\n</TrustFrameworkPolicy>\n\n\n"
  },
  {
    "path": "LocalAccounts/SignUpOrSignin.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<TrustFrameworkPolicy\n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\"\n  PolicySchemaVersion=\"0.3.0.0\"\n  TenantId=\"yourtenant.onmicrosoft.com\"\n  PolicyId=\"B2C_1A_signup_signin\"\n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_signup_signin\">\n\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>\n  </BasePolicy>\n\n  <RelyingParty>\n    <DefaultUserJourney ReferenceId=\"SignUpOrSignIn\" />\n    <Endpoints>\n      <!--points to refresh token journey when app makes refresh token request-->\n      <Endpoint Id=\"Token\" UserJourneyReferenceId=\"RedeemRefreshToken\" />\n    </Endpoints>\n    <TechnicalProfile Id=\"PolicyProfile\">\n      <DisplayName>PolicyProfile</DisplayName>\n      <Protocol Name=\"OpenIdConnect\" />\n      <OutputClaims>\n        <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n        <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n        <OutputClaim ClaimTypeReferenceId=\"surname\" />\n        <OutputClaim ClaimTypeReferenceId=\"email\" />\n        <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"sub\"/>\n        <OutputClaim ClaimTypeReferenceId=\"tenantId\" AlwaysUseDefaultValue=\"true\" DefaultValue=\"{Policy:TenantObjectId}\" />\n\n      </OutputClaims>\n      <SubjectNamingInfo ClaimType=\"sub\" />\n    </TechnicalProfile>\n  </RelyingParty>\n</TrustFrameworkPolicy>\n"
  },
  {
    "path": "LocalAccounts/TrustFrameworkBase.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<TrustFrameworkPolicy\n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\"\n  PolicySchemaVersion=\"0.3.0.0\"\n  TenantId=\"yourtenant.onmicrosoft.com\"\n  PolicyId=\"B2C_1A_TrustFrameworkBase\"\n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkBase\">\n\n  <BuildingBlocks>\n    <ClaimsSchema>\n      <!-- The ClaimsSchema is divided into three sections:\n           1. Section I lists the minimum claims that are required for the user journeys to work properly.\n           2. Section II lists the claims required for query string parameters and other special parameters \n              to be passed to other claims providers, esp. login.microsoftonline.com for authentication. \n              Please do not modify these claims.\n           3. Section III lists any additional (optional) claims that can be collected from the user, stored \n              in the directory and sent in tokens during sign in. Add new claims to be collected from the user \n              and/or sent in the token in Section III. -->\n\n      <!-- NOTE: The claims schema contains restrictions on certain claims such as passwords and usernames. \n           The trust framework policy treats Azure AD as any other claims provider and all its restrictions \n           are modelled in the policy. A policy could be modified to add more restrictions, or use another \n           claims provider for credential storage which will have its own restrictions. 
-->\n\n      <!-- SECTION I: Claims required for user journeys to work properly -->\n\n      <ClaimType Id=\"socialIdpUserId\">\n        <DisplayName>Username</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText/>\n        <UserInputType>TextBox</UserInputType>\n        <Restriction>\n          <Pattern RegularExpression=\"^[a-zA-Z0-9]+[a-zA-Z0-9_-]*$\" HelpText=\"The username you provided is not valid. It must begin with an alphabet or number and can contain alphabets, numbers and the following symbols: _ -\" />\n        </Restriction>\n      </ClaimType>\n\n      <ClaimType Id=\"tenantId\">\n        <DisplayName>User's Object's Tenant ID</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"tid\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"tid\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.microsoft.com/identity/claims/tenantid\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Tenant identifier (ID) of the user object in Azure AD.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"objectId\">\n        <DisplayName>User's Object ID</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"oid\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"oid\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.microsoft.com/identity/claims/objectidentifier\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Object identifier (ID) of the user object in Azure AD.</UserHelpText>\n      </ClaimType>\n\n      <!-- Claims needed for local accounts. 
-->\n      <ClaimType Id=\"signInName\">\n        <DisplayName>Sign in name</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText/>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n      <ClaimType Id=\"signInNames.emailAddress\">\n        <DisplayName>Email Address</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Email address to use for signing in.</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n      <ClaimType Id=\"accountEnabled\">\n        <DisplayName>Account Enabled</DisplayName>\n        <DataType>boolean</DataType>\n        <AdminHelpText>Specifies whether the user's account is enabled.</AdminHelpText>\n        <UserHelpText>Specifies whether your account is enabled.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"password\">\n        <DisplayName>Password</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Enter password</UserHelpText>\n        <UserInputType>Password</UserInputType>\n      </ClaimType>\n\n      <!-- The claim types newPassword and reenterPassword are considered special, please do not change the names. 
\n           The UI validates that the user correctly re-entered their password during account creation based on these \n           claim types.\t  -->\n      <ClaimType Id=\"newPassword\">\n        <DisplayName>New Password</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Enter new password</UserHelpText>\n        <UserInputType>Password</UserInputType>\n        <Restriction>\n          <Pattern RegularExpression=\"^((?=.*[a-z])(?=.*[A-Z])(?=.*\\d)|(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9])|(?=.*[a-z])(?=.*\\d)(?=.*[^A-Za-z0-9])|(?=.*[A-Z])(?=.*\\d)(?=.*[^A-Za-z0-9]))([A-Za-z\\d@#$%^&amp;*\\-_+=[\\]{}|\\\\:',?/`~&quot;();!]|\\.(?!@)){8,16}$\" HelpText=\"8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ &amp; * - _ + = [ ] { } | \\ : ' , ? / ` ~ &quot; ( ) ; .\" />\n        </Restriction>\n      </ClaimType>\n      <!-- The password regular expression above is constructed for AAD passwords based on restrictions at https://msdn.microsoft.com/en-us/library/azure/jj943764.aspx\n\n        ^( # one of the following four combinations must appear in the password (each lookahead group requires ALL of its listed categories to be present)\n         (?=.*[a-z])(?=.*[A-Z])(?=.*\\d) |            # requires lower case, upper case and digit\n         (?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9]) |  # requires lower case, upper case and special character (i.e. neither letter nor digit)\n         (?=.*[a-z])(?=.*\\d)(?=.*[^A-Za-z0-9]) |     # requires lower case, digit and special character\n         (?=.*[A-Z])(?=.*\\d)(?=.*[^A-Za-z0-9])       # requires upper case, digit and special character\n        )\n        ( # The password must match the following restrictions\n         [A-Za-z\\d@#$%^&*\\-_+=[\\]{}|\\\\:',?/`~\"();!] |   # The list of all acceptable characters (without .)\n         \\.(?!@)                                        # or . 
can appear as long as not followed by @\n        ) {8,16}$                                       # the length must be between 8 and 16 chars inclusive\n\n      -->\n\n      <ClaimType Id=\"reenterPassword\">\n        <DisplayName>Confirm New Password</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Confirm new password</UserHelpText>\n        <UserInputType>Password</UserInputType>\n        <Restriction>\n          <Pattern RegularExpression=\"^((?=.*[a-z])(?=.*[A-Z])(?=.*\\d)|(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9])|(?=.*[a-z])(?=.*\\d)(?=.*[^A-Za-z0-9])|(?=.*[A-Z])(?=.*\\d)(?=.*[^A-Za-z0-9]))([A-Za-z\\d@#$%^&amp;*\\-_+=[\\]{}|\\\\:',?/`~&quot;();!]|\\.(?!@)){8,16}$\" HelpText=\" \" />\n        </Restriction>\n      </ClaimType>\n\n      <ClaimType Id=\"passwordPolicies\">\n        <DisplayName>Password Policies</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Password policies used by Azure AD to determine password strength, expiry etc.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"client_id\">\n        <DisplayName>client_id</DisplayName>\n        <DataType>string</DataType>\n        <AdminHelpText>Special parameter passed to EvoSTS.</AdminHelpText>\n        <UserHelpText>Special parameter passed to EvoSTS.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"resource_id\">\n        <DisplayName>resource_id</DisplayName>\n        <DataType>string</DataType>\n        <AdminHelpText>Special parameter passed to EvoSTS.</AdminHelpText>\n        <UserHelpText>Special parameter passed to EvoSTS.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"sub\">\n        <DisplayName>Subject</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"sub\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText/>\n      </ClaimType>\n\n      <ClaimType Id=\"identityProvider\">\n        
<DisplayName>Identity Provider</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"idp\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"idp\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.microsoft.com/identity/claims/identityprovider\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText/>\n      </ClaimType>\n\n      <ClaimType Id=\"displayName\">\n        <DisplayName>Display Name</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"unique_name\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"name\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Your display name.</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n      <ClaimType Id=\"email\">\n        <DisplayName>Email Address</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"email\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Email address that can be used to contact you.</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n        <Restriction>\n          <Pattern RegularExpression=\"^[a-zA-Z0-9!#$%&amp;'+^_`{}~-]+(?:\\.[a-zA-Z0-9!#$%&amp;'+^_`{}~-]+)*@(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?\\.)+[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?$\" HelpText=\"Please enter a valid email address.\" />\n        </Restriction>\n      </ClaimType>\n\n      <ClaimType Id=\"otherMails\">\n        <DisplayName>Alternate Email Addresses</DisplayName>\n        <DataType>stringCollection</DataType>\n        <UserHelpText>Email addresses that can be used to contact the 
user.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"userPrincipalName\">\n        <DisplayName>UserPrincipalName</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"upn\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"upn\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.microsoft.com/identity/claims/userprincipalname\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Your user name as stored in the Azure Active Directory.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"upnUserName\">\n        <DisplayName>UPN User Name</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>The user name for creating user principal name.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"newUser\">\n        <DisplayName>User is new</DisplayName>\n        <DataType>boolean</DataType>\n        <UserHelpText/>\n      </ClaimType>\n\n      <ClaimType Id=\"executed-SelfAsserted-Input\">\n        <DisplayName>Executed-SelfAsserted-Input</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>A claim that specifies whether attributes were collected from the user.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"authenticationSource\">\n        <DisplayName>AuthenticationSource</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Specifies whether the user was authenticated at Social IDP or local account.</UserHelpText>\n      </ClaimType>\n\n      <!--claims for refresh token revocation-->\n      <ClaimType Id=\"refreshTokenIssuedOnDateTime\">\n        <DisplayName>refreshTokenIssuedOnDateTime</DisplayName>\n        <DataType>string</DataType>\n        <AdminHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</AdminHelpText>\n        <UserHelpText>Used to determine if the 
user should be permitted to reauthenticate silently via their existing refresh token.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"refreshTokensValidFromDateTime\">\n        <DisplayName>refreshTokensValidFromDateTime</DisplayName>\n        <DataType>string</DataType>\n        <AdminHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</AdminHelpText>\n        <UserHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</UserHelpText>\n      </ClaimType>\n\n      <!-- SECTION II: Claims required to pass on special parameters (including some query string parameters) to other claims providers -->\n\n      <ClaimType Id=\"nca\">\n        <DisplayName>nca</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Special parameter passed for local account authentication to login.microsoftonline.com.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"grant_type\">\n        <DisplayName>grant_type</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Special parameter passed for local account authentication to login.microsoftonline.com.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"scope\">\n        <DisplayName>scope</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Special parameter passed for local account authentication to login.microsoftonline.com.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"objectIdFromSession\">\n        <DisplayName>objectIdFromSession</DisplayName>\n        <DataType>boolean</DataType>\n        <UserHelpText>Parameter provided by the default session management provider to indicate that the object id has been retrieved from an SSO session.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"isActiveMFASession\">\n        <DisplayName>isActiveMFASession</DisplayName>\n        
<DataType>boolean</DataType>\n        <UserHelpText>Parameter provided by the MFA session management to indicate that the user has an active MFA session.</UserHelpText>\n      </ClaimType>\n\n      <!-- SECTION III: Additional claims that can be collected from the users, stored in the directory, and sent in the token. Add additional claims here. -->\n\n      <ClaimType Id=\"givenName\">\n        <DisplayName>Given Name</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"given_name\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"given_name\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Your given name (also known as first name).</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n      <ClaimType Id=\"surname\">\n        <DisplayName>Surname</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"family_name\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"family_name\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Your surname (also known as family name or last name).</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n    </ClaimsSchema>\n\n    <ClaimsTransformations>\n      <ClaimsTransformation Id=\"CreateOtherMailsFromEmail\" TransformationMethod=\"AddItemToStringCollection\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"email\" TransformationClaimType=\"item\" />\n          <InputClaim ClaimTypeReferenceId=\"otherMails\" TransformationClaimType=\"collection\" />\n        
</InputClaims>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"otherMails\" TransformationClaimType=\"collection\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n\n      <ClaimsTransformation Id=\"AssertAccountEnabledIsTrue\" TransformationMethod=\"AssertBooleanClaimIsEqualToValue\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"accountEnabled\" TransformationClaimType=\"inputClaim\" />\n        </InputClaims>\n        <InputParameters>\n          <InputParameter Id=\"valueToCompareTo\" DataType=\"boolean\" Value=\"true\" />\n        </InputParameters>\n      </ClaimsTransformation>\n\n      <!--claims transformation for refresh token revocation -->\n      <ClaimsTransformation Id=\"AssertRefreshTokenIssuedLaterThanValidFromDate\" TransformationMethod=\"AssertDateTimeIsGreaterThan\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"refreshTokenIssuedOnDateTime\" TransformationClaimType=\"leftOperand\" />\n          <InputClaim ClaimTypeReferenceId=\"refreshTokensValidFromDateTime\" TransformationClaimType=\"rightOperand\" />\n        </InputClaims>\n        <InputParameters>\n          <InputParameter Id=\"AssertIfEqualTo\" DataType=\"boolean\" Value=\"false\" />\n          <InputParameter Id=\"AssertIfRightOperandIsNotPresent\" DataType=\"boolean\" Value=\"true\" />\n          <InputParameter Id=\"TreatAsEqualIfWithinMillseconds\" DataType=\"int\" Value=\"300000\" />\n        </InputParameters>\n      </ClaimsTransformation>\n      \n    </ClaimsTransformations>\n\n    <ClientDefinitions>\n      <ClientDefinition Id=\"DefaultWeb\">\n        <ClientUIFilterFlags>LineMarkers, MetaRefresh</ClientUIFilterFlags>\n      </ClientDefinition>\n    </ClientDefinitions>\n\n    <ContentDefinitions>\n\n      <!-- This content definition is to render an error page that displays unhandled errors. 
-->\n      <ContentDefinition Id=\"api.error\">\n        <LoadUri>~/tenant/templates/AzureBlue/exception.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:globalexception:1.2.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Error page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.idpselections\">\n        <LoadUri>~/tenant/templates/AzureBlue/idpSelector.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Idp selection page</Item>\n          <Item Key=\"language.intro\">Sign in</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.idpselections.signup\">\n        <LoadUri>~/tenant/templates/AzureBlue/idpSelector.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Idp selection page</Item>\n          <Item Key=\"language.intro\">Sign up</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.signuporsignin\">\n        <LoadUri>~/tenant/templates/AzureBlue/unified.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:unifiedssp:2.1.5</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Signin and Signup</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.selfasserted\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n    
    <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Collect information from user page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.selfasserted.profileupdate\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Collect information from user page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountsignup\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Local account sign up page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountpasswordreset\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Local account change password page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountsignin\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Collect information from user page</Item>\n        </Metadata>\n      
</ContentDefinition>\n    </ContentDefinitions>\n  </BuildingBlocks>\n\n  <!--\n        A list of all the claim providers that can be used in the technical policies. If a claims provider is not listed \n        in this section, then it cannot be used in a technical policy.\n    -->\n  <ClaimsProviders>\n\n    <ClaimsProvider>\n      <DisplayName>Local Account SignIn</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"login-NonInteractive\">\n          <DisplayName>Local Account SignIn</DisplayName>\n          <Protocol Name=\"OpenIdConnect\" />\n          <Metadata>\n            <Item Key=\"ProviderName\">https://sts.windows.net/</Item>\n            <Item Key=\"METADATA\">https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration</Item>\n            <Item Key=\"authorization_endpoint\">https://login.microsoftonline.com/{tenant}/oauth2/token</Item>\n            <Item Key=\"response_types\">id_token</Item>\n            <Item Key=\"response_mode\">query</Item>\n            <Item Key=\"scope\">email openid</Item>\n            <!-- <Item Key=\"grant_type\">password</Item> -->\n\n            <!-- Policy Engine Clients -->\n            <Item Key=\"UsePolicyInRedirectUri\">false</Item>\n            <Item Key=\"HttpBinding\">POST</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"signInName\" PartnerClaimType=\"username\" Required=\"true\" />\n            <InputClaim ClaimTypeReferenceId=\"password\" Required=\"true\" />\n            <InputClaim ClaimTypeReferenceId=\"grant_type\" DefaultValue=\"password\" AlwaysUseDefaultValue=\"true\" />\n            <InputClaim ClaimTypeReferenceId=\"scope\" DefaultValue=\"openid\" AlwaysUseDefaultValue=\"true\" />\n            <InputClaim ClaimTypeReferenceId=\"nca\" PartnerClaimType=\"nca\" DefaultValue=\"1\" />\n          </InputClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"oid\" 
/>\n            <OutputClaim ClaimTypeReferenceId=\"tenantId\" PartnerClaimType=\"tid\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" PartnerClaimType=\"given_name\" />\n            <OutputClaim ClaimTypeReferenceId=\"surName\" PartnerClaimType=\"family_name\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" PartnerClaimType=\"name\" />\n            <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" PartnerClaimType=\"upn\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" DefaultValue=\"localAccountAuthentication\" />\n          </OutputClaims>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Azure Active Directory</DisplayName>\n      <TechnicalProfiles>\n\n        <TechnicalProfile Id=\"AAD-Common\">\n          <DisplayName>Azure Active Directory</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.AzureActiveDirectoryProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n\n          <!-- We need this here to suppress the SelfAsserted provider from invoking SSO on validation profiles. 
-->\n          <IncludeInSso>false</IncludeInSso>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-Noop\" />\n        </TechnicalProfile>\n\n        <!-- Technical profiles for local accounts -->\n\n        <TechnicalProfile Id=\"AAD-UserWriteUsingLogonEmail\">\n          <Metadata>\n            <Item Key=\"Operation\">Write</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalAlreadyExists\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"signInNames.emailAddress\" Required=\"true\" />\n          </InputClaims>\n          <PersistedClaims>\n            <!-- Required claims -->\n            <PersistedClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"signInNames.emailAddress\" />\n            <PersistedClaim ClaimTypeReferenceId=\"newPassword\" PartnerClaimType=\"password\" />\n            <PersistedClaim ClaimTypeReferenceId=\"displayName\" DefaultValue=\"unknown\" />\n            <PersistedClaim ClaimTypeReferenceId=\"passwordPolicies\" DefaultValue=\"DisablePasswordExpiration\" />\n\n            <!-- Optional claims. 
-->\n            <PersistedClaim ClaimTypeReferenceId=\"givenName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"surname\" />\n          </PersistedClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"newUser\" PartnerClaimType=\"newClaimsPrincipalCreated\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" DefaultValue=\"localAccountAuthentication\" />\n            <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <OutputClaim ClaimTypeReferenceId=\"signInNames.emailAddress\" />\n          </OutputClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"AAD-UserReadUsingEmailAddress\">\n          <Metadata>\n            <Item Key=\"Operation\">Read</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"signInNames.emailAddress\" Required=\"true\" />\n          </InputClaims>\n          <OutputClaims>\n            <!-- Required claims -->\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" DefaultValue=\"localAccountAuthentication\" />\n\n            <!-- Optional claims -->\n            <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"accountEnabled\" />\n            <OutputClaim ClaimTypeReferenceId=\"otherMails\" />\n            <OutputClaim ClaimTypeReferenceId=\"signInNames.emailAddress\" />\n          </OutputClaims>\n          
<OutputClaimsTransformations>\n            <OutputClaimsTransformation ReferenceId=\"AssertAccountEnabledIsTrue\" />\n          </OutputClaimsTransformations>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"AAD-UserWritePasswordUsingObjectId\">\n          <Metadata>\n            <Item Key=\"Operation\">Write</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"objectId\" Required=\"true\" />\n          </InputClaims>\n          <PersistedClaims>\n            <PersistedClaim ClaimTypeReferenceId=\"objectId\" />\n            <PersistedClaim ClaimTypeReferenceId=\"newPassword\" PartnerClaimType=\"password\" />\n\n          </PersistedClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n\n        <!-- Technical profiles for updating user record using objectId -->\n\n        <TechnicalProfile Id=\"AAD-UserWriteProfileUsingObjectId\">\n          <Metadata>\n            <Item Key=\"Operation\">Write</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalAlreadyExists\">false</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"objectId\" Required=\"true\" />\n          </InputClaims>\n          <PersistedClaims>\n            <!-- Required claims -->\n            <PersistedClaim ClaimTypeReferenceId=\"objectId\" />\n\n            <!-- Optional claims -->\n            <PersistedClaim ClaimTypeReferenceId=\"givenName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"surname\" />\n          </PersistedClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        
</TechnicalProfile>\n\n        <!-- The following technical profile is used to read data after user authenticates. -->\n        <TechnicalProfile Id=\"AAD-UserReadUsingObjectId\">\n          <Metadata>\n            <Item Key=\"Operation\">Read</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"objectId\" Required=\"true\" />\n          </InputClaims>\n          <OutputClaims>\n\n            <!-- Optional claims -->\n            <OutputClaim ClaimTypeReferenceId=\"signInNames.emailAddress\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"otherMails\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" />\n          </OutputClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Self Asserted</DisplayName>\n      <TechnicalProfiles>\n\n        <TechnicalProfile Id=\"SelfAsserted-ProfileUpdate\">\n          <DisplayName>User ID signup</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"ContentDefinitionReferenceId\">api.selfasserted.profileupdate</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n\n            <!-- Optional claims. These claims are collected from the user and can be modified. 
Any claim added here should be updated in the\n                 ValidationTechnicalProfile referenced below so it can be written to directory after being updated by the user, i.e. AAD-UserWriteProfileUsingObjectId. -->\n            <InputClaim ClaimTypeReferenceId=\"givenName\" />\n            <InputClaim ClaimTypeReferenceId=\"surname\" />\n          </InputClaims>\n          <OutputClaims>\n            <!-- Required claims -->\n            <OutputClaim ClaimTypeReferenceId=\"executed-SelfAsserted-Input\" DefaultValue=\"true\" />\n\n            <!-- Optional claims. These claims are collected from the user and can be modified. Any claim added here should be updated in the\n                 ValidationTechnicalProfile referenced below so it can be written to directory after being updated by the user, i.e. AAD-UserWriteProfileUsingObjectId. -->\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserWriteProfileUsingObjectId\" />\n          </ValidationTechnicalProfiles>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Local Account</DisplayName>\n      <TechnicalProfiles>\n\n        <TechnicalProfile Id=\"LocalAccountSignUpWithLogonEmail\">\n          <DisplayName>Email signup</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"IpAddressClaimReferenceId\">IpAddress</Item>\n            <Item Key=\"ContentDefinitionReferenceId\">api.localaccountsignup</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n      
    </CryptographicKeys>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"email\" />\n          </InputClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"Verified.Email\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"newPassword\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"reenterPassword\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"executed-SelfAsserted-Input\" DefaultValue=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" />\n            <OutputClaim ClaimTypeReferenceId=\"newUser\" />\n\n            <!-- Optional claims, to be collected from the user -->\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surName\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserWriteUsingLogonEmail\" />\n          </ValidationTechnicalProfiles>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n\n        <!-- This technical profile uses a validation technical profile to authenticate the user. 
-->\n        <TechnicalProfile Id=\"SelfAsserted-LocalAccountSignin-Email\">\n          <DisplayName>Local Account Signin</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"SignUpTarget\">SignUpWithLogonEmailExchange</Item>\n            <Item Key=\"setting.operatingMode\">Email</Item>\n            <Item Key=\"ContentDefinitionReferenceId\">api.localaccountsignin</Item>\n            <Item Key=\"IncludeClaimResolvingInClaimsHandling\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"signInName\" DefaultValue=\"{OIDC:LoginHint}\" AlwaysUseDefaultValue=\"true\" />\n          </InputClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"signInName\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"password\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"login-NonInteractive\" />\n          </ValidationTechnicalProfiles>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n\n        <!-- This technical profile forces the user to verify the email address that they provide on the UI. Only after email is verified, the user account is\n        read from the directory. 
-->\n        <TechnicalProfile Id=\"LocalAccountDiscoveryUsingEmailAddress\">\n          <DisplayName>Reset password using email address</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"IpAddressClaimReferenceId\">IpAddress</Item>\n            <Item Key=\"ContentDefinitionReferenceId\">api.localaccountpasswordreset</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n          <IncludeInSso>false</IncludeInSso>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"Verified.Email\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" />\n\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserReadUsingEmailAddress\" />\n          </ValidationTechnicalProfiles>\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"LocalAccountWritePasswordUsingObjectId\">\n          <DisplayName>Change password (username)</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"ContentDefinitionReferenceId\">api.localaccountpasswordreset</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n          <InputClaims>\n            <InputClaim 
ClaimTypeReferenceId=\"objectId\" />\n\n          </InputClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"newPassword\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"reenterPassword\" Required=\"true\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserWritePasswordUsingObjectId\" />\n          </ValidationTechnicalProfiles>\n        </TechnicalProfile>\n\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Session Management</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"SM-Noop\">\n          <DisplayName>Noop Session Management Provider</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.NoopSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"SM-AAD\">\n          <DisplayName>Session Management Provider</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.DefaultSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <PersistedClaims>\n            <PersistedClaim ClaimTypeReferenceId=\"objectId\" />\n            <PersistedClaim ClaimTypeReferenceId=\"signInName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"authenticationSource\" />\n            <PersistedClaim ClaimTypeReferenceId=\"identityProvider\" />\n            <PersistedClaim ClaimTypeReferenceId=\"newUser\" />\n            <PersistedClaim ClaimTypeReferenceId=\"executed-SelfAsserted-Input\" />\n          </PersistedClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectIdFromSession\" DefaultValue=\"true\" />\n          </OutputClaims>\n        </TechnicalProfile>\n\n        <!-- Session management technical profile for OIDC based tokens -->\n   
     <TechnicalProfile Id=\"SM-jwt-issuer\">\n          <DisplayName>Session Management Provider</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.OAuthSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Trustframework Policy Engine TechnicalProfiles</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"TpEngine_c3bd4fe2-1775-4013-b91d-35f16d377d13\">\n          <DisplayName>Trustframework Policy Engine Default Technical Profile</DisplayName>\n          <Protocol Name=\"None\" />\n          <Metadata>\n            <Item Key=\"url\">{service:te}</Item>\n          </Metadata>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Token Issuer</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"JwtIssuer\">\n          <DisplayName>JWT Issuer</DisplayName>\n          <Protocol Name=\"OpenIdConnect\" />\n          <OutputTokenFormat>JWT</OutputTokenFormat>\n          <Metadata>\n            <Item Key=\"client_id\">{service:te}</Item>\n            <Item Key=\"issuer_refresh_token_user_identity_claim_type\">objectId</Item>\n            <Item Key=\"SendTokenResponseBodyWithJsonNumbers\">true</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n            <Key Id=\"issuer_refresh_token_key\" StorageReferenceId=\"B2C_1A_TokenEncryptionKeyContainer\" />\n          </CryptographicKeys>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-jwt-issuer\" />\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n    <!--claims provider for refresh token revocation-->\n  <ClaimsProvider>\n    <DisplayName>Refresh token 
journey</DisplayName>\n    <TechnicalProfiles>\n      <TechnicalProfile Id=\"RefreshTokenReadAndSetup\">\n        <DisplayName>Trustframework Policy Engine Refresh Token Setup Technical Profile</DisplayName>\n        <Protocol Name=\"None\" />\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n          <OutputClaim ClaimTypeReferenceId=\"refreshTokenIssuedOnDateTime\" />\n           <!--Requirement: Claims that you return in the relying party technical profile output claims\n            that are not stored in Azure AD B2C, must be added to the output claims collection here-->\n          <!--\n          \n          <OutputClaim ClaimTypeReferenceId=\"RESTAPIclaim1\" />\n          <OutputClaim ClaimTypeReferenceId=\"IDPclaim1\" />\n           -->\n        </OutputClaims>\n      </TechnicalProfile>\n\n\n      <TechnicalProfile Id=\"AAD-UserReadUsingObjectId-CheckRefreshTokenDate\">\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"refreshTokensValidFromDateTime\" />\n          <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n        </OutputClaims>\n        <OutputClaimsTransformations>\n          <OutputClaimsTransformation ReferenceId=\"AssertRefreshTokenIssuedLaterThanValidFromDate\" />\n        </OutputClaimsTransformations>\n        <IncludeTechnicalProfile ReferenceId=\"AAD-UserReadUsingObjectId\" />\n      </TechnicalProfile>\n    </TechnicalProfiles>\n  </ClaimsProvider>\n\n  </ClaimsProviders>\n\n  <UserJourneys>\n\n    <UserJourney Id=\"SignUpOrSignIn\">\n      <OrchestrationSteps>\n\n        <OrchestrationStep Order=\"1\" Type=\"CombinedSignInAndSignUp\" ContentDefinitionReferenceId=\"api.signuporsignin\">\n          <ClaimsProviderSelections>\n            <ClaimsProviderSelection ValidationClaimsExchangeId=\"LocalAccountSigninEmailExchange\" />\n          </ClaimsProviderSelections>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"LocalAccountSigninEmailExchange\" 
TechnicalProfileReferenceId=\"SelfAsserted-LocalAccountSignin-Email\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>objectId</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"SignUpWithLogonEmailExchange\" TechnicalProfileReferenceId=\"LocalAccountSignUpWithLogonEmail\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- This step reads any user attributes that we may not have received in the token. -->\n        <OrchestrationStep Order=\"3\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserReadWithObjectId\" TechnicalProfileReferenceId=\"AAD-UserReadUsingObjectId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <OrchestrationStep Order=\"4\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n\n      </OrchestrationSteps>\n      <ClientDefinition ReferenceId=\"DefaultWeb\" />\n    </UserJourney>\n\n    <UserJourney Id=\"ProfileEdit\">\n      <OrchestrationSteps>\n\n        <OrchestrationStep Order=\"1\" Type=\"ClaimsProviderSelection\" ContentDefinitionReferenceId=\"api.idpselections\">\n          <ClaimsProviderSelections>\n            <ClaimsProviderSelection TargetClaimsExchangeId=\"LocalAccountSigninEmailExchange\" />\n          </ClaimsProviderSelections>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"LocalAccountSigninEmailExchange\" TechnicalProfileReferenceId=\"SelfAsserted-LocalAccountSignin-Email\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        
<OrchestrationStep Order=\"3\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserReadWithObjectId\" TechnicalProfileReferenceId=\"AAD-UserReadUsingObjectId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <OrchestrationStep Order=\"4\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"B2CUserProfileUpdateExchange\" TechnicalProfileReferenceId=\"SelfAsserted-ProfileUpdate\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"5\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n\n      </OrchestrationSteps>\n      <ClientDefinition ReferenceId=\"DefaultWeb\" />\n    </UserJourney>\n\n    <UserJourney Id=\"PasswordReset\">\n      <OrchestrationSteps>\n        <OrchestrationStep Order=\"1\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"PasswordResetUsingEmailAddressExchange\" TechnicalProfileReferenceId=\"LocalAccountDiscoveryUsingEmailAddress\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"NewCredentials\" TechnicalProfileReferenceId=\"LocalAccountWritePasswordUsingObjectId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"3\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n      </OrchestrationSteps>\n      <ClientDefinition ReferenceId=\"DefaultWeb\" />\n    </UserJourney>\n\n    <UserJourney Id=\"RedeemRefreshToken\">\n      <PreserveOriginalAssertion>false</PreserveOriginalAssertion>\n      <OrchestrationSteps>\n        <OrchestrationStep Order=\"1\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"RefreshTokenSetupExchange\" TechnicalProfileReferenceId=\"RefreshTokenReadAndSetup\" 
/>\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        \n        <!-- Extra steps can be added before or after this step for REST API or claims transformation calls-->\n\n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"CheckRefreshTokenDateFromAadExchange\" TechnicalProfileReferenceId=\"AAD-UserReadUsingObjectId-CheckRefreshTokenDate\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"3\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n      </OrchestrationSteps>\n    </UserJourney>\n    \n  </UserJourneys>\n</TrustFrameworkPolicy>"
  },
  {
    "path": "LocalAccounts/TrustFrameworkExtensions.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n<TrustFrameworkPolicy \n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" \n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\" \n  PolicySchemaVersion=\"0.3.0.0\" \n  TenantId=\"yourtenant.onmicrosoft.com\" \n  PolicyId=\"B2C_1A_TrustFrameworkExtensions\" \n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions\">\n  \n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkLocalization</PolicyId>\n  </BasePolicy>\n  <BuildingBlocks>\n\n  </BuildingBlocks>\n\n  <ClaimsProviders>\n\n\n    <ClaimsProvider>\n      <DisplayName>Local Account SignIn</DisplayName>\n      <TechnicalProfiles>\n         <TechnicalProfile Id=\"login-NonInteractive\">\n          <Metadata>\n            <Item Key=\"client_id\">ProxyIdentityExperienceFrameworkAppId</Item>\n            <Item Key=\"IdTokenAudience\">IdentityExperienceFrameworkAppId</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"client_id\" DefaultValue=\"ProxyIdentityExperienceFrameworkAppId\" />\n            <InputClaim ClaimTypeReferenceId=\"resource_id\" PartnerClaimType=\"resource\" DefaultValue=\"IdentityExperienceFrameworkAppId\" />\n          </InputClaims>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n  </ClaimsProviders>\n\n    <!--UserJourneys>\n\t\n\t</UserJourneys-->\n\n</TrustFrameworkPolicy>\n"
  },
  {
    "path": "LocalAccounts/TrustFrameworkLocalization.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n<TrustFrameworkPolicy \n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" \n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\" \n  PolicySchemaVersion=\"0.3.0.0\" \n  TenantId=\"yourtenant.onmicrosoft.com\" \n  PolicyId=\"B2C_1A_TrustFrameworkLocalization\" \n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkLocalization\">\n\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>\n  </BasePolicy>\n\n  <BuildingBlocks>\n\n    <ContentDefinitions>\n      <ContentDefinition Id=\"api.signuporsignin\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.signuporsignin.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountsignup\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.localaccountsignup.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.selfasserted\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.selfasserted.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountpasswordreset\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.localaccountpasswordreset.en\" />\n          
<!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.idpselections\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.idpselections.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountsignin\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.localaccountsignin.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.selfasserted.profileupdate\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.selfasserted.profileupdate.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n    </ContentDefinitions>\n\n    <Localization Enabled=\"true\">\n      <SupportedLanguages DefaultLanguage=\"en\" MergeBehavior=\"Append\">\n        <SupportedLanguage>en</SupportedLanguage>\n      </SupportedLanguages>\n\n      <LocalizedResources Id=\"api.signuporsignin.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"signInName\" StringId=\"DisplayName\">Email Address</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"heading\">Sign in</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"local_intro_generic\">Sign in with your {0}</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"password\" StringId=\"DisplayName\">Password</LocalizedString>\n          
<LocalizedString ElementType=\"UxElement\" StringId=\"requiredField_password\">Please enter your password</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"requiredField_generic\">Please enter your {0}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"invalid_generic\">Please enter a valid {0}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"createaccount_one_link\">Sign up now</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"createaccount_two_links\">Sign up with {0} or {1}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"createaccount_three_links\">Sign up with {0}, {1}, or {2}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"forgotpassword_link\">Forgot your password?</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_signin\">Sign in</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"createaccount_intro\">Don't have an account?</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"unknown_error\">We are having trouble signing you in. Please try again later.</LocalizedString>\n          <!-- Uncomment the remember_me only if the keep me signed in is activated. 
\n          <LocalizedString ElementType=\"UxElement\" StringId=\"remember_me\">Keep me signed in</LocalizedString> -->\n          <LocalizedString ElementType=\"ClaimsProvider\" StringId=\"FacebookExchange\">Facebook</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"ResourceOwnerFlowInvalidCredentials\">Your password is incorrect.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfInvalidPassword\">Your password is incorrect.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfPasswordExpired\">Your password has expired.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalDoesNotExist\">We can't seem to find your account.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfOldPasswordUsed\">Looks like you used an old password.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"DefaultMessage\">Invalid username or password.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfUserAccountDisabled\">Your account has been locked. Contact your support person to unlock it, then try again.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfUserAccountLocked\">Your account is temporarily locked to prevent unauthorized use. Try again later.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"AADRequestsThrottled\">There are too many requests at this moment. 
Please wait for some time and try again.</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!--Local account sign-up page English-->\n      <LocalizedResources Id=\"api.localaccountsignup.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"DisplayName\">Email Address</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"UserHelpText\">Email address that can be used to contact you.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"PatternHelpText\">Please enter a valid email address.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"DisplayName\">New Password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"UserHelpText\">Enter new password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"PatternHelpText\">8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ &amp; * - _ + = [ ] { } | \\ : ' , ? / ` ~ \" ( ) ; .</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"DisplayName\">Confirm New Password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"UserHelpText\">Confirm new password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"PatternHelpText\">8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ &amp; * - _ + = [ ] { } | \\ : ' , ? 
/ ` ~ \" ( ) ; .</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"DisplayName\">Display Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"UserHelpText\">Your display name.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"DisplayName\">Surname</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"UserHelpText\">Your surname (also known as family name or last name).</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"DisplayName\">Given Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"UserHelpText\">Your given name (also known as first name).</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_continue\">Create</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_fieldIncorrect\">One or more fields are filled out incorrectly. Please check your entries and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_passwordEntryMismatch\">The password entry fields do not match. Please enter the same password in both fields and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_requiredFieldMissing\">A required field is missing. 
Please fill out all required fields and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"helplink_text\">What is this?</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"initial_intro\">Please provide the following details.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"preloader_alt\">Please wait</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"required_field\">This information is required.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_cancel\">Cancel</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_but_edit\">Change e-mail</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_but_resend\">Send new code</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_but_send\">Send verification code</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_but_verify\">Verify code</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_fail_code_expired\">That code is expired. Please request a new code.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_fail_no_retry\">You've made too many incorrect attempts. Please try again later.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_fail_retry\">That code is incorrect. Please try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_fail_server\">We are having trouble verifying your email address. Please enter a valid email address and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_fail_throttled\">There have been too many requests to verify this email address. 
Please wait a while, then try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_info_msg\">Verification code has been sent to your inbox. Please copy it to the input box below.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_input\">Verification code</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_intro_msg\">Verification is necessary. Please click Send button.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_success_msg\">E-mail address verified. You can now continue.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"ServiceThrottled\">There are too many requests at this moment. Please wait for some time and try again.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimNotVerified\">Claim not verified: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalAlreadyExists\">A user with the specified ID already exists. 
Please choose a different one.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfIncorrectPattern\">Incorrect pattern for: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfInvalidInput\">{0} has invalid input.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfMissingRequiredElement\">Missing required element: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfValidationError\">Error in validation by: {0}</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Self-asserted page English-->\n      <LocalizedResources Id=\"api.selfasserted.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalAlreadyExists\">You are already registered, please press the back button and sign in instead.</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Password reset page English-->\n      <LocalizedResources Id=\"api.localaccountpasswordreset.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"DisplayName\">Email Address</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"UserHelpText\">Email address that can be used to contact you.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"PatternHelpText\">Please enter a valid email address.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"DisplayName\">New Password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"UserHelpText\">Enter new password</LocalizedString>\n          <LocalizedString 
ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"PatternHelpText\">8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ &amp; * - _ + = [ ] { } | \\ : ' , ? / ` ~ \" ( ) ; .</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"DisplayName\">Confirm New Password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"UserHelpText\">Confirm new password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"PatternHelpText\">8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ &amp; * - _ + = [ ] { } | \\ : ' , ? / ` ~ \" ( ) ; .</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_passwordEntryMismatch\">The password entry fields do not match. Please enter the same password in both fields and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_fieldIncorrect\">One or more fields are filled out incorrectly. Please check your entries and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_continue\">Continue</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_cancel\">Cancel</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalDoesNotExist\">An account could not be found for the provided user ID.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsTransformationBooleanValueIsNotEqual\">Your account has been locked. 
Contact your support person to unlock it, then try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"required_field\">This information is required.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_but_edit\">Change e-mail</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_but_resend\">Send new code</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_but_send\">Send verification code</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_but_verify\">Verify code</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_fail_code_expired\">That code is expired. Please request a new code.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_fail_no_retry\">You've made too many incorrect attempts. Please try again later.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_fail_retry\">That code is incorrect. Please try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_fail_server\">We are having trouble verifying your email address. Please enter a valid email address and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_fail_throttled\">There have been too many requests to verify this email address. Please wait a while, then try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_info_msg\">Verification code has been sent to your inbox. Please copy it to the input box below.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_input\">Verification code</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_intro_msg\">Verification is necessary. 
Please click Send button.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_success_msg\">E-mail address verified. You can now continue.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"ServiceThrottled\">There are too many requests at this moment. Please wait for some time and try again.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimNotVerified\">Claim not verified: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalAlreadyExists\">A user with the specified ID already exists. Please choose a different one.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfIncorrectPattern\">Incorrect pattern for: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfInvalidInput\">{0} has invalid input.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfMissingRequiredElement\">Missing required element: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfValidationError\">Error in validation by: {0}</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Edit profile sign-in page English-->\n      <LocalizedResources Id=\"api.idpselections.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"intro\">Sign in</LocalizedString>\n          <LocalizedString ElementType=\"ClaimsProvider\" StringId=\"LocalAccountSigninEmailExchange\">Local Account Signin</LocalizedString>\n          <LocalizedString ElementType=\"ClaimsProvider\" StringId=\"FacebookExchange\">Facebook</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Edit profile sign-in with local account English-->\n      
<LocalizedResources Id=\"api.localaccountsignin.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"signInName\" StringId=\"DisplayName\">Email Address</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"password\" StringId=\"DisplayName\">Password</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_continue\">Continue</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_cancel\">Cancel</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"ResourceOwnerFlowInvalidCredentials\">Your password is incorrect.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfInvalidPassword\">Your password is incorrect.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfPasswordExpired\">Your password has expired.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalDoesNotExist\">We can't seem to find your account.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfOldPasswordUsed\">Looks like you used an old password.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"DefaultMessage\">Invalid username or password.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfUserAccountDisabled\">Your account has been locked. Contact your support person to unlock it, then try again.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfUserAccountLocked\">Your account is temporarily locked to prevent unauthorized use. Try again later.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"AADRequestsThrottled\">There are too many requests at this moment. 
Please wait for some time and try again.</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Edit profile page English-->\n      <LocalizedResources Id=\"api.selfasserted.profileupdate.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"DisplayName\">Display Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"UserHelpText\">Your display name.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"DisplayName\">Surname</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"UserHelpText\">Your surname (also known as family name or last name).</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"DisplayName\">Given Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"UserHelpText\">Your given name (also known as first name).</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_continue\">Continue</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_cancel\">Cancel</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n      <!-- Add more languages here -->\n    </Localization>\n  </BuildingBlocks>\n\n</TrustFrameworkPolicy>"
  },
  {
    "path": "LocalAccounts/readme.md",
    "content": "# Local account sign-up or sign-in user journey overview\n\nThis article gives an overview of the **local account sign-up or sign-in** user journey custom policies. We recommend that you read the [Azure AD B2C custom policy overview](https://docs.microsoft.com/azure/active-directory-b2c/custom-policy-overview) before reading this article.\n\n\nYou can find the user journey and its orchestration steps in the TrustFrameworkBase.xml file, with the Id \"SignUpOrSignIn\". Each Orchestration step and its referenced technical profile will be explained in detail in the following series.\n\n\n\n## Logical Steps\n\nFor a user to be able to sign up and sign in, the following user experience must be translated into logical steps with a custom policy.\n\nHandling Sign Up:\n\n1. Display a page that allows users to enter their email, password, and name.\n1. Verify their email with a Timed One Time Passcode sent to their email address.\n1. When the user completes a sign up, we must create their account.\n1. Prevent a user from signing up with an existing email address.\n1. Issue an id token.\n\nHandling Sign In:\n\n1. Display a page where the user can enter their email and password.\n1. On the sign in page, display a link to sign up.\n1. If the user submits their credentials (signs in), we must validate the credentials.\n1. Issue an id token.\n\n## Translating this into custom policies  \n\nHandling Sign Up\n\n1. This requires a Self-Asserted technical profile. It must present output claims to obtain the email, password, and name claims.\n1. Make use of a special claim, which enforces email verification.\n1. Use a Validation technical profile to write the account to the directory. This Validation technical profile will be of type Azure Active Directory.\n1. As part of writing the account, configure the technical profile to throw an error if the account exists.\n1. Read any additional information from the directory user object.\n1. 
Call a technical profile to issue a token.\n\nHandling Sign In:\n\n1. This requires a Self-Asserted technical profile. It must present output claims to obtain the email and password claims.\n1. Use the combined sign in and sign up content definition, which provides this for us.\n1. Run a Validation technical profile to validate the credentials.\n1. Read any additional information from the directory user object.\n1. Call a technical profile to issue a token.  \n\n## Building the custom policy\n\n### Handling Sign In\n\n**Orchestration Step 1**: Provides functionality for a user to sign up or sign in. This is achieved using a Self-Asserted technical profile and connected validation technical profile.\n\nThe XML required to generate this step is:\n\n```xml\n<OrchestrationStep Order=\"1\" Type=\"CombinedSignInAndSignUp\" ContentDefinitionReferenceId=\"api.signuporsignin\">\n  <ClaimsProviderSelections>\n    <ClaimsProviderSelection ValidationClaimsExchangeId=\"LocalAccountSigninEmailExchange\" />\n  </ClaimsProviderSelections>\n  <ClaimsExchanges>\n    <ClaimsExchange Id=\"LocalAccountSigninEmailExchange\" TechnicalProfileReferenceId=\"SelfAsserted-LocalAccountSignin-Email\" />\n  </ClaimsExchanges>\n</OrchestrationStep>\n```\n\nThe combined sign up and sign in page is treated uniquely by Azure AD B2C, since it presents a sign up link that can take the user to the sign up step.\nThis is achieved with the following two lines:\n\n```xml\n<OrchestrationStep Order=\"1\" Type=\"CombinedSignInAndSignUp\" ContentDefinitionReferenceId=\"api.signuporsignin\">\n```\n\nSince Azure AD B2C understands that this is a sign in page, you must specify the `ClaimsProviderSelections` element with at least one reference to a `ClaimsProviderSelection`. 
This `ClaimsProviderSelection` maps to the `ClaimsExchange`, which ultimately calls a technical profile called `SelfAsserted-LocalAccountSignin-Email`.\n\nThe `SelfAsserted-LocalAccountSignin-Email` technical profile defines the actual page functionality:\n\n```xml\n<TechnicalProfile Id=\"SelfAsserted-LocalAccountSignin-Email\">\n  <DisplayName>Local Account Signin</DisplayName>\n  <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n  <Metadata>\n    <Item Key=\"SignUpTarget\">SignUpWithLogonEmailExchange</Item>\n    <Item Key=\"setting.operatingMode\">Email</Item>\n    <Item Key=\"ContentDefinitionReferenceId\">api.selfasserted</Item>\n    <Item Key=\"IncludeClaimResolvingInClaimsHandling\">true</Item>\n  </Metadata>\n  <IncludeInSso>false</IncludeInSso>\n  <InputClaims>\n    <InputClaim ClaimTypeReferenceId=\"signInName\" DefaultValue=\"{OIDC:LoginHint}\" AlwaysUseDefaultValue=\"true\" />\n  </InputClaims>\n  <OutputClaims>\n    <OutputClaim ClaimTypeReferenceId=\"signInName\" Required=\"true\" />\n    <OutputClaim ClaimTypeReferenceId=\"password\" Required=\"true\" />\n    <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n    <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" />\n  </OutputClaims>\n  <ValidationTechnicalProfiles>\n    <ValidationTechnicalProfile ReferenceId=\"login-NonInteractive\" />\n  </ValidationTechnicalProfiles>\n  <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n</TechnicalProfile>\n```\n\n|Element name  |Description  |\n|---------|---------|\n|TechnicalProfile Id | Identifier for this technical profile. It is used to find the technical profile that this orchestration step calls.|\n|DisplayName|Friendly name which can describe the function of this technical profile.|\n|Protocol|The Azure AD B2C technical profile type. 
In this case, it is Self-Asserted, such that a page is rendered for the user to provide their inputs.|\n|Metadata|For a Self-Asserted Combined Sign in and Sign up profile, we provide a SignUpTarget, which points to the Sign Up ClaimsExchange Id in a subsequent orchestration step.|\n|InputClaims|Allows the signInName claim to be pre-populated.|\n|OutputClaims| We require the user to provide their email and password, hence referenced as output claims. There are some claims here, such as objectId, that are not presented on the page since the validation technical profile satisfies this output claim.|\n|ValidationTechnicalProfiles|The technical profile to launch to validate the data the user provided, in this case to validate their credentials.|\n|UseTechnicalProfileForSessionManagement|References a technical profile to add this step into the session such that during SSO, this step is skipped.|\n\nTo see all the configuration options for a Self-Asserted technical profile, find more [here](https://docs.microsoft.com/azure/active-directory-b2c/self-asserted-technical-profile).\n\nBy calling this technical profile, we now satisfy the initial logical step for sign in. When the user submits the page, any validation technical profiles referenced by the technical profile will run. In this case, that is the validation technical profile `login-NonInteractive`.\n\n`login-NonInteractive` is a technical profile, which makes an OpenId request using the [Resource Owner Password Credential](https://tools.ietf.org/html/rfc6749#section-4.3) grant flow to validate the credentials the user provided at the Azure AD authorization server. 
This is an API-based login performed by the Azure AD B2C service against the Azure AD authentication service.\n\n```xml\n<TechnicalProfile Id=\"login-NonInteractive\">\n  <DisplayName>Local Account SignIn</DisplayName>\n  <Protocol Name=\"OpenIdConnect\" />\n  <Metadata>\n    <Item Key=\"UserMessageIfClaimsPrincipalDoesNotExist\">We can't seem to find your account</Item>\n    <Item Key=\"UserMessageIfInvalidPassword\">Your password is incorrect</Item>\n    <Item Key=\"UserMessageIfOldPasswordUsed\">Looks like you used an old password</Item>\n\n    <Item Key=\"ProviderName\">https://sts.windows.net/</Item>\n    <Item Key=\"METADATA\">https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration</Item>\n    <Item Key=\"authorization_endpoint\">https://login.microsoftonline.com/{tenant}/oauth2/token</Item>\n    <Item Key=\"response_types\">id_token</Item>\n    <Item Key=\"response_mode\">query</Item>\n    <Item Key=\"scope\">email openid</Item>\n\n    <!-- Policy Engine Clients -->\n    <Item Key=\"UsePolicyInRedirectUri\">false</Item>\n    <Item Key=\"HttpBinding\">POST</Item>\n  </Metadata>\n  <InputClaims>\n    <InputClaim ClaimTypeReferenceId=\"signInName\" PartnerClaimType=\"username\" Required=\"true\" />\n    <InputClaim ClaimTypeReferenceId=\"password\" Required=\"true\" />\n    <InputClaim ClaimTypeReferenceId=\"grant_type\" DefaultValue=\"password\" AlwaysUseDefaultValue=\"true\" />\n    <InputClaim ClaimTypeReferenceId=\"scope\" DefaultValue=\"openid\" AlwaysUseDefaultValue=\"true\" />\n    <InputClaim ClaimTypeReferenceId=\"nca\" PartnerClaimType=\"nca\" DefaultValue=\"1\" />\n  </InputClaims>\n  <OutputClaims>\n    <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"oid\" />\n    <OutputClaim ClaimTypeReferenceId=\"tenantId\" PartnerClaimType=\"tid\" />\n    <OutputClaim ClaimTypeReferenceId=\"givenName\" PartnerClaimType=\"given_name\" />\n    <OutputClaim ClaimTypeReferenceId=\"surName\" PartnerClaimType=\"family_name\" />\n  
  <OutputClaim ClaimTypeReferenceId=\"displayName\" PartnerClaimType=\"name\" />\n    <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" PartnerClaimType=\"upn\" />\n    <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" DefaultValue=\"localAccountAuthentication\" />\n  </OutputClaims>\n</TechnicalProfile>\n```\n\n|Element name  |Description  |\n|---------|---------|\n|TechnicalProfile Id | Identifier for this technical profile. It is used to find the technical profile that this orchestration step calls.|\n|DisplayName|Friendly name, which can describe the function of this technical profile.|\n|Protocol|The Azure AD B2C technical profile type. In this case, it is OpenId, such that Azure AD B2C understands to make an OpenId request.|\n|Metadata|Various configuration options to make a valid OpenId request since the grant_type is configured password and the HTTP binding is set to POST.  This also includes various error handling responses, such as incorrect password.|\n|InputClaims|Passes the username and password into the POST body of the OpenId request.|\n|OutputClaims| Maps the JWT issued by the authorization server into Azure AD B2C's claim bag. Here we obtain the objectId and authenticationSource, hence it is not shown on the Self-Asserted page.|\n\nTo see all the configuration options for an OpenID technical profile, find more [here](https://docs.microsoft.com/en-us/azure/active-directory-b2c/openid-connect-technical-profile).\n\nWe have now rendered a sign in page to the user, allowed the user to enter their email and password, and finally validated their credentials.\n\n**Orchestration Step 2** - Skipped as an objectId was output by Orchestration Step 1. 
This step pertains to sign up.\n\n**Orchestration Step 3** - Read any additional data from the user object.\n\nWe may be storing additional data the user provided or other data on the user object, which allows your application/service to function correctly.\n\nTherefore, we will read the user object for any desired attributes to add into the Azure AD B2C claims bag.\n\nThe following Orchestration step calls a technical profile called `AAD-UserReadUsingObjectId`, which provides this functionality.\nThe ClaimsExchange Id is a unique name for this claims exchange that you can set.\n\n```xml\n<OrchestrationStep Order=\"3\" Type=\"ClaimsExchange\">\n  <ClaimsExchanges>\n    <ClaimsExchange Id=\"AADUserReadWithObjectId\" TechnicalProfileReferenceId=\"AAD-UserReadUsingObjectId\" />\n  </ClaimsExchanges>\n</OrchestrationStep>\n```\n\nThe referenced technical profile is as follows:\n\n```xml\n<TechnicalProfile Id=\"AAD-UserReadUsingObjectId\">\n  <Metadata>\n    <Item Key=\"Operation\">Read</Item>\n    <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n  </Metadata>\n  <IncludeInSso>false</IncludeInSso>\n  <InputClaims>\n    <InputClaim ClaimTypeReferenceId=\"objectId\" Required=\"true\" />\n  </InputClaims>\n  <OutputClaims>\n    <OutputClaim ClaimTypeReferenceId=\"signInNames.emailAddress\" />\n    <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n    <OutputClaim ClaimTypeReferenceId=\"otherMails\" />\n    <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n    <OutputClaim ClaimTypeReferenceId=\"surname\" />\n  </OutputClaims>\n  <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n</TechnicalProfile>\n```\n\nThis technical profile does not state a protocol and is therefore automatically of type `Azure Active Directory`, which provides the ability to read or write to the directory structure.\n\n\n|Element name  |Description  |\n|---------|---------|\n|TechnicalProfile Id|Identifier for this technical profile. 
It is used to find the technical profile that this orchestration step calls.|\n|Metadata|This is configured to read the directory. And to throw an error if the user is not found.|\n|InputClaims|This is asking to lookup any matching user account in the directory with the objectId from the Azure AD B2C claims bag. This objectId will have been received via the `login-NonInteractive` technical profile and output into the claims bag by the `SelfAsserted-LocalAccountSignin-Email` technical profile. |\n|OutputClaims|We are asking to read these claims from the directory. The Azure AD B2C claims referenced here have the same name as the attribute name in the directory. |\n|IncludeTechnicalProfile|AAD-Common is included to provide the foundational functionality to read or write to the directory.|\n\nA special case must be noted for the `signInNames.emailAddress`, this references the attribute `signInNames` which is a collection of key value pairs. In this case, we are reading back the `emailAddress` key within the `signInNames` attribute.\n\n**Orchestration Step 4** - Issue an id token.\n\nIn most user journeys, the journey will end by issuing an id token back to the application. 
This orchestration step looks as follows:\n\n```xml\n<OrchestrationStep Order=\"4\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n```\n\nThe referenced technical profile is as follows:\n\n```xml\n<TechnicalProfile Id=\"JwtIssuer\">\n  <DisplayName>JWT Issuer</DisplayName>\n  <Protocol Name=\"OpenIdConnect\" />\n  <OutputTokenFormat>JWT</OutputTokenFormat>\n  <Metadata>\n    <Item Key=\"client_id\">{service:te}</Item>\n    <Item Key=\"issuer_refresh_token_user_identity_claim_type\">objectId</Item>\n    <Item Key=\"SendTokenResponseBodyWithJsonNumbers\">true</Item>\n  </Metadata>\n  <CryptographicKeys>\n    <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n    <Key Id=\"issuer_refresh_token_key\" StorageReferenceId=\"B2C_1A_TokenEncryptionKeyContainer\" />\n  </CryptographicKeys>\n  <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-jwt-issuer\" />\n</TechnicalProfile>\n```\n\nThis step does not need configuring any further, but find out more [here](https://docs.microsoft.com/en-us/azure/active-directory-b2c/jwt-issuer-technical-profile).\n\n### Handling Sign Up\n\nTo handle sign up, we must have one additional orchestration step, which allows the user to provide their email, new password, and name. And upon validating this information, we must write an account to the directory. 
The other steps are shared with the orchestration steps explained in `Handling Sign in`.\n\nThe additional orchestration step is as follows:\n\n```xml\n<OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n  <Preconditions>\n    <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n      <Value>objectId</Value>\n      <Action>SkipThisOrchestrationStep</Action>\n    </Precondition>\n  </Preconditions>\n  <ClaimsExchanges>\n    <ClaimsExchange Id=\"SignUpWithLogonEmailExchange\" TechnicalProfileReferenceId=\"LocalAccountSignUpWithLogonEmail\" />\n  </ClaimsExchanges>\n</OrchestrationStep>\n```\n\nSince orchestration steps run sequentially, we must not run this step if the user is trying to sign in, and only run it if the user clicked the sign up link. This is achieved using the **Precondition**. Note that during the sign in phase, the Azure AD B2C claims bag will have an objectId populated after login-NonInteractive has run. Therefore, we can use the existence of this claim to skip this step as follows.\n\n```xml\n<Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n    <Value>objectId</Value>\n    <Action>SkipThisOrchestrationStep</Action>\n</Precondition>\n```\n\nWhen displaying the Combined Sign up and Sign in page, it was mentioned that the metadata of the `SelfAsserted-LocalAccountSignin-Email` technical profile configures an item called `SignUpTarget`. This enables the Sign Up link on the Combined Sign in and Sign up page to call the claims exchange in Orchestration Step 2, which consequently executes the `LocalAccountSignUpWithLogonEmail` technical profile.\n\nThe technical profile is designed to capture the email, password, and the name of the user. 
Then write the account to the directory, as follows:\n\n```xml\n<TechnicalProfile Id=\"LocalAccountSignUpWithLogonEmail\">\n  <DisplayName>Email signup</DisplayName>\n  <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n  <Metadata>\n    <Item Key=\"IpAddressClaimReferenceId\">IpAddress</Item>\n    <Item Key=\"ContentDefinitionReferenceId\">api.localaccountsignup</Item>\n    <Item Key=\"language.button_continue\">Create</Item>\n  </Metadata>\n  <CryptographicKeys>\n    <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n  </CryptographicKeys>\n  <InputClaims>\n    <InputClaim ClaimTypeReferenceId=\"email\" />\n  </InputClaims>\n  <OutputClaims>\n    <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n    <OutputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"Verified.Email\" Required=\"true\" />\n    <OutputClaim ClaimTypeReferenceId=\"newPassword\" Required=\"true\" />\n    <OutputClaim ClaimTypeReferenceId=\"reenterPassword\" Required=\"true\" />\n    <OutputClaim ClaimTypeReferenceId=\"executed-SelfAsserted-Input\" DefaultValue=\"true\" />\n    <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" />\n    <OutputClaim ClaimTypeReferenceId=\"newUser\" />\n\n    <!-- Optional claims, to be collected from the user -->\n    <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n    <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n    <OutputClaim ClaimTypeReferenceId=\"surName\" />\n  </OutputClaims>\n  <ValidationTechnicalProfiles>\n    <ValidationTechnicalProfile ReferenceId=\"AAD-UserWriteUsingLogonEmail\" />\n  </ValidationTechnicalProfiles>\n  <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n</TechnicalProfile>\n\n```\n\n|Element name  |Description  |\n|---------|---------|\n|TechnicalProfile Id|Identifier for this technical profile. 
It is used to find the technical profile that this orchestration step calls.|\n|Metadata|Various configuration options available for a Self-Asserted page.|\n|InputClaims| If an email is sent within the query parameter during the authentication request, it can be pre-populated here.|\n|OutputClaims|This asks the user to provide a verified email (via email verification), password, and names. Other claims are satisfied by the validation technical profile, and therefore not displayed. They are there only such that those claims be available to subsequent steps after this step completes.|\n|ValidationTechnicalProfiles|When the user submits the page, we must validate the users email doesn't already exist, and then write the account to the directory.|\n|UseTechnicalProfileForSessionManagement|References a technical profile to add this step into the session such that during SSO, this step is skipped.|\n\nAzure AD B2C uses a special partner claim type to enforce email verification on a claim, as seen here:\n\n```xml\n<OutputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"Verified.Email\" Required=\"true\" />\n```\n\nHere we are forcing the email claim presented on screen to be verified. Azure AD B2C will therefore render the `Verify` button on the page against this text field, and only allow the user to continue if this field was verified by a code sent to the user's inbox. This technique can be used against any claim name presented to the user as an output claim `(ClaimTypeReferenceId)`.\n\nTo see all the configuration options for a Self-Asserted technical profile, find more [here](https://docs.microsoft.com/azure/active-directory-b2c/self-asserted-technical-profile).\n\nWhen the user submits the page, the Validation technical profile will run, called `AAD-UserWriteUsingLogonEmail`. This is called to attempt to write the account. It is modeled as a Validation Technical profile as this process could fail if the account already exists. 
This allows an error to be displayed to the screen in such cases.\n\nThe `AAD-UserWriteUsingLogonEmail` is as follows:\n\n```xml\n<TechnicalProfile Id=\"AAD-UserWriteUsingLogonEmail\">\n  <Metadata>\n    <Item Key=\"Operation\">Write</Item>\n    <Item Key=\"RaiseErrorIfClaimsPrincipalAlreadyExists\">true</Item>\n  </Metadata>\n  <IncludeInSso>false</IncludeInSso>\n  <InputClaims>\n    <InputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"signInNames.emailAddress\" Required=\"true\" />\n  </InputClaims>\n  <PersistedClaims>\n    <!-- Required claims -->\n    <PersistedClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"signInNames.emailAddress\" />\n    <PersistedClaim ClaimTypeReferenceId=\"newPassword\" PartnerClaimType=\"password\"/>\n    <PersistedClaim ClaimTypeReferenceId=\"displayName\" DefaultValue=\"unknown\" />\n    <PersistedClaim ClaimTypeReferenceId=\"passwordPolicies\" DefaultValue=\"DisablePasswordExpiration\" />\n\n    <!-- Optional claims. -->\n    <PersistedClaim ClaimTypeReferenceId=\"givenName\" />\n    <PersistedClaim ClaimTypeReferenceId=\"surname\" />\n  </PersistedClaims>\n  <OutputClaims>\n    <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n    <OutputClaim ClaimTypeReferenceId=\"newUser\" PartnerClaimType=\"newClaimsPrincipalCreated\" />\n    <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" DefaultValue=\"localAccountAuthentication\" />\n    <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n    <OutputClaim ClaimTypeReferenceId=\"signInNames.emailAddress\" />\n  </OutputClaims>\n  <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n  <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n</TechnicalProfile>\n```\n\n|Element name  |Description  |\n|---------|---------|\n|TechnicalProfile Id|Identifier for this technical profile. It is used to find the technical profile that is referenced elsewhere.|\n|Metadata|This is configured to write to the directory. 
It also raises an error, with an error message, if the user already exists.|\n|InputClaims|This is attempting to find a user account with the `email` provided as part of the sign up page - `LocalAccountSignUpWithLogonEmail` technical profile.|\n|PersistedClaims|This section defines which claims are to be written to the account. In this case, it will automatically create the account with this information present.|\n|OutputClaims|We are asking to read these claims from the account that was just written. The Azure AD B2C claims referenced here have the same name as the attribute name in the directory. |\n|IncludeTechnicalProfile|AAD-Common is included to provide the foundational functionality to read or write to the directory.|\n\n**Orchestration Step 4** - Issue an id token.\n\nIn most user journeys, the journey will end by issuing an id token back to the application. This orchestration step looks as follows:\n\n```xml\n<OrchestrationStep Order=\"4\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n```\n\nThe referenced technical profile is as follows:\n\n```xml\n<TechnicalProfile Id=\"JwtIssuer\">\n  <DisplayName>JWT Issuer</DisplayName>\n  <Protocol Name=\"OpenIdConnect\" />\n  <OutputTokenFormat>JWT</OutputTokenFormat>\n  <Metadata>\n    <Item Key=\"client_id\">{service:te}</Item>\n    <Item Key=\"issuer_refresh_token_user_identity_claim_type\">objectId</Item>\n    <Item Key=\"SendTokenResponseBodyWithJsonNumbers\">true</Item>\n  </Metadata>\n  <CryptographicKeys>\n    <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n    <Key Id=\"issuer_refresh_token_key\" StorageReferenceId=\"B2C_1A_TokenEncryptionKeyContainer\" />\n  </CryptographicKeys>\n  <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-jwt-issuer\" />\n</TechnicalProfile>\n```\n\nThis step does not need configuring any further, but find out more 
[here](https://docs.microsoft.com/en-us/azure/active-directory-b2c/jwt-issuer-technical-profile).\n\n\n## Relying Party Policy\n\nThe relying party file contains the entry point to the User Journey described by the orchestration steps.\n\n```xml\n<RelyingParty>\n    <DefaultUserJourney ReferenceId=\"SignUpOrSignIn\" />\n```\n\nThe output claims within the `Relying Party` section define what claims to populate into the token that is issued to the application/relying party.\n\n```xml\n<OutputClaims>\n  <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n  <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n  <OutputClaim ClaimTypeReferenceId=\"surname\" />\n  <OutputClaim ClaimTypeReferenceId=\"email\" />\n  <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"sub\"/>\n  <OutputClaim ClaimTypeReferenceId=\"tenantId\" AlwaysUseDefaultValue=\"true\" DefaultValue=\"{Policy:TenantObjectId}\" />\n</OutputClaims>\n```\n\nThe output claims listed here must be output by at least one of the technical profiles called by the user journey, otherwise the file will not upload successfully.\n\nSince some steps can be skipped during a particular flow, these may not always be present in the token.\n\n## Summary\n\nBy reducing the user experience to a set of logical steps, we have translated these to a set of Orchestration Steps within an Azure AD B2C policy. These orchestration steps then implement the functionality of each logical step by allowing the user to interact with pages and validate various information. Finally we issue an id token back to the application.\n\n\n"
  },
  {
    "path": "README.md",
    "content": "# Contributing\r\n\r\nThis project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information, see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.\r\n\r\n## Change log\r\n\r\n### 09 August 2022\r\n\r\nWith this version the starter pack now contains a Refresh Token user journey. This journey will be executed any time an application [refreshes a token](https://docs.microsoft.com/azure/active-directory-b2c/access-tokens#request-a-token). It will check the user still exists and is enabled in the Azure AD B2C directory. It also checks that the refresh token is not expired. It compiles any claims that are not persisted in the user profile, including claims from identity providers and REST API calls. A new set of refreshed tokens is then issued.\r\n\r\nThis fix allows refresh tokens to be revoked for users and prevents users who have been deleted from the directory from retaining access. This change affects all starterpack samples.\r\n\r\n|Policy  |Notes  |\r\n|-------|-------|\r\n| B2C_1A_TrustFrameworkBase | Added Refresh Token claims, Refresh Token ClaimsTransformations, Refresh Token Technical Profiles and Refresh Token User Journey |\r\n| B2C_1A_SignUpOrSignIn | Added Refresh Token Endpoint to Relying Party |\r\n\r\n### Migrate existing policy to this version\r\n\r\nYour custom policy can invoke a custom refresh token journey. Add the following user journey to your *TrustFrameworkExtensions.xml* file to get started.\r\n\r\n1. Open the extensions file of your policy. For example, `SocialAndLocalAccounts/TrustFrameworkExtensions.xml`.\r\n1. Locate the [UserJourneys](userjourneys.md) element. If the element doesn't exist, add it.\r\n1. 
Add the following **UserJourney** to the **UserJourneys** element.\r\n\r\n\r\n```xml\r\n<!--\r\n<UserJourneys>-->\r\n  <UserJourney Id=\"RedeemRefreshToken\">\r\n    <PreserveOriginalAssertion>false</PreserveOriginalAssertion>\r\n    <OrchestrationSteps>\r\n      <OrchestrationStep Order=\"1\" Type=\"ClaimsExchange\">\r\n        <ClaimsExchanges>\r\n          <ClaimsExchange Id=\"RefreshTokenSetupExchange\" TechnicalProfileReferenceId=\"RefreshTokenReadAndSetup\" />\r\n        </ClaimsExchanges>\r\n      </OrchestrationStep>\r\n      <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\r\n        <ClaimsExchanges>\r\n          <ClaimsExchange Id=\"CheckRefreshTokenDateFromAadExchange\" TechnicalProfileReferenceId=\"AAD-UserReadUsingObjectId-CheckRefreshTokenDate\" />\r\n        </ClaimsExchanges>\r\n      </OrchestrationStep>\r\n      <OrchestrationStep Order=\"3\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\r\n    </OrchestrationSteps>\r\n  </UserJourney>\r\n<!--\r\n</UserJourneys>-->\r\n```\r\n\r\nThis user journey will validate that the refresh token has not been revoked. You can revoke refresh tokens in Azure AD B2C following the Microsoft Graph API [Revoke sign in sessions](/graph/api/user-revokesigninsessions) guidance.\r\n\r\nYou can add additional steps into this journey to call any other technical profiles, such as to your REST API technical profiles or Azure AD read/write technical profiles.\r\n\r\n#### Configure the relying party policy\r\n\r\nThe relying party file must be configured to point to your custom refresh token journey. This allows Azure AD B2C to reference your refresh token journey when your app makes a refresh token request. \r\n\r\nAdd an [Endpoint](relyingparty.md#endpoints) with `Id` set to **token** and provide a `UserJourneyReferenceId` referencing the **UserJourney Id** from the prior section. 
Merge the following XML snippet into your *SignUpOrSignin.xml* file.\r\n\r\n```xml\r\n<RelyingParty> \r\n  <DefaultUserJourney ReferenceId=\"SignUpOrSignIn\" /> \r\n    <Endpoints> \r\n      <Endpoint Id=\"Token\" UserJourneyReferenceId=\"RedeemRefreshToken\" /> \r\n    </Endpoints>\r\n    ...    \r\n</RelyingParty> \r\n```\r\n\r\nRepeat this for all Relying party files your application may invoke, such as **ProfileEdit.xml** and **PasswordReset.xml**.\r\n\r\n#### Configure refresh token revocation evaluation\r\n\r\nThe custom refresh token journey can be used to evaluate whether the current refresh token being presented has been revoked. To implement this logic, Azure AD B2C must compare the `refreshTokenIssuedOnDateTime` and the `refreshTokensValidFromDateTime`. Create the claims schema definitions as shown in the below XML snippet in your *TrustFrameworkExtensions.xml*.\r\n\r\n1. Open the extensions file of your policy. For example, `SocialAndLocalAccounts/TrustFrameworkExtensions.xml`.\r\n1. Locate the [BuildingBlocks](buildingblocks.md) element. If the element doesn't exist, add it.\r\n1. Locate the [ClaimsSchema](claimsschema.md) element. If the element doesn't exist, add it.\r\n1. 
Add the following claims to the **ClaimsSchema** element.\r\n\r\n\r\n```xml\r\n<!--\r\n<BuildingBlocks>\r\n  <ClaimsSchema> -->\r\n    <ClaimType Id=\"refreshTokenIssuedOnDateTime\">\r\n      <DisplayName>refreshTokenIssuedOnDateTime</DisplayName>\r\n      <DataType>string</DataType>\r\n      <AdminHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</AdminHelpText>\r\n      <UserHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</UserHelpText>\r\n    </ClaimType>\r\n    <ClaimType Id=\"refreshTokensValidFromDateTime\">\r\n      <DisplayName>refreshTokensValidFromDateTime</DisplayName>\r\n      <DataType>string</DataType>\r\n      <AdminHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</AdminHelpText>\r\n      <UserHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</UserHelpText>\r\n    </ClaimType>\r\n  <!--\r\n  </ClaimsSchema>\r\n</BuildingBlocks> -->\r\n```\r\n\r\nTo check whether the refresh token has been revoked, the `refreshTokenIssuedOnDateTime` and the `refreshTokensValidFromDateTime` must be compared. Add the following [`AssertDateTimeIsGreaterThan`](date-transformations.md) **ClaimsTransformation** to your *TrustFrameworkExtensions.xml*.\r\n\r\n1. Open the extensions file of your policy. For example, `SocialAndLocalAccounts/TrustFrameworkExtensions.xml`.\r\n1.\tLocate the [BuildingBlocks](buildingblocks.md) element. If the element doesn't exist, add it.\r\n1.\tLocate the [ClaimsTransformations](claimstransformations.md) element. 
If the element doesn't exist, add it.\r\n1.\tAdd the following **ClaimsTransformation** to the **ClaimsTransformations** element.\r\n\r\n```xml\r\n<!--\r\n<BuildingBlocks>\r\n  <ClaimsTransformations> -->\r\n    <ClaimsTransformation Id=\"AssertRefreshTokenIssuedLaterThanValidFromDate\" TransformationMethod=\"AssertDateTimeIsGreaterThan\">\r\n      <InputClaims>\r\n        <InputClaim ClaimTypeReferenceId=\"refreshTokenIssuedOnDateTime\" TransformationClaimType=\"leftOperand\" />\r\n        <InputClaim ClaimTypeReferenceId=\"refreshTokensValidFromDateTime\" TransformationClaimType=\"rightOperand\" />\r\n      </InputClaims>\r\n      <InputParameters>\r\n        <InputParameter Id=\"AssertIfEqualTo\" DataType=\"boolean\" Value=\"false\" />\r\n        <InputParameter Id=\"AssertIfRightOperandIsNotPresent\" DataType=\"boolean\" Value=\"true\" />\r\n        <InputParameter Id=\"TreatAsEqualIfWithinMillseconds\" DataType=\"int\" Value=\"300000\" />\r\n      </InputParameters>\r\n    </ClaimsTransformation>\r\n  <!--\r\n  </ClaimsTransformations>\r\n</BuildingBlocks> -->\r\n```\r\n\r\nThe `TreatAsEqualIfWithinMillseconds` value of `300000` treats the two timestamps as equal when they are within five minutes of each other, and because `AssertIfEqualTo` is `false` the check passes in that case, so a refresh token issued less than five minutes before `refreshTokensValidFromDateTime` is still accepted; lower the value if you need revocation to take effect more promptly.\r\n\r\nTo run this check when a refresh token is redeemed, add the following technical profile to your *TrustFrameworkExtensions.xml*.\r\n\r\n1. Open the extensions file of your policy. For example, `SocialAndLocalAccounts/TrustFrameworkExtensions.xml`.\r\n1.\tLocate the [ClaimsProviders](claimsproviders.md) element. If the element doesn't exist, add it.\r\n1.\tAdd the following **ClaimsProvider** to the **ClaimsProviders** element.\r\n1.  
Add extra claims collected from previous REST API's and Federated IDP's that have not been persisted in the directory as **OutputClaims** under the **RefreshTokenReadAndSetup** technical profile\r\n\r\n```xml\r\n<!--\r\n<ClaimsProviders> -->\r\n  <ClaimsProvider>\r\n    <DisplayName>Refresh token journey</DisplayName>\r\n    <TechnicalProfiles>\r\n      <TechnicalProfile Id=\"RefreshTokenReadAndSetup\">\r\n        <DisplayName>Trustframework Policy Engine Refresh Token Setup Technical Profile</DisplayName>\r\n        <Protocol Name=\"None\" />\r\n        <OutputClaims>\r\n          <OutputClaim ClaimTypeReferenceId=\"objectId\" />\r\n          <OutputClaim ClaimTypeReferenceId=\"refreshTokenIssuedOnDateTime\" />\r\n              <!--additional claims from REST API or Federated IDP-->\r\n            <OutputClaim ClaimTypeReferenceId=\"ExtraClaim1\" />\r\n            <OutputClaim ClaimTypeReferenceId=\"ExtraClaim2\" />\r\n        </OutputClaims>\r\n      </TechnicalProfile>\r\n      <TechnicalProfile Id=\"AAD-UserReadUsingObjectId-CheckRefreshTokenDate\">\r\n        <OutputClaims>\r\n          <OutputClaim ClaimTypeReferenceId=\"refreshTokensValidFromDateTime\" />\r\n        </OutputClaims>\r\n        <OutputClaimsTransformations>\r\n          <OutputClaimsTransformation ReferenceId=\"AssertRefreshTokenIssuedLaterThanValidFromDate\" />\r\n        </OutputClaimsTransformations>\r\n        <IncludeTechnicalProfile ReferenceId=\"AAD-UserReadUsingObjectId\" />\r\n      </TechnicalProfile>\r\n    </TechnicalProfiles>\r\n  </ClaimsProvider>\r\n<!--\r\n</ClaimsProviders> -->\r\n```\r\n\r\n#### Upload the policies\r\n\r\n1. Select the **Identity Experience Framework** menu item in your B2C tenant in the Azure portal.\r\n1. Select **Upload custom policy**\r\n1. Select Overwrite the custom policy if it already exists\r\n1. In this order, upload the policy files:\r\n    1. *TrustFrameworkExtensions.xml*\r\n    1. 
*SignUpOrSignin.xml*\r\n\r\n### 11 October 2021\r\n\r\nWith this version the starter pack now contains a localization policy file `TrustFrameworkLocalization.xml`. The localization policy allows your policy to accommodate different languages to suit your customer needs. For more information, check the [PR #107](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/pull/107).\r\n\r\nThe new localization policy is located between the base and the extension policies:\r\n\r\n|Policy  |Base policy  |Notes  |\r\n|---------|---------|---------|\r\n| B2C_1A_TrustFrameworkBase| | Contains most of the definitions. To help with troubleshooting and long-term maintenance of your policies, try to minimize the number of changes you make to this file. |\r\n| B2C_1A_TrustFrameworkLocalization | B2C_1A_TrustFrameworkBase | Holds the localization strings. |\r\n|B2C_1A_TrustFrameworkExtensions | B2C_1A_TrustFrameworkLocalization| Holds the unique configuration changes for your tenant.  |\r\n| Relying Parties (RP) | B2C_1A_TrustFrameworkExtensions| For example: sign-up, sign-in, password reset, or profile edit.  |\r\n\r\n### Migrate an existing policy to this version\r\n\r\nTo migrate from the older version of the starter pack to this version:\r\n\r\n1. Download the starter pack and update the tenant name.\r\n1. Upload the newer version of the TrustFrameworkBase.xml file.\r\n1. Upload the new TrustFrameworkLocalization.xml file.\r\n1. Update your **existing** TrustFrameworkExtension.xml with the new base policy `B2C_1A_TrustFrameworkLocalization`. 
The following XML snippet demonstrates the base policy  **before** the change:\r\n    \r\n    ```xml\r\n    <!-- file: TrustFrameworkExtensions.xml -->\r\n    <BasePolicy>\r\n      <TenantId>yourtenant.onmicrosoft.com</TenantId>\r\n      <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>\r\n    </BasePolicy>\r\n    ```\r\n    \r\n    The following XML snippet demonstrates the base policy  **after** the change:\r\n\r\n    ```xml\r\n    <!-- file: TrustFrameworkExtensions.xml -->\r\n    <BasePolicy>\r\n      <TenantId>yourtenant.onmicrosoft.com</TenantId>\r\n      <PolicyId>B2C_1A_TrustFrameworkLocalization</PolicyId>\r\n    </BasePolicy>\r\n    ```\r\n\r\n1. Upload the TrustFrameworkExtension.xml policy.\r\n\r\n### 15 September 2021\r\n\r\n[Update](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/commit/6932a0af299950139da68faac103079406847b4a#diff-6cc2ef5ed426acc5056d6bd1b912ae4cbdeb3a00769252d35d50fb8d821d6342) to the content definition page version. With the new version the starter pack uses the page contract. For more information, see [Migrating to page layout](https://docs.microsoft.com/azure/active-directory-b2c/contentdefinitions#migrating-to-page-layout).\r\n\r\n### 20 July 2019\r\n\r\nUpdated policies to use the new Ocean Blue template\r\n\r\n### 29 January 2019\r\n\r\nA collection of bugfixes, improvements to code, and additional feature support is included in this starterpack.  It is not necessary or encouraged for developers to change policies currently in production or in testing.  We do encourage the use of these new versions for all new projects.\r\n\r\n### 10 May 2017\r\n\r\nPublic Preview Release\r\n\r\n### 5 May 2017\r\n\r\nAdded Key definition to the metadata element in all four TrustframeworkBase.xml versions. When this Item Key is set to TRUE, the expiration dates on the token issued by B2C will be presented as JSON Numbers.  
When set to False (default) they will be presented as strings.\r\n\r\n```xml\r\n<Item Key=\"SendTokenResponseBodyWithJsonNumbers\">true</Item> \r\n```\r\n\r\n--------------------------------------------\r\n\r\n## Important notes\r\n\r\nThe following Change is incorporated into the latest version of starterpack (01/29/2019) - It remains here for historical purposes.\r\n06/26/2017 - Correction to SocialAndLocalAccountswMFA in TrustFrameworkBase.xml file.\r\n\r\nA change to fix a data loss issue related to SSO, the profile edit policy, and MFA. This issue was due to the MFA SSO technical profile not outputting the below claim in the same format that the regular MFA provider does\r\n\r\n```XML\r\n<TechnicalProfile Id=\"SM-MFA\">\r\n  <DisplayName>Session Mananagement Provider</DisplayName>\r\n  <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.DefaultSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\r\n  <PersistedClaims>\r\n***OLD:  <PersistedClaim ClaimTypeReferenceId=\"strongAuthenticationPhoneNumber\" />\r\n***CORRECTED:  <PersistedClaim ClaimTypeReferenceId=\"Verified.strongAuthenticationPhoneNumber\" />\r\n    <PersistedClaim ClaimTypeReferenceId=\"executed-PhoneFactor-Input\" />\r\n  </PersistedClaims>\r\n  <OutputClaims>\r\n    <OutputClaim ClaimTypeReferenceId=\"isActiveMFASession\" DefaultValue=\"true\" />\r\n  </OutputClaims>\r\n</TechnicalProfile>\r\n```\r\n"
  },
  {
    "path": "SocialAccounts/ProfileEdit.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<TrustFrameworkPolicy\n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\"\n  PolicySchemaVersion=\"0.3.0.0\"\n  TenantId=\"yourtenant.onmicrosoft.com\"\n  PolicyId=\"B2C_1A_ProfileEdit\"\n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_ProfileEdit\">\n\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>\n  </BasePolicy>\n\n  <RelyingParty>\n    <DefaultUserJourney ReferenceId=\"ProfileEdit\" />\n    <TechnicalProfile Id=\"PolicyProfile\">\n      <DisplayName>PolicyProfile</DisplayName>\n      <Protocol Name=\"OpenIdConnect\" />\n      <OutputClaims>\n        <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"sub\"/>\n        <OutputClaim ClaimTypeReferenceId=\"tenantId\" AlwaysUseDefaultValue=\"true\" DefaultValue=\"{Policy:TenantObjectId}\" />\n      </OutputClaims>\n      <SubjectNamingInfo ClaimType=\"sub\" />\n    </TechnicalProfile>\n  </RelyingParty>\n</TrustFrameworkPolicy>\n\n\n"
  },
  {
    "path": "SocialAccounts/SignUpOrSignin.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<TrustFrameworkPolicy\n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\"\n  PolicySchemaVersion=\"0.3.0.0\"\n  TenantId=\"yourtenant.onmicrosoft.com\"\n  PolicyId=\"B2C_1A_signup_signin\"\n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_signup_signin\">\n\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>\n  </BasePolicy>\n\n  <RelyingParty>\n    <DefaultUserJourney ReferenceId=\"SignUpOrSignIn\" />\n    <Endpoints>\n      <!--points to refresh token journey when app makes refresh token request-->\n      <Endpoint Id=\"Token\" UserJourneyReferenceId=\"RedeemRefreshToken\" />\n\n    </Endpoints>\n    <TechnicalProfile Id=\"PolicyProfile\">\n      <DisplayName>PolicyProfile</DisplayName>\n      <Protocol Name=\"OpenIdConnect\" />\n      <OutputClaims>\n        <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n        <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n        <OutputClaim ClaimTypeReferenceId=\"surname\" />\n        <OutputClaim ClaimTypeReferenceId=\"email\" />\n        <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"sub\"/>\n        <OutputClaim ClaimTypeReferenceId=\"identityProvider\" />\n        <OutputClaim ClaimTypeReferenceId=\"tenantId\" AlwaysUseDefaultValue=\"true\" DefaultValue=\"{Policy:TenantObjectId}\" />\n        \n      </OutputClaims>\n      <SubjectNamingInfo ClaimType=\"sub\" />\n    </TechnicalProfile>\n  </RelyingParty>\n</TrustFrameworkPolicy>\n"
  },
  {
    "path": "SocialAccounts/TrustFrameworkBase.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<TrustFrameworkPolicy\n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\"\n  PolicySchemaVersion=\"0.3.0.0\"\n  TenantId=\"yourtenant.onmicrosoft.com\"\n  PolicyId=\"B2C_1A_TrustFrameworkBase\"\n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkBase\">\n\n  <BuildingBlocks>\n    <ClaimsSchema>\n      <!-- The ClaimsSchema is divided into three sections:\n           1. Section I lists the minimum claims that are required for the user journeys to work properly.\n           2. Section II lists the claims required for query string parameters and other special parameters \n              to be passed to other claims providers, esp. login.microsoftonline.com for authentication. \n              Please do not modify these claims.\n           3. Section III lists any additional (optional) claims that can be collected from the user, stored \n              in the directory and sent in tokens during sign in. Add new claims to be collected from the user \n              and/or sent in the token in Section III. -->\n\n      <!-- NOTE: The claims schema contains restrictions on certain claims such as passwords and usernames. \n           The trust framework policy treats Azure AD as any other claims provider and all its restrictions \n           are modelled in the policy. A policy could be modified to add more restrictions, or use another \n           claims provider for credential storage which will have its own restrictions. 
-->\n\n      <!-- SECTION I: Claims required for user journeys to work properly -->\n      <!-- The claim socialIdpUserId has been renamed to issuerUserId -->\n      <ClaimType Id=\"issuerUserId\">\n        <DisplayName>Username</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText/>\n        <UserInputType>TextBox</UserInputType>\n        <Restriction>\n          <Pattern RegularExpression=\"^[a-zA-Z0-9]+[a-zA-Z0-9_-]*$\" HelpText=\"The username you provided is not valid. It must begin with an alphabet or number and can contain alphabets, numbers and the following symbols: _ -\" />\n        </Restriction>\n      </ClaimType>\n\n      <ClaimType Id=\"tenantId\">\n        <DisplayName>User's Object's Tenant ID</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"tid\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"tid\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.microsoft.com/identity/claims/tenantid\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Tenant identifier (ID) of the user object in Azure AD.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"objectId\">\n        <DisplayName>User's Object ID</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"oid\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"oid\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.microsoft.com/identity/claims/objectidentifier\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Object identifier (ID) of the user object in Azure AD.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"sub\">\n        <DisplayName>Subject</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OpenIdConnect\" 
PartnerClaimType=\"sub\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText/>\n      </ClaimType>\n\n      <ClaimType Id=\"alternativeSecurityId\">\n        <DisplayName>AlternativeSecurityId</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText/>\n      </ClaimType>\n\n      <ClaimType Id=\"mailNickName\">\n        <DisplayName>MailNickName</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Your mail nick name as stored in the Azure Active Directory.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"identityProvider\">\n        <DisplayName>Identity Provider</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"idp\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"idp\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.microsoft.com/identity/claims/identityprovider\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText/>\n      </ClaimType>\n\n      <ClaimType Id=\"displayName\">\n        <DisplayName>Display Name</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"unique_name\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"name\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Your display name.</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n      <ClaimType Id=\"email\">\n        <DisplayName>Email Address</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"email\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Email address that can be used to contact 
you.</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n        <Restriction>\n          <Pattern RegularExpression=\"^[a-zA-Z0-9!#$%&amp;'+^_`{}~-]+(?:\\.[a-zA-Z0-9!#$%&amp;'+^_`{}~-]+)*@(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?\\.)+[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?$\" HelpText=\"Please enter a valid email address.\" />\n        </Restriction>\n      </ClaimType>\n\n      <ClaimType Id=\"otherMails\">\n        <DisplayName>Alternate Email Addresses</DisplayName>\n        <DataType>stringCollection</DataType>\n        <UserHelpText>Email addresses that can be used to contact the user.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"userPrincipalName\">\n        <DisplayName>UserPrincipalName</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"upn\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"upn\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.microsoft.com/identity/claims/userprincipalname\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Your user name as stored in the Azure Active Directory.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"upnUserName\">\n        <DisplayName>UPN User Name</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>The user name for creating user principal name.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"newUser\">\n        <DisplayName>User is new</DisplayName>\n        <DataType>boolean</DataType>\n        <UserHelpText/>\n      </ClaimType>\n\n      <ClaimType Id=\"executed-SelfAsserted-Input\">\n        <DisplayName>Executed-SelfAsserted-Input</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>A claim that specifies whether attributes were collected from the user.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"authenticationSource\">\n        
<DisplayName>AuthenticationSource</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Specifies whether the user was authenticated at Social IDP or local account.</UserHelpText>\n      </ClaimType>\n\n    \n      <!--claims for refresh token revocation-->\n      <ClaimType Id=\"refreshTokenIssuedOnDateTime\">\n        <DisplayName>refreshTokenIssuedOnDateTime</DisplayName>\n        <DataType>string</DataType>\n        <AdminHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</AdminHelpText>\n        <UserHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"refreshTokensValidFromDateTime\">\n        <DisplayName>refreshTokensValidFromDateTime</DisplayName>\n        <DataType>string</DataType>\n        <AdminHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</AdminHelpText>\n        <UserHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</UserHelpText>\n      </ClaimType>\n\n      <!-- SECTION II: Claims required to pass on special parameters (including some query string parameters) to other claims providers -->\n\n      <ClaimType Id=\"objectIdFromSession\">\n        <DisplayName>objectIdFromSession</DisplayName>\n        <DataType>boolean</DataType>\n        <UserHelpText>Parameter provided by the default session management provider to indicate that the object id has been retrieved from an SSO session.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"isActiveMFASession\">\n        <DisplayName>isActiveMFASession</DisplayName>\n        <DataType>boolean</DataType>\n        <UserHelpText>Parameter provided by the MFA session management to indicate that the user has an active MFA session.</UserHelpText>\n     
 </ClaimType>\n\n      <!-- SECTION III: Additional claims that can be collected from the users, stored in the directory, and sent in the token. Add additional claims here. -->\n\n      <ClaimType Id=\"givenName\">\n        <DisplayName>Given Name</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"given_name\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"given_name\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Your given name (also known as first name).</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n      <ClaimType Id=\"surname\">\n        <DisplayName>Surname</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"family_name\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"family_name\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Your surname (also known as family name or last name).</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n    </ClaimsSchema>\n\n    <ClaimsTransformations>\n      <ClaimsTransformation Id=\"CreateOtherMailsFromEmail\" TransformationMethod=\"AddItemToStringCollection\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"email\" TransformationClaimType=\"item\" />\n          <InputClaim ClaimTypeReferenceId=\"otherMails\" TransformationClaimType=\"collection\" />\n        </InputClaims>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"otherMails\" TransformationClaimType=\"collection\" />\n        </OutputClaims>\n      
</ClaimsTransformation>\n\n      <ClaimsTransformation Id=\"CreateRandomUPNUserName\" TransformationMethod=\"CreateRandomString\">\n        <InputParameters>\n          <InputParameter Id=\"randomGeneratorType\" DataType=\"string\" Value=\"GUID\" />\n        </InputParameters>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"upnUserName\" TransformationClaimType=\"outputClaim\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n\n      <ClaimsTransformation Id=\"CreateUserPrincipalName\" TransformationMethod=\"FormatStringClaim\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"upnUserName\" TransformationClaimType=\"inputClaim\" />\n        </InputClaims>\n        <InputParameters>\n          <InputParameter Id=\"stringFormat\" DataType=\"string\" Value=\"cpim_{0}@{RelyingPartyTenantId}\" />\n        </InputParameters>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" TransformationClaimType=\"outputClaim\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n\n      <ClaimsTransformation Id=\"CreateAlternativeSecurityId\" TransformationMethod=\"CreateAlternativeSecurityId\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"issuerUserId\" TransformationClaimType=\"key\" />\n          <InputClaim ClaimTypeReferenceId=\"identityProvider\" TransformationClaimType=\"identityProvider\" />\n        </InputClaims>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"alternativeSecurityId\" TransformationClaimType=\"alternativeSecurityId\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n\n      <ClaimsTransformation Id=\"CreateSubjectClaimFromAlternativeSecurityId\" TransformationMethod=\"CreateStringClaim\">\n        <InputParameters>\n          <InputParameter Id=\"value\" DataType=\"string\" Value=\"Not supported currently. 
Use oid claim.\" />\n        </InputParameters>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"sub\" TransformationClaimType=\"createdClaim\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n\n      \n\n      <!--claims transformation for refresh token revocation -->\n      <ClaimsTransformation Id=\"AssertRefreshTokenIssuedLaterThanValidFromDate\" TransformationMethod=\"AssertDateTimeIsGreaterThan\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"refreshTokenIssuedOnDateTime\" TransformationClaimType=\"leftOperand\" />\n          <InputClaim ClaimTypeReferenceId=\"refreshTokensValidFromDateTime\" TransformationClaimType=\"rightOperand\" />\n        </InputClaims>\n        <InputParameters>\n          <InputParameter Id=\"AssertIfEqualTo\" DataType=\"boolean\" Value=\"false\" />\n          <InputParameter Id=\"AssertIfRightOperandIsNotPresent\" DataType=\"boolean\" Value=\"true\" />\n          <InputParameter Id=\"TreatAsEqualIfWithinMillseconds\" DataType=\"int\" Value=\"300000\" />\n        </InputParameters>\n      </ClaimsTransformation>\n\n    </ClaimsTransformations>\n\n    <ClientDefinitions>\n      <ClientDefinition Id=\"DefaultWeb\">\n        <ClientUIFilterFlags>LineMarkers, MetaRefresh</ClientUIFilterFlags>\n      </ClientDefinition>\n    </ClientDefinitions>\n\n    <ContentDefinitions>\n\n      <!-- This content definition is to render an error page that displays unhandled errors. 
-->\n      <ContentDefinition Id=\"api.error\">\n        <LoadUri>~/tenant/templates/AzureBlue/exception.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:globalexception:1.2.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Error page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.idpselections\">\n        <LoadUri>~/tenant/templates/AzureBlue/idpSelector.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Idp selection page</Item>\n          <Item Key=\"language.intro\">Sign in</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.idpselections.signup\">\n        <LoadUri>~/tenant/templates/AzureBlue/idpSelector.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Idp selection page</Item>\n          <Item Key=\"language.intro\">Sign up</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.signuporsignin\">\n        <LoadUri>~/tenant/templates/AzureBlue/unified.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:unifiedssp:2.1.5</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Signin and Signup</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.selfasserted\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n    
    <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Collect information from user page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.selfasserted.profileupdate\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Collect information from user page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.socialccountsignup\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Collect information from user page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n    </ContentDefinitions>\n  </BuildingBlocks>\n\n  <!--\n        A list of all the claim providers that can be used in the technical policies. If a claims provider is not listed \n        in this section, then it cannot be used in a technical policy.\n    -->\n  <ClaimsProviders>\n\n    <ClaimsProvider>\n      <!-- The following Domain element allows this profile to be used if the request comes with domain_hint \n           query string parameter, e.g. domain_hint=facebook.com  -->\n      <Domain>facebook.com</Domain>\n      <DisplayName>Facebook</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"Facebook-OAUTH\">\n          <!-- The text in the following DisplayName element is shown to the user on the claims provider \n               selection screen. 
-->\n          <DisplayName>Facebook</DisplayName>\n          <Protocol Name=\"OAuth2\" />\n          <Metadata>\n            <Item Key=\"ProviderName\">facebook</Item>\n            <Item Key=\"authorization_endpoint\">https://www.facebook.com/dialog/oauth</Item>\n            <Item Key=\"AccessTokenEndpoint\">https://graph.facebook.com/oauth/access_token</Item>\n            <Item Key=\"HttpBinding\">GET</Item>\n            <Item Key=\"UsePolicyInRedirectUri\">0</Item>\n\n            <!-- The Facebook required HTTP GET method, but the access token response is in JSON format from 3/27/2017 -->\n            <Item Key=\"AccessTokenResponseFormat\">json</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"client_secret\" StorageReferenceId=\"B2C_1A_FacebookSecret\" />\n          </CryptographicKeys>\n          <InputClaims />\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"issuerUserId\" PartnerClaimType=\"id\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" PartnerClaimType=\"first_name\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" PartnerClaimType=\"last_name\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" PartnerClaimType=\"name\" />\n            <OutputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"email\" />\n            <OutputClaim ClaimTypeReferenceId=\"identityProvider\" DefaultValue=\"facebook.com\" AlwaysUseDefaultValue=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" DefaultValue=\"socialIdpAuthentication\" AlwaysUseDefaultValue=\"true\" />\n          </OutputClaims>\n          <OutputClaimsTransformations>\n            <OutputClaimsTransformation ReferenceId=\"CreateRandomUPNUserName\" />\n            <OutputClaimsTransformation ReferenceId=\"CreateUserPrincipalName\" />\n            <OutputClaimsTransformation ReferenceId=\"CreateAlternativeSecurityId\" />\n          </OutputClaimsTransformations>\n     
     <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-SocialLogin\" />\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Azure Active Directory</DisplayName>\n      <TechnicalProfiles>\n\n        <TechnicalProfile Id=\"AAD-Common\">\n          <DisplayName>Azure Active Directory</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.AzureActiveDirectoryProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n\n          <!-- We need this here to suppress the SelfAsserted provider from invoking SSO on validation profiles. -->\n          <IncludeInSso>false</IncludeInSso>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-Noop\" />\n        </TechnicalProfile>\n\n        <!-- Technical profiles for social logins -->\n\n        <TechnicalProfile Id=\"AAD-UserWriteUsingAlternativeSecurityId\">\n          <Metadata>\n            <Item Key=\"Operation\">Write</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalAlreadyExists\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaimsTransformations>\n            <InputClaimsTransformation ReferenceId=\"CreateOtherMailsFromEmail\" />\n          </InputClaimsTransformations>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"alternativeSecurityId\" PartnerClaimType=\"alternativeSecurityId\" Required=\"true\" />\n          </InputClaims>\n          <PersistedClaims>\n            <!-- Required claims -->\n            <PersistedClaim ClaimTypeReferenceId=\"alternativeSecurityId\" />\n            <PersistedClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"mailNickName\" 
DefaultValue=\"unknown\" />\n            <PersistedClaim ClaimTypeReferenceId=\"displayName\" DefaultValue=\"unknown\" />\n\n            <!-- Optional claims -->\n            <PersistedClaim ClaimTypeReferenceId=\"otherMails\" />\n            <PersistedClaim ClaimTypeReferenceId=\"givenName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"surname\" />\n          </PersistedClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"newUser\" PartnerClaimType=\"newClaimsPrincipalCreated\" />\n            <!-- The following other mails claim is needed for the case when a user is created, we get otherMails from directory. Self-asserted provider also has an\n                 OutputClaims, and if this is absent, Self-Asserted provider will prompt the user for otherMails. -->\n            <OutputClaim ClaimTypeReferenceId=\"otherMails\" />\n          </OutputClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"AAD-UserReadUsingAlternativeSecurityId\">\n          <Metadata>\n            <Item Key=\"Operation\">Read</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"alternativeSecurityId\" PartnerClaimType=\"alternativeSecurityId\" Required=\"true\" />\n          </InputClaims>\n          <OutputClaims>\n            <!-- Required claims -->\n\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n\n            <!-- Optional claims -->\n            <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"otherMails\" />\n            <OutputClaim 
ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" />\n          </OutputClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"AAD-UserReadUsingAlternativeSecurityId-NoError\">\n          <Metadata>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">false</Item>\n          </Metadata>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-UserReadUsingAlternativeSecurityId\" />\n        </TechnicalProfile>\n\n        <!-- Technical profiles for updating user record using objectId -->\n        <TechnicalProfile Id=\"AAD-UserWriteProfileUsingObjectId\">\n          <Metadata>\n            <Item Key=\"Operation\">Write</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalAlreadyExists\">false</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"objectId\" Required=\"true\" />\n          </InputClaims>\n          <PersistedClaims>\n            <!-- Required claims -->\n            <PersistedClaim ClaimTypeReferenceId=\"objectId\" />\n\n            <!-- Optional claims -->\n            <PersistedClaim ClaimTypeReferenceId=\"givenName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"surname\" />\n          </PersistedClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n\n        <!-- The following technical profile is used to read data after user authenticates. 
-->\n        <TechnicalProfile Id=\"AAD-UserReadUsingObjectId\">\n          <Metadata>\n            <Item Key=\"Operation\">Read</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"objectId\" Required=\"true\" />\n          </InputClaims>\n          <OutputClaims>\n            <!-- Optional claims -->\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"otherMails\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" />\n          </OutputClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Self Asserted</DisplayName>\n      <TechnicalProfiles>\n\n        <TechnicalProfile Id=\"SelfAsserted-Social\">\n          <DisplayName>User ID signup</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"ContentDefinitionReferenceId\">api.socialccountsignup</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n          <InputClaims>\n            <!-- These claims ensure that any values retrieved in the previous steps (e.g. from an external IDP) are prefilled. 
\n                 Note that some of these claims may not have any value, for example, if the external IDP did not provide any of\n                 these values, or if the claim did not appear in the OutputClaims section of the IDP.\n                 In addition, if a claim is not in the InputClaims section, but it is in the OutputClaims section, then its\n                 value will not be prefilled, but the user will still be prompted for it (with an empty value). -->\n            <InputClaim ClaimTypeReferenceId=\"displayName\" />\n            <InputClaim ClaimTypeReferenceId=\"givenName\" />\n            <InputClaim ClaimTypeReferenceId=\"surname\" />\n          </InputClaims>\n          <OutputClaims>\n            <!-- These claims are not shown to the user because their value is obtained through the \"ValidationTechnicalProfiles\"\n                 referenced below, or a default value is assigned to the claim. A claim is only shown to the user to provide a \n                 value if its value cannot be obtained through any other means. -->\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"newUser\" />\n            <OutputClaim ClaimTypeReferenceId=\"executed-SelfAsserted-Input\" DefaultValue=\"true\" />\n\n            <!-- Optional claims. These claims are collected from the user and can be modified. If a claim is to be persisted in the directory after having been \n                 collected from the user, it needs to be added as a PersistedClaim in the ValidationTechnicalProfile referenced below, i.e. \n                 in AAD-UserWriteUsingAlternativeSecurityId. 
-->\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserWriteUsingAlternativeSecurityId\" />\n          </ValidationTechnicalProfiles>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-SocialSignup\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"SelfAsserted-ProfileUpdate\">\n          <DisplayName>User ID signup</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"ContentDefinitionReferenceId\">api.selfasserted.profileupdate</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"alternativeSecurityId\" />\n            <InputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n\n            <!-- Optional claims. These claims are collected from the user and can be modified. Any claim added here should be updated in the\n                 ValidationTechnicalProfile referenced below so it can be written to directory after being updated by the user, i.e. AAD-UserWriteProfileUsingObjectId. -->\n            <InputClaim ClaimTypeReferenceId=\"givenName\" />\n            <InputClaim ClaimTypeReferenceId=\"surname\" />\n          </InputClaims>\n          <OutputClaims>\n            <!-- Required claims -->\n            <OutputClaim ClaimTypeReferenceId=\"executed-SelfAsserted-Input\" DefaultValue=\"true\" />\n\n            <!-- Optional claims. These claims are collected from the user and can be modified. 
Any claim added here should be updated in the\n                 ValidationTechnicalProfile referenced below so it can be written to directory after being updated by the user, i.e. AAD-UserWriteProfileUsingObjectId. -->\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserWriteProfileUsingObjectId\" />\n          </ValidationTechnicalProfiles>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Session Management</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"SM-Noop\">\n          <DisplayName>Noop Session Management Provider</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.NoopSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"SM-AAD\">\n          <DisplayName>Session Mananagement Provider</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.DefaultSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <PersistedClaims>\n            <PersistedClaim ClaimTypeReferenceId=\"objectId\" />\n\n            <PersistedClaim ClaimTypeReferenceId=\"authenticationSource\" />\n            <PersistedClaim ClaimTypeReferenceId=\"identityProvider\" />\n            <PersistedClaim ClaimTypeReferenceId=\"newUser\" />\n            <PersistedClaim ClaimTypeReferenceId=\"executed-SelfAsserted-Input\" />\n          </PersistedClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectIdFromSession\" DefaultValue=\"true\" />\n          </OutputClaims>\n        </TechnicalProfile>\n\n        <!-- Profile name is being used to disambiguate AAD 
session between sign up and sign in -->\n        <TechnicalProfile Id=\"SM-SocialSignup\">\n          <IncludeTechnicalProfile ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"SM-SocialLogin\">\n          <DisplayName>Session Mananagement Provider</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.ExternalLoginSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"AlwaysFetchClaimsFromProvider\">true</Item>\n          </Metadata>\n          <PersistedClaims>\n            <PersistedClaim ClaimTypeReferenceId=\"alternativeSecurityId\" />\n          </PersistedClaims>\n        </TechnicalProfile>\n\n        <!-- Session management technical profile for OIDC based tokens -->\n        <TechnicalProfile Id=\"SM-jwt-issuer\">\n          <DisplayName>Session Management Provider</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.OAuthSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Trustframework Policy Engine TechnicalProfiles</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"TpEngine_c3bd4fe2-1775-4013-b91d-35f16d377d13\">\n          <DisplayName>Trustframework Policy Engine Default Technical Profile</DisplayName>\n          <Protocol Name=\"None\" />\n          <Metadata>\n            <Item Key=\"url\">{service:te}</Item>\n          </Metadata>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Token Issuer</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"JwtIssuer\">\n          <DisplayName>JWT Issuer</DisplayName>\n          <Protocol Name=\"OpenIdConnect\" />\n          
<OutputTokenFormat>JWT</OutputTokenFormat>\n          <Metadata>\n            <Item Key=\"client_id\">{service:te}</Item>\n            <Item Key=\"issuer_refresh_token_user_identity_claim_type\">objectId</Item>\n            <Item Key=\"SendTokenResponseBodyWithJsonNumbers\">true</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n            <Key Id=\"issuer_refresh_token_key\" StorageReferenceId=\"B2C_1A_TokenEncryptionKeyContainer\" />\n          </CryptographicKeys>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-jwt-issuer\" />\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n   \n  <!--claims provider for refresh token revocation-->\n  <ClaimsProvider>\n    <DisplayName>Refresh token journey</DisplayName>\n    <TechnicalProfiles>\n      <TechnicalProfile Id=\"RefreshTokenReadAndSetup\">\n        <DisplayName>Trustframework Policy Engine Refresh Token Setup Technical Profile</DisplayName>\n        <Protocol Name=\"None\" />\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n          <OutputClaim ClaimTypeReferenceId=\"refreshTokenIssuedOnDateTime\" />\n           <!--Requirement: Claims that you return in the relying party technical profile output claims\n            that are not stored in Azure AD B2C, must be added to the output claims collection here-->\n          <!--\n          \n          <OutputClaim ClaimTypeReferenceId=\"RESTAPIclaim1\" />\n          <OutputClaim ClaimTypeReferenceId=\"IDPclaim1\" />\n           -->\n        </OutputClaims>\n      </TechnicalProfile>\n\n\n      <TechnicalProfile Id=\"AAD-UserReadUsingObjectId-CheckRefreshTokenDate\">\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"refreshTokensValidFromDateTime\" />\n          <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n        </OutputClaims>\n        
<OutputClaimsTransformations>\n          <OutputClaimsTransformation ReferenceId=\"AssertRefreshTokenIssuedLaterThanValidFromDate\" />\n        </OutputClaimsTransformations>\n        <IncludeTechnicalProfile ReferenceId=\"AAD-UserReadUsingObjectId\" />\n      </TechnicalProfile>\n    </TechnicalProfiles>\n  </ClaimsProvider>\n\n  </ClaimsProviders>\n\n  <UserJourneys>\n\n    <UserJourney Id=\"SignUpOrSignIn\">\n      <OrchestrationSteps>\n\n        <OrchestrationStep Order=\"1\" Type=\"CombinedSignInAndSignUp\" ContentDefinitionReferenceId=\"api.signuporsignin\">\n          <ClaimsProviderSelections>\n            <ClaimsProviderSelection TargetClaimsExchangeId=\"FacebookExchange\" />\n          </ClaimsProviderSelections>\n        </OrchestrationStep>\n\n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"FacebookExchange\" TechnicalProfileReferenceId=\"Facebook-OAUTH\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- For social IDP authentication, attempt to find the user account in the directory. -->\n        <OrchestrationStep Order=\"3\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserReadUsingAlternativeSecurityId\" TechnicalProfileReferenceId=\"AAD-UserReadUsingAlternativeSecurityId-NoError\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- Show self-asserted page only if the directory does not have the user account already (i.e. we do not have an objectId).  
-->\n        <OrchestrationStep Order=\"4\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>objectId</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"SelfAsserted-Social\" TechnicalProfileReferenceId=\"SelfAsserted-Social\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- The previous step (SelfAsserted-Social) could have been skipped if there were no attributes to collect \n             from the user. So, in that case, create the user in the directory if one does not already exist \n             (verified using objectId which would be set from the last step if account was created in the directory. -->\n        <OrchestrationStep Order=\"5\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>objectId</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserWrite\" TechnicalProfileReferenceId=\"AAD-UserWriteUsingAlternativeSecurityId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <OrchestrationStep Order=\"6\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n\n      </OrchestrationSteps>\n      <ClientDefinition ReferenceId=\"DefaultWeb\" />\n    </UserJourney>\n\n    <UserJourney Id=\"ProfileEdit\">\n      <OrchestrationSteps>\n\n        <OrchestrationStep Order=\"1\" Type=\"ClaimsProviderSelection\" ContentDefinitionReferenceId=\"api.idpselections\">\n          <ClaimsProviderSelections>\n            <ClaimsProviderSelection TargetClaimsExchangeId=\"FacebookExchange\" />\n          </ClaimsProviderSelections>\n       
 </OrchestrationStep>\n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"FacebookExchange\" TechnicalProfileReferenceId=\"Facebook-OAUTH\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"3\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserRead\" TechnicalProfileReferenceId=\"AAD-UserReadUsingAlternativeSecurityId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <OrchestrationStep Order=\"4\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"B2CUserProfileUpdateExchange\" TechnicalProfileReferenceId=\"SelfAsserted-ProfileUpdate\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"5\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n\n      </OrchestrationSteps>\n      <ClientDefinition ReferenceId=\"DefaultWeb\" />\n    </UserJourney>\n\n    \n    <UserJourney Id=\"RedeemRefreshToken\">\n      <PreserveOriginalAssertion>false</PreserveOriginalAssertion>\n      <OrchestrationSteps>\n        <OrchestrationStep Order=\"1\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"RefreshTokenSetupExchange\" TechnicalProfileReferenceId=\"RefreshTokenReadAndSetup\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        \n        <!-- Extra steps can be added before or after this step for REST API or claims transformation calls-->\n\n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"CheckRefreshTokenDateFromAadExchange\" TechnicalProfileReferenceId=\"AAD-UserReadUsingObjectId-CheckRefreshTokenDate\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"3\" Type=\"SendClaims\" 
CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n      </OrchestrationSteps>\n    </UserJourney>\n  </UserJourneys>\n</TrustFrameworkPolicy>"
  },
  {
    "path": "SocialAccounts/TrustFrameworkExtensions.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n<TrustFrameworkPolicy \n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" \n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\" \n  PolicySchemaVersion=\"0.3.0.0\" \n  TenantId=\"yourtenant.onmicrosoft.com\" \n  PolicyId=\"B2C_1A_TrustFrameworkExtensions\" \n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions\">\n  \n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkLocalization</PolicyId>\n  </BasePolicy>\n  <BuildingBlocks>\n\n  </BuildingBlocks>\n\n  <ClaimsProviders>\n\n    <ClaimsProvider>\n      <DisplayName>Facebook</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"Facebook-OAUTH\">\n          <Metadata>\n            <Item Key=\"client_id\">facebook_clientid</Item>\n            <Item Key=\"scope\">email public_profile</Item>\n            <Item Key=\"ClaimsEndpoint\">https://graph.facebook.com/me?fields=id,first_name,last_name,name,email</Item>\n          </Metadata>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n\n  </ClaimsProviders>\n\n    <!--UserJourneys>\n\t\n\t</UserJourneys-->\n\n</TrustFrameworkPolicy>\n"
  },
  {
    "path": "SocialAccounts/TrustFrameworkLocalization.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n<TrustFrameworkPolicy \n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" \n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\" \n  PolicySchemaVersion=\"0.3.0.0\" \n  TenantId=\"yourtenant.onmicrosoft.com\" \n  PolicyId=\"B2C_1A_TrustFrameworkLocalization\" \n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkLocalization\">\n\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>\n  </BasePolicy>\n\n  <BuildingBlocks>\n\n    <ContentDefinitions>\n      <ContentDefinition Id=\"api.signuporsignin\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.signuporsignin.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.socialccountsignup\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.socialccountsignup.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.idpselections\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.idpselections.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.selfasserted.profileupdate\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.selfasserted.profileupdate.en\" />\n        
  <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n    </ContentDefinitions>\n\n    <Localization Enabled=\"true\">\n      <SupportedLanguages DefaultLanguage=\"en\" MergeBehavior=\"Append\">\n        <SupportedLanguage>en</SupportedLanguage>\n      </SupportedLanguages>\n\n      <LocalizedResources Id=\"api.signuporsignin.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"signInName\" StringId=\"DisplayName\">Email Address</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"heading\">Sign in</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"social_intro\">Sign in with your social account</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"local_intro_generic\">Sign in with your {0}</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"password\" StringId=\"DisplayName\">Password</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"requiredField_password\">Please enter your password</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"requiredField_generic\">Please enter your {0}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"invalid_generic\">Please enter a valid {0}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"createaccount_one_link\">Sign up now</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"createaccount_two_links\">Sign up with {0} or {1}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"createaccount_three_links\">Sign up with {0}, {1}, or {2}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"forgotpassword_link\">Forgot your password?</LocalizedString>\n          <LocalizedString 
ElementType=\"UxElement\" StringId=\"button_signin\">Sign in</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"divider_title\">OR</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"createaccount_intro\">Don't have an account?</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"unknown_error\">We are having trouble signing you in. Please try again later.</LocalizedString>\n          <!-- Uncomment remember_me only if Keep Me Signed In (KMSI) is enabled in the policy. \n          <LocalizedString ElementType=\"UxElement\" StringId=\"remember_me\">Keep me signed in</LocalizedString> -->\n          <LocalizedString ElementType=\"ClaimsProvider\" StringId=\"FacebookExchange\">Facebook</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"ResourceOwnerFlowInvalidCredentials\">Your password is incorrect.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfInvalidPassword\">Your password is incorrect.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfPasswordExpired\">Your password has expired.</LocalizedString>\n          <!-- NOTE(review): the messages for \"account not found\", \"wrong password\", \"disabled\" and \"locked\" are all distinguishable, so a failed sign-in reveals whether an email address is registered (account enumeration). If that matters for your tenant, give UserMessageIfClaimsPrincipalDoesNotExist and UserMessageIfInvalidPassword the same generic wording as DefaultMessage (\"Invalid username or password.\"). -->\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalDoesNotExist\">We can't seem to find your account.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfOldPasswordUsed\">Looks like you used an old password.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"DefaultMessage\">Invalid username or password.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfUserAccountDisabled\">Your account has been locked. 
Contact your support person to unlock it, then try again.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfUserAccountLocked\">Your account is temporarily locked to prevent unauthorized use. Try again later.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"AADRequestsThrottled\">There are too many requests at this moment. Please wait for some time and try again.</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Social account sign-up page English-->\n      <LocalizedResources Id=\"api.socialccountsignup.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"DisplayName\">Email Address</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"UserHelpText\">Email address that can be used to contact you.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"PatternHelpText\">Please enter a valid email address.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"DisplayName\">Display Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"UserHelpText\">Your display name.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"DisplayName\">Surname</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"UserHelpText\">Your surname (also known as family name or last name).</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"DisplayName\">Given Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"UserHelpText\">Your given name (also known as first 
name).</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_continue\">Create</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_cancel\">Cancel</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalAlreadyExists\">You are already registered, please press the back button and sign in instead.</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Identity provider selection (sign-in) page English -->\n      <LocalizedResources Id=\"api.idpselections.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"intro\">Sign in</LocalizedString>\n          <LocalizedString ElementType=\"ClaimsProvider\" StringId=\"LocalAccountSigninEmailExchange\">Local Account Signin</LocalizedString>\n          <LocalizedString ElementType=\"ClaimsProvider\" StringId=\"FacebookExchange\">Facebook</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Edit profile page English-->\n      <LocalizedResources Id=\"api.selfasserted.profileupdate.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"DisplayName\">Display Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"UserHelpText\">Your display name.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"DisplayName\">Surname</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"UserHelpText\">Your surname (also known as family name or last name).</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"DisplayName\">Given Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" 
StringId=\"UserHelpText\">Your given name (also known as first name).</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_continue\">Continue</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_cancel\">Cancel</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Add more languages here -->\n    </Localization>\n  </BuildingBlocks>\n\n</TrustFrameworkPolicy>"
  },
  {
    "path": "SocialAndLocalAccounts/PasswordReset.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<TrustFrameworkPolicy\n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\"\n  PolicySchemaVersion=\"0.3.0.0\"\n  TenantId=\"yourtenant.onmicrosoft.com\"\n  PolicyId=\"B2C_1A_PasswordReset\"\n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_PasswordReset\">\n\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>\n  </BasePolicy>\n\n  <RelyingParty>\n    <DefaultUserJourney ReferenceId=\"PasswordReset\" />\n    <TechnicalProfile Id=\"PolicyProfile\">\n      <DisplayName>PolicyProfile</DisplayName>\n      <Protocol Name=\"OpenIdConnect\" />\n      <OutputClaims>\n        <OutputClaim ClaimTypeReferenceId=\"email\" />\n        <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"sub\"/>\n        <OutputClaim ClaimTypeReferenceId=\"tenantId\" AlwaysUseDefaultValue=\"true\" DefaultValue=\"{Policy:TenantObjectId}\" />\n      </OutputClaims>\n      <SubjectNamingInfo ClaimType=\"sub\" />\n    </TechnicalProfile>\n  </RelyingParty>\n</TrustFrameworkPolicy>\n\n\n"
  },
  {
    "path": "SocialAndLocalAccounts/ProfileEdit.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<TrustFrameworkPolicy\n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\"\n  PolicySchemaVersion=\"0.3.0.0\"\n  TenantId=\"yourtenant.onmicrosoft.com\"\n  PolicyId=\"B2C_1A_ProfileEdit\"\n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_ProfileEdit\">\n\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>\n  </BasePolicy>\n\n  <RelyingParty>\n    <DefaultUserJourney ReferenceId=\"ProfileEdit\" />\n    <TechnicalProfile Id=\"PolicyProfile\">\n      <DisplayName>PolicyProfile</DisplayName>\n      <Protocol Name=\"OpenIdConnect\" />\n      <OutputClaims>\n        <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"sub\"/>\n        <OutputClaim ClaimTypeReferenceId=\"tenantId\" AlwaysUseDefaultValue=\"true\" DefaultValue=\"{Policy:TenantObjectId}\" />\n      </OutputClaims>\n      <SubjectNamingInfo ClaimType=\"sub\" />\n    </TechnicalProfile>\n  </RelyingParty>\n</TrustFrameworkPolicy>\n\n\n"
  },
  {
    "path": "SocialAndLocalAccounts/SignUpOrSignin.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<TrustFrameworkPolicy\n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\"\n  PolicySchemaVersion=\"0.3.0.0\"\n  TenantId=\"yourtenant.onmicrosoft.com\"\n  PolicyId=\"B2C_1A_signup_signin\"\n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_signup_signin\">\n\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>\n  </BasePolicy>\n\n  <RelyingParty>\n    <DefaultUserJourney ReferenceId=\"SignUpOrSignIn\" />\n    <Endpoints>\n      <!--points to refresh token journey when app makes refresh token request-->\n      <Endpoint Id=\"Token\" UserJourneyReferenceId=\"RedeemRefreshToken\" />\n    </Endpoints>\n    <TechnicalProfile Id=\"PolicyProfile\">\n      <DisplayName>PolicyProfile</DisplayName>\n      <Protocol Name=\"OpenIdConnect\" />\n      <OutputClaims>\n        <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n        <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n        <OutputClaim ClaimTypeReferenceId=\"surname\" />\n        <OutputClaim ClaimTypeReferenceId=\"email\" />\n        <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"sub\"/>\n        <OutputClaim ClaimTypeReferenceId=\"identityProvider\" />\n        <OutputClaim ClaimTypeReferenceId=\"tenantId\" AlwaysUseDefaultValue=\"true\" DefaultValue=\"{Policy:TenantObjectId}\" />\n      </OutputClaims>\n      <SubjectNamingInfo ClaimType=\"sub\" />\n    </TechnicalProfile>\n  </RelyingParty>\n</TrustFrameworkPolicy>\n"
  },
  {
    "path": "SocialAndLocalAccounts/TrustFrameworkBase.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<TrustFrameworkPolicy\n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\"\n  PolicySchemaVersion=\"0.3.0.0\"\n  TenantId=\"yourtenant.onmicrosoft.com\"\n  PolicyId=\"B2C_1A_TrustFrameworkBase\"\n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkBase\">\n\n  <BuildingBlocks>\n    <ClaimsSchema>\n      <!-- The ClaimsSchema is divided into three sections:\n           1. Section I lists the minimum claims that are required for the user journeys to work properly.\n           2. Section II lists the claims required for query string parameters and other special parameters \n              to be passed to other claims providers, esp. login.microsoftonline.com for authentication. \n              Please do not modify these claims.\n           3. Section III lists any additional (optional) claims that can be collected from the user, stored \n              in the directory and sent in tokens during sign in. Add new claims to be collected from the user \n              and/or sent in the token in Section III. -->\n\n      <!-- NOTE: The claims schema contains restrictions on certain claims such as passwords and usernames. \n           The trust framework policy treats Azure AD as any other claims provider and all its restrictions \n           are modelled in the policy. A policy could be modified to add more restrictions, or use another \n           claims provider for credential storage which will have its own restrictions. 
-->\n\n      <!-- SECTION I: Claims required for user journeys to work properly -->\n\n      <!-- The claim socialIdpUserId has been renamed to issuerUserId -->\n      <ClaimType Id=\"issuerUserId\">\n        <DisplayName>Username</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText/>\n        <UserInputType>TextBox</UserInputType>\n        <Restriction>\n          <Pattern RegularExpression=\"^[a-zA-Z0-9]+[a-zA-Z0-9_-]*$\" HelpText=\"The username you provided is not valid. It must begin with an alphabet or number and can contain alphabets, numbers and the following symbols: _ -\" />\n        </Restriction>\n      </ClaimType>\n\n      <ClaimType Id=\"tenantId\">\n        <DisplayName>User's Object's Tenant ID</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"tid\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"tid\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.microsoft.com/identity/claims/tenantid\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Tenant identifier (ID) of the user object in Azure AD.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"objectId\">\n        <DisplayName>User's Object ID</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"oid\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"oid\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.microsoft.com/identity/claims/objectidentifier\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Object identifier (ID) of the user object in Azure AD.</UserHelpText>\n      </ClaimType>\n\n      <!-- Claims needed for local accounts. 
-->\n      <ClaimType Id=\"signInName\">\n        <DisplayName>Sign in name</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText/>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n      <ClaimType Id=\"signInNames.emailAddress\">\n        <DisplayName>Email Address</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Email address to use for signing in.</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n      <ClaimType Id=\"accountEnabled\">\n        <DisplayName>Account Enabled</DisplayName>\n        <DataType>boolean</DataType>\n        <AdminHelpText>Specifies whether the user's account is enabled.</AdminHelpText>\n        <UserHelpText>Specifies whether your account is enabled.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"password\">\n        <DisplayName>Password</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Enter password</UserHelpText>\n        <UserInputType>Password</UserInputType>\n      </ClaimType>\n\n      <!-- The claim types newPassword and reenterPassword are considered special, please do not change the names. NOTE(review): the Restriction patterns on both claims cap passwords at 16 characters and at a fixed symbol set, which rejects long passphrases; the cap is taken from the legacy AAD rule linked below, so confirm it still matches what the directory accepts before keeping it. 
\n           The UI validates that the user correctly re-entered their password during account creation based on these \n           claim types.\t  -->\n      <ClaimType Id=\"newPassword\">\n        <DisplayName>New Password</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Enter new password</UserHelpText>\n        <UserInputType>Password</UserInputType>\n        <Restriction>\n          <Pattern RegularExpression=\"^((?=.*[a-z])(?=.*[A-Z])(?=.*\\d)|(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9])|(?=.*[a-z])(?=.*\\d)(?=.*[^A-Za-z0-9])|(?=.*[A-Z])(?=.*\\d)(?=.*[^A-Za-z0-9]))([A-Za-z\\d@#$%^&amp;*\\-_+=[\\]{}|\\\\:',?/`~&quot;();!]|\\.(?!@)){8,16}$\" HelpText=\"8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ &amp; * - _ + = [ ] { } | \\ : ' , ? / ` ~ &quot; ( ) ; .\" />\n        </Restriction>\n      </ClaimType>\n      <!-- The password regular expression above is constructed for AAD passwords based on restrictions at https://msdn.microsoft.com/en-us/library/azure/jj943764.aspx\n\n        ^( # one of the following four combinations must appear in the password\n         (?=.*[a-z])(?=.*[A-Z])(?=.*\\d) |            # matches lower case, upper case or digit\n         (?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9]) |  # matches lower case, upper case or special character (i.e. non-alpha or digit)\n         (?=.*[a-z])(?=.*\\d)(?=.*[^A-Za-z0-9]) |     # matches lower case, digit, or special character\n         (?=.*[A-Z])(?=.*\\d)(?=.*[^A-Za-z0-9])       # matches upper case, digit, or special character\n        )\n        ( # The password must match the following restrictions\n         [A-Za-z\\d@#$%^&*\\-_+=[\\]{}|\\\\:',?/`~\"();!] |   # The list of all acceptable characters (without .)\n         \\.(?!@)                                        # or . 
can appear as long as not followed by @\n        ) {8,16}$                                       # the length must be between 8 and 16 chars inclusive\n\n      -->\n\n      <ClaimType Id=\"reenterPassword\">\n        <DisplayName>Confirm New Password</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Confirm new password</UserHelpText>\n        <UserInputType>Password</UserInputType>\n        <Restriction>\n          <Pattern RegularExpression=\"^((?=.*[a-z])(?=.*[A-Z])(?=.*\\d)|(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9])|(?=.*[a-z])(?=.*\\d)(?=.*[^A-Za-z0-9])|(?=.*[A-Z])(?=.*\\d)(?=.*[^A-Za-z0-9]))([A-Za-z\\d@#$%^&amp;*\\-_+=[\\]{}|\\\\:',?/`~&quot;();!]|\\.(?!@)){8,16}$\" HelpText=\" \" />\n        </Restriction>\n      </ClaimType>\n\n      <ClaimType Id=\"passwordPolicies\">\n        <DisplayName>Password Policies</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Password policies used by Azure AD to determine password strength, expiry etc.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"client_id\">\n        <DisplayName>client_id</DisplayName>\n        <DataType>string</DataType>\n        <AdminHelpText>Special parameter passed to EvoSTS.</AdminHelpText>\n        <UserHelpText>Special parameter passed to EvoSTS.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"resource_id\">\n        <DisplayName>resource_id</DisplayName>\n        <DataType>string</DataType>\n        <AdminHelpText>Special parameter passed to EvoSTS.</AdminHelpText>\n        <UserHelpText>Special parameter passed to EvoSTS.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"sub\">\n        <DisplayName>Subject</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"sub\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText/>\n      </ClaimType>\n\n      <ClaimType Id=\"alternativeSecurityId\">\n        
<DisplayName>AlternativeSecurityId</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText/>\n      </ClaimType>\n\n      <ClaimType Id=\"mailNickName\">\n        <DisplayName>MailNickName</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Your mail nick name as stored in the Azure Active Directory.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"identityProvider\">\n        <DisplayName>Identity Provider</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"idp\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"idp\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.microsoft.com/identity/claims/identityprovider\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText/>\n      </ClaimType>\n\n      <ClaimType Id=\"displayName\">\n        <DisplayName>Display Name</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"unique_name\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"name\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Your display name.</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n      <ClaimType Id=\"email\">\n        <DisplayName>Email Address</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"email\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Email address that can be used to contact you.</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n        <Restriction>\n          <Pattern 
RegularExpression=\"^[a-zA-Z0-9!#$%&amp;'+^_`{}~-]+(?:\\.[a-zA-Z0-9!#$%&amp;'+^_`{}~-]+)*@(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?\\.)+[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?$\" HelpText=\"Please enter a valid email address.\" />\n        </Restriction>\n      </ClaimType>\n\n      <ClaimType Id=\"otherMails\">\n        <DisplayName>Alternate Email Addresses</DisplayName>\n        <DataType>stringCollection</DataType>\n        <UserHelpText>Email addresses that can be used to contact the user.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"userPrincipalName\">\n        <DisplayName>UserPrincipalName</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"upn\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"upn\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.microsoft.com/identity/claims/userprincipalname\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Your user name as stored in the Azure Active Directory.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"upnUserName\">\n        <DisplayName>UPN User Name</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>The user name for creating user principal name.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"newUser\">\n        <DisplayName>User is new</DisplayName>\n        <DataType>boolean</DataType>\n        <UserHelpText/>\n      </ClaimType>\n\n      <ClaimType Id=\"executed-SelfAsserted-Input\">\n        <DisplayName>Executed-SelfAsserted-Input</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>A claim that specifies whether attributes were collected from the user.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"authenticationSource\">\n        <DisplayName>AuthenticationSource</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Specifies whether the 
user was authenticated at Social IDP or local account.</UserHelpText>\n      </ClaimType>\n\n      <!--claims for refresh token revocation-->\n      <ClaimType Id=\"refreshTokenIssuedOnDateTime\">\n        <DisplayName>refreshTokenIssuedOnDateTime</DisplayName>\n        <DataType>string</DataType>\n        <AdminHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</AdminHelpText>\n        <UserHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"refreshTokensValidFromDateTime\">\n        <DisplayName>refreshTokensValidFromDateTime</DisplayName>\n        <DataType>string</DataType>\n        <AdminHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</AdminHelpText>\n        <UserHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</UserHelpText>\n      </ClaimType>\n\n      <!-- SECTION II: Claims required to pass on special parameters (including some query string parameters) to other claims providers -->\n\n      <ClaimType Id=\"nca\">\n        <DisplayName>nca</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Special parameter passed for local account authentication to login.microsoftonline.com.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"grant_type\">\n        <DisplayName>grant_type</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Special parameter passed for local account authentication to login.microsoftonline.com.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"scope\">\n        <DisplayName>scope</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Special parameter passed for local account authentication to 
login.microsoftonline.com.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"objectIdFromSession\">\n        <DisplayName>objectIdFromSession</DisplayName>\n        <DataType>boolean</DataType>\n        <UserHelpText>Parameter provided by the default session management provider to indicate that the object id has been retrieved from an SSO session.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"isActiveMFASession\">\n        <DisplayName>isActiveMFASession</DisplayName>\n        <DataType>boolean</DataType>\n        <UserHelpText>Parameter provided by the MFA session management to indicate that the user has an active MFA session.</UserHelpText>\n      </ClaimType>\n\n      <!-- SECTION III: Additional claims that can be collected from the users, stored in the directory, and sent in the token. Add additional claims here. -->\n\n      <ClaimType Id=\"givenName\">\n        <DisplayName>Given Name</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"given_name\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"given_name\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Your given name (also known as first name).</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n      <ClaimType Id=\"surname\">\n        <DisplayName>Surname</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"family_name\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"family_name\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Your surname (also known as 
family name or last name).</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n    </ClaimsSchema>\n\n    <ClaimsTransformations>\n      <ClaimsTransformation Id=\"CreateOtherMailsFromEmail\" TransformationMethod=\"AddItemToStringCollection\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"email\" TransformationClaimType=\"item\" />\n          <InputClaim ClaimTypeReferenceId=\"otherMails\" TransformationClaimType=\"collection\" />\n        </InputClaims>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"otherMails\" TransformationClaimType=\"collection\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n\n      <ClaimsTransformation Id=\"CreateRandomUPNUserName\" TransformationMethod=\"CreateRandomString\">\n        <InputParameters>\n          <InputParameter Id=\"randomGeneratorType\" DataType=\"string\" Value=\"GUID\" />\n        </InputParameters>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"upnUserName\" TransformationClaimType=\"outputClaim\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n\n      <ClaimsTransformation Id=\"CreateUserPrincipalName\" TransformationMethod=\"FormatStringClaim\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"upnUserName\" TransformationClaimType=\"inputClaim\" />\n        </InputClaims>\n        <InputParameters>\n          <InputParameter Id=\"stringFormat\" DataType=\"string\" Value=\"cpim_{0}@{RelyingPartyTenantId}\" />\n        </InputParameters>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" TransformationClaimType=\"outputClaim\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n\n      <ClaimsTransformation Id=\"CreateAlternativeSecurityId\" TransformationMethod=\"CreateAlternativeSecurityId\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"issuerUserId\" TransformationClaimType=\"key\" />\n          
<InputClaim ClaimTypeReferenceId=\"identityProvider\" TransformationClaimType=\"identityProvider\" />\n        </InputClaims>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"alternativeSecurityId\" TransformationClaimType=\"alternativeSecurityId\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n\n      <ClaimsTransformation Id=\"CreateSubjectClaimFromAlternativeSecurityId\" TransformationMethod=\"CreateStringClaim\">\n        <InputParameters>\n          <InputParameter Id=\"value\" DataType=\"string\" Value=\"Not supported currently. Use oid claim.\" />\n        </InputParameters>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"sub\" TransformationClaimType=\"createdClaim\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n\n      <ClaimsTransformation Id=\"AssertAccountEnabledIsTrue\" TransformationMethod=\"AssertBooleanClaimIsEqualToValue\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"accountEnabled\" TransformationClaimType=\"inputClaim\" />\n        </InputClaims>\n        <InputParameters>\n          <InputParameter Id=\"valueToCompareTo\" DataType=\"boolean\" Value=\"true\" />\n        </InputParameters>\n      </ClaimsTransformation>\n\n      <!-- Claims transformation for refresh token revocation: asserts that the refresh token was issued after refreshTokensValidFromDateTime. NOTE(review): with TreatAsEqualIfWithinMillseconds set to 300000 and AssertIfEqualTo set to false, a token issued within 5 minutes before the revocation timestamp is treated as equal and still passes; confirm that tolerance is acceptable for your revocation requirements. -->\n      <ClaimsTransformation Id=\"AssertRefreshTokenIssuedLaterThanValidFromDate\" TransformationMethod=\"AssertDateTimeIsGreaterThan\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"refreshTokenIssuedOnDateTime\" TransformationClaimType=\"leftOperand\" />\n          <InputClaim ClaimTypeReferenceId=\"refreshTokensValidFromDateTime\" TransformationClaimType=\"rightOperand\" />\n        </InputClaims>\n        <InputParameters>\n          <InputParameter Id=\"AssertIfEqualTo\" DataType=\"boolean\" Value=\"false\" />\n          <InputParameter Id=\"AssertIfRightOperandIsNotPresent\" DataType=\"boolean\" Value=\"true\" />\n          <InputParameter 
Id=\"TreatAsEqualIfWithinMillseconds\" DataType=\"int\" Value=\"300000\" />\n        </InputParameters>\n      </ClaimsTransformation>\n\n    </ClaimsTransformations>\n\n    <ClientDefinitions>\n      <ClientDefinition Id=\"DefaultWeb\">\n        <ClientUIFilterFlags>LineMarkers, MetaRefresh</ClientUIFilterFlags>\n      </ClientDefinition>\n    </ClientDefinitions>\n\n    <ContentDefinitions>\n\n      <!-- This content definition is to render an error page that displays unhandled errors. -->\n      <ContentDefinition Id=\"api.error\">\n        <LoadUri>~/tenant/templates/AzureBlue/exception.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:globalexception:1.2.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Error page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.idpselections\">\n        <LoadUri>~/tenant/templates/AzureBlue/idpSelector.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Idp selection page</Item>\n          <Item Key=\"language.intro\">Sign in</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.idpselections.signup\">\n        <LoadUri>~/tenant/templates/AzureBlue/idpSelector.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Idp selection page</Item>\n          <Item Key=\"language.intro\">Sign up</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.signuporsignin\">\n        
<LoadUri>~/tenant/templates/AzureBlue/unified.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:unifiedssp:2.1.5</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Signin and Signup</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.selfasserted\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Collect information from user page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.selfasserted.profileupdate\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Collect information from user page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountsignup\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Local account sign up page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountpasswordreset\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        
<Metadata>\n          <Item Key=\"DisplayName\">Local account change password page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.socialccountsignup\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Collect information from user page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountsignin\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Collect information from user page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n    </ContentDefinitions>\n  </BuildingBlocks>\n\n  <!--\n        A list of all the claim providers that can be used in the technical policies. If a claims provider is not listed \n        in this section, then it cannot be used in a technical policy.\n    -->\n  <ClaimsProviders>\n\n    <ClaimsProvider>\n      <!-- The following Domain element allows this profile to be used if the request comes with domain_hint \n           query string parameter, e.g. domain_hint=facebook.com  -->\n      <Domain>facebook.com</Domain>\n      <DisplayName>Facebook</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"Facebook-OAUTH\">\n          <!-- The text in the following DisplayName element is shown to the user on the claims provider \n               selection screen. 
-->\n          <DisplayName>Facebook</DisplayName>\n          <Protocol Name=\"OAuth2\" />\n          <Metadata>\n            <Item Key=\"ProviderName\">facebook</Item>\n            <Item Key=\"authorization_endpoint\">https://www.facebook.com/dialog/oauth</Item>\n            <Item Key=\"AccessTokenEndpoint\">https://graph.facebook.com/oauth/access_token</Item>\n            <Item Key=\"HttpBinding\">GET</Item>\n            <Item Key=\"UsePolicyInRedirectUri\">0</Item>\n\n            <!-- Facebook requires the HTTP GET binding, and since 3/27/2017 its access token response is in JSON format, hence AccessTokenResponseFormat=json. The client secret is not inlined in this policy; it is resolved from the B2C_1A_FacebookSecret policy key container referenced under CryptographicKeys. -->\n            <Item Key=\"AccessTokenResponseFormat\">json</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"client_secret\" StorageReferenceId=\"B2C_1A_FacebookSecret\" />\n          </CryptographicKeys>\n          <InputClaims />\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"issuerUserId\" PartnerClaimType=\"id\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" PartnerClaimType=\"first_name\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" PartnerClaimType=\"last_name\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" PartnerClaimType=\"name\" />\n            <OutputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"email\" />\n            <OutputClaim ClaimTypeReferenceId=\"identityProvider\" DefaultValue=\"facebook.com\" AlwaysUseDefaultValue=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" DefaultValue=\"socialIdpAuthentication\" AlwaysUseDefaultValue=\"true\" />\n          </OutputClaims>\n          <OutputClaimsTransformations>\n            <OutputClaimsTransformation ReferenceId=\"CreateRandomUPNUserName\" />\n            <OutputClaimsTransformation ReferenceId=\"CreateUserPrincipalName\" />\n            <OutputClaimsTransformation ReferenceId=\"CreateAlternativeSecurityId\" />\n          </OutputClaimsTransformations>\n     
     <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-SocialLogin\" />\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Local Account SignIn</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"login-NonInteractive\">\n          <DisplayName>Local Account SignIn</DisplayName>\n          <Protocol Name=\"OpenIdConnect\" />\n          <Metadata>\n            <Item Key=\"ProviderName\">https://sts.windows.net/</Item>\n            <Item Key=\"METADATA\">https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration</Item>\n            <Item Key=\"authorization_endpoint\">https://login.microsoftonline.com/{tenant}/oauth2/token</Item>\n            <Item Key=\"response_types\">id_token</Item>\n            <Item Key=\"response_mode\">query</Item>\n            <Item Key=\"scope\">email openid</Item>\n            <!-- <Item Key=\"grant_type\">password</Item> -->\n\n            <!-- Policy Engine Clients -->\n            <Item Key=\"UsePolicyInRedirectUri\">false</Item>\n            <Item Key=\"HttpBinding\">POST</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"signInName\" PartnerClaimType=\"username\" Required=\"true\" />\n            <InputClaim ClaimTypeReferenceId=\"password\" Required=\"true\" />\n            <InputClaim ClaimTypeReferenceId=\"grant_type\" DefaultValue=\"password\" AlwaysUseDefaultValue=\"true\" />\n            <InputClaim ClaimTypeReferenceId=\"scope\" DefaultValue=\"openid\" AlwaysUseDefaultValue=\"true\" />\n            <InputClaim ClaimTypeReferenceId=\"nca\" PartnerClaimType=\"nca\" DefaultValue=\"1\" />\n          </InputClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"oid\" />\n            <OutputClaim ClaimTypeReferenceId=\"tenantId\" PartnerClaimType=\"tid\" />\n            <OutputClaim 
ClaimTypeReferenceId=\"givenName\" PartnerClaimType=\"given_name\" />\n            <OutputClaim ClaimTypeReferenceId=\"surName\" PartnerClaimType=\"family_name\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" PartnerClaimType=\"name\" />\n            <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" PartnerClaimType=\"upn\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" DefaultValue=\"localAccountAuthentication\" />\n          </OutputClaims>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Azure Active Directory</DisplayName>\n      <TechnicalProfiles>\n\n        <TechnicalProfile Id=\"AAD-Common\">\n          <DisplayName>Azure Active Directory</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.AzureActiveDirectoryProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n\n          <!-- We need this here to suppress the SelfAsserted provider from invoking SSO on validation profiles. 
-->\n          <IncludeInSso>false</IncludeInSso>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-Noop\" />\n        </TechnicalProfile>\n\n        <!-- Technical profiles for social logins -->\n        <TechnicalProfile Id=\"AAD-UserWriteUsingAlternativeSecurityId\">\n          <Metadata>\n            <Item Key=\"Operation\">Write</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalAlreadyExists\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaimsTransformations>\n            <InputClaimsTransformation ReferenceId=\"CreateOtherMailsFromEmail\" />\n          </InputClaimsTransformations>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"alternativeSecurityId\" PartnerClaimType=\"alternativeSecurityId\" Required=\"true\" />\n          </InputClaims>\n          <PersistedClaims>\n            <!-- Required claims -->\n            <PersistedClaim ClaimTypeReferenceId=\"alternativeSecurityId\" />\n            <PersistedClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"mailNickName\" DefaultValue=\"unknown\" />\n            <PersistedClaim ClaimTypeReferenceId=\"displayName\" DefaultValue=\"unknown\" />\n\n            <!-- Optional claims -->\n            <PersistedClaim ClaimTypeReferenceId=\"otherMails\" />\n            <PersistedClaim ClaimTypeReferenceId=\"givenName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"surname\" />\n          </PersistedClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"newUser\" PartnerClaimType=\"newClaimsPrincipalCreated\" />\n            <!-- The following other mails claim is needed for the case when a user is created, we get otherMails from directory. 
Self-asserted provider also has an\n                 OutputClaims, and if this is absent, Self-Asserted provider will prompt the user for otherMails. -->\n            <OutputClaim ClaimTypeReferenceId=\"otherMails\" />\n          </OutputClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"AAD-UserReadUsingAlternativeSecurityId\">\n          <Metadata>\n            <Item Key=\"Operation\">Read</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"alternativeSecurityId\" PartnerClaimType=\"alternativeSecurityId\" Required=\"true\" />\n          </InputClaims>\n          <OutputClaims>\n            <!-- Required claims -->\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n\n            <!-- Optional claims -->\n            <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"otherMails\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" />\n          </OutputClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"AAD-UserReadUsingAlternativeSecurityId-NoError\">\n          <Metadata>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">false</Item>\n          </Metadata>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-UserReadUsingAlternativeSecurityId\" />\n        </TechnicalProfile>\n\n        <!-- Technical profiles for local accounts -->\n        <TechnicalProfile Id=\"AAD-UserWriteUsingLogonEmail\">\n          <Metadata>\n            <Item 
Key=\"Operation\">Write</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalAlreadyExists\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"signInNames.emailAddress\" Required=\"true\" />\n          </InputClaims>\n          <PersistedClaims>\n            <!-- Required claims -->\n            <PersistedClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"signInNames.emailAddress\" />\n            <PersistedClaim ClaimTypeReferenceId=\"newPassword\" PartnerClaimType=\"password\" />\n            <PersistedClaim ClaimTypeReferenceId=\"displayName\" DefaultValue=\"unknown\" />\n            <PersistedClaim ClaimTypeReferenceId=\"passwordPolicies\" DefaultValue=\"DisablePasswordExpiration\" />\n\n            <!-- Optional claims. -->\n            <PersistedClaim ClaimTypeReferenceId=\"givenName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"surname\" />\n          </PersistedClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"newUser\" PartnerClaimType=\"newClaimsPrincipalCreated\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" DefaultValue=\"localAccountAuthentication\" />\n            <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <OutputClaim ClaimTypeReferenceId=\"signInNames.emailAddress\" />\n          </OutputClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"AAD-UserReadUsingEmailAddress\">\n          <Metadata>\n            <Item Key=\"Operation\">Read</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n  
        <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"signInNames.emailAddress\" Required=\"true\" />\n          </InputClaims>\n          <OutputClaims>\n            <!-- Required claims -->\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" DefaultValue=\"localAccountAuthentication\" />\n\n            <!-- Optional claims -->\n            <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"accountEnabled\" />\n            <OutputClaim ClaimTypeReferenceId=\"otherMails\" />\n            <OutputClaim ClaimTypeReferenceId=\"signInNames.emailAddress\" />\n          </OutputClaims>\n          <OutputClaimsTransformations>\n            <OutputClaimsTransformation ReferenceId=\"AssertAccountEnabledIsTrue\" />\n          </OutputClaimsTransformations>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"AAD-UserWritePasswordUsingObjectId\">\n          <Metadata>\n            <Item Key=\"Operation\">Write</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"objectId\" Required=\"true\" />\n          </InputClaims>\n          <PersistedClaims>\n            <PersistedClaim ClaimTypeReferenceId=\"objectId\" />\n            <PersistedClaim ClaimTypeReferenceId=\"newPassword\" PartnerClaimType=\"password\" />\n\n          </PersistedClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n\n        <!-- Technical profiles for updating user record using objectId -->\n\n        <TechnicalProfile Id=\"AAD-UserWriteProfileUsingObjectId\">\n     
     <Metadata>\n            <Item Key=\"Operation\">Write</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalAlreadyExists\">false</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"objectId\" Required=\"true\" />\n          </InputClaims>\n          <PersistedClaims>\n            <!-- Required claims -->\n            <PersistedClaim ClaimTypeReferenceId=\"objectId\" />\n\n            <!-- Optional claims -->\n            <PersistedClaim ClaimTypeReferenceId=\"givenName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"surname\" />\n          </PersistedClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n\n        <!-- The following technical profile is used to read data after user authenticates. -->\n        <TechnicalProfile Id=\"AAD-UserReadUsingObjectId\">\n          <Metadata>\n            <Item Key=\"Operation\">Read</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"objectId\" Required=\"true\" />\n          </InputClaims>\n          <OutputClaims>\n\n            <!-- Optional claims -->\n            <OutputClaim ClaimTypeReferenceId=\"signInNames.emailAddress\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"otherMails\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" />\n          </OutputClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n\n\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Self 
Asserted</DisplayName>\n      <TechnicalProfiles>\n\n        <TechnicalProfile Id=\"SelfAsserted-Social\">\n          <DisplayName>User ID signup</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"ContentDefinitionReferenceId\">api.socialccountsignup</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n          <InputClaims>\n            <!-- These claims ensure that any values retrieved in the previous steps (e.g. from an external IDP) are prefilled. \n                 Note that some of these claims may not have any value, for example, if the external IDP did not provide any of\n                 these values, or if the claim did not appear in the OutputClaims section of the IDP.\n                 In addition, if a claim is not in the InputClaims section, but it is in the OutputClaims section, then its\n                 value will not be prefilled, but the user will still be prompted for it (with an empty value). -->\n            <InputClaim ClaimTypeReferenceId=\"displayName\" />\n            <InputClaim ClaimTypeReferenceId=\"givenName\" />\n            <InputClaim ClaimTypeReferenceId=\"surname\" />\n          </InputClaims>\n          <OutputClaims>\n            <!-- These claims are not shown to the user because their value is obtained through the \"ValidationTechnicalProfiles\"\n                 referenced below, or a default value is assigned to the claim. A claim is only shown to the user to provide a \n                 value if its value cannot be obtained through any other means. 
-->\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"newUser\" />\n            <OutputClaim ClaimTypeReferenceId=\"executed-SelfAsserted-Input\" DefaultValue=\"true\" />\n\n            <!-- Optional claims. These claims are collected from the user and can be modified. If a claim is to be persisted in the directory after having been \n                 collected from the user, it needs to be added as a PersistedClaim in the ValidationTechnicalProfile referenced below, i.e. \n                 in AAD-UserWriteUsingAlternativeSecurityId. -->\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserWriteUsingAlternativeSecurityId\" />\n          </ValidationTechnicalProfiles>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-SocialSignup\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"SelfAsserted-ProfileUpdate\">\n          <DisplayName>User ID signup</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"ContentDefinitionReferenceId\">api.selfasserted.profileupdate</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"alternativeSecurityId\" />\n            <InputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n\n            <!-- Optional claims. These claims are collected from the user and can be modified. 
Any claim added here should be updated in the\n                 ValidationTechnicalProfile referenced below so it can be written to directory after being updated by the user, i.e. AAD-UserWriteProfileUsingObjectId. -->\n            <InputClaim ClaimTypeReferenceId=\"givenName\" />\n            <InputClaim ClaimTypeReferenceId=\"surname\" />\n          </InputClaims>\n          <OutputClaims>\n            <!-- Required claims -->\n            <OutputClaim ClaimTypeReferenceId=\"executed-SelfAsserted-Input\" DefaultValue=\"true\" />\n\n            <!-- Optional claims. These claims are collected from the user and can be modified. Any claim added here should be updated in the\n                 ValidationTechnicalProfile referenced below so it can be written to directory after being updated by the user, i.e. AAD-UserWriteProfileUsingObjectId. -->\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserWriteProfileUsingObjectId\" />\n          </ValidationTechnicalProfiles>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Local Account</DisplayName>\n      <TechnicalProfiles>\n\n        <TechnicalProfile Id=\"LocalAccountSignUpWithLogonEmail\">\n          <DisplayName>Email signup</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"IpAddressClaimReferenceId\">IpAddress</Item>\n            <Item Key=\"ContentDefinitionReferenceId\">api.localaccountsignup</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n      
    </CryptographicKeys>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"email\" />\n          </InputClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"Verified.Email\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"newPassword\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"reenterPassword\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"executed-SelfAsserted-Input\" DefaultValue=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" />\n            <OutputClaim ClaimTypeReferenceId=\"newUser\" />\n\n            <!-- Optional claims, to be collected from the user -->\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surName\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserWriteUsingLogonEmail\" />\n          </ValidationTechnicalProfiles>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n\n        <!-- This technical profile uses a validation technical profile to authenticate the user. 
-->\n        <TechnicalProfile Id=\"SelfAsserted-LocalAccountSignin-Email\">\n          <DisplayName>Local Account Signin</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"SignUpTarget\">SignUpWithLogonEmailExchange</Item>\n            <Item Key=\"setting.operatingMode\">Email</Item>\n            <Item Key=\"ContentDefinitionReferenceId\">api.localaccountsignin</Item>\n            <Item Key=\"IncludeClaimResolvingInClaimsHandling\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"signInName\" DefaultValue=\"{OIDC:LoginHint}\" AlwaysUseDefaultValue=\"true\" />\n          </InputClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"signInName\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"password\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"login-NonInteractive\" />\n          </ValidationTechnicalProfiles>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n\n        <!-- This technical profile is the first step of password reset. It forces the user to verify the email address they provide on the UI: the email output claim uses PartnerClaimType Verified.Email, so the self-asserted page requires the address to be verified before the claim is accepted. Only after the email is verified is the user account read from the directory, via the AAD-UserReadUsingEmailAddress validation profile, which also asserts that the account is enabled. Keep Verified.Email here; without it, knowing an account's email address alone would be enough to reach the password-write step. 
-->\n        <TechnicalProfile Id=\"LocalAccountDiscoveryUsingEmailAddress\">\n          <DisplayName>Reset password using email address</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"IpAddressClaimReferenceId\">IpAddress</Item>\n            <Item Key=\"ContentDefinitionReferenceId\">api.localaccountpasswordreset</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n          <IncludeInSso>false</IncludeInSso>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"Verified.Email\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" />\n\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserReadUsingEmailAddress\" />\n          </ValidationTechnicalProfiles>\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"LocalAccountWritePasswordUsingObjectId\">\n          <DisplayName>Change password (username)</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"ContentDefinitionReferenceId\">api.localaccountpasswordreset</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n          <InputClaims>\n            <InputClaim 
ClaimTypeReferenceId=\"objectId\" />\n\n          </InputClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"newPassword\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"reenterPassword\" Required=\"true\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserWritePasswordUsingObjectId\" />\n          </ValidationTechnicalProfiles>\n        </TechnicalProfile>\n\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Session Management</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"SM-Noop\">\n          <DisplayName>Noop Session Management Provider</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.NoopSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"SM-AAD\">\n          <DisplayName>Session Management Provider</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.DefaultSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <PersistedClaims>\n            <PersistedClaim ClaimTypeReferenceId=\"objectId\" />\n            <PersistedClaim ClaimTypeReferenceId=\"signInName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"authenticationSource\" />\n            <PersistedClaim ClaimTypeReferenceId=\"identityProvider\" />\n            <PersistedClaim ClaimTypeReferenceId=\"newUser\" />\n            <PersistedClaim ClaimTypeReferenceId=\"executed-SelfAsserted-Input\" />\n          </PersistedClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectIdFromSession\" DefaultValue=\"true\" />\n          </OutputClaims>\n        </TechnicalProfile>\n\n        <!-- The profile name is used to disambiguate the AAD session between 
sign up and sign in -->\n        <TechnicalProfile Id=\"SM-SocialSignup\">\n          <IncludeTechnicalProfile ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"SM-SocialLogin\">\n          <DisplayName>Session Mananagement Provider</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.ExternalLoginSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"AlwaysFetchClaimsFromProvider\">true</Item>\n          </Metadata>\n          <PersistedClaims>\n            <PersistedClaim ClaimTypeReferenceId=\"alternativeSecurityId\" />\n          </PersistedClaims>\n        </TechnicalProfile>\n\n        <!-- Session management technical profile for OIDC based tokens -->\n        <TechnicalProfile Id=\"SM-jwt-issuer\">\n          <DisplayName>Session Management Provider</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.OAuthSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Trustframework Policy Engine TechnicalProfiles</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"TpEngine_c3bd4fe2-1775-4013-b91d-35f16d377d13\">\n          <DisplayName>Trustframework Policy Engine Default Technical Profile</DisplayName>\n          <Protocol Name=\"None\" />\n          <Metadata>\n            <Item Key=\"url\">{service:te}</Item>\n          </Metadata>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Token Issuer</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"JwtIssuer\">\n          <DisplayName>JWT Issuer</DisplayName>\n          <Protocol Name=\"OpenIdConnect\" />\n          <OutputTokenFormat>JWT</OutputTokenFormat>\n   
       <Metadata>\n            <Item Key=\"client_id\">{service:te}</Item>\n            <Item Key=\"issuer_refresh_token_user_identity_claim_type\">objectId</Item>\n            <Item Key=\"SendTokenResponseBodyWithJsonNumbers\">true</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n            <Key Id=\"issuer_refresh_token_key\" StorageReferenceId=\"B2C_1A_TokenEncryptionKeyContainer\" />\n          </CryptographicKeys>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-jwt-issuer\" />\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n  \n  <!--claims provider for refresh token revocation-->\n  <ClaimsProvider>\n    <DisplayName>Refresh token journey</DisplayName>\n    <TechnicalProfiles>\n      <TechnicalProfile Id=\"RefreshTokenReadAndSetup\">\n        <DisplayName>Trustframework Policy Engine Refresh Token Setup Technical Profile</DisplayName>\n        <Protocol Name=\"None\" />\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n          <OutputClaim ClaimTypeReferenceId=\"refreshTokenIssuedOnDateTime\" />\n           <!--Requirement: Claims that you return in the relying party technical profile output claims\n            that are not stored in Azure AD B2C, must be added to the output claims collection here-->\n          <!--\n          \n          <OutputClaim ClaimTypeReferenceId=\"RESTAPIclaim1\" />\n          <OutputClaim ClaimTypeReferenceId=\"IDPclaim1\" />\n           -->\n        </OutputClaims>\n      </TechnicalProfile>\n\n\n      <TechnicalProfile Id=\"AAD-UserReadUsingObjectId-CheckRefreshTokenDate\">\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"refreshTokensValidFromDateTime\" />\n          <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n        </OutputClaims>\n        <OutputClaimsTransformations>\n          
<OutputClaimsTransformation ReferenceId=\"AssertRefreshTokenIssuedLaterThanValidFromDate\" />\n        </OutputClaimsTransformations>\n        <IncludeTechnicalProfile ReferenceId=\"AAD-UserReadUsingObjectId\" />\n      </TechnicalProfile>\n    </TechnicalProfiles>\n  </ClaimsProvider>\n</ClaimsProviders>\n\n  <UserJourneys>\n\n    <UserJourney Id=\"SignUpOrSignIn\">\n      <OrchestrationSteps>\n\n        <OrchestrationStep Order=\"1\" Type=\"CombinedSignInAndSignUp\" ContentDefinitionReferenceId=\"api.signuporsignin\">\n          <ClaimsProviderSelections>\n            <ClaimsProviderSelection TargetClaimsExchangeId=\"FacebookExchange\" />\n            <ClaimsProviderSelection ValidationClaimsExchangeId=\"LocalAccountSigninEmailExchange\" />\n          </ClaimsProviderSelections>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"LocalAccountSigninEmailExchange\" TechnicalProfileReferenceId=\"SelfAsserted-LocalAccountSignin-Email\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- Check if the user has selected to sign in using one of the social providers -->\n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>objectId</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"FacebookExchange\" TechnicalProfileReferenceId=\"Facebook-OAUTH\" />\n            <ClaimsExchange Id=\"SignUpWithLogonEmailExchange\" TechnicalProfileReferenceId=\"LocalAccountSignUpWithLogonEmail\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- For social IDP authentication, attempt to find the user account in the directory. 
-->\n        <OrchestrationStep Order=\"3\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimEquals\" ExecuteActionsIf=\"true\">\n              <Value>authenticationSource</Value>\n              <Value>localAccountAuthentication</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserReadUsingAlternativeSecurityId\" TechnicalProfileReferenceId=\"AAD-UserReadUsingAlternativeSecurityId-NoError\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- Show self-asserted page only if the directory does not have the user account already (i.e. we do not have an objectId). \n          This can only happen when authentication happened using a social IDP. If local account was created or authentication done\n          using ESTS in step 2, then an user account must exist in the directory by this time. -->\n        <OrchestrationStep Order=\"4\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>objectId</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"SelfAsserted-Social\" TechnicalProfileReferenceId=\"SelfAsserted-Social\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent \n          in the token. 
-->\n        <OrchestrationStep Order=\"5\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimEquals\" ExecuteActionsIf=\"true\">\n              <Value>authenticationSource</Value>\n              <Value>socialIdpAuthentication</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserReadWithObjectId\" TechnicalProfileReferenceId=\"AAD-UserReadUsingObjectId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <!-- The previous step (SelfAsserted-Social) could have been skipped if there were no attributes to collect \n             from the user. So, in that case, create the user in the directory if one does not already exist \n             (verified using objectId which would be set from the last step if account was created in the directory. -->\n        <OrchestrationStep Order=\"6\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>objectId</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserWrite\" TechnicalProfileReferenceId=\"AAD-UserWriteUsingAlternativeSecurityId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <OrchestrationStep Order=\"7\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n\n      </OrchestrationSteps>\n      <ClientDefinition ReferenceId=\"DefaultWeb\" />\n    </UserJourney>\n\n    <UserJourney Id=\"ProfileEdit\">\n      <OrchestrationSteps>\n\n        <OrchestrationStep Order=\"1\" Type=\"ClaimsProviderSelection\" ContentDefinitionReferenceId=\"api.idpselections\">\n          <ClaimsProviderSelections>\n            <ClaimsProviderSelection 
TargetClaimsExchangeId=\"FacebookExchange\" />\n            <ClaimsProviderSelection TargetClaimsExchangeId=\"LocalAccountSigninEmailExchange\" />\n          </ClaimsProviderSelections>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"FacebookExchange\" TechnicalProfileReferenceId=\"Facebook-OAUTH\" />\n            <ClaimsExchange Id=\"LocalAccountSigninEmailExchange\" TechnicalProfileReferenceId=\"SelfAsserted-LocalAccountSignin-Email\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"3\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimEquals\" ExecuteActionsIf=\"true\">\n              <Value>authenticationSource</Value>\n              <Value>localAccountAuthentication</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserRead\" TechnicalProfileReferenceId=\"AAD-UserReadUsingAlternativeSecurityId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"4\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimEquals\" ExecuteActionsIf=\"true\">\n              <Value>authenticationSource</Value>\n              <Value>socialIdpAuthentication</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserReadWithObjectId\" TechnicalProfileReferenceId=\"AAD-UserReadUsingObjectId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <OrchestrationStep Order=\"5\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"B2CUserProfileUpdateExchange\" 
TechnicalProfileReferenceId=\"SelfAsserted-ProfileUpdate\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"6\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n\n      </OrchestrationSteps>\n      <ClientDefinition ReferenceId=\"DefaultWeb\" />\n    </UserJourney>\n\n    <UserJourney Id=\"PasswordReset\">\n      <OrchestrationSteps>\n        <OrchestrationStep Order=\"1\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"PasswordResetUsingEmailAddressExchange\" TechnicalProfileReferenceId=\"LocalAccountDiscoveryUsingEmailAddress\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"NewCredentials\" TechnicalProfileReferenceId=\"LocalAccountWritePasswordUsingObjectId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"3\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n      </OrchestrationSteps>\n      <ClientDefinition ReferenceId=\"DefaultWeb\" />\n    </UserJourney>\n\n    <UserJourney Id=\"RedeemRefreshToken\">\n      <PreserveOriginalAssertion>false</PreserveOriginalAssertion>\n      <OrchestrationSteps>\n        <OrchestrationStep Order=\"1\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"RefreshTokenSetupExchange\" TechnicalProfileReferenceId=\"RefreshTokenReadAndSetup\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- Extra steps can be added before or after this step for REST API or claims transformation calls-->\n        \n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"CheckRefreshTokenDateFromAadExchange\" 
TechnicalProfileReferenceId=\"AAD-UserReadUsingObjectId-CheckRefreshTokenDate\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"3\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n      </OrchestrationSteps>\n    </UserJourney>\n\n  </UserJourneys>\n</TrustFrameworkPolicy>"
  },
  {
    "path": "SocialAndLocalAccounts/TrustFrameworkExtensions.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n<TrustFrameworkPolicy \n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" \n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\" \n  PolicySchemaVersion=\"0.3.0.0\" \n  TenantId=\"yourtenant.onmicrosoft.com\" \n  PolicyId=\"B2C_1A_TrustFrameworkExtensions\" \n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions\">\n  \n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkLocalization</PolicyId>\n  </BasePolicy>\n <BuildingBlocks>\n      \n  </BuildingBlocks>\n\n  <ClaimsProviders>\n\n    <ClaimsProvider>\n      <DisplayName>Facebook</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"Facebook-OAUTH\">\n          <Metadata>\n            <Item Key=\"client_id\">facebook_clientid</Item>\n            <Item Key=\"scope\">email public_profile</Item>\n            <Item Key=\"ClaimsEndpoint\">https://graph.facebook.com/me?fields=id,first_name,last_name,name,email</Item>\n          </Metadata>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n\n    <ClaimsProvider>\n      <DisplayName>Local Account SignIn</DisplayName>\n      <TechnicalProfiles>\n         <TechnicalProfile Id=\"login-NonInteractive\">\n          <Metadata>\n            <Item Key=\"client_id\">ProxyIdentityExperienceFrameworkAppId</Item>\n            <Item Key=\"IdTokenAudience\">IdentityExperienceFrameworkAppId</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"client_id\" DefaultValue=\"ProxyIdentityExperienceFrameworkAppId\" />\n            <InputClaim ClaimTypeReferenceId=\"resource_id\" PartnerClaimType=\"resource\" DefaultValue=\"IdentityExperienceFrameworkAppId\" />\n          </InputClaims>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n  
</ClaimsProviders>\n\n    <!--UserJourneys>\n\t\n\t</UserJourneys-->\n\n</TrustFrameworkPolicy>\n"
  },
  {
    "path": "SocialAndLocalAccounts/TrustFrameworkLocalization.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n<TrustFrameworkPolicy \n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" \n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\" \n  PolicySchemaVersion=\"0.3.0.0\" \n  TenantId=\"yourtenant.onmicrosoft.com\" \n  PolicyId=\"B2C_1A_TrustFrameworkLocalization\" \n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkLocalization\">\n\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>\n  </BasePolicy>\n\n  <BuildingBlocks>\n\n    <ContentDefinitions>\n      <ContentDefinition Id=\"api.signuporsignin\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.signuporsignin.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountsignup\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.localaccountsignup.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.socialccountsignup\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.socialccountsignup.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountpasswordreset\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.localaccountpasswordreset.en\" 
/>\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.idpselections\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.idpselections.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountsignin\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.localaccountsignin.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.selfasserted.profileupdate\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.selfasserted.profileupdate.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n    </ContentDefinitions>\n\n    <Localization Enabled=\"true\">\n      <SupportedLanguages DefaultLanguage=\"en\" MergeBehavior=\"Append\">\n        <SupportedLanguage>en</SupportedLanguage>\n      </SupportedLanguages>\n\n      <LocalizedResources Id=\"api.signuporsignin.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"signInName\" StringId=\"DisplayName\">Email Address</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"heading\">Sign in</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"social_intro\">Sign in with your social account</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"local_intro_generic\">Sign in with your {0}</LocalizedString>\n  
        <LocalizedString ElementType=\"ClaimType\" ElementId=\"password\" StringId=\"DisplayName\">Password</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"requiredField_password\">Please enter your password</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"requiredField_generic\">Please enter your {0}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"invalid_generic\">Please enter a valid {0}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"createaccount_one_link\">Sign up now</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"createaccount_two_links\">Sign up with {0} or {1}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"createaccount_three_links\">Sign up with {0}, {1}, or {2}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"forgotpassword_link\">Forgot your password?</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_signin\">Sign in</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"divider_title\">OR</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"createaccount_intro\">Don't have an account?</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"unknown_error\">We are having trouble signing you in. Please try again later.</LocalizedString>\n          <!-- Uncomment the remember_me only if the keep me signed in is activated. 
\n          <LocalizedString ElementType=\"UxElement\" StringId=\"remember_me\">Keep me signed in</LocalizedString> -->\n          <LocalizedString ElementType=\"ClaimsProvider\" StringId=\"FacebookExchange\">Facebook</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"ResourceOwnerFlowInvalidCredentials\">Your password is incorrect.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfInvalidPassword\">Your password is incorrect.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfPasswordExpired\">Your password has expired.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalDoesNotExist\">We can't seem to find your account.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfOldPasswordUsed\">Looks like you used an old password.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"DefaultMessage\">Invalid username or password.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfUserAccountDisabled\">Your account has been locked. Contact your support person to unlock it, then try again.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfUserAccountLocked\">Your account is temporarily locked to prevent unauthorized use. Try again later.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"AADRequestsThrottled\">There are too many requests at this moment. 
Please wait for some time and try again.</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!--Local account sign-up page English-->\n      <LocalizedResources Id=\"api.localaccountsignup.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"DisplayName\">Email Address</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"UserHelpText\">Email address that can be used to contact you.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"PatternHelpText\">Please enter a valid email address.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"DisplayName\">New Password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"UserHelpText\">Enter new password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"PatternHelpText\">8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ &amp; * - _ + = [ ] { } | \\ : ' , ? / ` ~ \" ( ) ; .</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"DisplayName\">Confirm New Password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"UserHelpText\">Confirm new password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"PatternHelpText\">8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ &amp; * - _ + = [ ] { } | \\ : ' , ? 
/ ` ~ \" ( ) ; .</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"DisplayName\">Display Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"UserHelpText\">Your display name.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"DisplayName\">Surname</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"UserHelpText\">Your surname (also known as family name or last name).</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"DisplayName\">Given Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"UserHelpText\">Your given name (also known as first name).</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_continue\">Create</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_fieldIncorrect\">One or more fields are filled out incorrectly. Please check your entries and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_passwordEntryMismatch\">The password entry fields do not match. Please enter the same password in both fields and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_requiredFieldMissing\">A required field is missing. 
Please fill out all required fields and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"helplink_text\">What is this?</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"initial_intro\">Please provide the following details.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"preloader_alt\">Please wait</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"required_field\">This information is required.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_cancel\">Cancel</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_but_edit\">Change e-mail</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_but_resend\">Send new code</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_but_send\">Send verification code</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_but_verify\">Verify code</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_fail_code_expired\">That code is expired. Please request a new code.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_fail_no_retry\">You've made too many incorrect attempts. Please try again later.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_fail_retry\">That code is incorrect. Please try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_fail_server\">We are having trouble verifying your email address. Please enter a valid email address and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_fail_throttled\">There have been too many requests to verify this email address. 
Please wait a while, then try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_info_msg\">Verification code has been sent to your inbox. Please copy it to the input box below.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_input\">Verification code</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_intro_msg\">Verification is necessary. Please click Send button.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_success_msg\">E-mail address verified. You can now continue.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"ServiceThrottled\">There are too many requests at this moment. Please wait for some time and try again.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimNotVerified\">Claim not verified: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalAlreadyExists\">A user with the specified ID already exists. 
Please choose a different one.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfIncorrectPattern\">Incorrect pattern for: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfInvalidInput\">{0} has invalid input.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfMissingRequiredElement\">Missing required element: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfValidationError\">Error in validation by: {0}</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Social account sign-up page English-->\n      <LocalizedResources Id=\"api.socialccountsignup.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"DisplayName\">Email Address</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"UserHelpText\">Email address that can be used to contact you.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"PatternHelpText\">Please enter a valid email address.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"DisplayName\">Display Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"UserHelpText\">Your display name.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"DisplayName\">Surname</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"UserHelpText\">Your surname (also known as family name or last name).</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"DisplayName\">Given Name</LocalizedString>\n   
       <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"UserHelpText\">Your given name (also known as first name).</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_continue\">Create</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_cancel\">Cancel</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalAlreadyExists\">You are already registered, please press the back button and sign in instead.</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Password reset page English-->\n      <LocalizedResources Id=\"api.localaccountpasswordreset.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"DisplayName\">Email Address</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"UserHelpText\">Email address that can be used to contact you.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"PatternHelpText\">Please enter a valid email address.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"DisplayName\">New Password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"UserHelpText\">Enter new password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"PatternHelpText\">8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ &amp; * - _ + = [ ] { } | \\ : ' , ? 
/ ` ~ \" ( ) ; .</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"DisplayName\">Confirm New Password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"UserHelpText\">Confirm new password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"PatternHelpText\">8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ &amp; * - _ + = [ ] { } | \\ : ' , ? / ` ~ \" ( ) ; .</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_passwordEntryMismatch\">The password entry fields do not match. Please enter the same password in both fields and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_fieldIncorrect\">One or more fields are filled out incorrectly. Please check your entries and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_continue\">Continue</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_cancel\">Cancel</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalDoesNotExist\">An account could not be found for the provided user ID.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsTransformationBooleanValueIsNotEqual\">Your account has been locked. 
Contact your support person to unlock it, then try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"required_field\">This information is required.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_but_edit\">Change e-mail</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_but_resend\">Send new code</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_but_send\">Send verification code</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_but_verify\">Verify code</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_fail_code_expired\">That code is expired. Please request a new code.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_fail_no_retry\">You've made too many incorrect attempts. Please try again later.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_fail_retry\">That code is incorrect. Please try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_fail_server\">We are having trouble verifying your email address. Please enter a valid email address and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_fail_throttled\">There have been too many requests to verify this email address. Please wait a while, then try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_info_msg\">Verification code has been sent to your inbox. Please copy it to the input box below.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_input\">Verification code</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_intro_msg\">Verification is necessary. 
Please click Send button.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_success_msg\">E-mail address verified. You can now continue.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"ServiceThrottled\">There are too many requests at this moment. Please wait for some time and try again.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimNotVerified\">Claim not verified: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalAlreadyExists\">A user with the specified ID already exists. Please choose a different one.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfIncorrectPattern\">Incorrect pattern for: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfInvalidInput\">{0} has invalid input.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfMissingRequiredElement\">Missing required element: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfValidationError\">Error in validation by: {0}</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Edit profile sign-in page English-->\n      <LocalizedResources Id=\"api.idpselections.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"intro\">Sign in</LocalizedString>\n          <LocalizedString ElementType=\"ClaimsProvider\" StringId=\"LocalAccountSigninEmailExchange\">Local Account Signin</LocalizedString>\n          <LocalizedString ElementType=\"ClaimsProvider\" StringId=\"FacebookExchange\">Facebook</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Edit profile sign-in with local account English-->\n      
<LocalizedResources Id=\"api.localaccountsignin.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"signInName\" StringId=\"DisplayName\">Email Address</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"password\" StringId=\"DisplayName\">Password</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_continue\">Continue</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_cancel\">Cancel</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"ResourceOwnerFlowInvalidCredentials\">Your password is incorrect.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfInvalidPassword\">Your password is incorrect.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfPasswordExpired\">Your password has expired.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalDoesNotExist\">We can't seem to find your account.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfOldPasswordUsed\">Looks like you used an old password.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"DefaultMessage\">Invalid username or password.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfUserAccountDisabled\">Your account has been locked. Contact your support person to unlock it, then try again.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfUserAccountLocked\">Your account is temporarily locked to prevent unauthorized use. Try again later.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"AADRequestsThrottled\">There are too many requests at this moment. 
Please wait for some time and try again.</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Edit profile page English-->\n      <LocalizedResources Id=\"api.selfasserted.profileupdate.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"DisplayName\">Display Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"UserHelpText\">Your display name.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"DisplayName\">Surname</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"UserHelpText\">Your surname (also known as family name or last name).</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"DisplayName\">Given Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"UserHelpText\">Your given name (also known as first name).</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_continue\">Continue</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_cancel\">Cancel</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n      <!-- Add more languages here -->\n    </Localization>\n  </BuildingBlocks>\n\n</TrustFrameworkPolicy>"
  },
  {
    "path": "SocialAndLocalAccounts/readme.md",
    "content": "# Local and social accounts sign-up or sign-in user journey overview\n\nThis article gives an overview of the **local and social accounts sign-up or sign-in** user journey custom policies. We recommend that you read the [Azure AD B2C custom policy overview](https://docs.microsoft.com/azure/active-directory-b2c/custom-policy-overview) before reading this article.\n\n\nYou will find the user journey and its orchestration steps in the TrustFrameworkBase.xml file, with the Id \"SignUpOrSignIn\". Each Orchestration step and its referenced technical profile will be explained in detail in the following series.\n\nFor a user to be able to Sign in and Sign Up, the following User Experience must be translated into logical steps with a custom policy.\n\n## Logical Steps\n\nHandling Sign In for a Local Account:\n\n1. Display a page where the user can enter their email and password.\n1. On the sign in page, display a link to sign up.\n1. If the user submits their credentials (signs in), we must validate the credentials.\n1. Issue an id token.\n\nHandling Sign In/Up for a SocialAccount:\n\n1. Display a page where the user can select to use their Facebook account.\n1. When the user clicks to \"Login with Facebook\", the user will be redirected to Facebook.\n1. When the user returns from Facebook, read the information Facebook provided.\n1. Look up the account in the Azure AD B2C directory to determine if this user has already signed in with Facebook previously.\n1. Display a page where the user can modify the data returned from Facebook about their profile if this is their first time logging in with Facebook.\n1. Write the account information to Azure AD B2C if the account was not already present in the directory.\n1. Issue an id token.\n\nHandling Sign Up for a Local Account:\n1. Display a page that allows users to enter their email, password, and name.\n1. Verify their email with a Timed One Time Passcode sent to their email address.\n1. 
When the user completes a sign up, we must create their account.\n1. Prevent a user from signing up with an existing email address.\n1. Issue an id token.\n\n## Translating this into custom policies\n  \nHandling Sign In for a Local Account:\n\n1. This requires a Self-Asserted technical profile. It must present output claims to obtain the email and password claims.\n1. Use the combined sign in and sign up content definition, which provides this for us.\n1. Run a Validation technical profile to validate the credentials.\n1. Read any additional information from the directory user object.\n1. Call a technical profile to issue a token.  \n\nHandling Sign In/Up for a SocialAccount:\n\n1. Display a page where the user can select to use their Facebook account.\n1. When the user clicks to \"Login with Facebook\", the user will be redirected to Facebook.\n1. Look up the account in the Azure AD B2C directory to determine if this user has already signed in with Facebook previously.\n1. Display a page where the user can modify the data returned from Facebook about their profile if this is their first time logging in with Facebook.\n1. Write the account information to Azure AD B2C if the account was not already present in the directory.\n1. Issue an id token.\n\n1. Using the combined sign in and sign up page, we must instruct Azure AD B2C that there is a new claims provider - Facebook. This will present a button on the page to \"Login with Facebook\" \n1. An OAuth2 technical profile must be configured to be able to redirect the user to Facebook.\n1. Use an Azure Active Directory technical profile to read the directory based on the user identifier returned from Facebook. This is usually the subject claim.\n1. Use a Self-Asserted technical profile, which presents the first name and last name retrieved from Facebook in editable text boxes.\n1. Use an Azure Active Directory technical profile to write the account data into the Azure AD B2C directory.\n1. 
Call a technical profile to issue a token.\n\nHandling Sign Up for a Local Account:\n\n1. This requires a Self-Asserted technical profile. It must present output claims to obtain the email, password, and name claims.\n1. Make use of a special claim which enforces email verification.\n1. Use a Validation technical profile to write the account to the directory. This Validation technical profile will be of type Azure Active Directory.\n1. As part of writing the account, configure the technical profile to throw an error if the account exists.\n1. Read any additional information from the directory user object.\n1. Call a technical profile to issue a token.\n\n\n## Understand the SocialAndLocalAccounts starter pack implementation\n\nThe SocialAndLocalAccounts starter pack comes prebuilt with a lot of functionality for the various scenarios presented within the starter pack - Sign In, Sign Up, Password Reset and Profile Edit.\nWhen reading the user journey for a social and local account sign up or sign in, only a fraction of the foundational elements contained within the files is being used. The following will unpick the elements and describe in detail the operation of a single journey.\n\n### Handling Sign In for a Local Account and Social Account\n\n**Orchestration Step 1**: Provide functionality for a user to Sign in or Sign Up. 
This is achieved using a Self-Asserted technical profile and connected validation technical profile.\n\nThe XML required to generate this step is:\n\n```xml\n<OrchestrationStep Order=\"1\" Type=\"CombinedSignInAndSignUp\" ContentDefinitionReferenceId=\"api.signuporsignin\">\n  <ClaimsProviderSelections>\n    <ClaimsProviderSelection TargetClaimsExchangeId=\"FacebookExchange\" />\n    <ClaimsProviderSelection ValidationClaimsExchangeId=\"LocalAccountSigninEmailExchange\" />\n  </ClaimsProviderSelections>\n  <ClaimsExchanges>\n    <ClaimsExchange Id=\"LocalAccountSigninEmailExchange\" TechnicalProfileReferenceId=\"SelfAsserted-LocalAccountSignin-Email\" />\n  </ClaimsExchanges>\n</OrchestrationStep>\n```\n\nThe combined sign in and sign up page is treated specially by Azure AD B2C, since it presents a sign up link that can take the user to the sign up step.\nThis is achieved with the following two lines:\n\n```xml\n<OrchestrationStep Order=\"1\" Type=\"CombinedSignInAndSignUp\" ContentDefinitionReferenceId=\"api.signuporsignin\">\n```\n\nSince Azure AD B2C understands that this is a Sign In page, you must specify the `ClaimsProviderSelections` element with at least one reference to a `ClaimsProviderSelection`. This `ClaimsProviderSelection` maps to the `ClaimsExchange`. In this case, there are two `ClaimsProviderSelection` elements, such that Azure AD B2C understands that there is a Local Account and Facebook option to present on the page. 
The Local Account `ClaimsProviderSelection` maps to the `LocalAccountSigninEmailExchange` claims exchange, which will call the `SelfAsserted-LocalAccountSignin-Email` technical profile.\n\nThe `SelfAsserted-LocalAccountSignin-Email` technical profile defines the actual page functionality, allowing the user to sign in:\n\n```xml\n<TechnicalProfile Id=\"SelfAsserted-LocalAccountSignin-Email\">\n  <DisplayName>Local Account Signin</DisplayName>\n  <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n  <Metadata>\n    <Item Key=\"SignUpTarget\">SignUpWithLogonEmailExchange</Item>\n    <Item Key=\"setting.operatingMode\">Email</Item>\n    <Item Key=\"ContentDefinitionReferenceId\">api.selfasserted</Item>\n    <Item Key=\"IncludeClaimResolvingInClaimsHandling\">true</Item>\n  </Metadata>\n  <IncludeInSso>false</IncludeInSso>\n  <InputClaims>\n    <InputClaim ClaimTypeReferenceId=\"signInName\" DefaultValue=\"{OIDC:LoginHint}\" AlwaysUseDefaultValue=\"true\" />\n  </InputClaims>\n  <OutputClaims>\n    <OutputClaim ClaimTypeReferenceId=\"signInName\" Required=\"true\" />\n    <OutputClaim ClaimTypeReferenceId=\"password\" Required=\"true\" />\n    <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n    <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" />\n  </OutputClaims>\n  <ValidationTechnicalProfiles>\n    <ValidationTechnicalProfile ReferenceId=\"login-NonInteractive\" />\n  </ValidationTechnicalProfiles>\n  <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n</TechnicalProfile>\n```\n\n|Element name  |Description  |\n|---------|---------|\n|TechnicalProfile Id | Identifier for this technical profile. 
It is used to find the technical profile that is referenced elsewhere, in this case from the Orchestration step.|\n|DisplayName|Friendly name, which can describe the function of this technical profile.|\n|Protocol|The Azure AD B2C technical profile type. In this case, it is Self-Asserted, such that a page is rendered for the user to provide their inputs.|\n|Metadata|For a Self-Asserted Combined Sign in and Sign up profile, we provide a SignUpTarget, which points to the Sign Up ClaimsExchange Id in a subsequent orchestration step.|\n|InputClaims|Enables the signInName claim to be pre-populated|\n|OutputClaims| We require the user to provide their email and password, hence referenced as output claims. There are some claims here, such as objectId, that are not presented on the page since the validation technical profile satisfies this output claim.|\n|ValidationTechnicalProfiles|The technical profile to launch to validate the data the user provided, in this case to validate their credentials.|\n|UseTechnicalProfileForSessionManagement|TO DO|\n\nTo see all the configuration options for a Self-Asserted technical profile, find more [here](https://docs.microsoft.com/azure/active-directory-b2c/self-asserted-technical-profile).\n\nBy calling this technical profile, we now satisfy the initial logical step for sign in. When the user submits the page, the Validation technical profile will run, called `login-NonInteractive`.\n\n```xml\n  <ValidationTechnicalProfile ReferenceId=\"login-NonInteractive\" />\n```\n\nThis is a technical profile, which makes an OpenID request using the [Resource Owner Password Credential](https://tools.ietf.org/html/rfc6749#section-4.3) grant flow to validate the user's credentials at the Azure AD authorization server. 
Essentially this is an API-based logon, which the Azure AD B2C server will complete against the Azure AD authorization server.\n\n```xml\n<TechnicalProfile Id=\"login-NonInteractive\">\n  <DisplayName>Local Account SignIn</DisplayName>\n  <Protocol Name=\"OpenIdConnect\" />\n  <Metadata>\n    <Item Key=\"UserMessageIfClaimsPrincipalDoesNotExist\">We can't seem to find your account</Item>\n    <Item Key=\"UserMessageIfInvalidPassword\">Your password is incorrect</Item>\n    <Item Key=\"UserMessageIfOldPasswordUsed\">Looks like you used an old password</Item>\n\n    <Item Key=\"ProviderName\">https://sts.windows.net/</Item>\n    <Item Key=\"METADATA\">https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration</Item>\n    <Item Key=\"authorization_endpoint\">https://login.microsoftonline.com/{tenant}/oauth2/token</Item>\n    <Item Key=\"response_types\">id_token</Item>\n    <Item Key=\"response_mode\">query</Item>\n    <Item Key=\"scope\">email openid</Item>\n\n    <!-- Policy Engine Clients -->\n    <Item Key=\"UsePolicyInRedirectUri\">false</Item>\n    <Item Key=\"HttpBinding\">POST</Item>\n  </Metadata>\n  <InputClaims>\n    <InputClaim ClaimTypeReferenceId=\"signInName\" PartnerClaimType=\"username\" Required=\"true\" />\n    <InputClaim ClaimTypeReferenceId=\"password\" Required=\"true\" />\n    <InputClaim ClaimTypeReferenceId=\"grant_type\" DefaultValue=\"password\" AlwaysUseDefaultValue=\"true\" />\n    <InputClaim ClaimTypeReferenceId=\"scope\" DefaultValue=\"openid\" AlwaysUseDefaultValue=\"true\" />\n    <InputClaim ClaimTypeReferenceId=\"nca\" PartnerClaimType=\"nca\" DefaultValue=\"1\" />\n  </InputClaims>\n  <OutputClaims>\n    <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"oid\" />\n    <OutputClaim ClaimTypeReferenceId=\"tenantId\" PartnerClaimType=\"tid\" />\n    <OutputClaim ClaimTypeReferenceId=\"givenName\" PartnerClaimType=\"given_name\" />\n    <OutputClaim ClaimTypeReferenceId=\"surName\" 
PartnerClaimType=\"family_name\" />\n    <OutputClaim ClaimTypeReferenceId=\"displayName\" PartnerClaimType=\"name\" />\n    <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" PartnerClaimType=\"upn\" />\n    <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" DefaultValue=\"localAccountAuthentication\" />\n  </OutputClaims>\n</TechnicalProfile>\n```\n\n|Element name  |Description  |\n|---------|---------|\n|TechnicalProfile Id | Identifier for this technical profile. It is used to find the technical profile that is referenced elsewhere.|\n|DisplayName|Friendly name, which can describe the function of this technical profile.|\n|Protocol|The Azure AD B2C technical profile type. In this case, it is OpenId, such that Azure AD B2C understands to make an OpenId request.|\n|Metadata|Various configuration options with which to make a valid OpenId request. This also includes various error handling responses, such as incorrect password.|\n|InputClaims|Passes the username and password into the POST body of the OpenId request.|\n|OutputClaims| Maps the JWT issued by the authorization server into Azure AD B2C's claim bag. Here we obtain the objectId and authenticationSource, hence they are not shown on the Self-Asserted page explained previously.|\n\nTo see all the configuration options for an OpenId Connect technical profile, find more [here](https://docs.microsoft.com/azure/active-directory-b2c/openid-connect-technical-profile).\n\nAt this point, we have rendered a sign in page to the user, who has the option to Sign In with Facebook, or to provide their email and password, after which they are verified against the Directory.\n\n**Orchestration Step 2**: Since Orchestration Step 1 provided a `ClaimsProviderSelection` for Facebook, this is satisfied in step 2 as part of a `ClaimsExchange`. 
Here the `ClaimsProviderSelection` for `FacebookExchange` is satisfied by referencing the `Facebook-OAUTH` technical profile, which provides the necessary means to redirect the user to Facebook for sign in.\n\n```xml\n<!-- Check if the user has selected to sign in using one of the social providers -->\n<OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n  <Preconditions>\n    <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n      <Value>objectId</Value>\n      <Action>SkipThisOrchestrationStep</Action>\n    </Precondition>\n  </Preconditions>\n  <ClaimsExchanges>\n    <ClaimsExchange Id=\"FacebookExchange\" TechnicalProfileReferenceId=\"Facebook-OAUTH\" />\n    <ClaimsExchange Id=\"SignUpWithLogonEmailExchange\" TechnicalProfileReferenceId=\"LocalAccountSignUpWithLogonEmail\" />\n  </ClaimsExchanges>\n</OrchestrationStep>\n```\n\nThe `Facebook-OAUTH` technical profile is as follows in the base file:\n\n```xml\n<TechnicalProfile Id=\"Facebook-OAUTH\">\n  <DisplayName>Facebook</DisplayName>\n  <Protocol Name=\"OAuth2\" />\n  <Metadata>\n    <Item Key=\"ProviderName\">facebook</Item>\n    <Item Key=\"authorization_endpoint\">https://www.facebook.com/dialog/oauth</Item>\n    <Item Key=\"AccessTokenEndpoint\">https://graph.facebook.com/oauth/access_token</Item>\n    <Item Key=\"HttpBinding\">GET</Item>\n    <Item Key=\"UsePolicyInRedirectUri\">0</Item>\n    <Item Key=\"AccessTokenResponseFormat\">json</Item>\n  </Metadata>\n  <CryptographicKeys>\n    <Key Id=\"client_secret\" StorageReferenceId=\"B2C_1A_FacebookSecret\" />\n  </CryptographicKeys>\n  <InputClaims />\n  <OutputClaims>\n    <OutputClaim ClaimTypeReferenceId=\"issuerUserId\" PartnerClaimType=\"id\" />\n    <OutputClaim ClaimTypeReferenceId=\"givenName\" PartnerClaimType=\"first_name\" />\n    <OutputClaim ClaimTypeReferenceId=\"surname\" PartnerClaimType=\"last_name\" />\n    <OutputClaim ClaimTypeReferenceId=\"displayName\" PartnerClaimType=\"name\" />\n    <OutputClaim 
ClaimTypeReferenceId=\"email\" PartnerClaimType=\"email\" />\n    <OutputClaim ClaimTypeReferenceId=\"identityProvider\" DefaultValue=\"facebook.com\" AlwaysUseDefaultValue=\"true\" />\n    <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" DefaultValue=\"socialIdpAuthentication\" AlwaysUseDefaultValue=\"true\" />\n  </OutputClaims>\n  <OutputClaimsTransformations>\n    <OutputClaimsTransformation ReferenceId=\"CreateRandomUPNUserName\" />\n    <OutputClaimsTransformation ReferenceId=\"CreateUserPrincipalName\" />\n    <OutputClaimsTransformation ReferenceId=\"CreateAlternativeSecurityId\" />\n  </OutputClaimsTransformations>\n  <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-SocialLogin\" />\n</TechnicalProfile>\n```\n\n|Element name  |Description  |\n|---------|---------|\n|TechnicalProfile Id | Identifier for this technical profile. It is used to find the technical profile that is referenced elsewhere.|\n|DisplayName|Friendly name, which can describe the function of this technical profile.|\n|Protocol|The Azure AD B2C technical profile type. In this case, it is OAuth2, such that Azure AD B2C understands to make an OAuth2 request.|\n|Metadata|Various configuration options with which to make a valid OAuth2 request. Some of these options are specific to Facebook's requirements.|\n|InputClaims|There is nothing to send to Facebook, only an OAuth2 request.|\n|OutputClaims| Maps the JWT issued by the Facebook authorization server into Azure AD B2C's claim bag. Some claims have default values assigned, hence are not asked from the user.|\n|OutputClaimsTransformations| Various claims transformations that are called to manipulate the data returned from the token sent back by Facebook before being added into the Azure AD B2C claims bag.|\n\nAnd the `Facebook-OAUTH` technical profile has an augmentation in the Extensions file as follows to complete the setup. 
For administrators integrating Facebook login, these are the only parameters to modify, therefore they are added as augmentations into the Extension file, while the Base technical profile will be static for all environments. Note that the Facebook client secret is not placed in either file: the Base profile references it through the `B2C_1A_FacebookSecret` policy key in its `CryptographicKeys` element.\n\n```xml\n<TechnicalProfile Id=\"Facebook-OAUTH\">\n  <Metadata>\n    <Item Key=\"client_id\">facebook_clientid</Item>\n    <Item Key=\"scope\">email public_profile</Item>\n    <Item Key=\"ClaimsEndpoint\">https://graph.facebook.com/me?fields=id,first_name,last_name,name,email</Item>\n  </Metadata>\n</TechnicalProfile>\n```\n\n|Element name  |Description  |\n|---------|---------|\n|TechnicalProfile Id | Identifier for this technical profile. It is used to find the technical profile that is referenced elsewhere or in this case has the same name as in the Base file to augment it.|\n|Metadata|Additional configuration options with which to make a valid OAuth2 request. These are specific to one's own federation with Facebook.|\n\nHere is the breakdown of each claims transformation that is run after the Facebook authentication succeeds and the token is returned to Azure AD B2C. This applies to all external Identity Provider integrations.\n\nThese are run so that the prerequisites for creating the account in Azure AD B2C, and for reading the account on subsequent sign-ins, are satisfied.\n\n**CreateRandomUPNUserName** - This is required to generate a **prefix** for the userPrincipalName, which will be stored on the user account when created.    
\n\n```xml\n<ClaimsTransformation Id=\"CreateRandomUPNUserName\" TransformationMethod=\"CreateRandomString\">\n  <InputParameters>\n    <InputParameter Id=\"randomGeneratorType\" DataType=\"string\" Value=\"GUID\" />\n  </InputParameters>\n  <OutputClaims>\n    <OutputClaim ClaimTypeReferenceId=\"upnUserName\" TransformationClaimType=\"outputClaim\" />\n  </OutputClaims>\n</ClaimsTransformation>\n```\n\nThis claims transform generates a random string in the format of a GUID and issues it into the claim called `upnUserName`.\n\n**CreateUserPrincipalName** - This creates the final userPrincipalName.\n\n```xml\n<ClaimsTransformation Id=\"CreateUserPrincipalName\" TransformationMethod=\"FormatStringClaim\">\n  <InputClaims>\n    <InputClaim ClaimTypeReferenceId=\"upnUserName\" TransformationClaimType=\"inputClaim\" />\n  </InputClaims>\n  <InputParameters>\n    <InputParameter Id=\"stringFormat\" DataType=\"string\" Value=\"cpim_{0}@{RelyingPartyTenantId}\" />\n  </InputParameters>\n  <OutputClaims>\n    <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" TransformationClaimType=\"outputClaim\" />\n  </OutputClaims>\n</ClaimsTransformation>\n```\n\nThis claims transform uses the `FormatStringClaim` method to create a string value using claims in the Azure AD B2C claim bag. The claim given to this transform is `upnUserName`, which is available from the output of the previous claims transform. Here the transform inserts the first input claim into `{0}` and Azure AD B2C knows the value of `{RelyingPartyTenantId}` already. The end result is a fully formed userPrincipalName, which is output in the `userPrincipalName` claim, for example: `cpim_aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb@something.onmicrosoft.com`.\n\n**CreateAlternativeSecurityId** - This creates a user identifier similar to an objectId, which will be used to map the subject claim (sub) from the Facebook token to the Azure AD B2C user on subsequent logons. 
The generated identifier is output into the claim called `alternativeSecurityId`. Because both the provider-specific user id (`issuerUserId`) and the `identityProvider` value feed into it, the resulting identifier is specific to that identity provider.\n\n```xml\n<ClaimsTransformation Id=\"CreateAlternativeSecurityId\" TransformationMethod=\"CreateAlternativeSecurityId\">\n  <InputClaims>\n    <InputClaim ClaimTypeReferenceId=\"issuerUserId\" TransformationClaimType=\"key\" />\n    <InputClaim ClaimTypeReferenceId=\"identityProvider\" TransformationClaimType=\"identityProvider\" />\n  </InputClaims>\n  <OutputClaims>\n    <OutputClaim ClaimTypeReferenceId=\"alternativeSecurityId\" TransformationClaimType=\"alternativeSecurityId\" />\n  </OutputClaims>\n</ClaimsTransformation>\n```\n\nAfter this, the Facebook login is complete, and the claims from the token received from Facebook have been transformed into useful entities for Azure AD B2C to use.\n\n**Orchestration Step 3**: Read any additional data from the social account user object.\n\nWe need to determine if the social account has already been registered with this Azure AD B2C directory, or if this is their first logon via Facebook. Also, we may be storing additional data the user provided or other data on the user object, which allows your application/service to function correctly.\n\nTherefore, we will attempt to read the user object for any desired attributes to add into the Azure AD B2C claims bag. This technical profile is configured such that it does not throw an error if an account is not found.\n\nThe following Orchestration step calls a technical profile called `AAD-UserReadUsingAlternativeSecurityId-NoError` which provides this functionality.\nThe ClaimsExchange Id is a unique name for this claims exchange that you can set.\n\n```xml\n<!-- For social IDP authentication, attempt to find the user account in the directory. 
-->\n<OrchestrationStep Order=\"3\" Type=\"ClaimsExchange\">\n  <Preconditions>\n    <Precondition Type=\"ClaimEquals\" ExecuteActionsIf=\"true\">\n      <Value>authenticationSource</Value>\n      <Value>localAccountAuthentication</Value>\n      <Action>SkipThisOrchestrationStep</Action>\n    </Precondition>\n  </Preconditions>\n  <ClaimsExchanges>\n    <ClaimsExchange Id=\"AADUserReadUsingAlternativeSecurityId\" TechnicalProfileReferenceId=\"AAD-UserReadUsingAlternativeSecurityId-NoError\" />\n  </ClaimsExchanges>\n</OrchestrationStep>\n```\n\nA **precondition** is used such that this step is only run if a Social Account authentication had been completed. This is achieved by checking whether the value of `authenticationSource` claim is equal to `localAccountAuthentication`. If `authenticationSource` does contain the value `localAccountAuthentication`, then this step is skipped, otherwise it is executed.\n\nThe referenced technical profile appears as follows:\n\n```xml\n<TechnicalProfile Id=\"AAD-UserReadUsingAlternativeSecurityId-NoError\">\n  <Metadata>\n    <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">false</Item>\n  </Metadata>\n  <IncludeTechnicalProfile ReferenceId=\"AAD-UserReadUsingAlternativeSecurityId\" />\n</TechnicalProfile>\n```\n\nThis technical profile is taking the `AAD-UserReadUsingAlternativeSecurityId` technical profile and applying a modification to it. The modification here is only to prevent an error being raised if the user is not found in the directory. This will provide an indication if this is the first logon via Facebook for this user, or a subsequent logon.\n\nThe following implements the `AAD-UserReadUsingAlternativeSecurityId` technical profile.\n\n```xml\n<TechnicalProfile Id=\"AAD-UserReadUsingAlternativeSecurityId\">\n  <Metadata>\n    <Item Key=\"Operation\">Read</Item>\n    <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n    <Item Key=\"UserMessageIfClaimsPrincipalDoesNotExist\">User does not exist. 
Please sign up before you can sign in.</Item>\n  </Metadata>\n  <InputClaims>\n    <InputClaim ClaimTypeReferenceId=\"alternativeSecurityId\" PartnerClaimType=\"alternativeSecurityId\" Required=\"true\" />\n  </InputClaims>\n  <OutputClaims>\n    <!-- Required claims -->\n    <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n    <!-- Optional claims -->\n    <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n    <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n    <OutputClaim ClaimTypeReferenceId=\"otherMails\" />\n    <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n    <OutputClaim ClaimTypeReferenceId=\"surname\" />\n  </OutputClaims>\n  <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n</TechnicalProfile>\n```\n\nThis technical profile does not state a protocol, therefore is automatically of type `Azure Active Directory`, which provides the ability to read or write to the directory structure.\n\n\n|Element name  |Description  |\n|---------|---------|\n|TechnicalProfile Id|Identifier for this technical profile. It is used to find the technical profile that is referenced elsewhere.|\n|Metadata|This is configured to read the directory. And to throw an error if the user is not found. This has been overridden by `AAD-UserReadUsingAlternativeSecurityId-NoError`.|\n|InputClaims|This is attempting to find a user account with the `alternativeSecurityId` generated in the claims transform after the Facebook sign in completed. |\n|OutputClaims|We are asking to read these claims from the directory. The Azure AD B2C claims referenced here have the same name as the attribute name in the directory. 
|\n|IncludeTechnicalProfile|AAD-Common is included to provide the foundational functionality to read or write to the directory.|\n\nAt this point the Azure AD B2C claims bag will contain an objectId for the Social Account user who signed in, or no objectId at all if this user is signing in for the first time.\n\n**Orchestration Step 4**: A Self-Asserted technical profile is used to display a page to the user to see the imported data from Facebook, and have the ability to modify it. This is only presented to a user who has logged in for the first time with Facebook.\n\n```xml\n<OrchestrationStep Order=\"4\" Type=\"ClaimsExchange\">\n  <Preconditions>\n    <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n      <Value>objectId</Value>\n      <Action>SkipThisOrchestrationStep</Action>\n    </Precondition>\n  </Preconditions>\n  <ClaimsExchanges>\n    <ClaimsExchange Id=\"SelfAsserted-Social\" TechnicalProfileReferenceId=\"SelfAsserted-Social\" />\n  </ClaimsExchanges>\n</OrchestrationStep>\n```\n\nThis contains a **precondition**, which skips this step if an objectId was found, since the presence of an objectId means the user already has an account in the directory and has previously completed their first sign in.\n\nThe technical profile `SelfAsserted-Social` is as follows:\n\n```xml\n<TechnicalProfile Id=\"SelfAsserted-Social\">\n  <DisplayName>User ID signup</DisplayName>\n  <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n  <Metadata>\n    <Item Key=\"ContentDefinitionReferenceId\">api.selfasserted</Item>\n  </Metadata>\n  <CryptographicKeys>\n    <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n  </CryptographicKeys>\n  <InputClaims>\n    <InputClaim ClaimTypeReferenceId=\"displayName\" />\n    <InputClaim ClaimTypeReferenceId=\"givenName\" />\n    <InputClaim ClaimTypeReferenceId=\"surname\" />\n  </InputClaims>\n  <OutputClaims>\n    <OutputClaim 
ClaimTypeReferenceId=\"objectId\" />\n    <OutputClaim ClaimTypeReferenceId=\"newUser\" />\n    <OutputClaim ClaimTypeReferenceId=\"executed-SelfAsserted-Input\" DefaultValue=\"true\" />\n    <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n    <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n    <OutputClaim ClaimTypeReferenceId=\"surname\" />\n  </OutputClaims>\n  <ValidationTechnicalProfiles>\n    <ValidationTechnicalProfile ReferenceId=\"AAD-UserWriteUsingAlternativeSecurityId\" />\n  </ValidationTechnicalProfiles>\n  <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-SocialSignup\" />\n</TechnicalProfile>\n```\n\n|Element name  |Description  |\n|---------|---------|\n|TechnicalProfile Id|Identifier for this technical profile. It is used to find the technical profile that is referenced elsewhere.|\n|Metadata|Provides information about the content definition to reference - which will give the page a customized look and feel.|\n|InputClaims|These claims ensure that any values retrieved in the previous steps, in this case Facebook authentication, are prefilled. Note that some of these claims may not have any value, for example, if Facebook did not provide any of these values, or if the claim did not appear in the OutputClaims section of the `Facebook-OAUTH` technical profile. In addition, if a claim is not in the InputClaims section, but it is in the OutputClaims section, then its value will not be prefilled, but the user will still be prompted for it (with an empty value). |\n|OutputClaims|These are claims that will be presented to the user on the rendered page, potentially prefilled based on the inputClaims status. 
Those claims, which cannot be fulfilled by the user, such as objectId and newUser, are not shown on the screen as they are fulfilled by the validation technical profile being referenced.|\n|ValidationTechnicalProfile|A validation technical profile is used to write the user account when the user submits the page confirming their information.|\n\n\nWhen the user submits the page, the Validation technical profile will run, called `AAD-UserWriteUsingAlternativeSecurityId`. This is called since either the user account can be written successfully based on the information provided, or it cannot be. In this case, the user account should always get written successfully. However, this fits best as a validation technical profile in this case.\n\n```xml\n  <ValidationTechnicalProfile ReferenceId=\"AAD-UserWriteUsingAlternativeSecurityId\" />\n```\n\nThis technical profile appears as follows:\n\n```xml\n<TechnicalProfile Id=\"AAD-UserWriteUsingAlternativeSecurityId\">\n  <Metadata>\n    <Item Key=\"Operation\">Write</Item>\n    <Item Key=\"RaiseErrorIfClaimsPrincipalAlreadyExists\">true</Item>\n    <Item Key=\"UserMessageIfClaimsPrincipalAlreadyExists\">You are already registered, please press the back button and sign in instead.</Item>\n  </Metadata>\n  <IncludeInSso>false</IncludeInSso>\n  <InputClaimsTransformations>\n    <InputClaimsTransformation ReferenceId=\"CreateOtherMailsFromEmail\" />\n  </InputClaimsTransformations>\n  <InputClaims>\n    <InputClaim ClaimTypeReferenceId=\"alternativeSecurityId\" PartnerClaimType=\"alternativeSecurityId\" Required=\"true\" />\n  </InputClaims>\n  <PersistedClaims>\n    <!-- Required claims -->\n    <PersistedClaim ClaimTypeReferenceId=\"alternativeSecurityId\" />\n    <PersistedClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n    <PersistedClaim ClaimTypeReferenceId=\"mailNickName\" DefaultValue=\"unknown\" />\n    <PersistedClaim ClaimTypeReferenceId=\"displayName\" DefaultValue=\"unknown\" />\n\n    <!-- Optional claims -->\n   
 <PersistedClaim ClaimTypeReferenceId=\"otherMails\" />\n    <PersistedClaim ClaimTypeReferenceId=\"givenName\" />\n    <PersistedClaim ClaimTypeReferenceId=\"surname\" />\n  </PersistedClaims>\n  <OutputClaims>\n    <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n    <OutputClaim ClaimTypeReferenceId=\"newUser\" PartnerClaimType=\"newClaimsPrincipalCreated\" />\n    <OutputClaim ClaimTypeReferenceId=\"otherMails\" />\n  </OutputClaims>\n  <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n  <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n</TechnicalProfile>\n```\n\n|Element name  |Description  |\n|---------|---------|\n|TechnicalProfile Id|Identifier for this technical profile. It is used to find the technical profile that is referenced elsewhere.|\n|Metadata|This is configured to write to the directory, and to throw an error with the configured message if a user with this `alternativeSecurityId` already exists.|\n|InputClaimsTransformations|Runs the `CreateOtherMailsFromEmail` claims transformation before the write. Its definition is not shown here; by its name it derives the `otherMails` collection (persisted below) from the `email` claim obtained from the social provider.|\n|InputClaims|The `alternativeSecurityId` generated in the claims transform after the Facebook sign in is the key used to check whether an account for this social identity already exists before the account is written. |\n|PersistedClaims|This section defines which claims are to be written when writing to an account.|\n|OutputClaims|We are asking to read these claims from account, which was just written. The Azure AD B2C claims referenced here have the same name as the attribute name in the directory. 
|\n|IncludeTechnicalProfile|AAD-Common is included to provide the foundational functionality to read or write to the directory.|\n\n**Orchestration Step 5** - Read any additional data from the user object if it is a Local Account.\n\nWe may be storing additional data the user provided, or other data, on the Local Account user object, which allows your application/service to function correctly.\n\nTherefore, we will read the user object for any desired attributes to add into the Azure AD B2C claims bag.\n\nThe following Orchestration step calls a technical profile called `AAD-UserReadUsingObjectId` which provides this functionality.\nThe ClaimsExchange Id is a unique name for this claims exchange that you can set.\n\n```xml\n<OrchestrationStep Order=\"5\" Type=\"ClaimsExchange\">\n  <Preconditions>\n    <Precondition Type=\"ClaimEquals\" ExecuteActionsIf=\"true\">\n      <Value>authenticationSource</Value>\n      <Value>socialIdpAuthentication</Value>\n      <Action>SkipThisOrchestrationStep</Action>\n    </Precondition>\n  </Preconditions>\n  <ClaimsExchanges>\n    <ClaimsExchange Id=\"AADUserReadWithObjectId\" TechnicalProfileReferenceId=\"AAD-UserReadUsingObjectId\" />\n  </ClaimsExchanges>\n</OrchestrationStep>\n```\n\nA **precondition** is used such that this step is skipped if the value of `authenticationSource` is set to `socialIdpAuthentication`. 
This prevents it being run for Social Accounts, and only runs in the case of a Local Account logon.\n\nThe referenced technical profile is as follows:\n\n```xml\n<TechnicalProfile Id=\"AAD-UserReadUsingObjectId\">\n  <Metadata>\n    <Item Key=\"Operation\">Read</Item>\n    <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n  </Metadata>\n  <IncludeInSso>false</IncludeInSso>\n  <InputClaims>\n    <InputClaim ClaimTypeReferenceId=\"objectId\" Required=\"true\" />\n  </InputClaims>\n  <OutputClaims>\n    <OutputClaim ClaimTypeReferenceId=\"signInNames.emailAddress\" />\n    <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n    <OutputClaim ClaimTypeReferenceId=\"otherMails\" />\n    <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n    <OutputClaim ClaimTypeReferenceId=\"surname\" />\n  </OutputClaims>\n  <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n</TechnicalProfile>\n```\n\nThis technical profile does not state a protocol, therefore is automatically of type Azure Active Directory, which provides the ability to read or write to the directory structure.\n\n\n|Element name  |Description  |\n|---------|---------|\n|TechnicalProfile Id|Identifier for this technical profile. It is used to find the technical profile that this orchestration step calls.|\n|Metadata|This is configured to read the directory. And to throw an error if the user is not found.|\n|InputClaims|This is asking to find a user account with the objectId in the Azure AD B2C claims bag. This objectId will have been received via the login-NonInteractive technical profile and output into the claims bag by the SelfAsserted-LocalAccountSignin-Email technical profile. |\n|OutputClaims|We are asking to read these claims from the directory. The Azure AD B2C claims referenced here have the same name as the attribute name in the directory. 
|\n|IncludeTechnicalProfile|AAD-Common is included to provide the foundational functionality to read or write to the directory.|\n\nA special case must be noted for the `signInNames.emailAddress`, this references the attribute `signInNames` which is a collection of key value pairs. In this case, we are reading back the `emailAddress` key within the `signInNames` attribute.\n\n**Orchestration Step 6**: In the case that the Orchestration step 4 was removed, there is a backup option here to write the Social Account into the directory at this point in the journey. In such a case, the objectId would not yet exist in the Azure AD B2C claims bag, therefore a **precondition** is used such that this step is executed if one is still not present.\n\n```xml\n<OrchestrationStep Order=\"6\" Type=\"ClaimsExchange\">\n  <Preconditions>\n    <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n      <Value>objectId</Value>\n      <Action>SkipThisOrchestrationStep</Action>\n    </Precondition>\n  </Preconditions>\n  <ClaimsExchanges>\n    <ClaimsExchange Id=\"AADUserWrite\" TechnicalProfileReferenceId=\"AAD-UserWriteUsingAlternativeSecurityId\" />\n  </ClaimsExchanges>\n</OrchestrationStep>\n```\n\nThe functionality of the `AAD-UserWriteUsingAlternativeSecurityId` has already been explored earlier.\n\n**Orchestration Step 7**:- Issue an id token.\n\nIn the majority of user journeys, the journey will end by issuing an id token back to the application. 
This orchestration step looks as follows:\n\n```xml\n<OrchestrationStep Order=\"7\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n```\n\nThe referenced technical profile is as follows:\n\n```xml\n<TechnicalProfile Id=\"JwtIssuer\">\n  <DisplayName>JWT Issuer</DisplayName>\n  <Protocol Name=\"OpenIdConnect\" />\n  <OutputTokenFormat>JWT</OutputTokenFormat>\n  <Metadata>\n    <Item Key=\"client_id\">{service:te}</Item>\n    <Item Key=\"issuer_refresh_token_user_identity_claim_type\">objectId</Item>\n    <Item Key=\"SendTokenResponseBodyWithJsonNumbers\">true</Item>\n  </Metadata>\n  <CryptographicKeys>\n    <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n    <Key Id=\"issuer_refresh_token_key\" StorageReferenceId=\"B2C_1A_TokenEncryptionKeyContainer\" />\n  </CryptographicKeys>\n  <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-jwt-issuer\" />\n</TechnicalProfile>\n```\n\nThis step does not need configuring any further, beyond the two policy key containers it references existing in the tenant: the Key Ids indicate that `B2C_1A_TokenSigningKeyContainer` is the issuer secret used to sign the issued token and `B2C_1A_TokenEncryptionKeyContainer` is the key used for refresh tokens. Find out more [here](https://docs.microsoft.com/azure/active-directory-b2c/jwt-issuer-technical-profile) on available options.\n\n### Handling Local Account Sign Up\n\nTo handle sign up, we must have one additional orchestration step, which allows the user to provide their email, new password, and name. Upon validating this information, we must write an account to the directory. 
the other steps are shared with the orchestration steps explained in `Handling Sign in`.\n\nThe additional orchestration step is as follows:\n\n```xml\n<OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n  <Preconditions>\n    <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n      <Value>objectId</Value>\n      <Action>SkipThisOrchestrationStep</Action>\n    </Precondition>\n  </Preconditions>\n  <ClaimsExchanges>\n    <ClaimsExchange Id=\"SignUpWithLogonEmailExchange\" TechnicalProfileReferenceId=\"LocalAccountSignUpWithLogonEmail\" />\n  </ClaimsExchanges>\n</OrchestrationStep>\n```\n\nSince orchestration steps run sequentially, we must not run this step if the user is trying to sign in, and only run if the user clicked the sign up link. This is achieved using the **Precondition**. Note, that during the sign in phase, the Azure AD B2C claims bag will have an objectId populated after `login-NonInteractive` has run. Therefore we can use the existence of this claim to skip this step as follows.\n\n```xml\n<Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n    <Value>objectId</Value>\n    <Action>SkipThisOrchestrationStep</Action>\n</Precondition>\n```\n\nWhen displaying the Combined Sign in and Sign up page, it was mentioned that the metadata of the `SelfAsserted-LocalAccountSignin-Email` technical profile configures an item called `SignUpTarget`. 
This enables the Sign Up link on the Combined Sign in and Sign up page to call the claims exchange in orchestration Step 2, which consequently executes the `LocalAccountSignUpWithLogonEmail` technical profile.\n\nThe technical profile is designed to capture the email, password and name of the user, and then write the account to the directory, as follows:\n\n```xml\n<TechnicalProfile Id=\"LocalAccountSignUpWithLogonEmail\">\n  <DisplayName>Email signup</DisplayName>\n  <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n  <Metadata>\n    <Item Key=\"IpAddressClaimReferenceId\">IpAddress</Item>\n    <Item Key=\"ContentDefinitionReferenceId\">api.localaccountsignup</Item>\n    <Item Key=\"language.button_continue\">Create</Item>\n  </Metadata>\n  <CryptographicKeys>\n    <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n  </CryptographicKeys>\n  <InputClaims>\n    <InputClaim ClaimTypeReferenceId=\"email\" />\n  </InputClaims>\n  <OutputClaims>\n    <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n    <OutputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"Verified.Email\" Required=\"true\" />\n    <OutputClaim ClaimTypeReferenceId=\"newPassword\" Required=\"true\" />\n    <OutputClaim ClaimTypeReferenceId=\"reenterPassword\" Required=\"true\" />\n    <OutputClaim ClaimTypeReferenceId=\"executed-SelfAsserted-Input\" DefaultValue=\"true\" />\n    <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" />\n    <OutputClaim ClaimTypeReferenceId=\"newUser\" />\n\n    <!-- Optional claims, to be collected from the user -->\n    <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n    <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n    <OutputClaim ClaimTypeReferenceId=\"surName\" />\n  </OutputClaims>\n  <ValidationTechnicalProfiles>\n    <ValidationTechnicalProfile 
ReferenceId=\"AAD-UserWriteUsingLogonEmail\" />\n  </ValidationTechnicalProfiles>\n  <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n</TechnicalProfile>\n\n```\n\n|Element name  |Description  |\n|---------|---------|\n|TechnicalProfile Id|Identifier for this technical profile. It is used to find the technical profile that is referenced elsewhere.|\n|Metadata|This is configured with a reference to a content definition to provide your custom look and feel to this page.|\n|InputClaims|This will pre-populate the email field if the email claim was acquired earlier in the journey. |\n|OutputClaims|These are claims that will be presented to the user on the rendered page, potentially prefilled based on the inputClaims status. Those claims, which cannot be fulfilled by the user, such as objectId and newUser, are not shown on the screen as they are fulfilled by the validation technical profile being referenced.|\n|ValidationTechnicalProfile|A validation technical profile is used to write the user account when the user submits the page confirming their information.|\n\nTo see all the configuration options for a Self-Asserted technical profile, find more [here](https://docs.microsoft.com/azure/active-directory-b2c/self-asserted-technical-profile).\n\nAzure AD B2C uses a special partner claim type to enforce email verification on a claim, as seen here:\n\n```xml\n<OutputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"Verified.Email\" Required=\"true\" />\n```\n\nHere we are forcing the email claim presented on screen to be verified. Azure AD B2C will therefore render the `Verify` button on the page against this text field, and only allow the user to continue if this field was verified by a code sent to the user's inbox. Keep this in place: the verified address becomes the account's sign-in name (it is persisted as `signInNames.emailAddress` by `AAD-UserWriteUsingLogonEmail` below), so removing the `Verified.Email` partner claim type would let a user register an address they do not control. This technique can be used with any claim type (ClaimTypeReferenceId) presented to the user as an output claim, by setting its PartnerClaimType to `Verified.Email`.\n\nWhen the user submits the page, the Validation technical profile will run, called `AAD-UserWriteUsingLogonEmail`. 
This is called since either the user account can be written successfully based on the information provided, or it cannot be. In this case, the user account may not be able to be written if the account exists.\n\nThe `AAD-UserWriteUsingLogonEmail` is as follows:\n\n```xml\n<TechnicalProfile Id=\"AAD-UserWriteUsingLogonEmail\">\n  <Metadata>\n    <Item Key=\"Operation\">Write</Item>\n    <Item Key=\"RaiseErrorIfClaimsPrincipalAlreadyExists\">true</Item>\n  </Metadata>\n  <IncludeInSso>false</IncludeInSso>\n  <InputClaims>\n    <InputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"signInNames.emailAddress\" Required=\"true\" />\n  </InputClaims>\n  <PersistedClaims>\n    <!-- Required claims -->\n    <PersistedClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"signInNames.emailAddress\" />\n    <PersistedClaim ClaimTypeReferenceId=\"newPassword\" PartnerClaimType=\"password\"/>\n    <PersistedClaim ClaimTypeReferenceId=\"displayName\" DefaultValue=\"unknown\" />\n    <PersistedClaim ClaimTypeReferenceId=\"passwordPolicies\" DefaultValue=\"DisablePasswordExpiration\" />\n\n    <!-- Optional claims. -->\n    <PersistedClaim ClaimTypeReferenceId=\"givenName\" />\n    <PersistedClaim ClaimTypeReferenceId=\"surname\" />\n  </PersistedClaims>\n  <OutputClaims>\n    <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n    <OutputClaim ClaimTypeReferenceId=\"newUser\" PartnerClaimType=\"newClaimsPrincipalCreated\" />\n    <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" DefaultValue=\"localAccountAuthentication\" />\n    <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n    <OutputClaim ClaimTypeReferenceId=\"signInNames.emailAddress\" />\n  </OutputClaims>\n  <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n  <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n</TechnicalProfile>\n```\n\n|Element name  |Description  |\n|---------|---------|\n|TechnicalProfile Id|Identifier for this technical profile. 
It is used to find the technical profile that is referenced elsewhere.|\n|Metadata|This is configured to write to the directory, and to throw an error if a user with this sign-in email already exists. Unlike `AAD-UserWriteUsingAlternativeSecurityId`, no `UserMessageIfClaimsPrincipalAlreadyExists` item is set here, so the default error message is shown in that case.|\n|InputClaims|This uses the `email` provided on the sign up page (the `LocalAccountSignUpWithLogonEmail` technical profile) as the `signInNames.emailAddress` key to check whether an account already exists before writing.|\n|PersistedClaims|This section defines which claims are to be written to the account; the account is created with this information present. Note that the user's `newPassword` claim is persisted as the directory `password` attribute, and `passwordPolicies` defaults to `DisablePasswordExpiration`.|\n|OutputClaims|We are asking to read these claims from account, which was just written. The Azure AD B2C claims referenced here have the same name as the attribute name in the directory. |\n|IncludeTechnicalProfile|AAD-Common is included to provide the foundational functionality to read or write to the directory.|\n\n**Orchestration Step 7**: Issue an id token.\n\nIn the majority of user journeys, the journey will end by issuing an id token back to the application. 
This orchestration step looks as follows:\n\n```xml\n<OrchestrationStep Order=\"7\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n```\n\nThe referenced technical profile is as follows:\n\n```xml\n<TechnicalProfile Id=\"JwtIssuer\">\n  <DisplayName>JWT Issuer</DisplayName>\n  <Protocol Name=\"OpenIdConnect\" />\n  <OutputTokenFormat>JWT</OutputTokenFormat>\n  <Metadata>\n    <Item Key=\"client_id\">{service:te}</Item>\n    <Item Key=\"issuer_refresh_token_user_identity_claim_type\">objectId</Item>\n    <Item Key=\"SendTokenResponseBodyWithJsonNumbers\">true</Item>\n  </Metadata>\n  <CryptographicKeys>\n    <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n    <Key Id=\"issuer_refresh_token_key\" StorageReferenceId=\"B2C_1A_TokenEncryptionKeyContainer\" />\n  </CryptographicKeys>\n  <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-jwt-issuer\" />\n</TechnicalProfile>\n```\n\nThis step does not need configuring any further, but find out more [here](https://docs.microsoft.com/azure/active-directory-b2c/jwt-issuer-technical-profile) on available options.\n\n## Summary\n\nBy reducing the user experience to a set of logical steps, we have translated these to a set of Orchestration Steps within an Azure AD B2C policy. These orchestration steps then implement the functionality of each logical step by allowing the user to interact with pages and validate various information. Finally we issue an id token back to the application.\n"
  },
  {
    "path": "SocialAndLocalAccountsWithMfa/PasswordReset.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<TrustFrameworkPolicy\n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\"\n  PolicySchemaVersion=\"0.3.0.0\"\n  TenantId=\"yourtenant.onmicrosoft.com\"\n  PolicyId=\"B2C_1A_PasswordReset\"\n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_PasswordReset\">\n\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>\n  </BasePolicy>\n\n  <RelyingParty>\n    <DefaultUserJourney ReferenceId=\"PasswordReset\" />\n    <TechnicalProfile Id=\"PolicyProfile\">\n      <DisplayName>PolicyProfile</DisplayName>\n      <Protocol Name=\"OpenIdConnect\" />\n      <OutputClaims>\n        <OutputClaim ClaimTypeReferenceId=\"email\" />\n        <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"sub\"/>\n        <OutputClaim ClaimTypeReferenceId=\"tenantId\" AlwaysUseDefaultValue=\"true\" DefaultValue=\"{Policy:TenantObjectId}\" />\n      </OutputClaims>\n      <SubjectNamingInfo ClaimType=\"sub\" />\n    </TechnicalProfile>\n  </RelyingParty>\n</TrustFrameworkPolicy>\n\n\n"
  },
  {
    "path": "SocialAndLocalAccountsWithMfa/ProfileEdit.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<TrustFrameworkPolicy\n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\"\n  PolicySchemaVersion=\"0.3.0.0\"\n  TenantId=\"yourtenant.onmicrosoft.com\"\n  PolicyId=\"B2C_1A_ProfileEdit\"\n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_ProfileEdit\">\n\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>\n  </BasePolicy>\n\n  <RelyingParty>\n    <DefaultUserJourney ReferenceId=\"ProfileEdit\" />\n    <TechnicalProfile Id=\"PolicyProfile\">\n      <DisplayName>PolicyProfile</DisplayName>\n      <Protocol Name=\"OpenIdConnect\" />\n      <OutputClaims>\n        <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"sub\"/>\n        <OutputClaim ClaimTypeReferenceId=\"tenantId\" AlwaysUseDefaultValue=\"true\" DefaultValue=\"{Policy:TenantObjectId}\" />\n      </OutputClaims>\n      <SubjectNamingInfo ClaimType=\"sub\" />\n    </TechnicalProfile>\n  </RelyingParty>\n</TrustFrameworkPolicy>\n\n\n"
  },
  {
    "path": "SocialAndLocalAccountsWithMfa/SignUpOrSignin.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<TrustFrameworkPolicy\n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\"\n  PolicySchemaVersion=\"0.3.0.0\"\n  TenantId=\"yourtenant.onmicrosoft.com\"\n  PolicyId=\"B2C_1A_signup_signin\"\n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_signup_signin\">\n\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>\n  </BasePolicy>\n\n  <RelyingParty>\n    <DefaultUserJourney ReferenceId=\"SignUpOrSignIn\" />\n    <Endpoints>\n      <!--points to refresh token journey when app makes refresh token request-->\n      <Endpoint Id=\"Token\" UserJourneyReferenceId=\"RedeemRefreshToken\" />\n    </Endpoints>\n    <TechnicalProfile Id=\"PolicyProfile\">\n      <DisplayName>PolicyProfile</DisplayName>\n      <Protocol Name=\"OpenIdConnect\" />\n      <OutputClaims>\n        <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n        <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n        <OutputClaim ClaimTypeReferenceId=\"surname\" />\n        <OutputClaim ClaimTypeReferenceId=\"email\" />\n        <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"sub\"/>\n        <OutputClaim ClaimTypeReferenceId=\"identityProvider\" />\n        <OutputClaim ClaimTypeReferenceId=\"tenantId\" AlwaysUseDefaultValue=\"true\" DefaultValue=\"{Policy:TenantObjectId}\" />\n      </OutputClaims>\n      <SubjectNamingInfo ClaimType=\"sub\" />\n    </TechnicalProfile>\n  </RelyingParty>\n</TrustFrameworkPolicy>\n"
  },
  {
    "path": "SocialAndLocalAccountsWithMfa/TrustFrameworkBase.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<TrustFrameworkPolicy\n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\"\n  PolicySchemaVersion=\"0.3.0.0\"\n  TenantId=\"yourtenant.onmicrosoft.com\"\n  PolicyId=\"B2C_1A_TrustFrameworkBase\"\n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkBase\">\n\n  <BuildingBlocks>\n    <ClaimsSchema>\n      <!-- The ClaimsSchema is divided into three sections:\n           1. Section I lists the minimum claims that are required for the user journeys to work properly.\n           2. Section II lists the claims required for query string parameters and other special parameters \n              to be passed to other claims providers, esp. login.microsoftonline.com for authentication. \n              Please do not modify these claims.\n           3. Section III lists any additional (optional) claims that can be collected from the user, stored \n              in the directory and sent in tokens during sign in. Add new claims to be collected from the user \n              and/or sent in the token in Section III. -->\n\n      <!-- NOTE: The claims schema contains restrictions on certain claims such as passwords and usernames. \n           The trust framework policy treats Azure AD as any other claims provider and all its restrictions \n           are modelled in the policy. A policy could be modified to add more restrictions, or use another \n           claims provider for credential storage which will have its own restrictions. 
-->\n\n      <!-- SECTION I: Claims required for user journeys to work properly -->\n\n      <!-- The claim socialIdpUserId has been renamed to issuerUserId -->\n      <ClaimType Id=\"issuerUserId\">\n        <DisplayName>Username</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText />\n        <UserInputType>TextBox</UserInputType>\n        <Restriction>\n          <Pattern RegularExpression=\"^[a-zA-Z0-9]+[a-zA-Z0-9_-]*$\" HelpText=\"The username you provided is not valid. It must begin with an alphabet or number and can contain alphabets, numbers and the following symbols: _ -\" />\n        </Restriction>\n      </ClaimType>\n\n      <ClaimType Id=\"tenantId\">\n        <DisplayName>User's Object's Tenant ID</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"tid\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"tid\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.microsoft.com/identity/claims/tenantid\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Tenant identifier (ID) of the user object in Azure AD.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"objectId\">\n        <DisplayName>User's Object ID</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"oid\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"oid\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.microsoft.com/identity/claims/objectidentifier\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Object identifier (ID) of the user object in Azure AD.</UserHelpText>\n      </ClaimType>\n\n      <!-- Claims needed for local accounts. 
-->\n      <ClaimType Id=\"signInName\">\n        <DisplayName>Sign in name</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText />\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n      <ClaimType Id=\"signInNames.emailAddress\">\n        <DisplayName>Email Address</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Email address to use for signing in.</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n      <ClaimType Id=\"accountEnabled\">\n        <DisplayName>Account Enabled</DisplayName>\n        <DataType>boolean</DataType>\n        <AdminHelpText>Specifies whether the user's account is enabled.</AdminHelpText>\n        <UserHelpText>Specifies whether your account is enabled.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"password\">\n        <DisplayName>Password</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Enter password</UserHelpText>\n        <UserInputType>Password</UserInputType>\n      </ClaimType>\n\n      <!-- The claim types newPassword and reenterPassword are considered special, please do not change the names. 
\n           The UI validates that the user correctly re-entered their password during account creation based on these \n           claim types.\t  -->\n      <ClaimType Id=\"newPassword\">\n        <DisplayName>New Password</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Enter new password</UserHelpText>\n        <UserInputType>Password</UserInputType>\n        <Restriction>\n          <Pattern RegularExpression=\"^((?=.*[a-z])(?=.*[A-Z])(?=.*\\d)|(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9])|(?=.*[a-z])(?=.*\\d)(?=.*[^A-Za-z0-9])|(?=.*[A-Z])(?=.*\\d)(?=.*[^A-Za-z0-9]))([A-Za-z\\d@#$%^&amp;*\\-_+=[\\]{}|\\\\:',?/`~&quot;();!]|\\.(?!@)){8,16}$\" HelpText=\"8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ &amp; * - _ + = [ ] { } | \\ : ' , ? / ` ~ &quot; ( ) ; .\" />\n        </Restriction>\n      </ClaimType>\n      <!-- The password regular expression above is constructed for AAD passwords based on restrictions at https://msdn.microsoft.com/en-us/library/azure/jj943764.aspx\n\n        ^( # one of the following four combinations must appear in the password\n         (?=.*[a-z])(?=.*[A-Z])(?=.*\\d) |            # matches lower case, upper case or digit\n         (?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9]) |  # matches lower case, upper case or special character (i.e. non-alpha or digit)\n         (?=.*[a-z])(?=.*\\d)(?=.*[^A-Za-z0-9]) |     # matches lower case, digit, or special character\n         (?=.*[A-Z])(?=.*\\d)(?=.*[^A-Za-z0-9])       # matches upper case, digit, or special character\n        )\n        ( # The password must match the following restrictions\n         [A-Za-z\\d@#$%^&*\\-_+=[\\]{}|\\\\:',?/`~\"();!] |   # The list of all acceptable characters (without .)\n         \\.(?!@)                                        # or . 
can appear as long as not followed by @\n        ) {8,16}$                                       # the length must be between 8 and 16 chars inclusive\n\n      -->\n\n      <ClaimType Id=\"reenterPassword\">\n        <DisplayName>Confirm New Password</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Confirm new password</UserHelpText>\n        <UserInputType>Password</UserInputType>\n        <Restriction>\n          <Pattern RegularExpression=\"^((?=.*[a-z])(?=.*[A-Z])(?=.*\\d)|(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9])|(?=.*[a-z])(?=.*\\d)(?=.*[^A-Za-z0-9])|(?=.*[A-Z])(?=.*\\d)(?=.*[^A-Za-z0-9]))([A-Za-z\\d@#$%^&amp;*\\-_+=[\\]{}|\\\\:',?/`~&quot;();!]|\\.(?!@)){8,16}$\" HelpText=\" \" />\n        </Restriction>\n      </ClaimType>\n\n      <ClaimType Id=\"passwordPolicies\">\n        <DisplayName>Password Policies</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Password policies used by Azure AD to determine password strength, expiry etc.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"client_id\">\n        <DisplayName>client_id</DisplayName>\n        <DataType>string</DataType>\n        <AdminHelpText>Special parameter passed to EvoSTS.</AdminHelpText>\n        <UserHelpText>Special parameter passed to EvoSTS.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"resource_id\">\n        <DisplayName>resource_id</DisplayName>\n        <DataType>string</DataType>\n        <AdminHelpText>Special parameter passed to EvoSTS.</AdminHelpText>\n        <UserHelpText>Special parameter passed to EvoSTS.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"sub\">\n        <DisplayName>Subject</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"sub\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText />\n      </ClaimType>\n\n      <ClaimType Id=\"alternativeSecurityId\">\n        
<DisplayName>AlternativeSecurityId</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText />\n      </ClaimType>\n\n      <ClaimType Id=\"mailNickName\">\n        <DisplayName>MailNickName</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Your mail nick name as stored in the Azure Active Directory.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"identityProvider\">\n        <DisplayName>Identity Provider</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"idp\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"idp\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.microsoft.com/identity/claims/identityprovider\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText />\n      </ClaimType>\n\n      <ClaimType Id=\"displayName\">\n        <DisplayName>Display Name</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"unique_name\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"name\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Your display name.</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n      <ClaimType Id=\"strongAuthenticationPhoneNumber\">\n        <DisplayName>Phone Number</DisplayName>\n        <DataType>string</DataType>\n        <Mask Type=\"Simple\">XXX-XXX-</Mask>\n        <UserHelpText>Your telephone number</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"Verified.strongAuthenticationPhoneNumber\">\n        <DisplayName>Verified Phone Number</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OpenIdConnect\" 
PartnerClaimType=\"phone_number\" />\n        </DefaultPartnerClaimTypes>\n        <Mask Type=\"Simple\">XXX-XXX-</Mask>\n        <UserHelpText>Your office phone number that has been verified</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"newPhoneNumberEntered\">\n        <DisplayName>New Phone Number Entered</DisplayName>\n        <DataType>boolean</DataType>\n      </ClaimType>\n\n      <ClaimType Id=\"userIdForMFA\">\n        <DisplayName>UserId for MFA</DisplayName>\n        <DataType>string</DataType>\n      </ClaimType>\n\n      <ClaimType Id=\"email\">\n        <DisplayName>Email Address</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"email\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Email address that can be used to contact you.</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n        <Restriction>\n          <Pattern RegularExpression=\"^[a-zA-Z0-9!#$%&amp;'+^_`{}~-]+(?:\\.[a-zA-Z0-9!#$%&amp;'+^_`{}~-]+)*@(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?\\.)+[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?$\" HelpText=\"Please enter a valid email address.\" />\n        </Restriction>\n      </ClaimType>\n\n      <ClaimType Id=\"otherMails\">\n        <DisplayName>Alternate Email Addresses</DisplayName>\n        <DataType>stringCollection</DataType>\n        <UserHelpText>Email addresses that can be used to contact the user.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"userPrincipalName\">\n        <DisplayName>UserPrincipalName</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"upn\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"upn\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.microsoft.com/identity/claims/userprincipalname\" />\n        </DefaultPartnerClaimTypes>\n  
      <UserHelpText>Your user name as stored in the Azure Active Directory.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"upnUserName\">\n        <DisplayName>UPN User Name</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>The user name for creating user principal name.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"newUser\">\n        <DisplayName>User is new</DisplayName>\n        <DataType>boolean</DataType>\n        <UserHelpText />\n      </ClaimType>\n\n      <ClaimType Id=\"executed-SelfAsserted-Input\">\n        <DisplayName>Executed-SelfAsserted-Input</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>A claim that specifies whether attributes were collected from the user.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"authenticationSource\">\n        <DisplayName>AuthenticationSource</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Specifies whether the user was authenticated at Social IDP or local account.</UserHelpText>\n      </ClaimType>\n\n\n       <!--claims for refresh token revocation-->\n       <ClaimType Id=\"refreshTokenIssuedOnDateTime\">\n        <DisplayName>refreshTokenIssuedOnDateTime</DisplayName>\n        <DataType>string</DataType>\n        <AdminHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</AdminHelpText>\n        <UserHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"refreshTokensValidFromDateTime\">\n        <DisplayName>refreshTokensValidFromDateTime</DisplayName>\n        <DataType>string</DataType>\n        <AdminHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</AdminHelpText>\n        <UserHelpText>Used to determine if the user should be permitted to 
reauthenticate silently via their existing refresh token.</UserHelpText>\n      </ClaimType>\n\n      <!-- SECTION II: Claims required to pass on special parameters (including some query string parameters) to other claims providers -->\n\n      <ClaimType Id=\"nca\">\n        <DisplayName>nca</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Special parameter passed for local account authentication to login.microsoftonline.com.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"grant_type\">\n        <DisplayName>grant_type</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Special parameter passed for local account authentication to login.microsoftonline.com.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"scope\">\n        <DisplayName>scope</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Special parameter passed for local account authentication to login.microsoftonline.com.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"objectIdFromSession\">\n        <DisplayName>objectIdFromSession</DisplayName>\n        <DataType>boolean</DataType>\n        <UserHelpText>Parameter provided by the default session management provider to indicate that the object id has been retrieved from an SSO session.</UserHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"isActiveMFASession\">\n        <DisplayName>isActiveMFASession</DisplayName>\n        <DataType>boolean</DataType>\n        <UserHelpText>Parameter provided by the MFA session management to indicate that the user has an active MFA session.</UserHelpText>\n      </ClaimType>\n\n      <!-- SECTION III: Additional claims that can be collected from the users, stored in the directory, and sent in the token. Add additional claims here. 
-->\n\n      <ClaimType Id=\"givenName\">\n        <DisplayName>Given Name</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"given_name\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"given_name\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Your given name (also known as first name).</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n      <ClaimType Id=\"surname\">\n        <DisplayName>Surname</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"family_name\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"family_name\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Your surname (also known as family name or last name).</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n\n    </ClaimsSchema>\n\n    <ClaimsTransformations>\n      <ClaimsTransformation Id=\"CreateOtherMailsFromEmail\" TransformationMethod=\"AddItemToStringCollection\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"email\" TransformationClaimType=\"item\" />\n          <InputClaim ClaimTypeReferenceId=\"otherMails\" TransformationClaimType=\"collection\" />\n        </InputClaims>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"otherMails\" TransformationClaimType=\"collection\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n\n      <ClaimsTransformation Id=\"CreateRandomUPNUserName\" TransformationMethod=\"CreateRandomString\">\n        <InputParameters>\n          <InputParameter 
Id=\"randomGeneratorType\" DataType=\"string\" Value=\"GUID\" />\n        </InputParameters>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"upnUserName\" TransformationClaimType=\"outputClaim\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n\n      <ClaimsTransformation Id=\"CreateUserPrincipalName\" TransformationMethod=\"FormatStringClaim\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"upnUserName\" TransformationClaimType=\"inputClaim\" />\n        </InputClaims>\n        <InputParameters>\n          <InputParameter Id=\"stringFormat\" DataType=\"string\" Value=\"cpim_{0}@{RelyingPartyTenantId}\" />\n        </InputParameters>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" TransformationClaimType=\"outputClaim\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n\n      <ClaimsTransformation Id=\"CreateAlternativeSecurityId\" TransformationMethod=\"CreateAlternativeSecurityId\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"issuerUserId\" TransformationClaimType=\"key\" />\n          <InputClaim ClaimTypeReferenceId=\"identityProvider\" TransformationClaimType=\"identityProvider\" />\n        </InputClaims>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"alternativeSecurityId\" TransformationClaimType=\"alternativeSecurityId\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n\n      <ClaimsTransformation Id=\"CreateUserIdForMFA\" TransformationMethod=\"FormatStringClaim\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"objectId\" TransformationClaimType=\"inputClaim\" />\n        </InputClaims>\n        <InputParameters>\n          <InputParameter Id=\"stringFormat\" DataType=\"string\" Value=\"{0}@{RelyingPartyTenantId}\" />\n        </InputParameters>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"userIdForMFA\" 
TransformationClaimType=\"outputClaim\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n\n      <ClaimsTransformation Id=\"CreateSubjectClaimFromAlternativeSecurityId\" TransformationMethod=\"CreateStringClaim\">\n        <InputParameters>\n          <InputParameter Id=\"value\" DataType=\"string\" Value=\"Not supported currently. Use oid claim.\" />\n        </InputParameters>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"sub\" TransformationClaimType=\"createdClaim\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n\n      <ClaimsTransformation Id=\"AssertAccountEnabledIsTrue\" TransformationMethod=\"AssertBooleanClaimIsEqualToValue\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"accountEnabled\" TransformationClaimType=\"inputClaim\" />\n        </InputClaims>\n        <InputParameters>\n          <InputParameter Id=\"valueToCompareTo\" DataType=\"boolean\" Value=\"true\" />\n        </InputParameters>\n      </ClaimsTransformation>\n      <!--claims transformation for refresh token revocation -->\n      <ClaimsTransformation Id=\"AssertRefreshTokenIssuedLaterThanValidFromDate\" TransformationMethod=\"AssertDateTimeIsGreaterThan\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"refreshTokenIssuedOnDateTime\" TransformationClaimType=\"leftOperand\" />\n          <InputClaim ClaimTypeReferenceId=\"refreshTokensValidFromDateTime\" TransformationClaimType=\"rightOperand\" />\n        </InputClaims>\n        <InputParameters>\n          <InputParameter Id=\"AssertIfEqualTo\" DataType=\"boolean\" Value=\"false\" />\n          <InputParameter Id=\"AssertIfRightOperandIsNotPresent\" DataType=\"boolean\" Value=\"true\" />\n          <InputParameter Id=\"TreatAsEqualIfWithinMillseconds\" DataType=\"int\" Value=\"300000\" />\n        </InputParameters>\n      </ClaimsTransformation>\n\n    </ClaimsTransformations>\n\n    <ClientDefinitions>\n      <ClientDefinition 
Id=\"DefaultWeb\">\n        <ClientUIFilterFlags>LineMarkers, MetaRefresh</ClientUIFilterFlags>\n      </ClientDefinition>\n    </ClientDefinitions>\n\n    <ContentDefinitions>\n\n      <!-- This content definition is to render an error page that displays unhandled errors. -->\n      <ContentDefinition Id=\"api.error\">\n        <LoadUri>~/tenant/templates/AzureBlue/exception.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:globalexception:1.2.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Error page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.idpselections\">\n        <LoadUri>~/tenant/templates/AzureBlue/idpSelector.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Idp selection page</Item>\n          <Item Key=\"language.intro\">Sign in</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.idpselections.signup\">\n        <LoadUri>~/tenant/templates/AzureBlue/idpSelector.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:providerselection:1.2.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Idp selection page</Item>\n          <Item Key=\"language.intro\">Sign up</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.signuporsignin\">\n        <LoadUri>~/tenant/templates/AzureBlue/unified.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:unifiedssp:2.1.5</DataUri>\n        <Metadata>\n          <Item 
Key=\"DisplayName\">Signin and Signup</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.phonefactor\">\n        <LoadUri>~/tenant/templates/AzureBlue/multifactor-1.0.0.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:multifactor:1.2.5</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Multi-factor authentication page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.selfasserted\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Collect information from user page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.selfasserted.profileupdate\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Collect information from user page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountsignup\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Local account sign up page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountpasswordreset\">\n        
<LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Local account change password page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.socialccountsignup\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Collect information from user page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountsignin\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Collect information from user page</Item>\n        </Metadata>\n      </ContentDefinition>\n\n    </ContentDefinitions>\n  </BuildingBlocks>\n\n  <!--\n        A list of all the claim providers that can be used in the technical policies. If a claims provider is not listed \n        in this section, then it cannot be used in a technical policy.\n    -->\n  <ClaimsProviders>\n\n    <ClaimsProvider>\n      <!-- The following Domain element allows this profile to be used if the request comes with domain_hint \n           query string parameter, e.g. 
domain_hint=facebook.com  -->\n      <Domain>facebook.com</Domain>\n      <DisplayName>Facebook</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"Facebook-OAUTH\">\n          <!-- The text in the following DisplayName element is shown to the user on the claims provider \n               selection screen. -->\n          <DisplayName>Facebook</DisplayName>\n          <Protocol Name=\"OAuth2\" />\n          <Metadata>\n            <Item Key=\"ProviderName\">facebook</Item>\n            <Item Key=\"authorization_endpoint\">https://www.facebook.com/dialog/oauth</Item>\n            <Item Key=\"AccessTokenEndpoint\">https://graph.facebook.com/oauth/access_token</Item>\n            <Item Key=\"HttpBinding\">GET</Item>\n            <Item Key=\"UsePolicyInRedirectUri\">0</Item>\n\n            <!-- Facebook requires the HTTP GET method; since 3/27/2017 the access token response is returned in JSON format -->\n            <Item Key=\"AccessTokenResponseFormat\">json</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"client_secret\" StorageReferenceId=\"B2C_1A_FacebookSecret\" />\n          </CryptographicKeys>\n          <InputClaims />\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"issuerUserId\" PartnerClaimType=\"id\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" PartnerClaimType=\"first_name\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" PartnerClaimType=\"last_name\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" PartnerClaimType=\"name\" />\n            <OutputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"email\" />\n            <OutputClaim ClaimTypeReferenceId=\"identityProvider\" DefaultValue=\"facebook.com\" AlwaysUseDefaultValue=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" DefaultValue=\"socialIdpAuthentication\" AlwaysUseDefaultValue=\"true\" />\n          </OutputClaims>\n          
<OutputClaimsTransformations>\n            <OutputClaimsTransformation ReferenceId=\"CreateRandomUPNUserName\" />\n            <OutputClaimsTransformation ReferenceId=\"CreateUserPrincipalName\" />\n            <OutputClaimsTransformation ReferenceId=\"CreateAlternativeSecurityId\" />\n          </OutputClaimsTransformations>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-SocialLogin\" />\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Local Account SignIn</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"login-NonInteractive\">\n          <DisplayName>Local Account SignIn</DisplayName>\n          <Protocol Name=\"OpenIdConnect\" />\n          <Metadata>\n            <Item Key=\"ProviderName\">https://sts.windows.net/</Item>\n            <Item Key=\"METADATA\">https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration</Item>\n            <Item Key=\"authorization_endpoint\">https://login.microsoftonline.com/{tenant}/oauth2/token</Item>\n            <Item Key=\"response_types\">id_token</Item>\n            <Item Key=\"response_mode\">query</Item>\n            <Item Key=\"scope\">email openid</Item>\n            <!-- <Item Key=\"grant_type\">password</Item> -->\n\n            <!-- Policy Engine Clients -->\n            <Item Key=\"UsePolicyInRedirectUri\">false</Item>\n            <Item Key=\"HttpBinding\">POST</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"signInName\" PartnerClaimType=\"username\" Required=\"true\" />\n            <InputClaim ClaimTypeReferenceId=\"password\" Required=\"true\" />\n            <InputClaim ClaimTypeReferenceId=\"grant_type\" DefaultValue=\"password\" AlwaysUseDefaultValue=\"true\" />\n            <InputClaim ClaimTypeReferenceId=\"scope\" DefaultValue=\"openid\" AlwaysUseDefaultValue=\"true\" />\n            <InputClaim 
ClaimTypeReferenceId=\"nca\" PartnerClaimType=\"nca\" DefaultValue=\"1\" />\n          </InputClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"oid\" />\n            <OutputClaim ClaimTypeReferenceId=\"tenantId\" PartnerClaimType=\"tid\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" PartnerClaimType=\"given_name\" />\n            <OutputClaim ClaimTypeReferenceId=\"surName\" PartnerClaimType=\"family_name\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" PartnerClaimType=\"name\" />\n            <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" PartnerClaimType=\"upn\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" DefaultValue=\"localAccountAuthentication\" />\n          </OutputClaims>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>PhoneFactor</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"PhoneFactor-InputOrVerify\">\n          <DisplayName>PhoneFactor</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.PhoneFactorProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"ContentDefinitionReferenceId\">api.phonefactor</Item>\n            <Item Key=\"ManualPhoneNumberEntryAllowed\">true</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n          <InputClaimsTransformations>\n            <InputClaimsTransformation ReferenceId=\"CreateUserIdForMFA\" />\n          </InputClaimsTransformations>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"userIdForMFA\" PartnerClaimType=\"UserId\" />\n            <InputClaim 
ClaimTypeReferenceId=\"strongAuthenticationPhoneNumber\" />\n          </InputClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"Verified.strongAuthenticationPhoneNumber\" PartnerClaimType=\"Verified.OfficePhone\" />\n            <OutputClaim ClaimTypeReferenceId=\"newPhoneNumberEntered\" PartnerClaimType=\"newPhoneNumberEntered\" />\n          </OutputClaims>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-MFA\" />\n        </TechnicalProfile>\n\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Azure Active Directory</DisplayName>\n      <TechnicalProfiles>\n\n        <TechnicalProfile Id=\"AAD-Common\">\n          <DisplayName>Azure Active Directory</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.AzureActiveDirectoryProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n\n          <!-- We need this here to suppress the SelfAsserted provider from invoking SSO on validation profiles. 
-->\n          <IncludeInSso>false</IncludeInSso>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-Noop\" />\n        </TechnicalProfile>\n\n        <!-- Technical profiles for social logins -->\n        <TechnicalProfile Id=\"AAD-UserWriteUsingAlternativeSecurityId\">\n          <Metadata>\n            <Item Key=\"Operation\">Write</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalAlreadyExists\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaimsTransformations>\n            <InputClaimsTransformation ReferenceId=\"CreateOtherMailsFromEmail\" />\n          </InputClaimsTransformations>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"alternativeSecurityId\" PartnerClaimType=\"alternativeSecurityId\" Required=\"true\" />\n          </InputClaims>\n          <PersistedClaims>\n            <!-- Required claims -->\n            <PersistedClaim ClaimTypeReferenceId=\"alternativeSecurityId\" />\n            <PersistedClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"mailNickName\" DefaultValue=\"unknown\" />\n            <PersistedClaim ClaimTypeReferenceId=\"displayName\" DefaultValue=\"unknown\" />\n\n            <!-- Optional claims -->\n            <PersistedClaim ClaimTypeReferenceId=\"otherMails\" />\n            <PersistedClaim ClaimTypeReferenceId=\"givenName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"surname\" />\n          </PersistedClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"newUser\" PartnerClaimType=\"newClaimsPrincipalCreated\" />\n            <!-- The following other mails claim is needed for the case when a user is created, we get otherMails from directory. 
Self-asserted provider also has an\n                 OutputClaims, and if this is absent, Self-Asserted provider will prompt the user for otherMails. -->\n            <OutputClaim ClaimTypeReferenceId=\"otherMails\" />\n          </OutputClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"AAD-UserReadUsingAlternativeSecurityId\">\n          <Metadata>\n            <Item Key=\"Operation\">Read</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"alternativeSecurityId\" PartnerClaimType=\"alternativeSecurityId\" Required=\"true\" />\n          </InputClaims>\n          <OutputClaims>\n            <!-- Required claims -->\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"strongAuthenticationPhoneNumber\" />\n            <!-- Optional claims -->\n            <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"otherMails\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" />\n          </OutputClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"AAD-UserReadUsingAlternativeSecurityId-NoError\">\n          <Metadata>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">false</Item>\n          </Metadata>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-UserReadUsingAlternativeSecurityId\" />\n        </TechnicalProfile>\n\n        <!-- Technical profiles for local accounts -->\n        <TechnicalProfile 
Id=\"AAD-UserWriteUsingLogonEmail\">\n          <Metadata>\n            <Item Key=\"Operation\">Write</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalAlreadyExists\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"signInNames.emailAddress\" Required=\"true\" />\n          </InputClaims>\n          <PersistedClaims>\n            <!-- Required claims -->\n            <PersistedClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"signInNames.emailAddress\" />\n            <PersistedClaim ClaimTypeReferenceId=\"newPassword\" PartnerClaimType=\"password\" />\n            <PersistedClaim ClaimTypeReferenceId=\"displayName\" DefaultValue=\"unknown\" />\n            <PersistedClaim ClaimTypeReferenceId=\"passwordPolicies\" DefaultValue=\"DisablePasswordExpiration\" />\n\n            <PersistedClaim ClaimTypeReferenceId=\"Verified.strongAuthenticationPhoneNumber\" PartnerClaimType=\"strongAuthenticationPhoneNumber\" />\n\n            <!-- Optional claims. 
-->\n            <PersistedClaim ClaimTypeReferenceId=\"givenName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"surname\" />\n          </PersistedClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"newUser\" PartnerClaimType=\"newClaimsPrincipalCreated\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" DefaultValue=\"localAccountAuthentication\" />\n            <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <OutputClaim ClaimTypeReferenceId=\"signInNames.emailAddress\" />\n          </OutputClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"AAD-UserReadUsingEmailAddress\">\n          <Metadata>\n            <Item Key=\"Operation\">Read</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"signInNames.emailAddress\" Required=\"true\" />\n          </InputClaims>\n          <OutputClaims>\n            <!-- Required claims -->\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" DefaultValue=\"localAccountAuthentication\" />\n\n            <OutputClaim ClaimTypeReferenceId=\"strongAuthenticationPhoneNumber\" />\n\n            <!-- Optional claims -->\n            <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"accountEnabled\" />\n            <OutputClaim ClaimTypeReferenceId=\"otherMails\" />\n            <OutputClaim 
ClaimTypeReferenceId=\"signInNames.emailAddress\" />\n          </OutputClaims>\n          <OutputClaimsTransformations>\n            <OutputClaimsTransformation ReferenceId=\"AssertAccountEnabledIsTrue\" />\n          </OutputClaimsTransformations>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"AAD-UserWritePasswordUsingObjectId\">\n          <Metadata>\n            <Item Key=\"Operation\">Write</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"objectId\" Required=\"true\" />\n          </InputClaims>\n          <PersistedClaims>\n            <PersistedClaim ClaimTypeReferenceId=\"objectId\" />\n            <PersistedClaim ClaimTypeReferenceId=\"newPassword\" PartnerClaimType=\"password\" />\n\n            <!-- If the user stepped up during password reset, their phone number should be persisted for future authentication requests. 
-->\n            <PersistedClaim ClaimTypeReferenceId=\"Verified.strongAuthenticationPhoneNumber\" PartnerClaimType=\"strongAuthenticationPhoneNumber\" />\n\n          </PersistedClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n\n        <!-- Technical profiles for updating user record using objectId -->\n\n        <TechnicalProfile Id=\"AAD-UserWriteProfileUsingObjectId\">\n          <Metadata>\n            <Item Key=\"Operation\">Write</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalAlreadyExists\">false</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"objectId\" Required=\"true\" />\n          </InputClaims>\n          <PersistedClaims>\n            <!-- Required claims -->\n            <PersistedClaim ClaimTypeReferenceId=\"objectId\" />\n\n            <!-- If the user stepped up during password reset, their phone number should be persisted for future authentication requests. -->\n            <PersistedClaim ClaimTypeReferenceId=\"Verified.strongAuthenticationPhoneNumber\" PartnerClaimType=\"strongAuthenticationPhoneNumber\" />\n\n            <!-- Optional claims -->\n            <PersistedClaim ClaimTypeReferenceId=\"givenName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"surname\" />\n          </PersistedClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n\n        <!-- The following technical profile is used to read data after user authenticates. 
-->\n        <TechnicalProfile Id=\"AAD-UserReadUsingObjectId\">\n          <Metadata>\n            <Item Key=\"Operation\">Read</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"objectId\" Required=\"true\" />\n          </InputClaims>\n          <OutputClaims>\n\n            <!-- Required claims -->\n            <OutputClaim ClaimTypeReferenceId=\"strongAuthenticationPhoneNumber\" />\n\n            <!-- Optional claims -->\n            <OutputClaim ClaimTypeReferenceId=\"signInNames.emailAddress\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"otherMails\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" />\n          </OutputClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"AAD-UserWritePhoneNumberUsingObjectId\">\n          <Metadata>\n            <Item Key=\"Operation\">Write</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalAlreadyExists\">false</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"objectId\" Required=\"true\" />\n          </InputClaims>\n          <PersistedClaims>\n            <PersistedClaim ClaimTypeReferenceId=\"objectId\" />\n            <PersistedClaim ClaimTypeReferenceId=\"Verified.strongAuthenticationPhoneNumber\" PartnerClaimType=\"strongAuthenticationPhoneNumber\" />\n          </PersistedClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n 
   <ClaimsProvider>\n      <DisplayName>Self Asserted</DisplayName>\n      <TechnicalProfiles>\n\n        <TechnicalProfile Id=\"SelfAsserted-Social\">\n          <DisplayName>User ID signup</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"ContentDefinitionReferenceId\">api.socialccountsignup</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n          <InputClaims>\n            <!-- These claims ensure that any values retrieved in the previous steps (e.g. from an external IDP) are prefilled. \n                 Note that some of these claims may not have any value, for example, if the external IDP did not provide any of\n                 these values, or if the claim did not appear in the OutputClaims section of the IDP.\n                 In addition, if a claim is not in the InputClaims section, but it is in the OutputClaims section, then its\n                 value will not be prefilled, but the user will still be prompted for it (with an empty value). -->\n            <InputClaim ClaimTypeReferenceId=\"displayName\" />\n            <InputClaim ClaimTypeReferenceId=\"givenName\" />\n            <InputClaim ClaimTypeReferenceId=\"surname\" />\n          </InputClaims>\n          <OutputClaims>\n            <!-- These claims are not shown to the user because their value is obtained through the \"ValidationTechnicalProfiles\"\n                 referenced below, or a default value is assigned to the claim. A claim is only shown to the user to provide a \n                 value if its value cannot be obtained through any other means. 
-->\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"newUser\" />\n            <OutputClaim ClaimTypeReferenceId=\"executed-SelfAsserted-Input\" DefaultValue=\"true\" />\n\n            <!-- Optional claims. These claims are collected from the user and can be modified. If a claim is to be persisted in the directory after having been \n                 collected from the user, it needs to be added as a PersistedClaim in the ValidationTechnicalProfile referenced below, i.e. \n                 in AAD-UserWriteUsingAlternativeSecurityId. -->\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserWriteUsingAlternativeSecurityId\" />\n          </ValidationTechnicalProfiles>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-SocialSignup\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"SelfAsserted-ProfileUpdate\">\n          <DisplayName>User ID signup</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"ContentDefinitionReferenceId\">api.selfasserted.profileupdate</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"alternativeSecurityId\" />\n            <InputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n\n            <!-- Optional claims. These claims are collected from the user and can be modified. 
Any claim added here should be updated in the\n                 ValidationTechnicalProfile referenced below so it can be written to directory after being updated by the user, i.e. AAD-UserWriteProfileUsingObjectId. -->\n            <InputClaim ClaimTypeReferenceId=\"givenName\" />\n            <InputClaim ClaimTypeReferenceId=\"surname\" />\n          </InputClaims>\n          <OutputClaims>\n            <!-- Required claims -->\n            <OutputClaim ClaimTypeReferenceId=\"executed-SelfAsserted-Input\" DefaultValue=\"true\" />\n\n            <!-- Optional claims. These claims are collected from the user and can be modified. Any claim added here should be updated in the\n                 ValidationTechnicalProfile referenced below so it can be written to directory after being updated by the user, i.e. AAD-UserWriteProfileUsingObjectId. -->\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserWriteProfileUsingObjectId\" />\n          </ValidationTechnicalProfiles>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Local Account</DisplayName>\n      <TechnicalProfiles>\n\n        <TechnicalProfile Id=\"LocalAccountSignUpWithLogonEmail\">\n          <DisplayName>Email signup</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"IpAddressClaimReferenceId\">IpAddress</Item>\n            <Item Key=\"ContentDefinitionReferenceId\">api.localaccountsignup</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n      
    </CryptographicKeys>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"email\" />\n          </InputClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"Verified.Email\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"newPassword\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"reenterPassword\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"executed-SelfAsserted-Input\" DefaultValue=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" />\n            <OutputClaim ClaimTypeReferenceId=\"newUser\" />\n\n            <!-- Optional claims, to be collected from the user -->\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surName\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserWriteUsingLogonEmail\" />\n          </ValidationTechnicalProfiles>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n\n        <!-- This technical profile uses a validation technical profile to authenticate the user. 
-->\n        <TechnicalProfile Id=\"SelfAsserted-LocalAccountSignin-Email\">\n          <DisplayName>Local Account Signin</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"SignUpTarget\">SignUpWithLogonEmailExchange</Item>\n            <Item Key=\"setting.operatingMode\">Email</Item>\n            <Item Key=\"ContentDefinitionReferenceId\">api.localaccountsignin</Item>\n            <Item Key=\"IncludeClaimResolvingInClaimsHandling\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"signInName\" DefaultValue=\"{OIDC:LoginHint}\" AlwaysUseDefaultValue=\"true\" />\n          </InputClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"signInName\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"password\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"login-NonInteractive\" />\n          </ValidationTechnicalProfiles>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n\n        <!-- This technical profile forces the user to verify the email address that they provide on the UI. Only after email is verified, the user account is\n        read from the directory. 
-->\n        <TechnicalProfile Id=\"LocalAccountDiscoveryUsingEmailAddress\">\n          <DisplayName>Reset password using email address</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"IpAddressClaimReferenceId\">IpAddress</Item>\n            <Item Key=\"ContentDefinitionReferenceId\">api.localaccountpasswordreset</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n          <IncludeInSso>false</IncludeInSso>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"Verified.Email\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" />\n\n            <OutputClaim ClaimTypeReferenceId=\"strongAuthenticationPhoneNumber\" />\n\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserReadUsingEmailAddress\" />\n          </ValidationTechnicalProfiles>\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"LocalAccountWritePasswordUsingObjectId\">\n          <DisplayName>Change password (username)</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"ContentDefinitionReferenceId\">api.localaccountpasswordreset</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" 
/>\n          </CryptographicKeys>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"objectId\" />\n\n            <InputClaim ClaimTypeReferenceId=\"Verified.strongAuthenticationPhoneNumber\" />\n\n          </InputClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"newPassword\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"reenterPassword\" Required=\"true\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserWritePasswordUsingObjectId\" />\n          </ValidationTechnicalProfiles>\n        </TechnicalProfile>\n\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Session Management</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"SM-Noop\">\n          <DisplayName>Noop Session Management Provider</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.NoopSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"SM-AAD\">\n          <DisplayName>Session Mananagement Provider</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.DefaultSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <PersistedClaims>\n            <PersistedClaim ClaimTypeReferenceId=\"objectId\" />\n            <PersistedClaim ClaimTypeReferenceId=\"signInName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"authenticationSource\" />\n            <PersistedClaim ClaimTypeReferenceId=\"identityProvider\" />\n            <PersistedClaim ClaimTypeReferenceId=\"newUser\" />\n            <PersistedClaim ClaimTypeReferenceId=\"executed-SelfAsserted-Input\" />\n          </PersistedClaims>\n          <OutputClaims>\n            <OutputClaim 
ClaimTypeReferenceId=\"objectIdFromSession\" DefaultValue=\"true\" />\n          </OutputClaims>\n        </TechnicalProfile>\n\n        <!-- Profile name is being used to disambiguate AAD session between sign up and sign in -->\n        <TechnicalProfile Id=\"SM-SocialSignup\">\n          <IncludeTechnicalProfile ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"SM-SocialLogin\">\n          <DisplayName>Session Mananagement Provider</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.ExternalLoginSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"AlwaysFetchClaimsFromProvider\">true</Item>\n          </Metadata>\n          <PersistedClaims>\n            <PersistedClaim ClaimTypeReferenceId=\"alternativeSecurityId\" />\n          </PersistedClaims>\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"SM-MFA\">\n          <DisplayName>Session Mananagement Provider</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.DefaultSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <PersistedClaims>\n            <PersistedClaim ClaimTypeReferenceId=\"Verified.strongAuthenticationPhoneNumber\" />\n          </PersistedClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"isActiveMFASession\" DefaultValue=\"true\" />\n          </OutputClaims>\n        </TechnicalProfile>\n\n        <!-- Session management technical profile for OIDC based tokens -->\n        <TechnicalProfile Id=\"SM-jwt-issuer\">\n          <DisplayName>Session Management Provider</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.OAuthSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    
</ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Trustframework Policy Engine TechnicalProfiles</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"TpEngine_c3bd4fe2-1775-4013-b91d-35f16d377d13\">\n          <DisplayName>Trustframework Policy Engine Default Technical Profile</DisplayName>\n          <Protocol Name=\"None\" />\n          <Metadata>\n            <Item Key=\"url\">{service:te}</Item>\n          </Metadata>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Token Issuer</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"JwtIssuer\">\n          <DisplayName>JWT Issuer</DisplayName>\n          <Protocol Name=\"OpenIdConnect\" />\n          <OutputTokenFormat>JWT</OutputTokenFormat>\n          <Metadata>\n            <Item Key=\"client_id\">{service:te}</Item>\n            <Item Key=\"issuer_refresh_token_user_identity_claim_type\">objectId</Item>\n            <Item Key=\"SendTokenResponseBodyWithJsonNumbers\">true</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n            <Key Id=\"issuer_refresh_token_key\" StorageReferenceId=\"B2C_1A_TokenEncryptionKeyContainer\" />\n          </CryptographicKeys>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-jwt-issuer\" />\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n\n     <!--claims provider for refresh token revocation-->\n  <ClaimsProvider>\n    <DisplayName>Refresh token journey</DisplayName>\n    <TechnicalProfiles>\n      <TechnicalProfile Id=\"RefreshTokenReadAndSetup\">\n        <DisplayName>Trustframework Policy Engine Refresh Token Setup Technical Profile</DisplayName>\n        <Protocol Name=\"None\" />\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n          
<OutputClaim ClaimTypeReferenceId=\"refreshTokenIssuedOnDateTime\" />\n           <!--Requirement: Claims that you return in the relying party technical profile output claims\n            that are not stored in Azure AD B2C, must be added to the output claims collection here-->\n          <!--\n          \n          <OutputClaim ClaimTypeReferenceId=\"RESTAPIclaim1\" />\n          <OutputClaim ClaimTypeReferenceId=\"IDPclaim1\" />\n           -->\n        </OutputClaims>\n      </TechnicalProfile>\n\n\n      <TechnicalProfile Id=\"AAD-UserReadUsingObjectId-CheckRefreshTokenDate\">\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"refreshTokensValidFromDateTime\" />\n          <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n        </OutputClaims>\n        <OutputClaimsTransformations>\n          <OutputClaimsTransformation ReferenceId=\"AssertRefreshTokenIssuedLaterThanValidFromDate\" />\n        </OutputClaimsTransformations>\n        <IncludeTechnicalProfile ReferenceId=\"AAD-UserReadUsingObjectId\" />\n      </TechnicalProfile>\n    </TechnicalProfiles>\n  </ClaimsProvider>\n\n  </ClaimsProviders>\n\n  <UserJourneys>\n\n    <UserJourney Id=\"SignUpOrSignIn\">\n      <OrchestrationSteps>\n\n        <OrchestrationStep Order=\"1\" Type=\"CombinedSignInAndSignUp\" ContentDefinitionReferenceId=\"api.signuporsignin\">\n          <ClaimsProviderSelections>\n            <ClaimsProviderSelection TargetClaimsExchangeId=\"FacebookExchange\" />\n            <ClaimsProviderSelection ValidationClaimsExchangeId=\"LocalAccountSigninEmailExchange\" />\n          </ClaimsProviderSelections>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"LocalAccountSigninEmailExchange\" TechnicalProfileReferenceId=\"SelfAsserted-LocalAccountSignin-Email\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- Check if the user has selected to sign in using one of the social providers -->\n        <OrchestrationStep Order=\"2\" 
Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>objectId</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"FacebookExchange\" TechnicalProfileReferenceId=\"Facebook-OAUTH\" />\n            <ClaimsExchange Id=\"SignUpWithLogonEmailExchange\" TechnicalProfileReferenceId=\"LocalAccountSignUpWithLogonEmail\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- For social IDP authentication, look up the user account in the directory by alternativeSecurityId. The NoError variant of the\n             read profile does not fail when no account exists; a missing account is handled by the sign-up steps below. -->\n        <OrchestrationStep Order=\"3\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimEquals\" ExecuteActionsIf=\"true\">\n              <Value>authenticationSource</Value>\n              <Value>localAccountAuthentication</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserReadUsingAlternativeSecurityId\" TechnicalProfileReferenceId=\"AAD-UserReadUsingAlternativeSecurityId-NoError\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- Show the self-asserted page only if the directory does not have the user account already (i.e. we do not have an objectId). \n          This can only happen when authentication happened using a social IDP. If a local account was created in step 2, or a local account\n          signed in during step 1 (validated through login-NonInteractive), then a user account must exist in the directory by this time. 
-->\n        <OrchestrationStep Order=\"4\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>objectId</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"SelfAsserted-Social\" TechnicalProfileReferenceId=\"SelfAsserted-Social\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent \n          in the token. -->\n        <OrchestrationStep Order=\"5\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimEquals\" ExecuteActionsIf=\"true\">\n              <Value>authenticationSource</Value>\n              <Value>socialIdpAuthentication</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserReadWithObjectId\" TechnicalProfileReferenceId=\"AAD-UserReadUsingObjectId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <!-- The previous step (SelfAsserted-Social) could have been skipped if there were no attributes to collect \n             from the user. So, in that case, create the user in the directory if one does not already exist \n             (verified using objectId, which would be set from the last step if the account was created in the directory). 
-->\n        <OrchestrationStep Order=\"6\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>objectId</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserWrite\" TechnicalProfileReferenceId=\"AAD-UserWriteUsingAlternativeSecurityId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- Phone verification: If MFA is not required, the next three steps (#5-#7) should be removed.\n             This step checks whether there's a phone number on record for the user. If found, the user is challenged to verify it. -->\n        <OrchestrationStep Order=\"7\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>isActiveMFASession</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"PhoneFactor-Verify\" TechnicalProfileReferenceId=\"PhoneFactor-InputOrVerify\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- Save MFA phone number: The precondition verifies whether the user provided a new number in the \n             previous step. If so, the phone number is stored in the directory for future authentication \n             requests. 
-->\n        <OrchestrationStep Order=\"8\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"false\">\n              <Value>newPhoneNumberEntered</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserWriteWithObjectId\" TechnicalProfileReferenceId=\"AAD-UserWritePhoneNumberUsingObjectId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"9\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n\n      </OrchestrationSteps>\n      <ClientDefinition ReferenceId=\"DefaultWeb\" />\n    </UserJourney>\n\n    <UserJourney Id=\"ProfileEdit\">\n      <OrchestrationSteps>\n\n        <OrchestrationStep Order=\"1\" Type=\"ClaimsProviderSelection\" ContentDefinitionReferenceId=\"api.idpselections\">\n          <ClaimsProviderSelections>\n            <ClaimsProviderSelection TargetClaimsExchangeId=\"FacebookExchange\" />\n            <ClaimsProviderSelection TargetClaimsExchangeId=\"LocalAccountSigninEmailExchange\" />\n          </ClaimsProviderSelections>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"FacebookExchange\" TechnicalProfileReferenceId=\"Facebook-OAUTH\" />\n            <ClaimsExchange Id=\"LocalAccountSigninEmailExchange\" TechnicalProfileReferenceId=\"SelfAsserted-LocalAccountSignin-Email\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"3\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimEquals\" ExecuteActionsIf=\"true\">\n              <Value>authenticationSource</Value>\n              <Value>localAccountAuthentication</Value>\n              
<Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserRead\" TechnicalProfileReferenceId=\"AAD-UserReadUsingAlternativeSecurityId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"4\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimEquals\" ExecuteActionsIf=\"true\">\n              <Value>authenticationSource</Value>\n              <Value>socialIdpAuthentication</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserReadWithObjectId\" TechnicalProfileReferenceId=\"AAD-UserReadUsingObjectId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- If the user ever stepped up to use 2FA, profile update must verify this because the user will be able to change\n          their sign-in email address or strong authentication email here. This guards against the scenario where a user's \n          password is stolen and the attacker changes the email addresses, leaving no way for the user to recover their account.\n          By requiring 2FA, a stolen password alone cannot be used to take over the account completely. 
-->\n        <OrchestrationStep Order=\"5\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"PhoneFactor\" TechnicalProfileReferenceId=\"PhoneFactor-InputOrVerify\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"6\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"B2CUserProfileUpdateExchange\" TechnicalProfileReferenceId=\"SelfAsserted-ProfileUpdate\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"7\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n\n      </OrchestrationSteps>\n      <ClientDefinition ReferenceId=\"DefaultWeb\" />\n    </UserJourney>\n\n    <UserJourney Id=\"PasswordReset\">\n      <OrchestrationSteps>\n        <OrchestrationStep Order=\"1\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"PasswordResetUsingEmailAddressExchange\" TechnicalProfileReferenceId=\"LocalAccountDiscoveryUsingEmailAddress\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"PhoneFactor-Verify\" TechnicalProfileReferenceId=\"PhoneFactor-InputOrVerify\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"3\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"NewCredentials\" TechnicalProfileReferenceId=\"LocalAccountWritePasswordUsingObjectId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"4\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n      </OrchestrationSteps>\n      <ClientDefinition ReferenceId=\"DefaultWeb\" />\n    </UserJourney>\n\n    <UserJourney Id=\"RedeemRefreshToken\">\n      
<PreserveOriginalAssertion>false</PreserveOriginalAssertion>\n      <OrchestrationSteps>\n        <OrchestrationStep Order=\"1\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"RefreshTokenSetupExchange\" TechnicalProfileReferenceId=\"RefreshTokenReadAndSetup\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- Extra steps can be added before or after this step for REST API or claims transformation calls-->\n        \n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"CheckRefreshTokenDateFromAadExchange\" TechnicalProfileReferenceId=\"AAD-UserReadUsingObjectId-CheckRefreshTokenDate\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"3\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n      </OrchestrationSteps>\n    </UserJourney>\n\n\n  </UserJourneys>\n</TrustFrameworkPolicy>"
  },
  {
    "path": "SocialAndLocalAccountsWithMfa/TrustFrameworkExtensions.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n<TrustFrameworkPolicy \n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" \n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\" \n  PolicySchemaVersion=\"0.3.0.0\" \n  TenantId=\"yourtenant.onmicrosoft.com\" \n  PolicyId=\"B2C_1A_TrustFrameworkExtensions\" \n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions\">\n  \n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkLocalization</PolicyId>\n  </BasePolicy>\n <BuildingBlocks>\n\n  </BuildingBlocks>\n\n  <ClaimsProviders>\n\n    <ClaimsProvider>\n      <DisplayName>Facebook</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"Facebook-OAUTH\">\n          <Metadata>\n            <Item Key=\"client_id\">facebook_clientid</Item>\n            <Item Key=\"scope\">email public_profile</Item>\n            <Item Key=\"ClaimsEndpoint\">https://graph.facebook.com/me?fields=id,first_name,last_name,name,email</Item>\n          </Metadata>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n\n    <ClaimsProvider>\n      <DisplayName>Local Account SignIn</DisplayName>\n      <TechnicalProfiles>\n         <TechnicalProfile Id=\"login-NonInteractive\">\n          <Metadata>\n            <Item Key=\"client_id\">ProxyIdentityExperienceFrameworkAppId</Item>\n            <Item Key=\"IdTokenAudience\">IdentityExperienceFrameworkAppId</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"client_id\" DefaultValue=\"ProxyIdentityExperienceFrameworkAppId\" />\n            <InputClaim ClaimTypeReferenceId=\"resource_id\" PartnerClaimType=\"resource\" DefaultValue=\"IdentityExperienceFrameworkAppId\" />\n          </InputClaims>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n  
</ClaimsProviders>\n\n    <!--UserJourneys>\n\t\n\t</UserJourneys-->\n\n</TrustFrameworkPolicy>\n"
  },
  {
    "path": "SocialAndLocalAccountsWithMfa/TrustFrameworkLocalization.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n<TrustFrameworkPolicy \n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" \n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\" \n  PolicySchemaVersion=\"0.3.0.0\" \n  TenantId=\"yourtenant.onmicrosoft.com\" \n  PolicyId=\"B2C_1A_TrustFrameworkLocalization\" \n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkLocalization\">\n\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>\n  </BasePolicy>\n\n  <BuildingBlocks>\n\n    <ContentDefinitions>\n      <ContentDefinition Id=\"api.signuporsignin\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.signuporsignin.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountsignup\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.localaccountsignup.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.socialccountsignup\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.socialccountsignup.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountpasswordreset\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.localaccountpasswordreset.en\" 
/>\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.idpselections\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.idpselections.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.localaccountsignin\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.localaccountsignin.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.selfasserted.profileupdate\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.selfasserted.profileupdate.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n\n      <ContentDefinition Id=\"api.phonefactor\">\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"api.phonefactor.en\" />\n          <!-- Add more languages here -->\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n    </ContentDefinitions>\n\n    <Localization Enabled=\"true\">\n      <SupportedLanguages DefaultLanguage=\"en\" MergeBehavior=\"Append\">\n        <SupportedLanguage>en</SupportedLanguage>\n      </SupportedLanguages>\n\n      <LocalizedResources Id=\"api.signuporsignin.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"signInName\" StringId=\"DisplayName\">Email Address</LocalizedString>\n          
<LocalizedString ElementType=\"UxElement\" StringId=\"heading\">Sign in</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"social_intro\">Sign in with your social account</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"local_intro_generic\">Sign in with your {0}</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"password\" StringId=\"DisplayName\">Password</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"requiredField_password\">Please enter your password</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"requiredField_generic\">Please enter your {0}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"invalid_generic\">Please enter a valid {0}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"createaccount_one_link\">Sign up now</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"createaccount_two_links\">Sign up with {0} or {1}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"createaccount_three_links\">Sign up with {0}, {1}, or {2}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"forgotpassword_link\">Forgot your password?</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_signin\">Sign in</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"divider_title\">OR</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"createaccount_intro\">Don't have an account?</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"unknown_error\">We are having trouble signing you in. Please try again later.</LocalizedString>\n          <!-- Uncomment the remember_me only if the keep me signed in is activated. 
\n          <LocalizedString ElementType=\"UxElement\" StringId=\"remember_me\">Keep me signed in</LocalizedString> -->\n          <LocalizedString ElementType=\"ClaimsProvider\" StringId=\"FacebookExchange\">Facebook</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"ResourceOwnerFlowInvalidCredentials\">Your password is incorrect.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfInvalidPassword\">Your password is incorrect.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfPasswordExpired\">Your password has expired.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalDoesNotExist\">We can't seem to find your account.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfOldPasswordUsed\">Looks like you used an old password.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"DefaultMessage\">Invalid username or password.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfUserAccountDisabled\">Your account has been locked. Contact your support person to unlock it, then try again.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfUserAccountLocked\">Your account is temporarily locked to prevent unauthorized use. Try again later.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"AADRequestsThrottled\">There are too many requests at this moment. 
Please wait for some time and try again.</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!--Local account sign-up page English-->\n      <LocalizedResources Id=\"api.localaccountsignup.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"DisplayName\">Email Address</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"UserHelpText\">Email address that can be used to contact you.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"PatternHelpText\">Please enter a valid email address.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"DisplayName\">New Password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"UserHelpText\">Enter new password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"PatternHelpText\">8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ &amp; * - _ + = [ ] { } | \\ : ' , ? / ` ~ \" ( ) ; .</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"DisplayName\">Confirm New Password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"UserHelpText\">Confirm new password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"PatternHelpText\">8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ &amp; * - _ + = [ ] { } | \\ : ' , ? 
/ ` ~ \" ( ) ; .</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"DisplayName\">Display Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"UserHelpText\">Your display name.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"DisplayName\">Surname</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"UserHelpText\">Your surname (also known as family name or last name).</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"DisplayName\">Given Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"UserHelpText\">Your given name (also known as first name).</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_continue\">Create</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_fieldIncorrect\">One or more fields are filled out incorrectly. Please check your entries and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_passwordEntryMismatch\">The password entry fields do not match. Please enter the same password in both fields and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_requiredFieldMissing\">A required field is missing. 
Please fill out all required fields and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"helplink_text\">What is this?</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"initial_intro\">Please provide the following details.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"preloader_alt\">Please wait</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"required_field\">This information is required.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_cancel\">Cancel</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_but_edit\">Change e-mail</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_but_resend\">Send new code</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_but_send\">Send verification code</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_but_verify\">Verify code</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_fail_code_expired\">That code is expired. Please request a new code.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_fail_no_retry\">You've made too many incorrect attempts. Please try again later.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_fail_retry\">That code is incorrect. Please try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_fail_server\">We are having trouble verifying your email address. Please enter a valid email address and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_fail_throttled\">There have been too many requests to verify this email address. 
Please wait a while, then try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_info_msg\">Verification code has been sent to your inbox. Please copy it to the input box below.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_input\">Verification code</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_intro_msg\">Verification is necessary. Please click Send button.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_success_msg\">E-mail address verified. You can now continue.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"ServiceThrottled\">There are too many requests at this moment. Please wait for some time and try again.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimNotVerified\">Claim not verified: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalAlreadyExists\">A user with the specified ID already exists. 
Please choose a different one.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfIncorrectPattern\">Incorrect pattern for: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfInvalidInput\">{0} has invalid input.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfMissingRequiredElement\">Missing required element: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfValidationError\">Error in validation by: {0}</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Social account sign-up page English-->\n      <LocalizedResources Id=\"api.socialccountsignup.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"DisplayName\">Email Address</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"UserHelpText\">Email address that can be used to contact you.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"PatternHelpText\">Please enter a valid email address.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"DisplayName\">Display Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"UserHelpText\">Your display name.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"DisplayName\">Surname</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"UserHelpText\">Your surname (also known as family name or last name).</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"DisplayName\">Given Name</LocalizedString>\n   
       <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"UserHelpText\">Your given name (also known as first name).</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_continue\">Create</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_cancel\">Cancel</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalAlreadyExists\">You are already registered, please press the back button and sign in instead.</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Password reset page English-->\n      <LocalizedResources Id=\"api.localaccountpasswordreset.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"DisplayName\">Email Address</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"UserHelpText\">Email address that can be used to contact you.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"email\" StringId=\"PatternHelpText\">Please enter a valid email address.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"DisplayName\">New Password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"UserHelpText\">Enter new password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"newPassword\" StringId=\"PatternHelpText\">8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ &amp; * - _ + = [ ] { } | \\ : ' , ? 
/ ` ~ \" ( ) ; .</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"DisplayName\">Confirm New Password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"UserHelpText\">Confirm new password</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"reenterPassword\" StringId=\"PatternHelpText\">8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ &amp; * - _ + = [ ] { } | \\ : ' , ? / ` ~ \" ( ) ; .</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_passwordEntryMismatch\">The password entry fields do not match. Please enter the same password in both fields and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_fieldIncorrect\">One or more fields are filled out incorrectly. Please check your entries and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_continue\">Continue</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_cancel\">Cancel</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalDoesNotExist\">An account could not be found for the provided user ID.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsTransformationBooleanValueIsNotEqual\">Your account has been locked. 
Contact your support person to unlock it, then try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"required_field\">This information is required.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_but_edit\">Change e-mail</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_but_resend\">Send new code</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_but_send\">Send verification code</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_but_verify\">Verify code</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_fail_code_expired\">That code is expired. Please request a new code.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_fail_no_retry\">You've made too many incorrect attempts. Please try again later.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_fail_retry\">That code is incorrect. Please try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_fail_server\">We are having trouble verifying your email address. Please enter a valid email address and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_fail_throttled\">There have been too many requests to verify this email address. Please wait a while, then try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_info_msg\">Verification code has been sent to your inbox. Please copy it to the input box below.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_input\">Verification code</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_intro_msg\">Verification is necessary. 
Please click Send button.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_success_msg\">E-mail address verified. You can now continue.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"ServiceThrottled\">There are too many requests at this moment. Please wait for some time and try again.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimNotVerified\">Claim not verified: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalAlreadyExists\">A user with the specified ID already exists. Please choose a different one.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfIncorrectPattern\">Incorrect pattern for: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfInvalidInput\">{0} has invalid input.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfMissingRequiredElement\">Missing required element: {0}</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfValidationError\">Error in validation by: {0}</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Edit profile sign-in page English-->\n      <LocalizedResources Id=\"api.idpselections.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"intro\">Sign in</LocalizedString>\n          <LocalizedString ElementType=\"ClaimsProvider\" StringId=\"LocalAccountSigninEmailExchange\">Local Account Signin</LocalizedString>\n          <LocalizedString ElementType=\"ClaimsProvider\" StringId=\"FacebookExchange\">Facebook</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Edit profile sign-in with local account English-->\n      
<LocalizedResources Id=\"api.localaccountsignin.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"signInName\" StringId=\"DisplayName\">Email Address</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"password\" StringId=\"DisplayName\">Password</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_continue\">Continue</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_cancel\">Cancel</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"ResourceOwnerFlowInvalidCredentials\">Your password is incorrect.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfInvalidPassword\">Your password is incorrect.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfPasswordExpired\">Your password has expired.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfClaimsPrincipalDoesNotExist\">We can't seem to find your account.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfOldPasswordUsed\">Looks like you used an old password.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"DefaultMessage\">Invalid username or password.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfUserAccountDisabled\">Your account has been locked. Contact your support person to unlock it, then try again.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"UserMessageIfUserAccountLocked\">Your account is temporarily locked to prevent unauthorized use. Try again later.</LocalizedString>\n          <LocalizedString ElementType=\"ErrorMessage\" StringId=\"AADRequestsThrottled\">There are too many requests at this moment. 
Please wait for some time and try again.</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Edit profile page English-->\n      <LocalizedResources Id=\"api.selfasserted.profileupdate.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"DisplayName\">Display Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"displayName\" StringId=\"UserHelpText\">Your display name.</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"DisplayName\">Surname</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"surname\" StringId=\"UserHelpText\">Your surname (also known as family name or last name).</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"DisplayName\">Given Name</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"givenName\" StringId=\"UserHelpText\">Your given name (also known as first name).</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_continue\">Continue</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_cancel\">Cancel</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n\n      <!-- Phone factor English-->\n      <LocalizedResources Id=\"api.phonefactor.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_verify\">Call Me</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"country_code_label\">Country Code</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"cancel_message\">The user has canceled multi-factor authentication</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" 
StringId=\"text_button_send_second_code\">Send a new code</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"code_pattern\">\\d{6}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"intro_mixed\">We have the following number on record for you. We can send a code via SMS or phone to authenticate you.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"intro_mixed_p\">We have the following numbers on record for you. Choose a number that we can phone or send a code via SMS to authenticate you.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_verify_code\">Verify Code</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"requiredField_code\">Please enter the verification code you received</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"invalid_code\">Please enter the 6-digit code you received</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_cancel\">Cancel</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"local_number_input_placeholder_text\">Phone number</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_retry\">Retry</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"alternative_text\">I don't have my phone</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"intro_phone_p\">We have the following numbers on record for you. Choose a number that we can phone to authenticate you.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"intro_phone\">We have the following number on record for you. 
We will phone to authenticate you.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"enter_code_text_intro\">Enter your verification code below, or</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"intro_entry_phone\">Enter a number below that we can phone to authenticate you.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"intro_entry_sms\">Enter a number below that we can send a code via SMS to authenticate you.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_send_code\">Send Code</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"invalid_number\">Please enter a valid phone number</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"intro_sms\">We have the following number on record for you. We will send a code via SMS to authenticate you.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"intro_entry_mixed\">Enter a number below that we can send a code via SMS or phone to authenticate you.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"number_pattern\">^\\+(?:[0-9][\\x20-]?){6,14}[0-9]$</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"intro_sms_p\">We have the following numbers on record for you. 
Choose a number that we can send a code via SMS to authenticate you.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"requiredField_countryCode\">Please select your country code</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"requiredField_number\">Please enter your phone number</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"country_code_input_placeholder_text\">Country or region</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"number_label\">Phone Number</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_tryagain\">The phone number you provided is busy or unavailable. Please check the number and try again.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_sms_throttled\">You hit the limit on the number of text messages. Try again shortly.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_phone_throttled\">You hit the limit on the number of call attempts. Try again shortly.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_throttled\">You hit the limit on the number of verification attempts. Try again shortly.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_incorrect_code\">The verification code you have entered does not match our records. 
Please try again, or request a new code.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"countryList\">{\"DEFAULT\":\"Country/Region\",\"AF\":\"Afghanistan\",\"AX\":\"Åland Islands\",\"AL\":\"Albania\",\"DZ\":\"Algeria\",\"AS\":\"American Samoa\",\"AD\":\"Andorra\",\"AO\":\"Angola\",\"AI\":\"Anguilla\",\"AQ\":\"Antarctica\",\"AG\":\"Antigua and Barbuda\",\"AR\":\"Argentina\",\"AM\":\"Armenia\",\"AW\":\"Aruba\",\"AU\":\"Australia\",\"AT\":\"Austria\",\"AZ\":\"Azerbaijan\",\"BS\":\"Bahamas\",\"BH\":\"Bahrain\",\"BD\":\"Bangladesh\",\"BB\":\"Barbados\",\"BY\":\"Belarus\",\"BE\":\"Belgium\",\"BZ\":\"Belize\",\"BJ\":\"Benin\",\"BM\":\"Bermuda\",\"BT\":\"Bhutan\",\"BO\":\"Bolivia\",\"BQ\":\"Bonaire\",\"BA\":\"Bosnia and Herzegovina\",\"BW\":\"Botswana\",\"BV\":\"Bouvet Island\",\"BR\":\"Brazil\",\"IO\":\"British Indian Ocean Territory\",\"VG\":\"British Virgin Islands\",\"BN\":\"Brunei\",\"BG\":\"Bulgaria\",\"BF\":\"Burkina Faso\",\"BI\":\"Burundi\",\"CV\":\"Cabo Verde\",\"KH\":\"Cambodia\",\"CM\":\"Cameroon\",\"CA\":\"Canada\",\"KY\":\"Cayman Islands\",\"CF\":\"Central African Republic\",\"TD\":\"Chad\",\"CL\":\"Chile\",\"CN\":\"China\",\"CX\":\"Christmas Island\",\"CC\":\"Cocos (Keeling) Islands\",\"CO\":\"Colombia\",\"KM\":\"Comoros\",\"CG\":\"Congo\",\"CD\":\"Congo (DRC)\",\"CK\":\"Cook Islands\",\"CR\":\"Costa Rica\",\"CI\":\"Côte d'Ivoire\",\"HR\":\"Croatia\",\"CU\":\"Cuba\",\"CW\":\"Curaçao\",\"CY\":\"Cyprus\",\"CZ\":\"Czech Republic\",\"DK\":\"Denmark\",\"DJ\":\"Djibouti\",\"DM\":\"Dominica\",\"DO\":\"Dominican Republic\",\"EC\":\"Ecuador\",\"EG\":\"Egypt\",\"SV\":\"El Salvador\",\"GQ\":\"Equatorial Guinea\",\"ER\":\"Eritrea\",\"EE\":\"Estonia\",\"ET\":\"Ethiopia\",\"FK\":\"Falkland Islands\",\"FO\":\"Faroe Islands\",\"FJ\":\"Fiji\",\"FI\":\"Finland\",\"FR\":\"France\",\"GF\":\"French Guiana\",\"PF\":\"French Polynesia\",\"TF\":\"French Southern 
Territories\",\"GA\":\"Gabon\",\"GM\":\"Gambia\",\"GE\":\"Georgia\",\"DE\":\"Germany\",\"GH\":\"Ghana\",\"GI\":\"Gibraltar\",\"GR\":\"Greece\",\"GL\":\"Greenland\",\"GD\":\"Grenada\",\"GP\":\"Guadeloupe\",\"GU\":\"Guam\",\"GT\":\"Guatemala\",\"GG\":\"Guernsey\",\"GN\":\"Guinea\",\"GW\":\"Guinea-Bissau\",\"GY\":\"Guyana\",\"HT\":\"Haiti\",\"HM\":\"Heard Island and McDonald Islands\",\"HN\":\"Honduras\",\"HK\":\"Hong Kong SAR\",\"HU\":\"Hungary\",\"IS\":\"Iceland\",\"IN\":\"India\",\"ID\":\"Indonesia\",\"IR\":\"Iran\",\"IQ\":\"Iraq\",\"IE\":\"Ireland\",\"IM\":\"Isle of Man\",\"IL\":\"Israel\",\"IT\":\"Italy\",\"JM\":\"Jamaica\",\"JP\":\"Japan\",\"JE\":\"Jersey\",\"JO\":\"Jordan\",\"KZ\":\"Kazakhstan\",\"KE\":\"Kenya\",\"KI\":\"Kiribati\",\"KR\":\"Korea\",\"KW\":\"Kuwait\",\"KG\":\"Kyrgyzstan\",\"LA\":\"Laos\",\"LV\":\"Latvia\",\"LB\":\"Lebanon\",\"LS\":\"Lesotho\",\"LR\":\"Liberia\",\"LY\":\"Libya\",\"LI\":\"Liechtenstein\",\"LT\":\"Lithuania\",\"LU\":\"Luxembourg\",\"MO\":\"Macao SAR\",\"MK\":\"North Macedonia\",\"MG\":\"Madagascar\",\"MW\":\"Malawi\",\"MY\":\"Malaysia\",\"MV\":\"Maldives\",\"ML\":\"Mali\",\"MT\":\"Malta\",\"MH\":\"Marshall Islands\",\"MQ\":\"Martinique\",\"MR\":\"Mauritania\",\"MU\":\"Mauritius\",\"YT\":\"Mayotte\",\"MX\":\"Mexico\",\"FM\":\"Micronesia\",\"MD\":\"Moldova\",\"MC\":\"Monaco\",\"MN\":\"Mongolia\",\"ME\":\"Montenegro\",\"MS\":\"Montserrat\",\"MA\":\"Morocco\",\"MZ\":\"Mozambique\",\"MM\":\"Myanmar\",\"NA\":\"Namibia\",\"NR\":\"Nauru\",\"NP\":\"Nepal\",\"NL\":\"Netherlands\",\"NC\":\"New Caledonia\",\"NZ\":\"New Zealand\",\"NI\":\"Nicaragua\",\"NE\":\"Niger\",\"NG\":\"Nigeria\",\"NU\":\"Niue\",\"NF\":\"Norfolk Island\",\"KP\":\"North Korea\",\"MP\":\"Northern Mariana Islands\",\"NO\":\"Norway\",\"OM\":\"Oman\",\"PK\":\"Pakistan\",\"PW\":\"Palau\",\"PS\":\"Palestinian Authority\",\"PA\":\"Panama\",\"PG\":\"Papua New Guinea\",\"PY\":\"Paraguay\",\"PE\":\"Peru\",\"PH\":\"Philippines\",\"PN\":\"Pitcairn 
Islands\",\"PL\":\"Poland\",\"PT\":\"Portugal\",\"PR\":\"Puerto Rico\",\"QA\":\"Qatar\",\"RE\":\"Réunion\",\"RO\":\"Romania\",\"RU\":\"Russia\",\"RW\":\"Rwanda\",\"BL\":\"Saint Barthélemy\",\"KN\":\"Saint Kitts and Nevis\",\"LC\":\"Saint Lucia\",\"MF\":\"Saint Martin\",\"PM\":\"Saint Pierre and Miquelon\",\"VC\":\"Saint Vincent and the Grenadines\",\"WS\":\"Samoa\",\"SM\":\"San Marino\",\"ST\":\"São Tomé and Príncipe\",\"SA\":\"Saudi Arabia\",\"SN\":\"Senegal\",\"RS\":\"Serbia\",\"SC\":\"Seychelles\",\"SL\":\"Sierra Leone\",\"SG\":\"Singapore\",\"SX\":\"Sint Maarten\",\"SK\":\"Slovakia\",\"SI\":\"Slovenia\",\"SB\":\"Solomon Islands\",\"SO\":\"Somalia\",\"ZA\":\"South Africa\",\"GS\":\"South Georgia and South Sandwich Islands\",\"SS\":\"South Sudan\",\"ES\":\"Spain\",\"LK\":\"Sri Lanka\",\"SH\":\"St Helena, Ascension, Tristan da Cunha\",\"SD\":\"Sudan\",\"SR\":\"Suriname\",\"SJ\":\"Svalbard\",\"SZ\":\"Swaziland\",\"SE\":\"Sweden\",\"CH\":\"Switzerland\",\"SY\":\"Syria\",\"TW\":\"Taiwan\",\"TJ\":\"Tajikistan\",\"TZ\":\"Tanzania\",\"TH\":\"Thailand\",\"TL\":\"Timor-Leste\",\"TG\":\"Togo\",\"TK\":\"Tokelau\",\"TO\":\"Tonga\",\"TT\":\"Trinidad and Tobago\",\"TN\":\"Tunisia\",\"TR\":\"Turkey\",\"TM\":\"Turkmenistan\",\"TC\":\"Turks and Caicos Islands\",\"TV\":\"Tuvalu\",\"UM\":\"U.S. Outlying Islands\",\"VI\":\"U.S. 
Virgin Islands\",\"UG\":\"Uganda\",\"UA\":\"Ukraine\",\"AE\":\"United Arab Emirates\",\"GB\":\"United Kingdom\",\"US\":\"United States\",\"UY\":\"Uruguay\",\"UZ\":\"Uzbekistan\",\"VU\":\"Vanuatu\",\"VA\":\"Vatican City\",\"VE\":\"Venezuela\",\"VN\":\"Vietnam\",\"WF\":\"Wallis and Futuna\",\"YE\":\"Yemen\",\"ZM\":\"Zambia\",\"ZW\":\"Zimbabwe\"}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_448\">The phone number you provided is unreachable.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"error_449\">User has exceeded the number of retry attempts.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"verification_code_input_placeholder_text\">Verification code</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"strongAuthenticationPhoneNumber\" StringId=\"DisplayName\">Phone Number</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n\n      <!-- Add more languages here -->\n    </Localization>\n  </BuildingBlocks>\n\n</TrustFrameworkPolicy>"
  },
  {
    "path": "SocialAndLocalAccountsWithMfa/readme.md",
    "content": "# Local and social accounts sign-up or sign-in and MFA user journey overview\n\nAzure Active Directory B2C (Azure AD B2C) integrates directly with Azure AD Multi-Factor Authentication so that you can add a second layer of security to sign-up and sign-in experiences in your applications. For more information, see [Enable multi-factor authentication in Azure Active Directory B2C](https://docs.microsoft.com/azure/active-directory-b2c/multi-factor-authentication?pivots=b2c-custom-policy).\n\nThis article gives an overview of the **local and social accounts sign-up or sign-in with MFA** user journey custom policies. We recommend that you review the [Local and social accounts sign-up or sign-in user journey](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/tree/master/SocialAndLocalAccounts) before reading this article.\n\n\nThe _SocialAndLocalAccountsWithMfa_ starter pack relies on the [SocialAndLocalAccounts](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/tree/master/SocialAndLocalAccounts) starter pack. The following are the elements that you have to add to your policy to support MFA.\n\n## Claim types\n\nA claim provides temporary storage of data during an Azure AD B2C policy execution. The [claims schema](https://docs.microsoft.com/azure/active-directory-b2c/claimsschema) is the place where you declare your claims. 
The following elements are used to define the claim:\n\n```xml\n<!--\n<BuildingBlocks>\n  <ClaimsSchema> -->\n    <ClaimType Id=\"strongAuthenticationPhoneNumber\">\n      <DisplayName>Phone Number</DisplayName>\n      <DataType>string</DataType>\n      <Mask Type=\"Simple\">XXX-XXX-</Mask>\n      <UserHelpText>Your telephone number</UserHelpText>\n    </ClaimType>\n\n    <ClaimType Id=\"Verified.strongAuthenticationPhoneNumber\">\n      <DisplayName>Verified Phone Number</DisplayName>\n      <DataType>string</DataType>\n      <DefaultPartnerClaimTypes>\n        <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"phone_number\" />\n      </DefaultPartnerClaimTypes>\n      <Mask Type=\"Simple\">XXX-XXX-</Mask>\n      <UserHelpText>Your office phone number that has been verified</UserHelpText>\n    </ClaimType>\n\n    <ClaimType Id=\"newPhoneNumberEntered\">\n      <DisplayName>New Phone Number Entered</DisplayName>\n      <DataType>boolean</DataType>\n    </ClaimType>\n\n    <ClaimType Id=\"userIdForMFA\">\n      <DisplayName>UserId for MFA</DisplayName>\n      <DataType>string</DataType>\n    </ClaimType>\n  <!--\n  </ClaimsSchema>\n</BuildingBlocks> -->\n```\n\n## Claims transformation\n\nThe _CreateUserIdForMFA_ claims transformation creates a unique identifier for the user. 
The identifier is used when Azure AD B2C sends and verifies the code.\n\n```xml\n<!--\n<BuildingBlocks>\n  <ClaimsTransformations> -->\n    <ClaimsTransformation Id=\"CreateUserIdForMFA\" TransformationMethod=\"FormatStringClaim\">\n      <InputClaims>\n        <InputClaim ClaimTypeReferenceId=\"objectId\" TransformationClaimType=\"inputClaim\" />\n      </InputClaims>\n      <InputParameters>\n        <InputParameter Id=\"stringFormat\" DataType=\"string\" Value=\"{0}@{RelyingPartyTenantId}\" />\n      </InputParameters>\n      <OutputClaims>\n        <OutputClaim ClaimTypeReferenceId=\"userIdForMFA\" TransformationClaimType=\"outputClaim\" />\n      </OutputClaims>\n    </ClaimsTransformation>\n  <!--\n  </ClaimsTransformations>\n</BuildingBlocks> -->\n```\n\n## Content definitions\n\nThe following [content definition](https://docs.microsoft.com/azure/active-directory-b2c/contentdefinitions) is used to render the MFA registration and verification page.\n\n```xml\n<!--\n<BuildingBlocks>\n  <ContentDefinitions> -->\n    <ContentDefinition Id=\"api.phonefactor\">\n      <LoadUri>~/tenant/templates/AzureBlue/multifactor-1.0.0.cshtml</LoadUri>\n      <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n      <DataUri>urn:com:microsoft:aad:b2c:elements:contract:multifactor:1.2.5</DataUri>\n      <Metadata>\n        <Item Key=\"DisplayName\">Multi-factor authentication page</Item>\n      </Metadata>\n    </ContentDefinition>\n  <!--\n  </ContentDefinitions>\n</BuildingBlocks> -->\n```\n\n## Technical profiles\n\nThe following technical profiles are used to support MFA.\n\n\n|Technical profile  |Type  |Description  |Changes from SocialAndLocalAccounts |\n|---------|---------|---------|---------|\n|PhoneFactor-InputOrVerify | [Phone Factor](https://docs.microsoft.com/azure/active-directory-b2c/phone-factor-technical-profile) | Provides a user interface to interact with the user to verify or enroll a phone number.| New |\n|AAD-UserReadUsingAlternativeSecurityId | 
[AzureActiveDirectory](https://docs.microsoft.com/azure/active-directory-b2c/active-directory-technical-profile) | | |\n|AAD-UserWriteUsingLogonEmail |[AzureActiveDirectory](https://docs.microsoft.com/azure/active-directory-b2c/active-directory-technical-profile) |  | Persists the phone number to the user profile. |\n|AAD-UserReadUsingEmailAddress |[AzureActiveDirectory](https://docs.microsoft.com/azure/active-directory-b2c/active-directory-technical-profile) | | Returns the phone number from the user profile.|\n|AAD-UserWritePasswordUsingObjectId |[AzureActiveDirectory](https://docs.microsoft.com/azure/active-directory-b2c/active-directory-technical-profile) | Update user's password | Persists the phone number to the user profile.|\n|AAD-UserWriteProfileUsingObjectId |[AzureActiveDirectory](https://docs.microsoft.com/azure/active-directory-b2c/active-directory-technical-profile) | Update user's profile | Persists the phone number to the user profile. |\n|AAD-UserReadUsingObjectId |[AzureActiveDirectory](https://docs.microsoft.com/azure/active-directory-b2c/active-directory-technical-profile) | Read user profile by user object ID| Returns the phone number from the user profile. |\n|AAD-UserWritePhoneNumberUsingObjectId |[AzureActiveDirectory](https://docs.microsoft.com/azure/active-directory-b2c/active-directory-technical-profile) | Persists the phone number to the user profile. | New |\n|LocalAccountDiscoveryUsingEmailAddress | [SelfAsserted](https://docs.microsoft.com/azure/active-directory-b2c/self-asserted-technical-profile) | Password reset flow | Returns the phone number from the user profile. 
|\n|LocalAccountWritePasswordUsingObjectId |[SelfAsserted](https://docs.microsoft.com/azure/active-directory-b2c/self-asserted-technical-profile) |  | Input claim |\n|SM-MFA |[SSO](https://docs.microsoft.com/azure/active-directory-b2c/custom-policy-reference-sso) | MFA session manager | New |\n\n\n```xml\n<!-- \n<ClaimsProviders> -->\n  <ClaimsProvider>\n    <DisplayName>PhoneFactor</DisplayName>\n    <TechnicalProfiles>\n      <TechnicalProfile Id=\"PhoneFactor-InputOrVerify\">\n        <DisplayName>PhoneFactor</DisplayName>\n        <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.PhoneFactorProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n        <Metadata>\n          <Item Key=\"ContentDefinitionReferenceId\">api.phonefactor</Item>\n          <Item Key=\"ManualPhoneNumberEntryAllowed\">true</Item>\n        </Metadata>\n        <CryptographicKeys>\n          <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n        </CryptographicKeys>\n        <InputClaimsTransformations>\n          <InputClaimsTransformation ReferenceId=\"CreateUserIdForMFA\" />\n        </InputClaimsTransformations>\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"userIdForMFA\" PartnerClaimType=\"UserId\" />\n          <InputClaim ClaimTypeReferenceId=\"strongAuthenticationPhoneNumber\" />\n        </InputClaims>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"Verified.strongAuthenticationPhoneNumber\" PartnerClaimType=\"Verified.OfficePhone\" />\n          <OutputClaim ClaimTypeReferenceId=\"newPhoneNumberEntered\" PartnerClaimType=\"newPhoneNumberEntered\" />\n        </OutputClaims>\n        <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-MFA\" />\n      </TechnicalProfile>\n    </TechnicalProfiles>\n  </ClaimsProvider>\n  <ClaimsProvider>\n    <DisplayName>Azure Active Directory</DisplayName>\n    <TechnicalProfiles>\n      <TechnicalProfile 
Id=\"AAD-UserReadUsingAlternativeSecurityId\">\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"strongAuthenticationPhoneNumber\"/>\n        </OutputClaims>\n      </TechnicalProfile>\n      <TechnicalProfile Id=\"AAD-UserWriteUsingLogonEmail\">\n        <PersistedClaims>\n          <PersistedClaim ClaimTypeReferenceId=\"Verified.strongAuthenticationPhoneNumber\" PartnerClaimType=\"strongAuthenticationPhoneNumber\"/>\n          </PersistedClaims>\n      </TechnicalProfile>\n      <TechnicalProfile Id=\"AAD-UserReadUsingEmailAddress\">\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"strongAuthenticationPhoneNumber\"/>\n        </OutputClaims>\n      </TechnicalProfile>\n      <TechnicalProfile Id=\"AAD-UserWritePasswordUsingObjectId\">\n        <PersistedClaims>\n          <PersistedClaim ClaimTypeReferenceId=\"Verified.strongAuthenticationPhoneNumber\" PartnerClaimType=\"strongAuthenticationPhoneNumber\"/>\n        </PersistedClaims>\n      </TechnicalProfile>\n      <TechnicalProfile Id=\"AAD-UserWriteProfileUsingObjectId\">\n        <PersistedClaims>\n          <PersistedClaim ClaimTypeReferenceId=\"Verified.strongAuthenticationPhoneNumber\" PartnerClaimType=\"strongAuthenticationPhoneNumber\"/>\n        </PersistedClaims>\n      </TechnicalProfile>\n      <TechnicalProfile Id=\"AAD-UserReadUsingObjectId\">\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"strongAuthenticationPhoneNumber\"/>\n        </OutputClaims>\n      </TechnicalProfile>\n      <TechnicalProfile Id=\"AAD-UserWritePhoneNumberUsingObjectId\">\n        <Metadata>\n          <Item Key=\"Operation\">Write</Item>\n          <Item Key=\"RaiseErrorIfClaimsPrincipalAlreadyExists\">false</Item>\n          <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n        </Metadata>\n        <IncludeInSso>false</IncludeInSso>\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"objectId\" Required=\"true\"/>\n    
    </InputClaims>\n        <PersistedClaims>\n          <PersistedClaim ClaimTypeReferenceId=\"objectId\"/>\n          <PersistedClaim ClaimTypeReferenceId=\"Verified.strongAuthenticationPhoneNumber\" PartnerClaimType=\"strongAuthenticationPhoneNumber\"/>\n        </PersistedClaims>\n        <IncludeTechnicalProfile ReferenceId=\"AAD-Common\"/>\n      </TechnicalProfile>\n    </TechnicalProfiles>\n  </ClaimsProvider>\n  <ClaimsProvider>\n    <DisplayName>Local Account</DisplayName>\n    <TechnicalProfiles>\n      <TechnicalProfile Id=\"LocalAccountDiscoveryUsingEmailAddress\">\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"strongAuthenticationPhoneNumber\"/>\n        </OutputClaims>\n      </TechnicalProfile>\n      <TechnicalProfile Id=\"LocalAccountWritePasswordUsingObjectId\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"Verified.strongAuthenticationPhoneNumber\"/>\n        </InputClaims>\n      </TechnicalProfile>\n    </TechnicalProfiles>\n  </ClaimsProvider>\n  <ClaimsProvider>\n    <DisplayName>Session Management</DisplayName>\n    <TechnicalProfiles>\n      <TechnicalProfile Id=\"SM-MFA\">\n        <DisplayName>Session Mananagement Provider</DisplayName>\n        <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.DefaultSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\"/>\n        <PersistedClaims>\n          <PersistedClaim ClaimTypeReferenceId=\"Verified.strongAuthenticationPhoneNumber\"/>\n        </PersistedClaims>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"isActiveMFASession\" DefaultValue=\"true\"/>\n        </OutputClaims>\n      </TechnicalProfile>\n    </TechnicalProfiles>\n  </ClaimsProvider>\n<!-- \n</ClaimsProviders> -->\n```\n\n## User journeys\n\nThe following are the required orchestration steps required for MFA. 
The _PhoneFactor-Verify_ claims exchange registers a phone number (if the phone number claim is empty), or verifies it (if a phone number is already stored in the directory).  \n\n```xml\n<UserJourneys>\n  <UserJourney Id=\"SignUpOrSignIn\">\n    <OrchestrationSteps>\n      ...\n      <OrchestrationStep Order=\"7\" Type=\"ClaimsExchange\">\n        <Preconditions>\n          <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n            <Value>isActiveMFASession</Value>\n            <Action>SkipThisOrchestrationStep</Action>\n          </Precondition>\n        </Preconditions>\n        <ClaimsExchanges>\n          <ClaimsExchange Id=\"PhoneFactor-Verify\" TechnicalProfileReferenceId=\"PhoneFactor-InputOrVerify\"/>\n        </ClaimsExchanges>\n      </OrchestrationStep>\n      <OrchestrationStep Order=\"8\" Type=\"ClaimsExchange\">\n        <Preconditions>\n          <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"false\">\n            <Value>newPhoneNumberEntered</Value>\n            <Action>SkipThisOrchestrationStep</Action>\n          </Precondition>\n        </Preconditions>\n        <ClaimsExchanges>\n          <ClaimsExchange Id=\"AADUserWriteWithObjectId\" TechnicalProfileReferenceId=\"AAD-UserWritePhoneNumberUsingObjectId\"/>\n        </ClaimsExchanges>\n      </OrchestrationStep>\n      ...\n    </OrchestrationSteps>\n  </UserJourney>\n\n  <UserJourney Id=\"ProfileEdit\">\n    <OrchestrationSteps>\n      ...\n      <OrchestrationStep Order=\"5\" Type=\"ClaimsExchange\">\n        <ClaimsExchanges>\n          <ClaimsExchange Id=\"PhoneFactor\" TechnicalProfileReferenceId=\"PhoneFactor-InputOrVerify\"/>\n        </ClaimsExchanges>\n      </OrchestrationStep>\n      ...\n    </OrchestrationSteps>\n    <ClientDefinition ReferenceId=\"DefaultWeb\"/>\n  </UserJourney>\n\n  <UserJourney Id=\"PasswordReset\">\n    <OrchestrationSteps>\n      ...\n      <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n        <ClaimsExchanges>\n          <ClaimsExchange Id=\"PhoneFactor-Verify\" 
TechnicalProfileReferenceId=\"PhoneFactor-InputOrVerify\"/>\n        </ClaimsExchanges>\n      </OrchestrationStep>\n      ...\n    <ClientDefinition ReferenceId=\"DefaultWeb\"/>\n  </UserJourney>\n\n</UserJourneys>\n```"
  },
  {
    "path": "TrustFrameworkPolicy_0.3.0.0.xsd",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<xs:schema xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\" targetNamespace=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\" xmlns:tfp=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" elementFormDefault=\"qualified\">\n  <!-- <xs:schema xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2014/07\" targetNamespace=\"http://schemas.microsoft.com/online/cpim/schemas/2014/07\" xmlns:tfp=\"http://schemas.microsoft.com/online/cpim/schemas/2014/07\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" elementFormDefault=\"qualified\"> -->\n  <!--\n    The top-level definition of a trust framework policy. Each section is defined by type elsewhere.\n  -->\n  <xs:element name=\"TrustFrameworkPolicy\">\n    <xs:annotation>\n      <xs:documentation>\n        The root element within which a Trust Framework Policy is defined.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:complexType>\n      <xs:sequence>\n        <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"BasePolicy\" type=\"tfp:BasePolicy\" />\n\n        <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"PolicyConstraints\">\n          <xs:annotation>\n            <xs:documentation>\n              This section contains the policy constraints controlling which tenants and policies\n              can inherit from it.\n            </xs:documentation>\n          </xs:annotation>\n          <xs:complexType>\n            <xs:sequence>\n              <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"Inheritance\" type=\"tfp:Inheritance\" />\n              <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"RerouteRules\" type=\"tfp:RerouteRules\" />\n            </xs:sequence>\n          </xs:complexType>\n        </xs:element>\n\n        <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"Contacts\">\n          <xs:annotation>\n            <xs:documentation>\n             
 Contains a list of contacts who can be communicated with for notifications and issues regarding the Policy.\n            </xs:documentation>\n          </xs:annotation>\n          <xs:complexType>\n            <xs:sequence>\n              <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"Contact\" type=\"tfp:Contact\" />\n            </xs:sequence>\n          </xs:complexType>\n        </xs:element>\n\n        <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"DocumentReferences\">\n          <xs:annotation>\n            <xs:documentation>\n              Contains a list of references to documents for the Policy.\n            </xs:documentation>\n          </xs:annotation>\n          <xs:complexType>\n            <xs:sequence>\n              <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"DocumentReference\" type=\"tfp:DocumentReference\" />\n            </xs:sequence>\n          </xs:complexType>\n          <xs:key name=\"UniqueDocumentReferenceId\">\n            <xs:selector xpath=\"tfp:DocumentReference\"/>\n            <xs:field xpath=\"@Id\"/>\n          </xs:key>\n        </xs:element>\n\n        <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"BuildingBlocks\" type=\"tfp:BuildingBlocks\" />\n\n        <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"ClaimsProviders\">\n          <xs:annotation>\n            <xs:documentation>\n              This section contains the Claims Providers and their Technical Profiles that may be used in the various User Journeys.\n            </xs:documentation>\n          </xs:annotation>\n          <xs:complexType>\n            <xs:sequence>\n              <xs:element minOccurs=\"1\" maxOccurs=\"unbounded\" name=\"ClaimsProvider\" type=\"tfp:ClaimsProvider\"/>\n            </xs:sequence>\n          </xs:complexType>\n          <xs:key name=\"UniqueTechnicalProfileId\">\n            <xs:selector xpath=\"tfp:ClaimsProvider/tfp:TechnicalProfiles/tfp:TechnicalProfile\"/>\n            <xs:field 
xpath=\"@Id\"/>\n          </xs:key>\n        </xs:element>\n\n        <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"UserJourneys\">\n          <xs:annotation>\n            <xs:documentation>\n              The User Journeys through which a user is taken to retrieve the claims that are to be presented to the relying party.\n            </xs:documentation>\n          </xs:annotation>\n          <xs:complexType>\n            <xs:sequence>\n              <xs:element minOccurs=\"1\" maxOccurs=\"unbounded\" name=\"UserJourney\" type=\"tfp:UserJourney\" />\n            </xs:sequence>\n          </xs:complexType>\n          <xs:key name=\"UniqueUserJourneyId\">\n            <xs:selector xpath=\"tfp:UserJourney\"/>\n            <xs:field xpath=\"@Id\"/>\n          </xs:key>\n        </xs:element>\n        \n        <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"SubJourneys\">\n          <xs:annotation>\n            <xs:documentation>\n              The SubJourneys that are components of UserJourneys and are executed as part of a User Journey.\n            </xs:documentation>\n          </xs:annotation>\n          <xs:complexType>\n            <xs:sequence>\n              <xs:element minOccurs=\"1\" maxOccurs=\"unbounded\" name=\"SubJourney\" type=\"tfp:SubJourney\" />\n            </xs:sequence>\n          </xs:complexType>\n          <xs:key name=\"UniqueSubJourney\">\n            <xs:selector xpath=\"tfp:SubJourney\" />\n            <xs:field xpath=\"@Id\" />\n          </xs:key>\n        </xs:element>\n\n        <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"RelyingParty\">\n          <xs:complexType>\n            <xs:sequence>\n              <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"DefaultUserJourney\">\n                <xs:annotation>\n                  <xs:documentation>\n                    An identifier of the User Journey which the orchestration engine will begin with. 
A merged trust framework policy\n                    can contain multiple user journeys and relying parties select one of them as the starting point.\n                  </xs:documentation>\n                </xs:annotation>\n                <xs:complexType>\n                  <xs:attribute use=\"required\" name=\"ReferenceId\" type=\"xs:string\"/>\n                </xs:complexType>\n              </xs:element>\n              <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"Endpoints\">\n                <xs:annotation>\n                  <xs:documentation>\n                    Defines different endpoints exposed by the policy and maps to UserJourneys to invoke.\n                  </xs:documentation>\n                </xs:annotation>\n                <xs:complexType>\n                  <xs:sequence>\n                    <xs:element name=\"Endpoint\" type=\"tfp:Endpoint\" minOccurs=\"1\" maxOccurs=\"unbounded\" />\n                  </xs:sequence>\n                </xs:complexType>\n                <xs:key name=\"UniqueEndpoint\">\n                  <xs:selector xpath=\"tfp:Endpoint\" />\n                  <xs:field xpath=\"@Id\" />\n                </xs:key>\n              </xs:element>\n              <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"UserJourneyBehaviors\">\n                <xs:annotation>\n                  <xs:documentation>\n                    Controls the scope of various user journey behaviors.\n                  </xs:documentation>\n                </xs:annotation>\n                <xs:complexType>\n                  <xs:sequence>\n                    <xs:element name=\"SingleSignOn\" type=\"tfp:SingleSignOn\" minOccurs=\"0\" maxOccurs=\"1\">\n                      <xs:annotation>\n                        <xs:documentation>\n                          Controls the scope of the single sign on behavior of a user journey.\n                        </xs:documentation>\n                      </xs:annotation>\n                    </xs:element>\n     
               <xs:element name=\"SessionExpiryType\" type=\"tfp:SessionExpiryTypeTYPE\" minOccurs=\"0\" maxOccurs=\"1\">\n                      <xs:annotation>\n                        <xs:documentation>\n                          Controls whether the session is rolling or absolute.\n                        </xs:documentation>\n                      </xs:annotation>\n                    </xs:element>\n                    <xs:element name=\"SessionExpiryInSeconds\" type=\"xs:int\" minOccurs=\"0\" maxOccurs=\"1\">\n                      <xs:annotation>\n                        <xs:documentation>\n                          Controls the time of the session expiry in seconds.\n                        </xs:documentation>\n                      </xs:annotation>\n                    </xs:element>\n                    <xs:element name=\"AzureApplicationInsights\" type=\"tfp:AzureApplicationInsights\" minOccurs=\"0\" maxOccurs=\"1\">\n                      <xs:annotation>\n                        <xs:documentation>\n                          DEPRECATED - Use JourneyInsights indicating ApplicationInsights as the telemetry engine.\n                        </xs:documentation>\n                      </xs:annotation>\n                    </xs:element>\n                    <xs:element name=\"JourneyInsights\" type=\"tfp:JourneyInsights\" minOccurs=\"0\" maxOccurs=\"1\">\n                      <xs:annotation>\n                        <xs:documentation>\n                          Specifies the details required for journey insights.\n                        </xs:documentation>\n                      </xs:annotation>\n                    </xs:element>\n                    <xs:element name=\"ContentDefinitionParameters\" type=\"tfp:ContentDefinitionParameters\" minOccurs=\"0\" maxOccurs=\"1\">\n                      <xs:annotation>\n                        <xs:documentation>\n                          Specifies a list of key value pairs to be appended to the content definition 
load uri.\n                        </xs:documentation>\n                      </xs:annotation>\n                    </xs:element>\n                    <xs:element name=\"JourneyFraming\" type=\"tfp:JourneyFraming\" minOccurs=\"0\" maxOccurs=\"1\">\n                      <xs:annotation>\n                        <xs:documentation>\n                          Specifies whether journey framing is enabled and for what sources.\n                        </xs:documentation>\n                      </xs:annotation>\n                    </xs:element>\n                    <xs:element name=\"ScriptExecution\" type=\"tfp:ScriptExecutionType\" minOccurs=\"0\" maxOccurs=\"1\">\n                      <xs:annotation>\n                        <xs:documentation>\n                          Controls whether script execution is allowed for the journey.\n                        </xs:documentation>\n                      </xs:annotation>\n                    </xs:element>\n                    <xs:element name=\"OnError\" type=\"tfp:JourneyOnError\" minOccurs=\"0\" maxOccurs=\"1\">\n                      <xs:annotation>\n                        <xs:documentation>\n                          Specifies the error handling behavior of a journey.\n                        </xs:documentation>\n                      </xs:annotation>\n                    </xs:element>\n                  </xs:sequence>\n                </xs:complexType>\n              </xs:element>\n              <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"TechnicalProfile\" type=\"tfp:TechnicalProfile\"/>\n            </xs:sequence>\n          </xs:complexType>\n        </xs:element>\n      </xs:sequence>\n      <xs:attribute use=\"required\" name=\"PolicySchemaVersion\" type=\"tfp:FourPartVersionNumber\">\n        <xs:annotation>\n          <xs:documentation>\n            Determines the schema version published by Microsoft using which this Policy is to be executed.\n          </xs:documentation>\n        
</xs:annotation>\n      </xs:attribute>\n      <xs:attribute use=\"required\" name=\"TenantId\" type=\"tfp:TenantId\">\n        <xs:annotation>\n          <xs:documentation>\n            The unique identifier of the tenant to which this policy belongs.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:attribute>\n      <xs:attribute use=\"optional\" name=\"TenantObjectId\" type=\"tfp:TenantObjectId\">\n        <xs:annotation>\n          <xs:documentation>\n            The unique identifier of the object ID of the Azure tenant.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:attribute>\n      <xs:attribute use=\"required\" name=\"PolicyId\" type=\"tfp:PolicyId\">\n        <xs:annotation>\n          <xs:documentation>\n            The unique identifier of this policy.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:attribute>\n      <xs:attribute use=\"required\" name=\"PublicPolicyUri\" type=\"xs:anyURI\">\n        <xs:annotation>\n          <xs:documentation>\n            The URI for the policy which is an appropriate name of the policy outside of the CPIM system.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:attribute>\n      <xs:attribute use=\"optional\" name=\"StateTableName\" type=\"xs:string\">\n        <xs:annotation>\n          <xs:documentation>\n            The name of the StateTable that should execute this policy.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:attribute>\n      <xs:attribute use=\"optional\" name=\"DeploymentMode\" type=\"tfp:DeploymentModeType\">\n        <xs:annotation>\n          <xs:documentation>\n            The mode under which the policy should be deployed.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:attribute>\n      <xs:attribute use=\"optional\" name=\"UserJourneyRecorderEndpoint\" type=\"xs:string\">\n        <xs:annotation>\n          <xs:documentation>\n            The Url in the format 
http://{host}?stream={guid} (where the braces are omitted)\n            of a service able to receive http posts documenting user journey progress\n          </xs:documentation>\n        </xs:annotation>\n      </xs:attribute>\n    </xs:complexType>\n  </xs:element>\n\n  <xs:complexType name=\"BasePolicy\">\n    <xs:annotation>\n      <xs:documentation>\n        This section defines the base policy from which this Policy is derived.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:sequence>\n      <xs:element minOccurs=\"1\" maxOccurs=\"1\" name=\"TenantId\" type=\"tfp:TenantId\">\n        <xs:annotation>\n          <xs:documentation>\n            The identifier of the tenant that published the base policy. The base policy is looked up inside the tenant\n            specified here.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n      <xs:element minOccurs=\"1\" maxOccurs=\"1\" name=\"PolicyId\" type=\"tfp:PolicyId\">\n        <xs:annotation>\n          <xs:documentation>\n            The identifier of the base policy. 
The policy is looked up using this identifier within the tenant specified\n            by the preceding element.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n    </xs:sequence>\n  </xs:complexType>\n\n  <xs:complexType name=\"Inheritance\">\n    <xs:annotation>\n      <xs:documentation>\n        This section defines the constraints for policies inheriting from this policy.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:choice minOccurs=\"0\">\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"Tenants\" type=\"tfp:TenantListType\">\n        <xs:annotation>\n          <xs:documentation>\n            A list of tenant references used when the inheritance rule is an allow or deny list.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"ConstraintHandler\" type=\"tfp:ConstraintHandler\">\n        <xs:annotation>\n          <xs:documentation>\n            A handler implementing the IConstraintHandler interface for applying more complex inheritance rules.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n    </xs:choice>\n    <xs:attribute use=\"required\" name=\"DerivingPolicies\" type=\"xs:string\" />\n  </xs:complexType>\n\n  <xs:complexType name=\"RerouteRules\">\n    <xs:annotation>\n      <xs:documentation>\n        This section defines policy rerouting rules.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:sequence>\n      <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"RerouteRule\" type=\"tfp:RerouteRule\">\n        <xs:annotation>\n          <xs:documentation>\n            A list of reroute rules\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n    </xs:sequence>\n    <xs:attribute use=\"required\" name=\"Type\" type=\"xs:string\" />\n  </xs:complexType>\n\n  <xs:complexType name=\"RerouteRule\">\n    <xs:annotation>\n      <xs:documentation>\n       
 This section defines details of a rerouting rule\n      </xs:documentation>\n    </xs:annotation>\n    <xs:attribute use=\"required\" name=\"PolicyId\" type=\"tfp:PolicyIdPattern\">\n      <xs:annotation>\n        <xs:documentation>\n          The unique identifier of this policy.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"optional\" name=\"Weight\" type=\"tfp:Weight\">\n      <xs:annotation>\n        <xs:documentation>\n          The weight for a policy in case of A/B testing.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"optional\" name=\"Match\" type=\"tfp:Match\">\n      <xs:annotation>\n        <xs:documentation>\n          Defines an attribute that can be passed into the query string, that will match the policy to be redirected to.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n\n  <xs:complexType name=\"ConstraintHandler\">\n    <xs:annotation>\n      <xs:documentation>\n        This section defines the constraints for policies inheriting from this policy.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:attribute use=\"required\" name=\"Id\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          A machine understandable identifier that is used to uniquely identify this particular constraint handler.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"required\" name=\"Handler\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          A fully-qualified name of the assembly that will be used by CPIM to determine the constraint handler.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n\n  <xs:complexType name=\"TechnicalProfile\">\n    <xs:annotation>\n      <xs:documentation>\n        Every Claims Provider must have one or more Technical Profiles 
which determines the end points and the protocols needed\n        to communicate with that Claims Provider. In fact, in CPIM, it is the Technical Profile that is referenced elsewhere for\n        communication with a particular Claims Provider.\n\n        A Claims Provider can have multiple Technical Profiles for various reasons. For example, multiple Technical Profiles may\n        be defined because the Claims Provider supports multiple protocols, various endpoints with different capabilities, or\n        releases different claims at different assurance levels. It may be acceptable to release\n        sensitive claims in one User Journey, but not in another one. A Technical Profile is usually certified for\n        a Level of Assurance and thus one Claims Provider may have multiple Technical Profiles for different Levels of Assurance.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:sequence>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"Domains\">\n        <xs:annotation>\n          <xs:documentation>\n            The human understandable domain names for the technical profile.\n          </xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:sequence>\n            <xs:element minOccurs=\"1\" maxOccurs=\"unbounded\" name=\"Domain\" type=\"tfp:nonemptystring\">\n              <xs:annotation>\n                <xs:documentation>\n                  The human understandable domain name for the technical profile.\n                </xs:documentation>\n              </xs:annotation>\n            </xs:element>\n          </xs:sequence>\n        </xs:complexType>\n      </xs:element>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"Domain\" type=\"xs:string\">\n        <xs:annotation>\n          <xs:documentation>\n            The human understandable domain name for the technical profile.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n      <xs:element minOccurs=\"0\" 
maxOccurs=\"1\" name=\"DisplayName\" type=\"xs:string\">\n        <xs:annotation>\n          <xs:documentation>\n            The human understandable name of the Technical Profile that can be displayed to the users.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"Description\" type=\"xs:string\">\n        <xs:annotation>\n          <xs:documentation>\n            Provides detailed user understandable text to explain the Technical Profile.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"Protocol\">\n        <xs:annotation>\n          <xs:documentation>\n            The protocol used for federation.\n          </xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:attribute use=\"required\" name=\"Name\" type=\"tfp:ProtocolName\">\n            <xs:annotation>\n              <xs:documentation>\n                Name of the protocol used by CPIM for claims exchange with the claims provider.\n              </xs:documentation>\n            </xs:annotation>\n          </xs:attribute>\n          <xs:attribute use=\"optional\" name=\"Handler\" type=\"xs:string\">\n            <xs:annotation>\n              <xs:documentation>\n                A fully-qualified name of the assembly that will be used by CPIM to determine the protocol handler if the protocol\n                name is \"Proprietary\". 
It is invalid to provide this attribute with any other protocol name.\n              </xs:documentation>\n            </xs:annotation>\n          </xs:attribute>\n        </xs:complexType>\n      </xs:element>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"InputTokenFormat\" type=\"tfp:TokenFormat\">\n        <xs:annotation>\n          <xs:documentation>\n            Format of the input token\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"OutputTokenFormat\" type=\"tfp:TokenFormat\">\n        <xs:annotation>\n          <xs:documentation>\n            Format of the output token\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"AssuranceLevelOfOutputClaims\" type=\"xs:string\">\n        <xs:annotation>\n          <xs:documentation>\n            Lists the assurance level of the claims that are retrieved from the Technical Profile.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"RequiredAssuranceLevelsOfInputClaims\">\n        <xs:annotation>\n          <xs:documentation>\n            Lists the assurance levels that a claim must have in order for it to be used as an input claim to the Technical Profile.\n          </xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:sequence>\n            <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"RequiredAssuranceLevelOfInputClaims\" type=\"xs:string\"/>\n          </xs:sequence>\n        </xs:complexType>\n      </xs:element>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"SubjectAuthenticationRequirements\">\n        <xs:annotation>\n          <xs:documentation>\n            Requirements regarding the conscious and active participation of the subject in authentication\n          </xs:documentation>\n      
  </xs:annotation>\n        <xs:complexType>\n          <xs:attribute use=\"required\" name=\"TimeToLive\" type=\"xs:int\">\n            <xs:annotation>\n              <xs:documentation>\n                The maximum number of minutes cached credentials can be used following an active authentication by the subject.\n              </xs:documentation>\n            </xs:annotation>\n          </xs:attribute>\n          <xs:attribute use=\"optional\" name=\"ResetExpiryWhenTokenIssued\" type=\"xs:boolean\">\n            <xs:annotation>\n              <xs:documentation>\n                Default is False.  If True then whenever a token is issued\n                (even using a cached credential) the expiry time is set to the current time plus the TimeToLive\n              </xs:documentation>\n            </xs:annotation>\n          </xs:attribute>\n        </xs:complexType>\n      </xs:element>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"Metadata\" type=\"tfp:metadataTYPE\">\n        <xs:annotation>\n          <xs:documentation>\n            This is the data utilized by the protocol for communicating with the endpoint.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"CryptographicKeys\" type=\"tfp:CryptographicKeys\">\n        <xs:annotation>\n          <xs:documentation>\n            A list of cryptographic keys used in this technical profile.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"Suppressions\" type=\"tfp:ItemGroup\">\n        <xs:annotation>\n          <xs:documentation>\n            A list of suppressions supported by the protocol.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"PreferredBinding\" type=\"xs:string\">\n        <xs:annotation>\n          <xs:documentation>\n            If 
the protocol supports multiple bindings, this represents binding preferred by the protocol, for example HTTP POST or HTTP GET\n            in the case of SAML.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"IncludeInSso\" type=\"xs:boolean\">\n        <xs:annotation>\n          <xs:documentation>\n            A value indicating whether usage of this technical profile should apply\n            single-signon behavior for the session and instead require explicit interaction\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"InputTokenSources\" type=\"tfp:InputTokenSources\">\n        <xs:annotation>\n          <xs:documentation>\n            CPIM can send the original token from one claims provider to another claims provider. InputTokenSources are\n            the list of technical profiles of the claims providers from which the original tokens are to be sent.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n\n      <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"InputClaimsTransformations\">\n        <xs:annotation>\n          <xs:documentation>\n            ClaimsTransformations can be used to modify existing ClaimsSchema claims or generate new ones. 
This element contains the\n            list of references to ClaimsTransformations that should be executed before any claims are sent to the claims provider or the\n            relying party.\n          </xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:sequence>\n            <xs:element minOccurs=\"1\" maxOccurs=\"unbounded\" name=\"InputClaimsTransformation\" type=\"tfp:ClaimsTransformationReference\" />\n          </xs:sequence>\n        </xs:complexType>\n      </xs:element>\n\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"InputClaims\">\n        <xs:annotation>\n          <xs:documentation>\n            A list of the ClaimsSchema claim types that are sent as input to the claims provider or the relying party.\n          </xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:sequence>\n            <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"InputClaim\" type=\"tfp:ClaimsSchemaClaimTypeReference\" />\n          </xs:sequence>\n        </xs:complexType>\n      </xs:element>\n\n      <xs:element name=\"DisplayClaims\" minOccurs=\"0\" maxOccurs=\"1\">\n        <xs:annotation>\n          <xs:documentation>Defines a list of display claims for user interface controls.</xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:sequence>\n            <xs:element name=\"DisplayClaim\" type=\"DisplayClaimReference\" minOccurs=\"0\" maxOccurs=\"unbounded\" />\n          </xs:sequence>\n        </xs:complexType>\n      </xs:element>\n\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"PersistedClaims\">\n        <xs:annotation>\n          <xs:documentation>\n            A list of the ClaimsSchema claim types that are persisted by the claims provider.\n          </xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:sequence>\n            <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"PersistedClaim\" 
type=\"tfp:PersistedClaim\" />\n          </xs:sequence>\n        </xs:complexType>\n      </xs:element>\n\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"OutputClaims\">\n        <xs:annotation>\n          <xs:documentation>\n            A list of the ClaimsSchema claim types that are received as output from the claims provider.\n          </xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:sequence>\n            <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"OutputClaim\" type=\"tfp:ClaimsSchemaClaimTypeReference\" />\n          </xs:sequence>\n        </xs:complexType>\n      </xs:element>\n\n      <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"OutputClaimsTransformations\">\n        <xs:annotation>\n          <xs:documentation>\n            ClaimsTransformations can be used to modify existing ClaimsSchema claims or generate new ones. This element contains the\n            list of references to ClaimsTransformations that should be executed after claims are received from the claims provider.\n          </xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:sequence>\n            <xs:element minOccurs=\"1\" maxOccurs=\"unbounded\" name=\"OutputClaimsTransformation\" type=\"tfp:ClaimsTransformationReference\" />\n          </xs:sequence>\n        </xs:complexType>\n      </xs:element>\n\n      <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"ValidationTechnicalProfiles\">\n        <xs:annotation>\n          <xs:documentation>\n            A TechnicalProfile can have a set of other TechnicalProfiles that it uses for validation purposes. 
This section lists all\n            such technical profiles.\n          </xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:sequence>\n            <xs:element minOccurs=\"1\" maxOccurs=\"unbounded\" name=\"ValidationTechnicalProfile\">\n              <xs:complexType>\n                <xs:annotation>\n                  <xs:documentation>\n                    The technical profile to be used for validating some or all of the output claims of the referencing technical profile.\n                    Therefore, all the input claims of the referenced technical profile must appear in the output claims of the\n                    referencing technical profile.\n                  </xs:documentation>\n                </xs:annotation>\n\t\t\t\t<xs:sequence>\n\t\t\t\t  <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"Preconditions\" type=\"tfp:Preconditions\">\n\t\t\t\t\t<xs:annotation>\n\t\t\t\t\t  <xs:documentation>\n\t\t\t\t\t\tA list of preconditions that must be satisfied for the validation technical profile to execute.\n\t\t\t\t\t  </xs:documentation>\n\t\t\t\t\t</xs:annotation>\n\t\t\t\t  </xs:element>\n\t\t\t\t</xs:sequence>\n                <xs:attribute use=\"required\" name=\"ReferenceId\" type=\"xs:string\" />\n                <xs:attribute use=\"optional\" name=\"ContinueOnSuccess\" type=\"xs:boolean\">\n                  <xs:annotation>\n                    <xs:documentation>\n                      A boolean indicating whether validation of any subsequent validation profiles should continue if this\n                      profile succeeds. 
The default is true, meaning that the processing of further validation profiles will continue.\n                    </xs:documentation>\n                  </xs:annotation>\n                </xs:attribute>\n                <xs:attribute use=\"optional\" name=\"ContinueOnError\" type=\"xs:boolean\">\n                  <xs:annotation>\n                    <xs:documentation>\n                      A boolean indicating whether validation of any subsequent validation profiles should continue if this\n                      profile errors. The default is false, meaning that processing of further validation profiles will stop and\n                      an error returned.\n                    </xs:documentation>\n                  </xs:annotation>\n                </xs:attribute>\n              </xs:complexType>\n            </xs:element>\n          </xs:sequence>\n        </xs:complexType>\n        <xs:key name=\"UniqueTechnicalProfileReferenceId\">\n          <xs:selector xpath=\"tfp:ValidationTechnicalProfile\"/>\n          <xs:field xpath=\"@ReferenceId\"/>\n        </xs:key>\n      </xs:element>\n\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"SubjectNamingInfo\">\n        <xs:annotation>\n          <xs:documentation>\n            Information that controls production of the subject name in tokens (e.g. 
SAML) where subject name is specified separately\n            from claims.\n          </xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:attribute use=\"required\" name=\"ClaimType\" type=\"xs:string\" />\n          <xs:attribute use=\"optional\" name=\"NameQualifier\" type=\"xs:string\" />\n          <xs:attribute use=\"optional\" name=\"SPNameQualifier\" type=\"xs:string\" />\n          <xs:attribute use=\"optional\" name=\"Format\" type=\"xs:string\" />\n          <xs:attribute use=\"optional\" name=\"SPProvidedID\" type=\"xs:string\" />\n          <xs:attribute use=\"optional\" name=\"ExcludeAsClaim\" type=\"xs:boolean\" />\n        </xs:complexType>\n      </xs:element>\n\n      <xs:element minOccurs=\"0\" name=\"Extensions\" type=\"tfp:Extensions\">\n        <xs:annotation>\n          <xs:documentation>\n            An element for including additional information specific to a particular technical profile.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"IncludeClaimsFromTechnicalProfile\" type=\"xs:string\">\n        <xs:annotation>\n          <xs:documentation>\n            An id of a different technical profile. All input and output claims from the referenced technical profile will be\n            added to this technical profile. The referenced technical profile must be defined in the same trust framework policy.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"IncludeTechnicalProfile\">\n        <xs:complexType>\n          <xs:annotation>\n            <xs:documentation>\n              An id of a different technical profile. All data from the referenced technical profile will be\n              added to this technical profile. 
The referenced technical profile must exist in the trust framework policy.\n            </xs:documentation>\n          </xs:annotation>\n          <xs:attribute use=\"required\" name=\"ReferenceId\" type=\"xs:string\" />\n        </xs:complexType>\n      </xs:element>\n\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"UseTechnicalProfileForSessionManagement\">\n        <xs:complexType>\n          <xs:annotation>\n            <xs:documentation>\n              An id of a technical profile to be used for session management.\n            </xs:documentation>\n          </xs:annotation>\n          <xs:attribute use=\"required\" name=\"ReferenceId\" type=\"xs:string\" />\n        </xs:complexType>\n      </xs:element>\n\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"ErrorHandlers\">\n        <xs:annotation>\n          <xs:documentation>\n            Error handlers to take action based on different error responses.\n          </xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:sequence>\n            <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"ErrorHandler\">\n              <xs:complexType>\n                <xs:sequence>\n                  <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"ErrorResponseFormat\" type=\"tfp:ErrorResponseFormat\" >\n                    <xs:annotation>\n                      <xs:documentation>\n                        Format of the error response. Used to indicate the reader of the error response for path matching. Default is json.\n                      </xs:documentation>\n                    </xs:annotation>\n                  </xs:element>\n                  <xs:element minOccurs=\"1\" maxOccurs=\"1\" name=\"ResponseMatch\" type=\"xs:string\" >\n                    <xs:annotation>\n                      <xs:documentation>\n                        Match path for the response to trigger the action. JSONPath is used for a json response. 
XPath is used for an XML response.\n                      </xs:documentation>\n                    </xs:annotation>\n                  </xs:element>\n                  <xs:element minOccurs=\"1\" maxOccurs=\"1\" name=\"Action\" type=\"tfp:ErrorHandlingAction\" >\n                    <xs:annotation>\n                      <xs:documentation>\n                        Action to perform when the error response matches the pattern.\n                      </xs:documentation>\n                    </xs:annotation>\n                  </xs:element>\n                  <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"AdditionalRequestParameters\">\n                    <xs:complexType>\n                      <xs:annotation>\n                        <xs:documentation>\n                          Additional query string parameter to send for the reauthentication action.\n                        </xs:documentation>\n                      </xs:annotation>\n                      <xs:simpleContent>\n                        <xs:extension base=\"xs:string\">\n                          <xs:attribute name=\"Key\" type=\"xs:string\" use=\"required\"/>\n                        </xs:extension>\n                      </xs:simpleContent>\n                    </xs:complexType>\n                  </xs:element>\n                </xs:sequence>\n              </xs:complexType>\n            </xs:element>\n          </xs:sequence>\n        </xs:complexType>\n      </xs:element>\n\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"EnabledForUserJourneys\" type=\"tfp:EnabledForUserJourneysValues\">\n        <xs:annotation>\n          <xs:documentation>\n            A boolean indicating if the technical profile should be used within a user journey; this includes ClaimProviderSelections.\n            If this value is set to true, it will disable the selection.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n    </xs:sequence>\n\n    <xs:attribute use=\"required\" name=\"Id\" 
type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          A machine understandable identifier that is used to uniquely identify this particular TechnicalProfile,\n          and reference it from other sections of the document, for example OrchestrationSteps and InputTokenSources.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n\n  <!--\n    Describes a particular user journey, which may refer to sections defined elsewhere.\n  -->\n  <xs:complexType name=\"UserJourney\">\n    <xs:annotation>\n      <xs:documentation>\n        A User Journey defines all the constructs necessary for a complete user flow.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:sequence>\n\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"AssuranceLevel\" type=\"xs:string\">\n        <xs:annotation>\n          <xs:documentation>\n            Specifies a measurement of identity assurance when the claims are presented to the Relying\n            Party at the conclusion of the orchestration steps contained in the User Journey.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"PreserveOriginalAssertion\" type=\"xs:boolean\">\n        <xs:annotation>\n          <xs:documentation>\n            Claims are presented to the Relying Party Application in a token generated by CPIM. 
However, a Technical\n            Policy may state, using a true or a false for this element, that the original assertion which was returned from\n            the Claims Provider(s) must also be preserved so that, if needed, it can be looked at by the Relying Party for auditing\n            or diagnostic purposes.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n      \n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"Authorization\">\n        <xs:annotation>\n            <xs:documentation>\n            Specifies relevant information required for the Authorization elements of a UserJourney. This can point to other\n            element references in the policy for validating information about the request in order to assert that the request is allowed.\n            </xs:documentation>\n        </xs:annotation>\n        \n        <xs:complexType>\n          <xs:sequence>\n        \n            <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"AuthorizationTechnicalProfiles\">\n              <xs:annotation>\n                <xs:documentation>\n                  A TechnicalProfile can be used to extract information from a request and perform authorization of the request. This section lists all\n                  such technical profiles.\n                </xs:documentation>\n              </xs:annotation>\n              <xs:complexType>\n                <xs:sequence>\n                  <xs:element minOccurs=\"1\" maxOccurs=\"unbounded\" name=\"AuthorizationTechnicalProfile\">\n                    <xs:complexType>\n                      <xs:annotation>\n                        <xs:documentation>\n                          The technical profile to be used for validating/authorizing incoming data to assert the information is valid for the UserJourney. 
If\n                          the information is invalid, the UserJourney will not execute and the request is Forbidden.\n                        </xs:documentation>\n                      </xs:annotation>\n                      <xs:attribute use=\"required\" name=\"ReferenceId\" type=\"xs:string\" />\n                    </xs:complexType>\n                  </xs:element>\n                </xs:sequence>\n              </xs:complexType>\n              <xs:key name=\"UniqueAuthorizationTechnicalProfileReferenceId\">\n                <xs:selector xpath=\"tfp:AuthorizationTechnicalProfile\"/>\n                <xs:field xpath=\"@ReferenceId\"/>\n              </xs:key>\n            </xs:element>\n          \n          </xs:sequence>\n        </xs:complexType>\n      </xs:element>\n      \n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"OrchestrationSteps\">\n        <xs:annotation>\n          <xs:documentation>\n            This section lists the orchestration sequence that must be followed through for a successful transaction (i.e. a\n            complete user flow). Thus, every User Journey consists of an ordered list of Orchestration Steps (OS) that are\n            executed in sequence. 
If any step fails, the transaction fails.\n          </xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:sequence>\n            <xs:element minOccurs=\"1\" maxOccurs=\"unbounded\" name=\"OrchestrationStep\" type=\"tfp:OrchestrationStep\" />\n          </xs:sequence>\n        </xs:complexType>\n        <xs:key name=\"UniqueOrchestrationStepOrder\">\n          <xs:selector xpath=\"tfp:OrchestrationStep\"/>\n          <xs:field xpath=\"@Order\"/>\n        </xs:key>\n        <xs:key name=\"UniqueClaimsExchangeId\">\n          <xs:selector xpath=\"tfp:OrchestrationStep/tfp:ClaimsExchanges/tfp:ClaimsExchange\"/>\n          <xs:field xpath=\"@Id\"/>\n        </xs:key>\n      </xs:element>\n\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"ClientDefinition\">\n        <xs:annotation>\n          <xs:documentation>\n            References settings definition section that determines the client behavior.\n          </xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:attribute name=\"ReferenceId\" type=\"xs:string\">\n            <xs:annotation>\n              <xs:documentation>\n                The identifier of the policy to use.\n              </xs:documentation>\n            </xs:annotation>\n          </xs:attribute>\n        </xs:complexType>\n      </xs:element>\n\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"CryptographicKeys\" type=\"tfp:CryptographicKeys\">\n        <xs:annotation>\n          <xs:documentation>\n            A list of cryptographic keys used in this User Journey.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n\n    </xs:sequence>\n\n    <xs:attribute use=\"required\" name=\"Id\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          A machine understandable identifier that is used to uniquely identify this particular User Journey.\n        </xs:documentation>\n      </xs:annotation>\n    
</xs:attribute>\n\n    <xs:attribute use=\"optional\" name=\"NonInteractive\" type=\"xs:boolean\">\n      <xs:annotation>\n        <xs:documentation>\n          A boolean that is used to indicate whether this particular User Journey is non interactive.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n\n    <xs:attribute use=\"optional\" name=\"DefaultCpimIssuerTechnicalProfileReferenceId\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          The default Issuer TechnicalProfileId of the claims provider that will mint the token for the relyingParty.\n          If absent then CpimIssuerTechicalProfileReferenceId from first SendClaims step would be considered as default.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    \n  </xs:complexType>\n  \n  <xs:complexType name=\"SubJourney\">\n    <xs:annotation>\n      <xs:documentation>\n        A SubJourney describes a part of the User Journey\n      </xs:documentation>\n    </xs:annotation>\n    \n    <xs:sequence>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"OrchestrationSteps\">\n        <xs:annotation>\n          <xs:documentation>\n            This section lists the orchestration sequence that must be followed through for a successful transaction (i.e. a\n            complete user flow). Thus, every SubJourney consists of an ordered list of Orchestration Steps (OS) that are\n            executed in sequence. 
If any step fails, the transaction fails.\n          </xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:sequence>\n            <xs:element minOccurs=\"1\" maxOccurs=\"unbounded\" name=\"OrchestrationStep\" type=\"tfp:OrchestrationStep\" />\n          </xs:sequence>\n        </xs:complexType>\n        <xs:key name=\"UniqueOrchestrationStepOrderForSubJourney\">\n          <xs:selector xpath=\"tfp:OrchestrationStep\"/>\n          <xs:field xpath=\"@Order\"/>\n        </xs:key>\n        <xs:key name=\"UniqueClaimsExchangeIdForSubJourney\">\n          <xs:selector xpath=\"tfp:OrchestrationStep/tfp:ClaimsExchanges/tfp:ClaimsExchange\"/>\n          <xs:field xpath=\"@Id\"/>\n        </xs:key>\n      </xs:element>\n    </xs:sequence>\n    \n    <xs:attribute use=\"required\" name=\"Id\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          A machine understandable identifier that is used to uniquely identify this particular SubJourney.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    \n    <xs:attribute use=\"required\" name=\"Type\" type=\"tfp:SubJourneyTYPE\">\n      <xs:annotation>\n        <xs:documentation>\n          The type of the SubJourney that governs how it is executed in the context of the policy.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n      \n  </xs:complexType>\n  \n  <xs:complexType name=\"Endpoint\">\n    <xs:annotation>\n      <xs:documentation>\n        An Endpoint that describes what UserJourney should be invoked when a user agent lands on the endpoint.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:attribute use=\"required\" name=\"Id\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          A machine understandable identifier that is used to uniquely identify this particular Endpoint.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute 
use=\"required\" name=\"UserJourneyReferenceId\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          The unique identifier of the UserJourney to be executed on invoking the endpoint.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n\n  <!--\n    Policy definitions that technical policies may refer to\n  -->\n  <xs:complexType name=\"BuildingBlocks\">\n    <xs:annotation>\n      <xs:documentation>\n        This section contains all the definitions that are used by the Technical Policies.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:sequence>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"ClaimsSchema\">\n        <xs:annotation>\n          <xs:documentation>\n            This section defines all the claim types that can be referenced from other sections of the document.\n          </xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:sequence>\n            <xs:element minOccurs=\"1\" maxOccurs=\"unbounded\" name=\"ClaimType\" type=\"tfp:ClaimType\" />\n          </xs:sequence>\n        </xs:complexType>\n        <xs:key name=\"UniqueClaimTypeId\">\n          <xs:selector xpath=\"tfp:ClaimType\"/>\n          <xs:field xpath=\"@Id\"/>\n        </xs:key>\n      </xs:element>\n\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"Predicates\">\n        <xs:annotation>\n          <xs:documentation>\n            This section defines all the predicates that are used to validate input strings.\n          </xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:sequence>\n            <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"Predicate\" type=\"tfp:Predicate\" />\n          </xs:sequence>\n        </xs:complexType>\n        <xs:key name=\"UniquePredicateId\">\n          <xs:selector xpath=\"tfp:Predicate\"/>\n          <xs:field xpath=\"@Id\"/>\n        </xs:key>\n      </xs:element>\n\n      
<xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"InputValidations\">\n        <xs:annotation>\n          <xs:documentation>\n            This section defines input validations that combine predicates to create a string validation logic.\n          </xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:sequence>\n            <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"InputValidation\" type=\"tfp:InputValidation\" />\n          </xs:sequence>\n        </xs:complexType>\n        <xs:key name=\"UniqueInputValidationId\">\n          <xs:selector xpath=\"tfp:InputValidation\"/>\n          <xs:field xpath=\"@Id\"/>\n        </xs:key>\n      </xs:element>\n\t  \n\t    <!--New password complexity schema xsd-->\n\t    <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"PredicateValidations\">\n        <xs:annotation>\n          <xs:documentation>\n            This section defines predicate validations that combine predicates to create a string validation logic.\n          </xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:sequence>\n            <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"PredicateValidation\" type=\"tfp:PredicateValidation\" />\n          </xs:sequence>\n        </xs:complexType>\n        <xs:key name=\"UniquePredicateValidationId\">\n          <xs:selector xpath=\"tfp:PredicateValidation\"/>\n          <xs:field xpath=\"@Id\"/>\n        </xs:key>\n      </xs:element>\n\t    <!--END-->\n\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"ClaimsTransformations\">\n        <xs:annotation>\n          <xs:documentation>\n            Contains a list of claims transforms that can be used in Technical Policies.\n          </xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:sequence>\n            <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"ClaimsTransformation\" type=\"tfp:ClaimsTransformation\" />\n          
</xs:sequence>\n        </xs:complexType>\n        <xs:key name=\"UniqueClaimsTransformationId\">\n          <xs:selector xpath=\"tfp:ClaimsTransformation\"/>\n          <xs:field xpath=\"@Id\"/>\n        </xs:key>\n      </xs:element>\n\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"ClientDefinitions\">\n        <xs:annotation>\n          <xs:documentation>\n            ClientDefinitions specify various properties specific to the end-user device for which the policy is being executed.\n          </xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:sequence>\n            <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"ClientDefinition\" type=\"tfp:ClientDefinition\" />\n          </xs:sequence>\n        </xs:complexType>\n        <xs:key name=\"UniqueClientDefinitionId\">\n          <xs:selector xpath=\"tfp:ClientDefinition\"/>\n          <xs:field xpath=\"@Id\"/>\n        </xs:key>\n      </xs:element>\n\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"ContentDefinitions\">\n        <xs:annotation>\n          <xs:documentation>\n            Content definitions contain URLs to external content (for example, URLs to pages used in claims providers such as Phone Factor).\n          </xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:sequence>\n            <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"ContentDefinition\" type=\"tfp:ContentDefinition\" />\n          </xs:sequence>\n        </xs:complexType>\n        <xs:key name=\"UniqueContentDefinitionId\">\n          <xs:selector xpath=\"tfp:ContentDefinition\"/>\n          <xs:field xpath=\"@Id\"/>\n        </xs:key>\n      </xs:element>\n\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"Localization\">\n        <xs:annotation>\n          <xs:documentation>\n            Defines the supported cultures and contains strings and collections in those cultures.\n          </xs:documentation>\n        
</xs:annotation>\n        <xs:complexType>\n          <xs:sequence>\n            <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"SupportedLanguages\" type=\"tfp:SupportedLanguages\">\n              <xs:annotation>\n                <xs:documentation>\n                  Defines all the cultures that are supported by this policy.\n                </xs:documentation>\n              </xs:annotation>\n            </xs:element>\n            <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"LocalizedResources\" type=\"tfp:LocalizedResources\">\n              <xs:annotation>\n                <xs:documentation>\n                  Contains all the translated strings for a specific culture.\n                </xs:documentation>\n              </xs:annotation>\n            </xs:element>\n          </xs:sequence>\n          <xs:attribute use=\"optional\" name=\"Enabled\" type=\"xs:boolean\">\n            <xs:annotation>\n              <xs:documentation>\n                If set to true, the Localization section is used for rendering the strings and collections in appropriate languages, otherwise\n                this section is not used.\n              </xs:documentation>\n            </xs:annotation>\n          </xs:attribute>\n        </xs:complexType>\n      </xs:element>\n\n      <xs:element name=\"DisplayControls\" minOccurs=\"0\" maxOccurs=\"1\">\n        <xs:annotation>\n          <xs:documentation>This section defines all display controls associated with user interface controls.</xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:sequence>\n            <xs:element name=\"DisplayControl\" type=\"DisplayControl\" minOccurs=\"0\" maxOccurs=\"unbounded\">\n              <xs:annotation>\n                <xs:documentation>Defines the display control associated with user interface control.</xs:documentation>\n              </xs:annotation>\n            </xs:element>\n          </xs:sequence>\n        </xs:complexType>\n      
</xs:element>\n    </xs:sequence>\n  </xs:complexType>\n\n  <xs:complexType name=\"SupportedLanguages\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents the set of supported languages, including the default language.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:sequence>\n      <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"SupportedLanguage\" type=\"tfp:Culture\">\n        <xs:annotation>\n          <xs:documentation>\n            Represents one supported language.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n    </xs:sequence>\n    <xs:attribute name=\"DefaultLanguage\" type=\"tfp:Culture\">\n      <xs:annotation>\n        <xs:documentation>\n          This is the default language that the customer will see user journeys in, if they don't specify any other supported culture.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute name=\"PolicyLanguage\" type=\"tfp:Culture\">\n      <xs:annotation>\n        <xs:documentation>\n          This is the language the default values in the policy are written in.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"optional\" name=\"MergeBehavior\" type=\"tfp:MergeBehavior\">\n      <xs:annotation>\n        <xs:documentation>\n          Specifies how the enumeration values will be merged together with any ClaimType present in a parent policy\n          with the same identifier.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n\n  <xs:complexType name=\"LocalizedResources\">\n    <xs:annotation>\n      <xs:documentation>\n\n      </xs:documentation>\n    </xs:annotation>\n    <xs:sequence>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"LocalizedCollections\">\n        <xs:annotation>\n          <xs:documentation>\n            A collection can have a different number of items, and different strings, for various 
cultures. This element\n            allows defining entire collections in various cultures. Examples of collections include the enumerations\n            that appear in claim types, e.g. the country/region list, and are shown to the user in a drop-down list.\n          </xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:sequence>\n            <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"LocalizedCollection\" type=\"tfp:LocalizedCollection\" />\n          </xs:sequence>\n        </xs:complexType>\n      </xs:element>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"LocalizedStrings\">\n        <xs:annotation>\n          <xs:documentation>\n            This section is used to define all the strings, except those that appear in collections, in various cultures.\n          </xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:sequence>\n            <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"LocalizedString\" type=\"tfp:LocalizedString\" />\n          </xs:sequence>\n        </xs:complexType>\n      </xs:element>\n    </xs:sequence>\n    <xs:attribute name=\"Culture\" type=\"tfp:Culture\">\n      <xs:annotation>\n        <xs:documentation>\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute name=\"Id\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n  <!--\n    Specifications for the various low-level types\n  -->\n  <xs:complexType name=\"JourneyFraming\">\n    <xs:annotation>\n      <xs:documentation>\n        Defines whether content journey framing is supported and the corresponding\n        domains allowed to frame.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:attribute use=\"required\" name=\"Enabled\" type=\"xs:boolean\">\n      <xs:annotation>\n        <xs:documentation>\n          
Attribute indicating whether journey framing is enabled.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"required\" name=\"Sources\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          A space-separated list of sources used to populate the CSP frame-ancestors directive\n          and the X-Frame-Options header. In the case of X-Frame-Options, if more than one\n          source is specified only the first source is included, and it must\n          be an absolute URL.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n\n  <xs:complexType name=\"JourneyOnError\">\n    <xs:annotation>\n      <xs:documentation>\n        Defines whether errors should be returned to the requestor or displayed in the service.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:attribute use=\"required\" name=\"Mode\" type=\"tfp:JourneyOnErrorModeType\">\n      <xs:annotation>\n        <xs:documentation>\n          Attribute specifying the error handling mode.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n\n  <xs:complexType name=\"SingleSignOn\">\n    <xs:annotation>\n      <xs:documentation>\n        Defines the behavior of the single sign-on functionality for this application policy.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:attribute use=\"required\" name=\"Scope\" type=\"tfp:UserJourneyBehaviorScopeType\">\n      <xs:annotation>\n        <xs:documentation>\n          Defines the scope of the single sign-on behavior.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"optional\" name=\"KeepAliveInDays\" type=\"xs:int\">\n      <xs:annotation>\n        <xs:documentation>\n          Defines the number of days to keep the session alive for when a user selects to be remembered.\n        </xs:documentation>\n      </xs:annotation>\n    
</xs:attribute>\n    <xs:attribute use=\"optional\" name=\"EnforceIdTokenHintOnLogout\" type=\"xs:boolean\">\n      <xs:annotation>\n        <xs:documentation>\n          Attribute indicating whether the presence of the id_token_hint parameter is required for OIDC logout.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n  <xs:complexType name=\"AzureApplicationInsights\">\n    <xs:annotation>\n      <xs:documentation>\n        DEPRECATED - Use JourneyInsights indicating ApplicationInsights as the telemetry engine.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:attribute use=\"required\" name=\"InstrumentationKey\" type=\"tfp:InstrumentationKey\">\n      <xs:annotation>\n        <xs:documentation>\n          Defines the instrumentation key for the application insights element.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n  <xs:complexType name=\"JourneyInsights\">\n    <xs:annotation>\n      <xs:documentation>\n        Defines the Azure Application Insights element which includes the application insights script in the user journeys.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:attribute use=\"required\" name=\"InstrumentationKey\" type=\"tfp:InstrumentationKey\">\n      <xs:annotation>\n        <xs:documentation>\n          Defines the instrumentation key for the application insights element.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"required\" name=\"TelemetryEngine\" type=\"tfp:TelemetryEngineType\">\n      <xs:annotation>\n        <xs:documentation>\n          Value indicating which telemetry engine to use.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"optional\" name=\"DeveloperMode\" type=\"xs:boolean\">\n      <xs:annotation>\n        <xs:documentation>\n          Value indicating whether the application insights should operate in 
developer mode. Default if not specified is false.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"optional\" name=\"ClientEnabled\" type=\"xs:boolean\">\n      <xs:annotation>\n        <xs:documentation>\n          Value indicating whether the application insights should be run on the client via JavaScript. Default if not specified is false.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"optional\" name=\"ServerEnabled\" type=\"xs:boolean\">\n      <xs:annotation>\n        <xs:documentation>\n          Value indicating whether the server-side journey recording is enabled. Default if not specified is false.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"optional\" name=\"TelemetryVersion\" type=\"tfp:ThreePartVersionNumber\">\n      <xs:annotation>\n        <xs:documentation>\n          Value indicating the version of journey telemetry to use. 
If not specified, the latest version is used.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n\n  </xs:complexType>\n  <xs:complexType name=\"ContentDefinitionParameters\">\n    <xs:annotation>\n      <xs:documentation>\n        Defines a list of key value pairs to be appended to the query string of the content definition load uris.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:sequence>\n      <xs:element name=\"Parameter\" maxOccurs=\"unbounded\" type=\"tfp:ContentDefinitionParameter\">\n        <xs:key name=\"UniqueContentDefinitionParameterName\">\n          <xs:selector xpath=\"tfp:ContentDefinitionParameter\"/>\n          <xs:field xpath=\"@Name\"/>\n        </xs:key>\n      </xs:element>\n    </xs:sequence>\n  </xs:complexType>\n  <xs:complexType name=\"ContentDefinitionParameter\">\n    <xs:annotation>\n      <xs:documentation>\n        Defines a key value pair that is to be appended to the query string of content definition load uri.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:simpleContent>\n      <xs:extension base=\"xs:string\">\n        <xs:attribute name=\"Name\" type=\"xs:string\" use=\"required\"/>\n      </xs:extension>\n    </xs:simpleContent>\n  </xs:complexType>\n\n  <xs:complexType name=\"ClaimsTransformation\">\n    <xs:annotation>\n      <xs:documentation>\n        Transforms take a set of claims, process them, and output another set of claims.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:sequence>\n      <xs:element name=\"InputClaims\" minOccurs=\"0\" maxOccurs=\"1\">\n        <xs:annotation>\n          <xs:documentation>\n            A list of the Claim Types that are taken as input to the Claims Transformation. 
Each of these elements contains reference\n            to a ClaimType already defined in the ClaimsSchema section.\n          </xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:sequence>\n            <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"InputClaim\" type=\"tfp:ClaimsTransformationClaimTypeReference\" />\n          </xs:sequence>\n        </xs:complexType>\n      </xs:element>\n      <xs:element name=\"InputParameters\" minOccurs=\"0\" maxOccurs=\"1\">\n        <xs:annotation>\n          <xs:documentation>\n            A list of the parameters that are provided as input to the Claims Transformation. Each of these elements contains a value that is passed\n            verbatim to the transformation.\n          </xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:sequence>\n            <xs:element minOccurs=\"1\" maxOccurs=\"unbounded\" name=\"InputParameter\" type=\"tfp:ClaimsTransformationParameter\" />\n          </xs:sequence>\n        </xs:complexType>\n      </xs:element>\n      <xs:element name=\"OutputClaims\" minOccurs=\"0\" maxOccurs=\"1\">\n        <xs:annotation>\n          <xs:documentation>\n            A list of the Claim Types that are taken as input to the Claims Transformation. Each of these elements contains reference\n            to a ClaimType already defined in the ClaimsSchema section.\n          </xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:sequence>\n            <xs:element minOccurs=\"1\" maxOccurs=\"unbounded\" name=\"OutputClaim\" type=\"tfp:ClaimsTransformationClaimTypeReference\">\n              <xs:annotation>\n                <xs:documentation>\n                  The Claim Type that is outputted by the Claims Transformation. 
This element contains reference to a ClaimType already defined\n                  in the ClaimsSchema section.\n                </xs:documentation>\n              </xs:annotation>\n            </xs:element>\n          </xs:sequence>\n        </xs:complexType>\n      </xs:element>\n    </xs:sequence>\n    <xs:attribute use=\"required\" name=\"Id\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          A machine understandable identifier that is used to uniquely identify this particular Claims Transform, and reference it\n          from other sections of the document.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"required\" name=\"TransformationMethod\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          A machine understandable identifier to reference the published transformation method to be used.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n  <xs:complexType name=\"ContentDefinition\">\n    <xs:sequence>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"LoadUri\" />\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"RecoveryUri\" type=\"tfp:ContentUriTYPE\" />\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"DataUri\" type=\"tfp:ContentUriTYPE\" />\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"Metadata\" type=\"tfp:metadataTYPE\">\n        <xs:annotation>\n          <xs:documentation>\n            Metadata section that can be used to override API settings and content\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"LocalizedResourcesReferences\">\n        <xs:annotation>\n          <xs:documentation>\n            Contains a list of references to localized resources. 
The reference can be of the form of URL or a machine understandable identifier\n            that is used to uniquely identify the specific localized resource in the policy.\n          </xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:sequence>\n            <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"LocalizedResourcesReference\" type=\"tfp:LocalizedResourcesReference\" />\n          </xs:sequence>\n          <xs:attribute use=\"optional\" name=\"MergeBehavior\" type=\"tfp:MergeBehavior\">\n            <xs:annotation>\n              <xs:documentation>\n                Specifies how the enumeration values will be merged together with any ClaimType present in a parent policy\n                with the same identifier.\n              </xs:documentation>\n            </xs:annotation>\n          </xs:attribute>\n        </xs:complexType>\n      </xs:element>\n    </xs:sequence>\n    <xs:attribute use=\"required\" name=\"Id\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          A machine understandable identifier that is used to uniquely identify this particular Content Definition, and reference it\n          from other sections of the document.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n\n  <xs:complexType name=\"LocalizedResourcesReference\">\n    <xs:attribute use=\"required\" name=\"Language\" type=\"tfp:Culture\" />\n    <xs:attribute use=\"optional\"  name=\"Url\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          The url to a localized resource hosted on a CORS enabled endpoint. 
This resource will be fetched by the clientside code.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"optional\"  name=\"LocalizedResourcesReferenceId\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          A machine understandable identifier that is used to uniquely identify this particular Localized Resource, and reference it\n          from other sections of the document.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n\n  <xs:complexType name=\"ClientDefinition\">\n    <xs:annotation>\n      <xs:documentation>\n        Contains settings for a User Journey on a client.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:sequence>\n      <xs:element minOccurs=\"1\" maxOccurs=\"1\" name=\"ClientUIFilterFlags\" type=\"xs:string\">\n        <xs:annotation>\n          <xs:documentation>\n            These flags are used for indicate the client's UI behavior.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n    </xs:sequence>\n    <xs:attribute use=\"required\" name=\"Id\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          A unique identifier that allows this client definition to be referenced from a User Journey.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n\n  <xs:complexType name=\"ClaimsProvider\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents a Claims Provider, along with its technical profiles.\n      </xs:documentation>\n    </xs:annotation>    \n    <xs:sequence>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"Domains\">\n        <xs:annotation>\n          <xs:documentation>\n            Domain names for the claim provider.\n          </xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:sequence>\n            <xs:element minOccurs=\"1\" 
maxOccurs=\"unbounded\" name=\"Domain\" type=\"tfp:nonemptystring\">\n              <xs:annotation>\n                <xs:documentation>\n                  The human understandable domain name for the claim provider.\n                </xs:documentation>\n              </xs:annotation>\n            </xs:element>\n          </xs:sequence>\n         </xs:complexType>\n      </xs:element>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"Domain\" type=\"xs:string\">\n        <xs:annotation>\n          <xs:documentation>\n            The human understandable domain name for the claim provider.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"DisplayName\" type=\"xs:string\">\n        <xs:annotation>\n          <xs:documentation>\n            The human understandable name of the claims provider that can be displayed to the users.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n      <xs:element name=\"TechnicalProfiles\">\n        <xs:annotation>\n          <xs:documentation>\n            List of Technical Profiles for exchanging claims with this claims provider.\n          </xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:sequence>\n            <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"TechnicalProfile\" type=\"tfp:TechnicalProfile\" />\n          </xs:sequence>\n        </xs:complexType>\n      </xs:element>\n    </xs:sequence>\n  </xs:complexType>\n\n  <xs:complexType name=\"Preconditions\">\n    <xs:annotation>\n      <xs:documentation>\n        A collection of Precondition elements.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:sequence>\n      <xs:element minOccurs=\"1\" maxOccurs=\"unbounded\" name=\"Precondition\" type=\"tfp:Precondition\" />\n    </xs:sequence>\n  </xs:complexType>\n\n  <xs:complexType name=\"Precondition\">\n    <xs:annotation>\n      <xs:documentation>\n   
     Represents a conditional check that is performed to determine whether an OrchestrationStep or a validation technical profile should be executed.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:sequence>\n      <xs:element minOccurs=\"1\" maxOccurs=\"unbounded\" name=\"Value\" type=\"xs:string\">\n        <xs:annotation>\n          <xs:documentation>\n            The data that is used by the check. For example, if the Type of this check is \"ClaimsExist\", this field\n            will specify a ClaimTypeReferenceId to query for.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n      <xs:element minOccurs=\"1\" maxOccurs=\"unbounded\" name=\"Action\" type=\"tfp:PreconditionActionType\">\n        <xs:annotation>\n          <xs:documentation>\n            Specifies the action that should be taken if the Precondition check is true, such as \"SkipThisOrchestrationStep\" and \"SkipThisValidationTechnicalProfile\"\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n    </xs:sequence>\n    <xs:attribute use=\"required\" name=\"Type\" type=\"tfp:PreconditionType\" >\n      <xs:annotation>\n        <xs:documentation>\n          The type of check to perform.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"required\" name=\"ExecuteActionsIf\" type=\"xs:boolean\" >\n      <xs:annotation>\n        <xs:documentation>\n          Specifies whether the actions in this precondition should be performed when the test is true or when it is false.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n\n  <xs:complexType name=\"PredicateReference\">\n    <xs:annotation>\n      <xs:documentation>\n        A reference to a predicate element.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:attribute use=\"required\" name=\"Id\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          A machine readable identifier 
that references a predicate in the policy.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n\n  <xs:complexType name=\"InputValidation\">\n    <xs:annotation>\n      <xs:documentation>\n        A combination of predicate groups and predicates that will define how to validate an input.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:sequence>\n      <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"PredicateReferences\" type=\"tfp:PredicateReferences\" />\n    </xs:sequence>\n    <xs:attribute use=\"required\" name=\"Id\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          A machine readable identifier that can be used to reference the input validation in the policy.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n\n  <xs:complexType name=\"PredicateReferences\">\n    <xs:annotation>\n      <xs:documentation>\n        A set of predicates.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:sequence>\n      <xs:element minOccurs=\"1\" maxOccurs=\"unbounded\" name=\"PredicateReference\" type=\"tfp:PredicateReference\" />\n    </xs:sequence>\n\t<!--This attribute will need to be removed in favor of the id in \"PredicateGroup\"-->\n    <xs:attribute name=\"Id\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          A machine readable identifier for the pattern group that cannot be refrenced.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n\t<!--This attribute will need to be removed in favor of the element type \"UserHelpText\"-->\n    <xs:attribute name=\"HelpText\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          The help text shown for the predicate group in case of an error.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute name=\"MatchAtLeast\" type=\"xs:integer\">\n      <xs:annotation>\n  
      <xs:documentation>\n          The minimum number of predicates that must match for the predicate group to take effect.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute name=\"Reject\" type=\"xs:boolean\">\n      <xs:annotation>\n        <xs:documentation>\n          The minimum number of predicates that must match for the predicate group to take effect.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n\n  <xs:complexType name=\"Parameter\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents a single parameter that will be passed to a predicate method.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:simpleContent>\n      <xs:extension base=\"xs:string\">\n        <xs:annotation>\n          <xs:documentation>\n            The value of the parameter.\n          </xs:documentation>\n        </xs:annotation>\n\n        <xs:attribute use=\"required\" name=\"Id\" type=\"xs:string\">\n          <xs:annotation>\n            <xs:documentation>\n              The name of the parameter.\n            </xs:documentation>\n          </xs:annotation>\n        </xs:attribute>\n      </xs:extension>\n    </xs:simpleContent>\n  </xs:complexType>\n\n  <xs:complexType name=\"Parameters\">\n    <xs:annotation>\n      <xs:documentation>\n        A collection of Parameters passed to a predicate.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:sequence>\n      <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"Parameter\" type=\"tfp:Parameter\" />\n    </xs:sequence>\n  </xs:complexType>\n\n  <xs:complexType name=\"Predicate\">\n    <xs:annotation>\n      <xs:documentation>\n        Defines a single predicate that will be used to create an input validation.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:sequence>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"UserHelpText\" type=\"xs:string\">\n        <xs:annotation>\n          
<xs:documentation>\n            A description of the predicate that can be helpful for the users to know what password they should type.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"Parameters\" type=\"tfp:Parameters\" />\n    </xs:sequence>\n    <xs:attribute use=\"required\" name=\"Id\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          A machine understandable identifier that is used to uniquely identify this particular Predicate, and reference it\n          from other sections of the document.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"required\" name=\"Method\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          The method that will be called to validate this predicate, it takes as input the param elements and a string value and returns a boolean.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n\t<!--This attribute will need to remove in favor of the element type \"UserHelpText\"-->\n    <xs:attribute name=\"HelpText\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          The help text that will be shown to the user if the input validation that the predicate is in fails.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n  \n  <!--New password complexity schema xsd-->\n  <xs:complexType name=\"PredicateGroups\">\n    <xs:annotation>\n      <xs:documentation>\n        A set of predicate group.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:sequence>\n      <xs:element minOccurs=\"1\" maxOccurs=\"unbounded\" name=\"PredicateGroup\" type=\"tfp:PredicateGroup\" />\n    </xs:sequence>\n  </xs:complexType>\n  \n  <xs:complexType name=\"PredicateGroup\">\n    <xs:annotation>\n      <xs:documentation>\n        A reference to a predicate element.\n      
</xs:documentation>\n    </xs:annotation>\n    <xs:sequence>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"UserHelpText\" type=\"xs:string\">\n        <xs:annotation>\n          <xs:documentation>\n            A description of the predicate that can be helpful for the users to know what password they should type.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n      <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"PredicateReferences\" type=\"tfp:PredicateReferences\" />\n    </xs:sequence>\n    <xs:attribute use=\"required\" name=\"Id\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          A machine readable identifier that can be used to indicate the name of predicate group, it can not be referenced.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n  \n  <xs:complexType name=\"PredicateValidation\">\n    <xs:annotation>\n      <xs:documentation>\n        A combination of predicate groups and predicates that will define how to validate an input.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:sequence>\n      <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"PredicateGroups\" type=\"tfp:PredicateGroups\" />\n    </xs:sequence>\n    <xs:attribute use=\"required\" name=\"Id\" type=\"xs:string\">\n      <xs:annotation>\n      <xs:documentation>\n        A machine readable identifier that can be used to reference the predicate validation in the policy.\n      </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n  \n  <xs:complexType name=\"PredicateValidationReference\">\n    <xs:annotation>\n      <xs:documentation>\n        A reference to an predicate validation element.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:attribute use=\"required\" name=\"Id\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          A machine readable identifier that 
references a predicate validation in the policy.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n  <!--End-->\n\n  <xs:complexType name=\"ClaimsProviderSelections\">\n    <xs:annotation>\n      <xs:documentation>\n        A collection of ClaimsProviderSelection elements.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:sequence>\n      <xs:element minOccurs=\"1\" maxOccurs=\"unbounded\" name=\"ClaimsProviderSelection\" type=\"tfp:ClaimsProviderSelection\" />\n    </xs:sequence>\n    <xs:attribute use=\"optional\" name=\"DisplayOption\" type=\"tfp:ClaimsProviderSelectionDisplayOption\" default=\"DoNotShowSingleProvider\" />\n  </xs:complexType>\n\n  <xs:complexType name=\"ClaimsProviderSelection\">\n    <xs:annotation>\n      <xs:documentation>\n        Shows options for the selection between various claims providers in a given step (such as Google/Facebook/Microsoft Account).\n      </xs:documentation>\n    </xs:annotation>\n    <xs:attribute use=\"optional\" name=\"TargetClaimsExchangeId\" type=\"xs:string\" />\n    <xs:attribute use=\"optional\" name=\"ValidationClaimsExchangeId\" type=\"xs:string\" />\n  </xs:complexType>\n\n  <xs:complexType name=\"ClaimsExchanges\">\n    <xs:annotation>\n      <xs:documentation>\n        A collection of ClaimsExchange elements.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:sequence>\n      <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"ClaimsExchange\" type=\"tfp:ClaimsExchange\" />\n    </xs:sequence>\n    <xs:attribute use=\"optional\" name=\"UserIdentity\" type=\"xs:boolean\" default=\"false\" />\n  </xs:complexType>\n\n  <xs:complexType name=\"ClaimsExchange\">\n    <xs:annotation>\n      <xs:documentation>\n        Depending on the Technical Profile being used, a Claims Exchange either redirects the user’s client corresponding to the\n        ClaimsProviderSelection that the user may have selected, or makes a server call to exchange claims.\n 
     </xs:documentation>\n    </xs:annotation>\n    <xs:attribute use=\"required\" name=\"Id\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          A machine understandable identifier that is used to uniquely identify this particular Claims Exchange step, and reference\n          it from a ClaimsProviderSelection step.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"required\" name=\"TechnicalProfileReferenceId\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          The unique identifier of the Technical Profile which is used for claims exchange.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n  \n  <xs:complexType name=\"JourneyList\">\n    <xs:annotation>\n      <xs:documentation>\n        A list of SubJourneys that are able to be executed during an Orchestration Step\n      </xs:documentation>\n    </xs:annotation>\n    <xs:sequence>\n      <xs:element minOccurs=\"1\" maxOccurs=\"unbounded\" name=\"Candidate\" type=\"tfp:Candidate\" />\n    </xs:sequence>\n  </xs:complexType>\n  \n  <xs:complexType name=\"Candidate\">\n    <xs:annotation>\n      <xs:documentation>\n        A candidate is a single journey type that can be invoked on it's own during an Orchestration Step\n      </xs:documentation>\n    </xs:annotation>\n    <xs:attribute use=\"required\" name=\"SubJourneyReferenceId\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          The unique identifier for the SubJourney that can be executed\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n\n  <xs:complexType name=\"ClaimsTransformationReference\">\n    <xs:annotation>\n      <xs:documentation>\n        ClaimsTransformations may be used in a TechnicalProfile for transforming claims when they are sent to and received from a claims\n        provider. 
A ClaimsTransformation must be defined in this section before it can be referenced in a TechnicalProfile.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:attribute use=\"required\" name=\"ReferenceId\" type=\"xs:string\" />\n  </xs:complexType>\n\n  <xs:complexType name=\"InputValidationReference\">\n    <xs:annotation>\n      <xs:documentation>\n        A reference to an input validation element.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:attribute use=\"required\" name=\"Id\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          A machine readable identifier that references a predicate in the policy.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n\n  <xs:complexType name=\"ClaimType\">\n    <xs:annotation>\n      <xs:documentation>\n        Defines a single claim type.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:sequence>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"DisplayName\" type=\"xs:string\">\n        <xs:annotation>\n          <xs:documentation>\n            The human understandable name of the claim type that is displayed to the users on various screens.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"DataType\" type=\"tfp:DataType\">\n        <xs:annotation>\n          <xs:documentation>\n            The type of data stored in the claim type, such as String, Boolean, Int or DateTime. This type may be used by\n            claims transforms and may thus participate in comparison or arithmetic operations. 
Associating an appropriate type\n            ensures that these operations are performed correctly by the transforms.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n      <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"DefaultPartnerClaimTypes\">\n        <xs:annotation>\n          <xs:documentation>\n            If a partner claim type is not provided in a claim mapping, then these partner claim types are used for\n            the specified protocol.\n          </xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:sequence>\n            <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"Protocol\">\n              <xs:complexType>\n                <xs:annotation>\n                  <xs:documentation>\n                    The list of technical profiles that is allowed to be used against a claims provider selection.\n                  </xs:documentation>\n                </xs:annotation>\n                <xs:attribute use=\"required\" name=\"Name\" type=\"tfp:ProtocolName\" />\n\t\t\t\t<xs:attribute use=\"optional\" name=\"Handler\" type=\"xs:string\" />\n                <xs:attribute use=\"required\" name=\"PartnerClaimType\" type=\"xs:string\" />\n              </xs:complexType>\n            </xs:element>\n          </xs:sequence>\n        </xs:complexType>\n      </xs:element>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"Mask\" type=\"tfp:claimMaskTYPE\">\n        <xs:annotation>\n          <xs:documentation>\n            An optional string of masking characters that can be applied to the claim when displaying the claim for example phone number\n            324-232-4343 masked as XXX-XXX-4343\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"AdminHelpText\" type=\"xs:string\">\n        <xs:annotation>\n          <xs:documentation>\n            A description of the claim type that can 
be helpful for the administrators to understand the purpose and/or usage of\n            the claim type.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"UserHelpText\" type=\"xs:string\">\n        <xs:annotation>\n          <xs:documentation>\n            A description of the claim type that can be helpful for the users to understand the purpose and/or usage of the claim type.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"UserInputType\" type=\"tfp:UserInputType\">\n        <xs:annotation>\n          <xs:documentation>\n            The type of input control that should be available to the user when manually entering claim data for this claim type.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"Restriction\" type=\"tfp:Restriction\">\n        <xs:annotation>\n          <xs:documentation>\n            The value restrictions for this claim, such as a regular expression or a list of acceptable values.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"InputValidationReference\" type=\"tfp:InputValidationReference\" />\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"PredicateValidationReference\" type=\"tfp:PredicateValidationReference\" />\n    </xs:sequence>\n    <xs:attribute use=\"required\" name=\"Id\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          A machine understandable identifier that is used to uniquely identify this particular Claim Type, and reference it\n          from other sections of the document.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute name=\"StatementType\" type=\"tfp:StatementType\" default=\"Attribute\">\n    
  <xs:annotation>\n        <xs:documentation>\n          The type of statement the claim type represents, such as Attribute, Authentication or Subject, the default being Attribute. This type may be used by\n          claims transforms and may thus participate in comparison or arithmetic operations. Associating an appropriate type\n          ensures that these operations are performed correctly by the transforms.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n\n  <xs:complexType name=\"Contact\">\n    <xs:sequence>\n      <xs:element minOccurs=\"1\" maxOccurs=\"1\" name=\"DisplayName\" type=\"xs:string\">\n        <xs:annotation>\n          <xs:documentation>\n            The display name.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n      <xs:element minOccurs=\"1\" maxOccurs=\"1\" name=\"TelephoneNumber\" type=\"xs:string\">\n        <xs:annotation>\n          <xs:documentation>\n            The telephone number.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n      <xs:element minOccurs=\"1\" maxOccurs=\"1\" name=\"Email\" type=\"xs:string\">\n        <xs:annotation>\n          <xs:documentation>\n            The email address.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n      <xs:element minOccurs=\"1\" maxOccurs=\"1\" name=\"Role\" type=\"xs:string\">\n        <xs:annotation>\n          <xs:documentation>\n            The role of the contact.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n    </xs:sequence>\n    <xs:attribute use=\"required\" name=\"Id\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          A machine understandable identifier that is used to uniquely identify this particular Contact.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n\n  <xs:complexType name=\"DocumentReference\">\n    
<xs:annotation>\n      <xs:documentation>\n        Certain documents, such as terms of use or privacy policy, may be made available to the Relying Parties or even the\n        users before they sign up to use one of the services provided by CPIM. The RPs may use these documents to determine\n        whether the TF is appropriate for the purposes it intends to use it for. The users may view these documents to look at\n        the parameters within which RPs and the TF will operate and determine whether they want to participate or not.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:sequence>\n      <xs:element minOccurs=\"1\" maxOccurs=\"1\" name=\"DisplayName\" type=\"xs:string\">\n        <xs:annotation>\n          <xs:documentation>\n            The display name of the document.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n      <xs:element minOccurs=\"1\" maxOccurs=\"1\" name=\"Url\" type=\"xs:anyURI\">\n        <xs:annotation>\n          <xs:documentation>\n            The URL where the document is located.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n    </xs:sequence>\n    <xs:attribute use=\"required\" name=\"Id\" type=\"xs:string\" />\n  </xs:complexType>\n  <xs:complexType name=\"OrchestrationStep\">\n    <xs:annotation>\n      <xs:documentation>\n        Specifies the orchestration step.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:sequence>\n      <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"Preconditions\" type=\"tfp:Preconditions\">\n        <xs:annotation>\n          <xs:documentation>\n            A list of preconditions that must be satisfied for the step to execute.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n      <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"ClaimsProviderSelections\" type=\"tfp:ClaimsProviderSelections\">\n        <xs:annotation>\n          <xs:documentation>\n            A 
list of Claims Provider Selection options for the Orchestration Step.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n      <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"ClaimsExchanges\" type=\"tfp:ClaimsExchanges\">\n        <xs:annotation>\n          <xs:documentation>\n            A list of Claims Exchanges for the Orchestration Step.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n      <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"JourneyList\" type=\"tfp:JourneyList\">\n        <xs:annotation>\n          <xs:documentation>\n            A list of available journeys that can be invoked by the Orchestration Step.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n    </xs:sequence>\n    <xs:attribute use=\"required\" name=\"Order\" type=\"xs:int\">\n      <xs:annotation>\n        <xs:documentation>\n          The order of the Orchestration Step. Orchestration Steps must appear in increasing order, in which they are executed.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"required\" name=\"Type\" type=\"tfp:OrchestrationStepType\">\n      <xs:annotation>\n        <xs:documentation>\n          The type of the Orchestration Step.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"optional\" name=\"ContentDefinitionReferenceId\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          A reference to the Content that the Orchestration Step can display to the user.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"optional\" name=\"CpimIssuerTechnicalProfileReferenceId\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          Used on SendClaims steps to define the TechnicalProfileId of the claims provider\n          that will mint the token for the 
relying party. If absent, no RP token will be created.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n\n  <xs:complexType name=\"InputTokenSources\">\n    <xs:annotation>\n      <xs:documentation>\n        A list of sources that can provide the input assertions for the current technical profile.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:sequence>\n      <xs:element minOccurs=\"1\" maxOccurs=\"unbounded\" name=\"TechnicalProfile\">\n        <xs:complexType>\n          <xs:attribute use=\"required\" name=\"Id\" type=\"xs:string\">\n            <xs:annotation>\n              <xs:documentation>\n                A machine understandable identifier that is used to uniquely identify this particular technical profile.\n              </xs:documentation>\n            </xs:annotation>\n          </xs:attribute>\n        </xs:complexType>\n      </xs:element>\n    </xs:sequence>\n  </xs:complexType>\n\n  <xs:complexType name=\"CryptographicKeys\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents the CryptographicKeys that are used within the Policy. 
Since these are sensitive secrets, the actual cryptographic\n        keys are stored outside of the Trust Framework Policy and would generally reside in a system deemed secure for\n        cryptographic storage, such as in a hardware security module (HSM) or a key management service (KMS).\n      </xs:documentation>\n    </xs:annotation>\n    <xs:sequence>\n      <xs:element minOccurs=\"1\" maxOccurs=\"unbounded\" name=\"Key\">\n        <xs:complexType>\n          <xs:attribute use=\"required\" name=\"Id\" type=\"xs:string\">\n            <xs:annotation>\n              <xs:documentation>\n                A machine understandable identifier that is used to uniquely identify this particular Cryptographic Key.\n              </xs:documentation>\n            </xs:annotation>\n          </xs:attribute>\n          <xs:attribute use=\"required\" name=\"StorageReferenceId\" type=\"xs:string\">\n            <xs:annotation>\n              <xs:documentation>\n                An identifier that references the key in the underlying key storage.\n              </xs:documentation>\n            </xs:annotation>\n          </xs:attribute>\n        </xs:complexType>\n      </xs:element>\n    </xs:sequence>\n  </xs:complexType>\n  <xs:complexType name=\"metadataTYPE\">\n    <xs:annotation>\n      <xs:documentation>\n        Defines the element for the protocol provider metadata.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:sequence>\n      <xs:element name=\"Item\" maxOccurs=\"unbounded\" type=\"tfp:metadataItemTYPE\">\n        <xs:key name=\"UniqueMetadataItemKey\">\n          <xs:selector xpath=\"tfp:metadataItemTYPE\"/>\n          <xs:field xpath=\"@Key\"/>\n        </xs:key>\n      </xs:element>\n    </xs:sequence>\n  </xs:complexType>\n\n  <!-- Type for a keyed string value that allows large string values\n       such as CDATA or simple strings such as URLs -->\n  <xs:complexType name=\"metadataItemTYPE\">\n    <xs:annotation>\n      <xs:documentation>\n        
Defines a single metadata item for the protocol provider metadata.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:simpleContent>\n      <xs:extension base=\"xs:string\">\n        <xs:attribute name=\"Key\" type=\"xs:string\" use=\"required\"/>\n      </xs:extension>\n    </xs:simpleContent>\n  </xs:complexType>\n\n  <xs:complexType name=\"ItemGroup\">\n    <xs:annotation>\n      <xs:documentation>\n        Defines a group of items of key/value pairs.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:sequence>\n      <xs:element minOccurs=\"1\" maxOccurs=\"unbounded\" name=\"Item\" type=\"tfp:Item\"/>\n    </xs:sequence>\n  </xs:complexType>\n\n  <xs:complexType name=\"Item\">\n    <xs:annotation>\n      <xs:documentation>\n        Defines a single key/value pair item.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:attribute use=\"required\" name=\"Key\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          A key that uniquely identifies the item.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"required\" name=\"Value\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          The value to hold in the item.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n\n  <xs:complexType name=\"PersistedClaim\">\n    <xs:annotation>\n      <xs:documentation>\n        The claim type in the normalized schema that is sent to the claims provider. 
The claim mappings are used to determine the\n        provider claim type before sending to the claims provider.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:attribute use=\"required\" name=\"ClaimTypeReferenceId\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          Identifies a Claim Type specified in the Claims Schema.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"optional\" name=\"PartnerClaimType\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          Identifies the claim type of the external partner that the specified policy claim type maps to. If the PartnerClaimType attribute\n          is not specified, then the specified policy claim type is mapped to the partner claim type of the same name.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"optional\" name=\"DefaultValue\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          If the claim indicated by ClaimTypeReferenceId does not exist, then the DefaultValue is used to create one so it can be used as an\n          input claim by the technical profile.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"optional\" name=\"OverwriteIfExists\" type=\"xs:boolean\">\n      <xs:annotation>\n        <xs:documentation>\n          Provides an optional property to the claims provider indicating whether the claim can be overwritten in the claims provider's\n          records if the claims provider supports overwriting.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"optional\" name=\"AlwaysUseDefaultValue\" type=\"xs:boolean\">\n      <xs:annotation>\n        <xs:documentation>\n          Provides an optional property indicating whether the default claim value should always be used as the value of the claim.\n        
</xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n\n  <xs:complexType name=\"DisplayControl\">\n    <xs:annotation>\n      <xs:documentation>\n        A group of display elements in a self-asserted page that allows special interaction with the back-end.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:sequence>\n      <xs:element name=\"InputClaims\" minOccurs=\"0\" maxOccurs=\"1\">\n        <xs:annotation>\n          <xs:documentation>A list of input claims that indicate the prefilled values for user interface controls.</xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:sequence>\n            <xs:element name=\"InputClaim\" type=\"DisplayControlClaimTypeReference\" minOccurs=\"0\" maxOccurs=\"unbounded\">\n              <xs:annotation>\n                <xs:documentation>The input claim that indicates the prefilled value for a user interface control.</xs:documentation>\n              </xs:annotation>\n            </xs:element>\n          </xs:sequence>\n        </xs:complexType>\n      </xs:element>\n      <xs:element name=\"DisplayClaims\" minOccurs=\"0\" maxOccurs=\"1\">\n        <xs:annotation>\n          <xs:documentation>A list of display claims to be displayed as user interface controls.</xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:sequence>\n            <xs:element name=\"DisplayClaim\" type=\"DisplayControlDisplayClaimReference\" minOccurs=\"0\" maxOccurs=\"unbounded\">\n              <xs:annotation>\n                <xs:documentation>The display claim to be displayed as a user interface control.</xs:documentation>\n              </xs:annotation>\n            </xs:element>\n          </xs:sequence>\n        </xs:complexType>\n      </xs:element>\n      <xs:element name=\"OutputClaims\" minOccurs=\"0\" maxOccurs=\"1\">\n        <xs:annotation>\n          <xs:documentation>A list of output claims to be used by the relying technical 
profile.</xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:sequence>\n            <xs:element name=\"OutputClaim\" type=\"DisplayControlClaimTypeReference\" minOccurs=\"0\" maxOccurs=\"unbounded\">\n              <xs:annotation>\n                <xs:documentation>The output claim to be used by the relying technical profile.</xs:documentation>\n              </xs:annotation>\n            </xs:element>\n          </xs:sequence>\n        </xs:complexType>\n      </xs:element>\n      <xs:element name=\"Actions\" minOccurs=\"0\" maxOccurs=\"1\">\n        <xs:annotation>\n          <xs:documentation>A list of actions corresponding to front-end user control scenarios.</xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:sequence>\n            <xs:element name=\"Action\" type=\"DisplayControlAction\" minOccurs=\"0\" maxOccurs=\"unbounded\">\n              <xs:annotation>\n                <xs:documentation>The display control action corresponding to a front-end user control scenario.</xs:documentation>\n              </xs:annotation>\n            </xs:element>\n          </xs:sequence>\n        </xs:complexType>\n      </xs:element>\n    </xs:sequence>\n    <xs:attribute name=\"Id\" type=\"xs:string\" use=\"required\">\n      <xs:annotation>\n        <xs:documentation>The identifier of the display control.</xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute name=\"UserInterfaceControlType\" type=\"UserInterfaceControlType\" use=\"required\">\n      <xs:annotation>\n        <xs:documentation>Type of user interface control that allows users to enter and verify claims.</xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n\n  <xs:complexType name=\"DisplayControlAction\">\n    <xs:sequence>\n      <xs:element name=\"ValidationClaimsExchange\" minOccurs=\"1\" maxOccurs=\"1\">\n        <xs:annotation>\n          <xs:documentation>\n            A 
list of technical profiles to execute sequentially when the action is invoked.\n          </xs:documentation>\n        </xs:annotation>\n        <xs:complexType>\n          <xs:sequence>\n            <xs:element name=\"ValidationClaimsExchangeTechnicalProfile\" minOccurs=\"1\" maxOccurs=\"unbounded\">\n              <xs:annotation>\n                <xs:documentation>\n                  The technical profile reference to execute when the action is invoked.\n                </xs:documentation>\n              </xs:annotation>\n              <xs:complexType>\n                <xs:sequence>\n                  <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"Preconditions\" type=\"tfp:Preconditions\">\n                    <xs:annotation>\n                      <xs:documentation>\n                        A list of preconditions that must be satisfied for the validation technical profile to execute.\n                      </xs:documentation>\n                    </xs:annotation>\n                  </xs:element>\n                </xs:sequence>\n                <xs:attribute name=\"TechnicalProfileReferenceId\" type=\"xs:string\" use=\"required\">\n                  <xs:annotation>\n                    <xs:documentation>\n                      An identifier that is a reference to a Technical Profile specified in one of the Claims Providers.\n                    </xs:documentation>\n                  </xs:annotation>\n                </xs:attribute>\n                <xs:attribute use=\"optional\" name=\"ContinueOnSuccess\" type=\"xs:boolean\">\n                  <xs:annotation>\n                    <xs:documentation>\n                      A boolean indicating whether validation of any subsequent validation profiles should continue if this\n                      profile succeeds. 
The default is true, meaning that the processing of further validation profiles will continue.\n                    </xs:documentation>\n                  </xs:annotation>\n                </xs:attribute>\n                <xs:attribute use=\"optional\" name=\"ContinueOnError\" type=\"xs:boolean\">\n                  <xs:annotation>\n                    <xs:documentation>\n                      A boolean indicating whether validation of any subsequent validation profiles should continue if this\n                      profile errors. The default is false, meaning that processing of further validation profiles will stop and\n                      an error will be returned.\n                    </xs:documentation>\n                  </xs:annotation>\n                </xs:attribute>\n              </xs:complexType>\n            </xs:element>\n          </xs:sequence>\n        </xs:complexType>\n      </xs:element>\n    </xs:sequence>\n    <xs:attribute name=\"Id\" type=\"xs:string\" use=\"required\">\n      <xs:annotation>\n        <xs:documentation>\n          The identifier of the display control action associated with a user interface scenario.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n\n  <xs:complexType name=\"DisplayClaimReference\">\n    <xs:attribute name=\"ClaimTypeReferenceId\" type=\"xs:string\" use=\"optional\">\n      <xs:annotation>\n        <xs:documentation>\n          An identifier that is a reference to a ClaimType specified in the ClaimsSchema.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute name=\"DisplayControlReferenceId\" type=\"xs:string\" use=\"optional\">\n      <xs:annotation>\n        <xs:documentation>An identifier that is a reference to a defined DisplayControl.</xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"optional\" name=\"Required\" type=\"xs:boolean\">\n      <xs:annotation>\n        <xs:documentation>\n  
        Identifies whether or not the user input is required for further actions.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n\n  <xs:complexType name=\"DisplayControlClaimTypeReference\">\n    <xs:attribute name=\"ClaimTypeReferenceId\" type=\"xs:string\" use=\"optional\">\n      <xs:annotation>\n        <xs:documentation>\n          An identifier that is a reference to a ClaimType specified in the ClaimsSchema.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"optional\" name=\"Required\" type=\"xs:boolean\">\n      <xs:annotation>\n        <xs:documentation>\n          Identifies whether or not the claim is required for this technical profile. If this property is not specified, false is assumed,\n          meaning that the given claim may be utilized if available, but its absence does not indicate an error. For claims that are user\n          asserted, this property controls whether or not the user is required to fill out the associated field before continuing.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"optional\" name=\"DefaultValue\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          If the claim indicated by ClaimTypeReferenceId does not exist, then the DefaultValue is used to create one so it can be used as an\n          input claim by the technical profile.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"optional\" name=\"AlwaysUseDefaultValue\" type=\"xs:boolean\">\n      <xs:annotation>\n        <xs:documentation>\n          Provides an optional property indicating whether the default claim value should always be used as the value of the claim.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n\n  <xs:complexType name=\"DisplayControlDisplayClaimReference\">\n    <xs:attribute 
name=\"ClaimTypeReferenceId\" type=\"xs:string\" use=\"optional\">\n      <xs:annotation>\n        <xs:documentation>\n          An identifier that is a reference to a ClaimType specified in the ClaimsSchema.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute name=\"ControlClaimType\" type=\"xs:string\" use=\"optional\">\n      <xs:annotation>\n        <xs:documentation>\n          Identifies the control type of the display control that is mapped to the specified policy claim type.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"optional\" name=\"Required\" type=\"xs:boolean\">\n      <xs:annotation>\n        <xs:documentation>\n          Identifies whether or not the user input is required for further actions.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n\n  <xs:complexType name=\"ClaimsSchemaClaimTypeReference\">\n    <xs:sequence>\n      <xs:element name=\"From\" type=\"tfp:FromTechnicalProfileReference\" maxOccurs=\"unbounded\" minOccurs=\"0\">\n        <xs:annotation>\n          <xs:documentation>\n            A reference to a Technical Profile which constrains the source of the claim to one or more\n            technical profiles. 
If no From element is specified, then the claim can be sourced from any technical\n            profile.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:element>\n    </xs:sequence>\n    <xs:attribute use=\"required\" name=\"ClaimTypeReferenceId\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          An identifier that is a reference to a ClaimType specified in the ClaimsSchema.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"optional\" name=\"PartnerClaimType\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          Identifies the claim type of the external partner that is mapped to the specified policy claim type. If the PartnerClaimType\n          attribute is not specified, then the partner claim type of the same name as the specified policy claim type is mapped instead.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"optional\" name=\"Required\" type=\"xs:boolean\">\n      <xs:annotation>\n        <xs:documentation>\n          Identifies whether or not the claim is required for this technical profile. If this property is not specified, false is assumed,\n          meaning that the given claim may be utilized if available, but its absence does not indicate an error. 
For claims that are user\n          asserted, this property controls whether or not the user is required to fill out the associated field before continuing.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"optional\" name=\"DefaultValue\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          If the claim indicated by ClaimTypeReferenceId does not exist, then the DefaultValue is used to create one so it can be used as an\n          input claim by the technical profile.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"optional\" name=\"AlwaysUseDefaultValue\" type=\"xs:boolean\">\n      <xs:annotation>\n        <xs:documentation>\n          Provides an optional property indicating whether the default claim value should always be used as the value of the claim.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n\n  <xs:complexType name=\"ClaimsTransformationClaimTypeReference\">\n    <xs:attribute use=\"required\" name=\"ClaimTypeReferenceId\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          An identifier that is a reference to a ClaimType specified in the ClaimsSchema.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"optional\" name=\"TransformationClaimType\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          Identifies the claim type of the transformation that is mapped to the specified policy claim type. 
If the TransformationClaimType\n          attribute is not specified, then the transformation claim type of the same name as the specified policy claim type is mapped instead.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n\n  <xs:complexType name=\"FromTechnicalProfileReference\">\n    <xs:attribute use=\"required\" name=\"TechnicalProfileReferenceId\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          An identifier that is a reference to a Technical Profile specified in one of the Claims Providers.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n\n  <xs:complexType name=\"claimMaskTYPE\">\n    <xs:annotation>\n      <xs:documentation>\n        An optional string for masking a claim when it is displayed, for example a phone number\n        324-232-4343 masked as XXX-XXX-4343. It can be either a simple substitution mask or a regular\n        expression that uses named groups.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:simpleContent>\n      <xs:extension base=\"xs:string\">\n        <xs:attribute name=\"Type\" type=\"tfp:MaskTypeTYPE\" use=\"required\"/>\n        <xs:attribute name=\"Regex\" type=\"xs:string\" use=\"optional\"/>\n      </xs:extension>\n    </xs:simpleContent>\n  </xs:complexType>\n\n  <xs:complexType name=\"EnumerationItem\">\n    <xs:annotation>\n      <xs:documentation>\n        Defines an available option for the user to select for a claim in the UI, such as a value in a dropdown.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:simpleContent>\n      <xs:extension base=\"xs:string\">\n        <xs:attribute use=\"required\" name=\"Text\" type=\"xs:string\">\n          <xs:annotation>\n            <xs:documentation>\n              The user-friendly display string that should be shown to the user in the UI for this option.\n            </xs:documentation>\n          </xs:annotation>\n        
</xs:attribute>\n        <xs:attribute use=\"required\" name=\"Value\" type=\"xs:string\">\n          <xs:annotation>\n            <xs:documentation>\n              The claim value associated with selecting this option.\n            </xs:documentation>\n          </xs:annotation>\n        </xs:attribute>\n        <xs:attribute use=\"optional\" name=\"SelectByDefault\" type=\"xs:boolean\">\n          <xs:annotation>\n            <xs:documentation>\n              A value indicating whether or not this option should be selected by default in the UI.\n            </xs:documentation>\n          </xs:annotation>\n        </xs:attribute>\n      </xs:extension>\n    </xs:simpleContent>\n  </xs:complexType>\n\n  <xs:complexType name=\"Pattern\">\n    <xs:annotation>\n      <xs:documentation>\n        Defines a pattern restriction, such as a regular expression, to be placed on values for a specific claim type.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:attribute use=\"required\" name=\"RegularExpression\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          A regular expression that claims of this type must match in order to be valid.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"optional\" name=\"HelpText\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          A string that can describe the pattern/regular expression for this claim to the user.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n\n  <xs:complexType name=\"Restriction\">\n    <xs:annotation>\n      <xs:documentation>\n        Defines the element for specifying value restrictions for a claim, such as regular expressions or a list of acceptable values.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:choice minOccurs=\"1\">\n      <xs:sequence>\n        <xs:element minOccurs=\"0\" maxOccurs=\"unbounded\" name=\"Enumeration\" 
type=\"tfp:EnumerationItem\" />\n      </xs:sequence>\n      <xs:element minOccurs=\"0\" maxOccurs=\"1\" name=\"Pattern\" type=\"tfp:Pattern\" />\n    </xs:choice>\n    <xs:attribute use=\"optional\" name=\"MergeBehavior\" type=\"tfp:MergeBehavior\">\n      <xs:annotation>\n        <xs:documentation>\n          Specifies how the enumeration values will be merged together with any ClaimType present in a parent policy\n          with the same identifier. If no value is given, replaceAll is used by default.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n\n  <xs:complexType name=\"TenantListType\">\n    <xs:annotation>\n      <xs:documentation>\n        A list of tenant references used when the inheritance rule is an allow or deny list.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:sequence>\n      <xs:element minOccurs=\"1\" maxOccurs=\"unbounded\" name=\"Tenant\" type=\"tfp:TenantReferenceType\" />\n    </xs:sequence>\n  </xs:complexType>\n\n  <xs:complexType name=\"PolicyIdPatternType\">\n    <xs:annotation>\n      <xs:documentation>\n        Defines a pattern constraint that is applied to the policy id.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:attribute use=\"required\" name=\"Type\" type=\"tfp:PatternTYPE\">\n      <xs:annotation>\n        <xs:documentation>\n          The type of pattern constraint to apply to the policy id.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"required\" name=\"Pattern\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          The actual pattern to be applied to the policy id.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n\n  <xs:complexType name=\"TenantReferenceType\">\n    <xs:annotation>\n      <xs:documentation>\n        Defines a reference to a tenant using the tenant guid as the reference id.\n      
</xs:documentation>\n    </xs:annotation>\n    <xs:attribute use=\"required\" name=\"ReferenceId\" type=\"tfp:TenantObjectId\">\n      <xs:annotation>\n        <xs:documentation>\n          The object ID (unique identifier) of the Azure tenant.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n\n  <xs:complexType name=\"ClaimsTransformationParameter\">\n    <xs:attribute use=\"required\" name=\"Id\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          An identifier that is a reference to a parameter of the TransformationMethod.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"required\" name=\"DataType\" type=\"tfp:DataType\">\n      <xs:annotation>\n        <xs:documentation>\n          The type of data of the parameter, such as String, Boolean, Int or DateTime. This type is used to perform arithmetic\n          operations correctly.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"required\" name=\"Value\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n          The value that is to be provided to the TransformationMethod when invoked.\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n  </xs:complexType>\n\n  <xs:complexType name=\"Extensions\" mixed=\"false\">\n    <xs:annotation>\n      <xs:documentation>\n        An extension point for elements that allows any XML from any namespace outside of\n        the document namespaces to be included in the element. Because processContents is skip,\n        the included content is not validated against any schema.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:sequence>\n      <xs:any namespace=\"##any\" processContents=\"skip\" minOccurs=\"0\" maxOccurs=\"unbounded\"/>\n    </xs:sequence>\n  </xs:complexType>\n\n  <xs:complexType name=\"LocalizedCollection\">\n    <xs:annotation>\n      <xs:documentation>\n\n      </xs:documentation>\n    </xs:annotation>\n    <xs:sequence>\n      
<xs:element minOccurs=\"1\" maxOccurs=\"unbounded\" name=\"Item\" type=\"tfp:EnumerationItem\" />\n    </xs:sequence>\n    <xs:attribute use=\"required\" name=\"ElementType\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"required\" name=\"ElementId\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n    <xs:attribute use=\"required\" name=\"TargetCollection\" type=\"xs:string\">\n      <xs:annotation>\n        <xs:documentation>\n\n        </xs:documentation>\n      </xs:annotation>\n    </xs:attribute>\n\n  </xs:complexType>\n\n  <xs:complexType name=\"LocalizedString\">\n    <xs:annotation>\n      <xs:documentation>\n\n      </xs:documentation>\n    </xs:annotation>\n    <xs:simpleContent>\n      <xs:extension base=\"xs:string\">\n        <xs:attribute use=\"required\" name=\"ElementType\" type=\"xs:string\">\n          <xs:annotation>\n            <xs:documentation>\n\n            </xs:documentation>\n          </xs:annotation>\n        </xs:attribute>\n        <xs:attribute name=\"ElementId\" type=\"xs:string\">\n          <xs:annotation>\n            <xs:documentation>\n\n            </xs:documentation>\n          </xs:annotation>\n        </xs:attribute>\n        <xs:attribute use=\"required\" name=\"StringId\" type=\"xs:string\">\n          <xs:annotation>\n            <xs:documentation>\n\n            </xs:documentation>\n          </xs:annotation>\n        </xs:attribute>\n      </xs:extension>\n    </xs:simpleContent>\n  </xs:complexType>\n\n  <!--\n    Enumerations and pattern restrictions\n  -->\n\n  <xs:simpleType name=\"ErrorResponseFormat\">\n    <xs:annotation>\n      <xs:documentation>\n        Specifies to format type of error response\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n   
   <xs:enumeration value=\"json\" />\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"JourneyOnErrorModeType\">\n    <xs:annotation>\n      <xs:documentation>\n        Specifies how journey errors are to be communicated to the user/requestor.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"ReturnToRequestor\">\n        <xs:annotation>\n          <xs:documentation>\n            Error is returned to the requestor using protocol semantics.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n      <xs:enumeration value=\"DisplayInService\">\n        <xs:annotation>\n          <xs:documentation>\n            Display the error message in the service.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n    </xs:restriction>\n  </xs:simpleType>\n  \n  <xs:simpleType name=\"ErrorHandlingAction\">\n    <xs:annotation>\n      <xs:documentation>\n        Specifies how to handle error responses.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"Reauthenticate\">\n        <xs:annotation>\n          <xs:documentation>\n            Ask the user to reauthenticate for a specific error case\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n      <xs:enumeration value=\"InvalidClient\">\n        <xs:annotation>\n          <xs:documentation>\n            Display the message indicating client key/secret is not configured properly\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"MergeBehavior\">\n    <xs:annotation>\n      <xs:documentation>\n        Specifies how the contents of the node will be merged together with data from parent policies\n        with the same unique identifier.\n      </xs:documentation>\n    </xs:annotation>\n    
<xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"Append\">\n        <xs:annotation>\n          <xs:documentation>\n            Specifies that the collection of data present should be appended to the end of the\n            collection specified in the parent policy.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n      <xs:enumeration value=\"Prepend\">\n        <xs:annotation>\n          <xs:documentation>\n            Specifies that the collection of data present should be added before the\n            collection specified in the parent policy.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n      <xs:enumeration value=\"ReplaceAll\">\n        <xs:annotation>\n          <xs:documentation>\n            Specifies that the collection of data specified in the parent policy should be ignored,\n            using instead the data specified in the current policy.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"MaskTypeTYPE\">\n    <xs:annotation>\n      <xs:documentation>\n        The types of claim masks\n        1. Simple, a simple text mask that is\n        applied to the leading portion of a string claim.\n        2. 
A regular expression that can be applied\n        to the string claim as whole\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"Simple\" />\n      <xs:enumeration value=\"Regex\" />\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"ProtocolName\">\n    <xs:annotation>\n      <xs:documentation>\n        The names of the valid protocols supported by CPIM.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"None\" />\n      <xs:enumeration value=\"OAuth1\" />\n      <xs:enumeration value=\"OAuth2\" />\n      <xs:enumeration value=\"SAML2\" />\n      <xs:enumeration value=\"OpenIdConnect\" />\n      <xs:enumeration value=\"WsFed\" />\n      <xs:enumeration value=\"WsTrust\" />\n      <xs:enumeration value=\"UProve11\" />\n      <xs:enumeration value=\"Proprietary\" />\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"EnabledForUserJourneysValues\">\n    <xs:annotation>\n      <xs:documentation>\n        The list of acceptable values for \"EnabledForUserJourneys\" property: true and Always will execute the technical profile, false and Never will\n        always skip it, and OnClaimsExistence will only execute the technical profile if the claim specified in the technical profile's metadata is\n        present in the user journey storage.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"true\" />\n      <xs:enumeration value=\"false\" />\n      <xs:enumeration value=\"OnClaimsExistence\" />\n      <xs:enumeration value=\"Always\" />\n      <xs:enumeration value=\"Never\" />\n      <xs:enumeration value=\"OnItemExistenceInStringCollectionClaim\" />\n      <xs:enumeration value=\"OnItemAbsenceInStringCollectionClaim\" />\n    </xs:restriction>\n  </xs:simpleType>\n  \n  <xs:simpleType 
name=\"ClaimsProviderSelectionDisplayOption\">\n    <xs:annotation>\n      <xs:documentation>\n        The list of acceptable values for how the claims provider selection page should be displayed\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"DoNotShowSingleProvider\" />\n      <xs:enumeration value=\"ShowSingleProvider\" />\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"TokenFormat\">\n    <xs:annotation>\n      <xs:documentation>\n        The token formats supported by CPIM.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"JSON\" />\n      <xs:enumeration value=\"JWT\" />\n      <xs:enumeration value=\"SAML11\" />\n      <xs:enumeration value=\"SAML2\" />\n      <xs:enumeration value=\"CpimUnsigned\" />\n      <xs:enumeration value=\"UProve11\" />\n      <xs:enumeration value=\"OAuth2Error\" />\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"ScriptExecutionType\">\n    <xs:annotation>\n      <xs:documentation>\n        Describes the supported script execution modes.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"Disallow\">\n        <xs:annotation>\n          <xs:documentation>\n            Script execution is not allowed on the client and any 3rd party content containing script will be blocked.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n      <xs:enumeration value=\"Allow\">\n        <xs:annotation>\n          <xs:documentation>\n            Script execution is permitted\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"OrchestrationStepType\">\n    <xs:annotation>\n      <xs:documentation>\n        Specifies the type of the Orchestration Step.\n      
</xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"ConsentScreen\">\n        <xs:annotation>\n          <xs:documentation>\n            Indicates that the Orchestration Step presents text to the user to which the user must consent.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n      <xs:enumeration value=\"ClaimsProviderSelection\">\n        <xs:annotation>\n          <xs:documentation>\n            Indicates that the Orchestration Step presents various Claims Providers to the user for the user to select one.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n      <xs:enumeration value=\"CombinedSignInAndSignUp\">\n        <xs:annotation>\n          <xs:documentation>\n            Indicates that the Orchestration Step presents a combined social provider signin and local account signup page.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n      <xs:enumeration value=\"ClaimsExchange\">\n        <xs:annotation>\n          <xs:documentation>\n            Indicates that the Orchestration Step exchanges Claims with a Claims Provider.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n      <xs:enumeration value=\"ReviewScreen\">\n        <xs:annotation>\n          <xs:documentation>\n            Indicates that the Orchestration Step presents a review screen for the user to review the claims which the user\n            must accept.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n      <xs:enumeration value=\"SendClaims\">\n        <xs:annotation>\n          <xs:documentation>\n            Indicates that the Orchestration Step sends the claims to the Relying Party.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n      <xs:enumeration value=\"GetClaims\">\n        <xs:annotation>\n          
<xs:documentation>\n            Indicates that the Orchestration Step processes claim data sent to the service from the relying party.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n      <xs:enumeration value=\"UserDialog\">\n        <xs:annotation>\n          <xs:documentation>\n            Indicates that the Orchestration Step presents a user dialog to the user for the capturing of information.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n      <xs:enumeration value=\"InvokeSubJourney\">\n        <xs:annotation>\n          <xs:documentation>\n            Indicates that the Orchestration Step has the ability to invoke one or more SubJourneys.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n      <xs:enumeration value=\"Noop\">\n        <xs:annotation>\n          <xs:documentation>\n            Indicates that the Orchestration Step does nothing and is included to cope with errors in layering.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"UserJourneyBehaviorScopeType\">\n    <xs:annotation>\n      <xs:documentation>\n        Defines the scope of single sign-on behavior in the user journey.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"Suppressed\">\n        <xs:annotation>\n          <xs:documentation>\n            Indicates that the behavior is suppressed. For example, in the case of SSO no session is maintained for the user and the user will always\n            be prompted for identity provider selection.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n      <xs:enumeration value=\"TrustFramework\">\n        <xs:annotation>\n          <xs:documentation>\n            Indicates that the behavior is applied for all policies in the trust framework. 
For example a user being put through two policy journeys\n            for a given trust framework will not be prompted for identity provider selection.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n      <xs:enumeration value=\"Tenant\">\n        <xs:annotation>\n          <xs:documentation>\n            Indicates that the behavior is applied for all policies in the tenant. For example a user being put through two policy journeys\n            for a given tenant will not be prompted for identity provider selection.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n      <xs:enumeration value=\"Application\">\n        <xs:annotation>\n          <xs:documentation>\n            Indicates that the behavior is applied for all policies for the application making the request. For example a user being put through two policy journeys\n            for a given application will not be prompted for identity provider selection.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n      <xs:enumeration value=\"Policy\">\n        <xs:annotation>\n          <xs:documentation>\n            Indicates that the behavior only applies to a policy. 
For example a user being put through two policy journeys\n            for a given trust framework will be prompted for identity provider selection when switching between policies.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"PreconditionType\">\n    <xs:annotation>\n      <xs:documentation>\n        Specifies the type of query that is being performed for this precondition.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"ClaimsExist\">\n        <xs:annotation>\n          <xs:documentation>\n            Specifies that the actions should be performed if the specified Claims exist in the\n            user's current Claim set.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n      <xs:enumeration value=\"ClaimEquals\">\n        <xs:annotation>\n          <xs:documentation>\n            Specifies that the actions should be performed if the specified Claim exists and its\n            value is equal to the specified value.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"PreconditionActionType\">\n    <xs:annotation>\n      <xs:documentation>\n        Specifies the action that should be taken if the Precondition check within\n        an OrchestrationStep is true.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"SkipThisOrchestrationStep\">\n        <xs:annotation>\n          <xs:documentation>\n            Specifies that the associated OrchestrationStep should not be executed.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n\t  <xs:enumeration value=\"SkipThisValidationTechnicalProfile\">\n        <xs:annotation>\n          <xs:documentation>\n            
Specifies that the associated validation technical profile should not be executed.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"DataType\">\n    <xs:annotation>\n      <xs:documentation>\n        The supported data types that the claims or parameters can have. These types are a subset of the types specified by\n        W3C XML Schema documentation, which can be found at http://www.w3.org/TR/xmlschema-2.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"boolean\"/>\n      <xs:enumeration value=\"date\"/>\n      <xs:enumeration value=\"dateTime\"/>\n      <xs:enumeration value=\"duration\"/>\n      <xs:enumeration value=\"int\"/>\n      <xs:enumeration value=\"long\"/>\n      <xs:enumeration value=\"string\"/>\n      <xs:enumeration value=\"stringCollection\"/>\n      <xs:enumeration value=\"alternativeSecurityIdCollection\"/>\n      <xs:enumeration value=\"userIdentityCollection\"/>\n      <xs:enumeration value=\"userIdentity\"/>\n      <xs:enumeration value=\"phoneNumber\"/>\n      <xs:enumeration value=\"objectIdentityCollection\"/>\n      <xs:enumeration value=\"objectIdentity\"/>      \n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"UserInputType\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents the type of input controls that should be available to the user when manually entering claim data.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"TextBox\"/>\n      <xs:enumeration value=\"EmailBox\"/>\n      <xs:enumeration value=\"DateTimeDropdown\"/>\n      <xs:enumeration value=\"RadioSingleSelect\"/>\n      <xs:enumeration value=\"DropdownSingleSelect\"/>\n      <xs:enumeration value=\"CheckboxMultiSelect\"/>\n      <xs:enumeration value=\"Password\"/>\n      <xs:enumeration 
value=\"Readonly\"/>\n      <xs:enumeration value=\"Button\"/>\n\t  <xs:enumeration value=\"Paragraph\"/>\n    </xs:restriction>\n  </xs:simpleType>\n  \n  <xs:simpleType name=\"UserInterfaceControlType\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents the type of input controls that should be available to the user when manually entering claim data. This is the successor of \"UserInputType\".\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"VerificationControl\" />\n      <xs:enumeration value=\"QrCodeControl\" />\n      <xs:enumeration value=\"AuthenticatorInfoControl\" />\n      <xs:enumeration value=\"AuthenticatorAppIconControl\" />\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"TelemetryEngineType\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents the telemetry engines that can be used as part of journey insights.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"ApplicationInsights\"/>\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"StatementType\">\n    <xs:annotation>\n      <xs:documentation>\n        Describes the category of statement that the claim belongs to, used for comparing authentication contexts\n        and issuing tokens\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"Attribute\">\n        <xs:annotation>\n          <xs:documentation>\n            A general claim about the authenticated individual\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n      <xs:enumeration value=\"Authentication\">\n        <xs:annotation>\n          <xs:documentation>\n            A claim providing information about how the individual\n            was authenticated\n          </xs:documentation>\n        </xs:annotation>\n      
</xs:enumeration>\n      <xs:enumeration value=\"Subject\">\n        <xs:annotation>\n          <xs:documentation>\n            A claim providing a means of identifying an individual\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"Culture\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents a culture for displaying content.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:pattern value=\"[a-z]{1,3}(-[a-zA-Z0-9]{2,4}){0,2}\" />\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"TenantId\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents a tenant id.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:pattern value=\"[A-Za-z0-9\\.]{3,63}\" />\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"TenantObjectId\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents the object id of an Azure tenant.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:pattern value=\"([0-9a-fA-F]){8}-([0-9a-fA-F]){4}-([0-9a-fA-F]){4}-([0-9a-fA-F]){4}-([0-9a-fA-F]){12}\"/>\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"InstrumentationKey\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents the instrumentation key for an Azure Application insights instance.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:pattern value=\"([0-9a-fA-F]){8}-([0-9a-fA-F]){4}-([0-9a-fA-F]){4}-([0-9a-fA-F]){4}-([0-9a-fA-F]){12}\"/>\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"PolicyId\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents the pattern to which a policyId must conform.\n      </xs:documentation>\n    </xs:annotation>\n    
<xs:restriction base=\"xs:string\">\n      <xs:minLength value=\"1\"/>\n      <xs:pattern value=\"[A-Za-z0-9_\\-\\.]*[A-Za-z0-9_\\-]+\" />\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"PolicyIdPattern\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents a pattern that can be used to construct a valid policyId. This field supports dynamic parameters.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:minLength value=\"1\"/>\n      <xs:pattern value=\"[A-Za-z0-9_\\-{}\\.]*[A-Za-z0-9_\\-{}]+\" />\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"Weight\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents weight of a policy.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:int\">\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"Match\">\n    <xs:annotation>\n      <xs:documentation>\n        Defines an attribute that can be passed into the query string, that will match the policy to be redirected to.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:minLength value=\"1\"/>\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"FourPartVersionNumber\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents a four part version number in the format 9.9.9.9.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:maxLength value=\"256\"/>\n      <xs:minLength value=\"1\" />\n      <xs:pattern value=\"[0-9][.][0-9][.][0-9][.][0-9]\" />\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"ThreePartVersionNumber\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents a three part version number in the format 9.9.9.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:maxLength value=\"256\"/>\n      
<xs:minLength value=\"1\" />\n      <xs:pattern value=\"[0-9][.][0-9][.][0-9]\" />\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"CryptographicKeyType\" >\n    <xs:annotation>\n      <xs:documentation>\n        Contains an enumeration of the key types supported by CPIM.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"UProveKey\">\n        <xs:annotation>\n          <xs:documentation>\n            A U-Prove Key.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n      <xs:enumeration value=\"X509Certificate\">\n        <xs:annotation>\n          <xs:documentation>\n            A X-509 Certificate.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n      <xs:enumeration value=\"Secret\">\n        <xs:annotation>\n          <xs:documentation>\n            A secret key.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"ContentUriTYPE\" >\n    <xs:annotation>\n      <xs:documentation>\n        Type that restricts a string to either an absolute or\n        relative URL. Matches https://domain/path, http://domain/path\n        and ~/path\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:pattern value=\"^(http://|https://|~/)([\\w.,@?^=%&amp;:~+#\\-_$!’();]+/)*([\\w.,@?^=%&amp;:~+#\\-_$!’();]+/?)$\" />\n      <xs:pattern value=\"^urn:[a-z0-9][a-z0-9-]{0,31}:[a-z0-9()+,\\/\\-.:=@;$_!*'%\\/?#]+$\" />\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"urlTYPE\" >\n    <xs:annotation>\n      <xs:documentation>\n        Type that restricts a string to either an absolute https URL. 
Matches https://domain/path.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:pattern value=\"^(https://)([\\w.,@?^=%&amp;:~+#\\-_$!’();]+/)*([\\w.,@?^=%&amp;:~+#\\-_$!’();]+/?)$\" />\n    </xs:restriction>\n  </xs:simpleType>\n  \n  <xs:simpleType name=\"DeploymentModeType\">\n    <xs:annotation>\n      <xs:documentation>\n        The names of the valid values for a policy's DeploymentMode attribute.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"Development\" />\n      <xs:enumeration value=\"Production\" />\n      <xs:enumeration value=\"Debugging\" />\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"SessionExpiryTypeTYPE\">\n    <xs:annotation>\n      <xs:documentation>\n        The names of the valid values the single sign on session type.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"Rolling\" />\n      <xs:enumeration value=\"Absolute\" />\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"DerivingPoliciesType\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents the type of deriving policies that can be specified for policy inheritance.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"All\">\n        <xs:annotation>\n          <xs:documentation>Any policy can inherit from this policy.</xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n      <xs:enumeration value=\"SameTenant\">\n        <xs:annotation>\n          <xs:documentation>Only policies in the same tenant can inherit from this policy. 
The default.</xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n      <xs:enumeration value=\"AllowList\">\n        <xs:annotation>\n          <xs:documentation>Only tenants explicitly listed in the tenants list can inherit from this policy.</xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n      <xs:enumeration value=\"DenyList\">\n        <xs:annotation>\n          <xs:documentation>Only tenants explicitly listed in the tenants list are blocked from inheriting from this policy. Anyone else can.</xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"PatternTYPE\">\n    <xs:annotation>\n      <xs:documentation>\n        The types of pattern constraints that can be used when\n        constraining policies.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"Prefix\" >\n        <xs:annotation>\n          <xs:documentation>\n            Specifies that a policy id needs to start with the specified prefix.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n    </xs:restriction>\n  </xs:simpleType>\n  \n  <xs:simpleType name=\"SubJourneyTYPE\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents the types of SubJourneys that can be constructed in policy.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:enumeration value=\"Transfer\">\n        <xs:annotation>\n          <xs:documentation>\n            Represents a type of SubJourney that transfer control from the current execution context, either a SubJourney or UserJourney, into a new SubJourney execution context.\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n\t  <xs:enumeration value=\"Call\">\n        <xs:annotation>\n          <xs:documentation>\n            Represents a type of SubJourney 
that is executed inside of the current User Journey. The invoked SubJourney yields control back to the original User Journey or SubJourney upon completion\n          </xs:documentation>\n        </xs:annotation>\n      </xs:enumeration>\n    </xs:restriction>\n  </xs:simpleType>\n\n  <xs:simpleType name=\"nonemptystring\">\n    <xs:annotation>\n      <xs:documentation>\n        Represents a string which cannot be empty.\n      </xs:documentation>\n    </xs:annotation>\n    <xs:restriction base=\"xs:string\">\n      <xs:maxLength value=\"256\"/>\n      <xs:minLength value=\"1\" />\n    </xs:restriction>\n  </xs:simpleType>\n\t\n</xs:schema>\n"
  },
  {
    "path": "scenarios/linkedin-identity-provider/SignUpOrSignin.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<TrustFrameworkPolicy\n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\"\n  PolicySchemaVersion=\"0.3.0.0\"\n  TenantId=\"yourtenant.onmicrosoft.com\"\n  PolicyId=\"B2C_1A_signup_signin_linkedin\"\n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_signup_signin_linkedin\">\n\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>\n  </BasePolicy>\n\n  <RelyingParty>\n    <DefaultUserJourney ReferenceId=\"SignUpOrSignInWithLinkedIn\" />\n    <TechnicalProfile Id=\"PolicyProfile\">\n      <DisplayName>PolicyProfile</DisplayName>\n      <Protocol Name=\"OpenIdConnect\" />\n      <OutputClaims>\n        <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n        <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n        <OutputClaim ClaimTypeReferenceId=\"surname\" />\n        <OutputClaim ClaimTypeReferenceId=\"email\" />\n        <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"sub\"/>\n      </OutputClaims>\n      <SubjectNamingInfo ClaimType=\"sub\" />\n    </TechnicalProfile>\n  </RelyingParty>\n</TrustFrameworkPolicy>\n\n\n\n"
  },
  {
    "path": "scenarios/linkedin-identity-provider/TrustFrameworkExtensions.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n<TrustFrameworkPolicy \n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" \n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\" \n  PolicySchemaVersion=\"0.3.0.0\" \n  TenantId=\"yourtenant.onmicrosoft.com\" \n  PolicyId=\"B2C_1A_TrustFrameworkExtensions\" \n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions\">\n  \n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>\n  </BasePolicy>\n  <BuildingBlocks>\n    <ClaimsSchema>\n      <!-- Claim that holds the OAuth2 access token returned by the identity provider. LinkedIn-OAUTH maps {oauth2:access_token} into it so that API-LinkedInEmail can present it as a bearer token. It is a live credential: keep it out of the relying-party output claims. -->\n      <ClaimType Id=\"identityProviderAccessToken\">\n        <DisplayName>Identity Provider Access Token</DisplayName>\n        <DataType>string</DataType>\n        <AdminHelpText>Stores the OAuth2 access token of the identity provider for follow-up API calls inside the journey. This is a bearer credential; do not emit it in the relying-party token.</AdminHelpText>\n      </ClaimType>\n\n      <ClaimType Id=\"nullStringClaim\">\n        <DisplayName>nullClaim</DisplayName>\n        <DataType>string</DataType>\n        <AdminHelpText>A policy claim that absorbs output values from ClaimsTransformations that are not needed. This claim should not be used in a TechnicalProfile.</AdminHelpText>\n        <UserHelpText>A policy claim that absorbs output values from ClaimsTransformations that are not needed. 
This claim should not be used in a TechnicalProfiles.</UserHelpText>\n      </ClaimType>\n    </ClaimsSchema>\n\n    <ClaimsTransformations>\n      <!-- LinkedIn Transformations -->\n      <ClaimsTransformation Id=\"ExtractGivenNameFromLinkedInResponse\" TransformationMethod=\"GetSingleItemFromJson\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"givenName\" TransformationClaimType=\"inputJson\" />\n        </InputClaims>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"nullStringClaim\" TransformationClaimType=\"key\" />\n          <OutputClaim ClaimTypeReferenceId=\"givenName\" TransformationClaimType=\"value\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n      <ClaimsTransformation Id=\"ExtractSurNameFromLinkedInResponse\" TransformationMethod=\"GetSingleItemFromJson\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"surname\" TransformationClaimType=\"inputJson\" />\n        </InputClaims>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"nullStringClaim\" TransformationClaimType=\"key\" />\n          <OutputClaim ClaimTypeReferenceId=\"surname\" TransformationClaimType=\"value\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n    </ClaimsTransformations>\n  </BuildingBlocks>\n\n  <ClaimsProviders>\n    <ClaimsProvider>\n      <Domain>linkedin.com</Domain>\n      <DisplayName>LinkedIn</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"LinkedIn-OAUTH\">\n          <DisplayName>LinkedIn</DisplayName>\n          <Protocol Name=\"OAuth2\" />\n          <Metadata>\n              <Item Key=\"ProviderName\">linkedin</Item>\n              <Item Key=\"authorization_endpoint\">https://www.linkedin.com/oauth/v2/authorization</Item>\n              <Item Key=\"AccessTokenEndpoint\">https://www.linkedin.com/oauth/v2/accessToken</Item>\n              <Item Key=\"ClaimsEndpoint\">https://api.linkedin.com/v2/me</Item>\n              <Item 
Key=\"scope\">r_emailaddress r_liteprofile</Item>\n              <Item Key=\"HttpBinding\">POST</Item>\n              <Item Key=\"external_user_identity_claim_id\">id</Item>\n              <Item Key=\"BearerTokenTransmissionMethod\">AuthorizationHeader</Item>\n              <Item Key=\"ResolveJsonPathsInJsonTokens\">true</Item>\n              <Item Key=\"UsePolicyInRedirectUri\">0</Item>\n              <Item Key=\"client_id\">LinkedIn client_id</Item>\n          </Metadata>\n          <CryptographicKeys>\n              <Key Id=\"client_secret\" StorageReferenceId=\"B2C_1A_LinkedInSecret\" />\n          </CryptographicKeys>\n          <InputClaims />\n          <OutputClaims>\n              <OutputClaim ClaimTypeReferenceId=\"issuerUserId\" PartnerClaimType=\"id\" />\n              <OutputClaim ClaimTypeReferenceId=\"givenName\" PartnerClaimType=\"firstName.localized\" />\n              <OutputClaim ClaimTypeReferenceId=\"surname\" PartnerClaimType=\"lastName.localized\" />\n              <OutputClaim ClaimTypeReferenceId=\"identityProvider\" DefaultValue=\"linkedin.com\" AlwaysUseDefaultValue=\"true\" />\n              <OutputClaim ClaimTypeReferenceId=\"authenticationSource\" DefaultValue=\"socialIdpAuthentication\" AlwaysUseDefaultValue=\"true\" />\n              <OutputClaim ClaimTypeReferenceId=\"identityProviderAccessToken\" PartnerClaimType=\"{oauth2:access_token}\" />\n          </OutputClaims>\n          <OutputClaimsTransformations>\n              <OutputClaimsTransformation ReferenceId=\"ExtractGivenNameFromLinkedInResponse\" />\n              <OutputClaimsTransformation ReferenceId=\"ExtractSurNameFromLinkedInResponse\" />\n              <OutputClaimsTransformation ReferenceId=\"CreateRandomUPNUserName\" />\n              <OutputClaimsTransformation ReferenceId=\"CreateUserPrincipalName\" />\n              <OutputClaimsTransformation ReferenceId=\"CreateAlternativeSecurityId\" />\n              <OutputClaimsTransformation 
ReferenceId=\"CreateSubjectClaimFromAlternativeSecurityId\" />\n          </OutputClaimsTransformations>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-SocialLogin\" />\n          </TechnicalProfile>\n        </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider> \n      <DisplayName>REST APIs</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"API-LinkedInEmail\">\n          <DisplayName>Get LinkedIn email</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n              <Item Key=\"ServiceUrl\">https://api.linkedin.com/v2/emailAddress?q=members&amp;projection=(elements*(handle~))</Item>\n              <Item Key=\"AuthenticationType\">Bearer</Item>\n              <Item Key=\"UseClaimAsBearerToken\">identityProviderAccessToken</Item>\n              <Item Key=\"SendClaimsIn\">Url</Item>\n              <Item Key=\"ResolveJsonPathsInJsonTokens\">true</Item>\n          </Metadata>\n          <InputClaims>\n              <InputClaim ClaimTypeReferenceId=\"identityProviderAccessToken\" />\n          </InputClaims>\n          <OutputClaims>\n              <OutputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"elements[0].handle~.emailAddress\" />\n          </OutputClaims>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-Noop\" />\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n\n    <ClaimsProvider>\n      <DisplayName>Local Account SignIn</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"login-NonInteractive\">\n          <Metadata>\n            <Item Key=\"client_id\">ProxyIdentityExperienceFrameworkAppId</Item>\n            <Item Key=\"IdTokenAudience\">IdentityExperienceFrameworkAppId</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim 
ClaimTypeReferenceId=\"client_id\" DefaultValue=\"ProxyIdentityExperienceFrameworkAppId\" />\n            <InputClaim ClaimTypeReferenceId=\"resource_id\" PartnerClaimType=\"resource\" DefaultValue=\"IdentityExperienceFrameworkAppId\" />\n          </InputClaims>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n  </ClaimsProviders>\n\n  <UserJourneys>\n\n    <UserJourney Id=\"SignUpOrSignInWithLinkedIn\">\n      <OrchestrationSteps>\n      \n        <OrchestrationStep Order=\"1\" Type=\"CombinedSignInAndSignUp\" ContentDefinitionReferenceId=\"api.signuporsignin\">\n          <ClaimsProviderSelections>\n            <ClaimsProviderSelection TargetClaimsExchangeId=\"LinkedInExchange\" />\n            <ClaimsProviderSelection ValidationClaimsExchangeId=\"LocalAccountSigninEmailExchange\" />\n          </ClaimsProviderSelections>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"LocalAccountSigninEmailExchange\" TechnicalProfileReferenceId=\"SelfAsserted-LocalAccountSignin-Email\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- Check if the user has selected to sign in using one of the social providers -->\n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>objectId</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"LinkedInExchange\" TechnicalProfileReferenceId=\"LinkedIn-OAUTH\" />\n            <ClaimsExchange Id=\"SignUpWithLogonEmailExchange\" TechnicalProfileReferenceId=\"LocalAccountSignUpWithLogonEmail\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- Extra step for LinkedIn to get the email -->\n        <OrchestrationStep Order=\"3\" Type=\"ClaimsExchange\">\n          <Preconditions>\n     
       <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"false\">\n              <Value>identityProvider</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n            <Precondition Type=\"ClaimEquals\" ExecuteActionsIf=\"false\">\n              <Value>identityProvider</Value>\n              <Value>linkedin.com</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n              <ClaimsExchange Id=\"GetEmail\" TechnicalProfileReferenceId=\"API-LinkedInEmail\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- For social IDP authentication, attempt to find the user account in the directory. -->\n        <OrchestrationStep Order=\"4\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimEquals\" ExecuteActionsIf=\"true\">\n              <Value>authenticationSource</Value>\n              <Value>localAccountAuthentication</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserReadUsingAlternativeSecurityId\" TechnicalProfileReferenceId=\"AAD-UserReadUsingAlternativeSecurityId-NoError\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- Show self-asserted page only if the directory does not have the user account already (i.e. we do not have an objectId). \n          This can only happen when authentication happened using a social IDP. If local account was created or authentication done\n          using ESTS in step 2, then an user account must exist in the directory by this time. 
-->\n        <OrchestrationStep Order=\"5\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>objectId</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"SelfAsserted-Social\" TechnicalProfileReferenceId=\"SelfAsserted-Social\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent \n          in the token. -->\n        <OrchestrationStep Order=\"6\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimEquals\" ExecuteActionsIf=\"true\">\n              <Value>authenticationSource</Value>\n              <Value>socialIdpAuthentication</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserReadWithObjectId\" TechnicalProfileReferenceId=\"AAD-UserReadUsingObjectId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <!-- The previous step (SelfAsserted-Social) could have been skipped if there were no attributes to collect \n             from the user. So, in that case, create the user in the directory if one does not already exist \n             (verified using objectId which would be set from the last step if account was created in the directory. 
-->\n        <OrchestrationStep Order=\"7\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>objectId</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserWrite\" TechnicalProfileReferenceId=\"AAD-UserWriteUsingAlternativeSecurityId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n \n        <OrchestrationStep Order=\"8\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n \n      </OrchestrationSteps>\n      <ClientDefinition ReferenceId=\"DefaultWeb\" />\n    </UserJourney>\n\n  </UserJourneys>\n\n</TrustFrameworkPolicy>\n"
  },
  {
    "path": "scenarios/password-change/PasswordChange.xml",
    "content": "﻿<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<TrustFrameworkPolicy\n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\"\n  PolicySchemaVersion=\"0.3.0.0\"\n  TenantId=\"yourtenant.onmicrosoft.com\"\n  PolicyId=\"B2C_1A_PasswordChange\"\n  PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_PasswordChange\">\n\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>\n  </BasePolicy>\n\n  <RelyingParty>\n    <DefaultUserJourney ReferenceId=\"PasswordChange\" />\n    <TechnicalProfile Id=\"PolicyProfile\">\n      <DisplayName>PolicyProfile</DisplayName>\n      <Protocol Name=\"OpenIdConnect\" />\n      <OutputClaims>\n        <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"sub\"/>\n      </OutputClaims>\n      <SubjectNamingInfo ClaimType=\"sub\" />\n    </TechnicalProfile>\n  </RelyingParty>\n</TrustFrameworkPolicy>"
  },
  {
    "path": "scenarios/password-change/TrustFrameworkExtensions.xml",
    "content": "<TrustFrameworkPolicy xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n  xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\n  xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\" PolicySchemaVersion=\"0.3.0.0\" \n    TenantId=\"yourtenant.onmicrosoft.com\" \n    PolicyId=\"B2C_1A_TrustFrameworkExtensions\" \n    PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions\">\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>\n  </BasePolicy>\n  <BuildingBlocks>\n    <ClaimsSchema>\n      <ClaimType Id=\"oldPassword\">\n        <DisplayName>Old Password</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Enter password</UserHelpText>\n        <UserInputType>Password</UserInputType>\n      </ClaimType>\n    </ClaimsSchema>\n  </BuildingBlocks>\n  <ClaimsProviders>\n    <ClaimsProvider>\n      <DisplayName>Local Account SignIn</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"login-NonInteractive-PasswordChange\">\n          <DisplayName>Local Account SignIn</DisplayName>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"oldPassword\" PartnerClaimType=\"password\" Required=\"true\" />\n          </InputClaims>\n          <IncludeTechnicalProfile ReferenceId=\"login-NonInteractive\" />\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n    <ClaimsProvider>\n      <DisplayName>Local Account Password Change</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"LocalAccountWritePasswordChangeUsingObjectId\">\n          <DisplayName>Change password (username)</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item 
Key=\"ContentDefinitionReferenceId\">api.selfasserted</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"objectId\" />\n          </InputClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"oldPassword\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"newPassword\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"reenterPassword\" Required=\"true\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"login-NonInteractive-PasswordChange\" />\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserWritePasswordUsingObjectId\" />\n          </ValidationTechnicalProfiles>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n  </ClaimsProviders>\n  <UserJourneys>\n    <UserJourney Id=\"PasswordChange\">\n      <OrchestrationSteps>\n        <OrchestrationStep Order=\"1\" Type=\"ClaimsProviderSelection\" ContentDefinitionReferenceId=\"api.signuporsignin\">\n          <ClaimsProviderSelections>\n            <ClaimsProviderSelection TargetClaimsExchangeId=\"LocalAccountSigninEmailExchange\" />\n          </ClaimsProviderSelections>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"LocalAccountSigninEmailExchange\" TechnicalProfileReferenceId=\"SelfAsserted-LocalAccountSignin-Email\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"3\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"NewCredentials\" TechnicalProfileReferenceId=\"LocalAccountWritePasswordChangeUsingObjectId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"4\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            
<ClaimsExchange Id=\"AADUserReadWithObjectId\" TechnicalProfileReferenceId=\"AAD-UserReadUsingObjectId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"5\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n      </OrchestrationSteps>\n      <ClientDefinition ReferenceId=\"DefaultWeb\" />\n    </UserJourney>\n  </UserJourneys>\n</TrustFrameworkPolicy>\n"
  },
  {
    "path": "scenarios/phone-number-passwordless/ChangePhoneNumber.xml",
    "content": "<TrustFrameworkPolicy xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\" PolicySchemaVersion=\"0.3.0.0\" TenantId=\"yourtenant.onmicrosoft.com\" PolicyId=\"B2C_1A_ChangePhoneNumber\" PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_ChangePhoneNumber\" >\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_Phone_Email_Base</PolicyId>\n  </BasePolicy>\n  <RelyingParty>\n    <DefaultUserJourney ReferenceId=\"ChangePhoneNumber\" />\n    <TechnicalProfile Id=\"PolicyProfile\">\n      <DisplayName>PolicyProfile</DisplayName>\n      <Protocol Name=\"OpenIdConnect\" />\n      <OutputClaims>\n        <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n        <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n        <OutputClaim ClaimTypeReferenceId=\"surname\" />\n        <OutputClaim ClaimTypeReferenceId=\"signInNames.phoneNumber\" />\n        <OutputClaim ClaimTypeReferenceId=\"strongAuthenticationEmailAddress\" />\n        <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"sub\" />\n      </OutputClaims>\n      <SubjectNamingInfo ClaimType=\"sub\" />\n    </TechnicalProfile>\n  </RelyingParty>\n</TrustFrameworkPolicy>"
  },
  {
    "path": "scenarios/phone-number-passwordless/PasswordResetEmail.xml",
    "content": "<TrustFrameworkPolicy xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\" PolicySchemaVersion=\"0.3.0.0\" TenantId=\"yourtenant.onmicrosoft.com\" PolicyId=\"B2C_1A_PasswordResetEmail\" PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_PasswordResetEmail\" >\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_Phone_Email_Base</PolicyId>\n  </BasePolicy>\n  <RelyingParty>\n    <DefaultUserJourney ReferenceId=\"PasswordResetEmail\" />\n    <TechnicalProfile Id=\"PolicyProfile\">\n      <DisplayName>PolicyProfile</DisplayName>\n      <Protocol Name=\"OpenIdConnect\" />\n      <OutputClaims>\n        <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n        <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n        <OutputClaim ClaimTypeReferenceId=\"surname\" />\n        <OutputClaim ClaimTypeReferenceId=\"signInNames.emailAddress\" />\n        <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"sub\" />\n      </OutputClaims>\n      <SubjectNamingInfo ClaimType=\"sub\" />\n    </TechnicalProfile>\n  </RelyingParty>\n</TrustFrameworkPolicy>"
  },
  {
    "path": "scenarios/phone-number-passwordless/Phone_Email_Base.xml",
    "content": "<TrustFrameworkPolicy xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\" PolicySchemaVersion=\"0.3.0.0\" TenantId=\"yourtenant.onmicrosoft.com\" PolicyId=\"B2C_1A_Phone_Email_Base\" PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_Phone_Email_Base\" >\n  <BuildingBlocks>\n    <ClaimsSchema>\n      <ClaimType Id=\"tenantId\">\n        <DisplayName>User's Object's Tenant ID</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"tid\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"tid\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.microsoft.com/identity/claims/tenantid\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Tenant identifier (ID) of the user object in Azure AD.</UserHelpText>\n      </ClaimType>\n      <ClaimType Id=\"objectId\">\n        <DisplayName>User's Object ID</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"oid\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"oid\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.microsoft.com/identity/claims/objectidentifier\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Object identifier (ID) of the user object in Azure AD.</UserHelpText>\n      </ClaimType>\n      <ClaimType Id=\"signInNames.phoneNumber\">\n        <DataType>phoneNumber</DataType>\n      </ClaimType>\n      <ClaimType Id=\"strongAuthenticationEmailAddress\">\n        <DisplayName>Email Address</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"email\" />\n        </DefaultPartnerClaimTypes>\n        
<AdminHelpText>Email address of the user</AdminHelpText>\n        <UserHelpText>Email address that can be used to contact you.</UserHelpText>\n        <UserInputType>Readonly</UserInputType>\n        <PredicateValidationReference Id=\"email\" />\n      </ClaimType>\n      <ClaimType Id=\"signInNames.emailAddress\">\n        <DataType>string</DataType>\n      </ClaimType>\n      <ClaimType Id=\"phoneNumber\">\n        <DisplayName>Phone Number</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Enter Phone Number</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n        <PredicateValidationReference Id=\"internationalOrNationalPhoneNumber\" />\n      </ClaimType>\n      <ClaimType Id=\"nationalNumber\">\n        <DisplayName>Phone Number</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Enter National Phone Number</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n        <PredicateValidationReference Id=\"nationalNumber\" />\n      </ClaimType>\n      <ClaimType Id=\"signInName\">\n        <DisplayName>Phone Number or Email Address</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Please enter a valid phone number or email address.</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n        <PredicateValidationReference Id=\"phoneOrEmailSignInName\" />\n      </ClaimType>\n      <ClaimType Id=\"email\">\n        <DisplayName>Email Address</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"email\" />\n        </DefaultPartnerClaimTypes>\n        <AdminHelpText>Email address of the user</AdminHelpText>\n        <UserHelpText>Email address that can be used to contact you.</UserHelpText>\n        <UserInputType>EmailBox</UserInputType>\n        <PredicateValidationReference Id=\"email\" />\n      </ClaimType>\n      <ClaimType Id=\"isLocalAccountSignIn\">\n        
<DataType>boolean</DataType>\n      </ClaimType>\n      <ClaimType Id=\"isEmailSignUp\">\n        <DataType>boolean</DataType>\n      </ClaimType>\n      <ClaimType Id=\"isChangePhoneNumber\">\n        <DataType>boolean</DataType>\n      </ClaimType>\n      <ClaimType Id=\"changePhoneSuccessMessage\">\n        <DataType>string</DataType>\n        <UserInputType>Paragraph</UserInputType>\n      </ClaimType>\n      <ClaimType Id=\"countryCode\">\n        <DisplayName>Country</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Enter Country</UserHelpText>\n        <UserInputType>DropdownSingleSelect</UserInputType>\n        <Restriction>\n          <Enumeration Text=\"Albania(+355)\" Value=\"AL\" />\n          <Enumeration Text=\"Algeria(+213)\" Value=\"DZ\" />\n          <Enumeration Text=\"American Samoa(+1684)\" Value=\"AS\" />\n          <Enumeration Text=\"Andorra(+376)\" Value=\"AD\" />\n          <Enumeration Text=\"Angola(+244)\" Value=\"AO\" />\n          <Enumeration Text=\"Anguilla(+1264)\" Value=\"AI\" />\n          <Enumeration Text=\"Antarctica(+672)\" Value=\"AQ\" />\n          <Enumeration Text=\"Antigua and Barbuda(+1268)\" Value=\"AG\" />\n          <Enumeration Text=\"Argentina(+54)\" Value=\"AR\" />\n          <Enumeration Text=\"Armenia(+374)\" Value=\"AM\" />\n          <Enumeration Text=\"Aruba(+297)\" Value=\"AW\" />\n          <Enumeration Text=\"Australia(+61)\" Value=\"AU\" />\n          <Enumeration Text=\"Austria(+43)\" Value=\"AT\" />\n          <Enumeration Text=\"Azerbaijan(+994)\" Value=\"AZ\" />\n          <Enumeration Text=\"Bahamas(+1242)\" Value=\"BS\" />\n          <Enumeration Text=\"Bahrain(+973)\" Value=\"BH\" />\n          <Enumeration Text=\"Bangladesh(+880)\" Value=\"BD\" />\n          <Enumeration Text=\"Barbados(+1246)\" Value=\"BB\" />\n          <Enumeration Text=\"Belarus(+375)\" Value=\"BY\" />\n          <Enumeration Text=\"Belgium(+32)\" Value=\"BE\" />\n          <Enumeration 
Text=\"Belize(+501)\" Value=\"BZ\" />\n          <Enumeration Text=\"Benin(+229)\" Value=\"BJ\" />\n          <Enumeration Text=\"Bermuda(+1441)\" Value=\"BM\" />\n          <Enumeration Text=\"Bhutan(+975)\" Value=\"BT\" />\n          <Enumeration Text=\"Bolivia(+591)\" Value=\"BO\" />\n          <Enumeration Text=\"Bonaire, Sint Eustatius and Saba(+599)\" Value=\"BQ\" />\n          <Enumeration Text=\"Bosnia and Herzegovina(+387)\" Value=\"BA\" />\n          <Enumeration Text=\"Botswana(+267)\" Value=\"BW\" />\n          <Enumeration Text=\"Brazil(+55)\" Value=\"BR\" />\n          <Enumeration Text=\"British Virgin Islands (+1284)\" Value=\"VG\" />\n          <Enumeration Text=\"Brunei Darussalam(+673)\" Value=\"BN\" />\n          <Enumeration Text=\"Bulgaria(+359)\" Value=\"BG\" />\n          <Enumeration Text=\"Burkina Faso(+226)\" Value=\"BF\" />\n          <Enumeration Text=\"Burundi(+257)\" Value=\"BI\" />\n          <Enumeration Text=\"Cambodia(+855)\" Value=\"KH\" />\n          <Enumeration Text=\"Cameroon(+237)\" Value=\"CM\" />\n          <Enumeration Text=\"Canada(+1)\" Value=\"CA\" />\n          <Enumeration Text=\"Cape Verde(+238)\" Value=\"CV\" />\n          <Enumeration Text=\"Cayman Islands(+1345)\" Value=\"KY\" />\n          <Enumeration Text=\"Central African Republic(+236)\" Value=\"CF\" />\n          <Enumeration Text=\"Chad(+235)\" Value=\"TD\" />\n          <Enumeration Text=\"Chile(+56)\" Value=\"CL\" />\n          <Enumeration Text=\"China(+86)\" Value=\"CN\" />\n          <Enumeration Text=\"Colombia(+57)\" Value=\"CO\" />\n          <Enumeration Text=\"Comoros(+269)\" Value=\"KM\" />\n          <Enumeration Text=\"Congo(+242)\" Value=\"CG\" />\n          <Enumeration Text=\"Cook Islands(+682)\" Value=\"CK\" />\n          <Enumeration Text=\"Costa Rica(+506)\" Value=\"CR\" />\n          <Enumeration Text=\"Côte d'Ivoire(+225)\" Value=\"CI\" />\n          <Enumeration Text=\"Croatia(+385)\" Value=\"HR\" />\n          <Enumeration 
Text=\"Cuba(+53)\" Value=\"CU\" />\n          <Enumeration Text=\"Curaçao(+599)\" Value=\"CW\" />\n          <Enumeration Text=\"Cyprus(+357)\" Value=\"CY\" />\n          <Enumeration Text=\"Czech Republic(+420)\" Value=\"CZ\" />\n          <Enumeration Text=\"Congo, Democratic Republic of the(+243)\" Value=\"CD\" />\n          <Enumeration Text=\"Denmark(+45)\" Value=\"DK\" />\n          <Enumeration Text=\"Djibouti(+253)\" Value=\"DJ\" />\n          <Enumeration Text=\"Dominica(+1767)\" Value=\"DM\" />\n          <Enumeration Text=\"Dominican Republic(+1)\" Value=\"DO\" />\n          <Enumeration Text=\"Timor-Leste(+670)\" Value=\"TL\" />\n          <Enumeration Text=\"Ecuador(+593)\" Value=\"EC\" />\n          <Enumeration Text=\"Egypt(+20)\" Value=\"EG\" />\n          <Enumeration Text=\"El Salvador(+503)\" Value=\"SV\" />\n          <Enumeration Text=\"Equatorial Guinea(+240)\" Value=\"GQ\" />\n          <Enumeration Text=\"Eritrea(+291)\" Value=\"ER\" />\n          <Enumeration Text=\"Estonia(+372)\" Value=\"EE\" />\n          <Enumeration Text=\"Ethiopia(+251)\" Value=\"ET\" />\n          <Enumeration Text=\"Falkland Islands (Malvinas)(+500)\" Value=\"FK\" />\n          <Enumeration Text=\"Faroe Islands(+298)\" Value=\"FO\" />\n          <Enumeration Text=\"Fiji(+679)\" Value=\"FJ\" />\n          <Enumeration Text=\"Finland(+358)\" Value=\"FI\" />\n          <Enumeration Text=\"France(+33)\" Value=\"FR\" />\n          <Enumeration Text=\"French Guiana(+594)\" Value=\"GF\" />\n          <Enumeration Text=\"French Polynesia(+689)\" Value=\"PF\" />\n          <Enumeration Text=\"Gabon(+241)\" Value=\"GA\" />\n          <Enumeration Text=\"Gambia(+220)\" Value=\"GM\" />\n          <Enumeration Text=\"Georgia(+995)\" Value=\"GE\" />\n          <Enumeration Text=\"Germany(+49)\" Value=\"DE\" />\n          <Enumeration Text=\"Ghana(+233)\" Value=\"GH\" />\n          <Enumeration Text=\"Gibraltar(+350)\" Value=\"GI\" />\n          <Enumeration Text=\"Greece(+30)\" Value=\"GR\" />\n          
<Enumeration Text=\"Greenland(+299)\" Value=\"GL\" />\n          <Enumeration Text=\"Grenada(+1473)\" Value=\"GD\" />\n          <Enumeration Text=\"Guadeloupe(+590)\" Value=\"GP\" />\n          <Enumeration Text=\"Guam(+1671)\" Value=\"GU\" />\n          <Enumeration Text=\"Guatemala(+502)\" Value=\"GT\" />\n          <Enumeration Text=\"Guinea(+224)\" Value=\"GN\" />\n          <Enumeration Text=\"Guinea-Bissau(+245)\" Value=\"GW\" />\n          <Enumeration Text=\"Guyana(+592)\" Value=\"GY\" />\n          <Enumeration Text=\"Haiti(+509)\" Value=\"HT\" />\n          <Enumeration Text=\"Honduras(+504)\" Value=\"HN\" />\n          <Enumeration Text=\"Hong Kong(+852)\" Value=\"HK\" />\n          <Enumeration Text=\"Hungary(+36)\" Value=\"HU\" />\n          <Enumeration Text=\"Iceland(+354)\" Value=\"IS\" />\n          <Enumeration Text=\"India(+91)\" Value=\"IN\" />\n          <Enumeration Text=\"Indonesia(+62)\" Value=\"ID\" />\n          <Enumeration Text=\"Iran(+98)\" Value=\"IR\" />\n          <Enumeration Text=\"Iraq(+964)\" Value=\"IQ\" />\n          <Enumeration Text=\"Ireland(+353)\" Value=\"IE\" />\n          <Enumeration Text=\"Israel(+972)\" Value=\"IL\" />\n          <Enumeration Text=\"Italy(+39)\" Value=\"IT\" />\n          <Enumeration Text=\"Jamaica(+1)\" Value=\"JM\" />\n          <Enumeration Text=\"Japan(+81)\" Value=\"JP\" />\n          <Enumeration Text=\"Jordan(+962)\" Value=\"JO\" />\n          <Enumeration Text=\"Kazakhstan(+7)\" Value=\"KZ\" />\n          <Enumeration Text=\"Kenya(+254)\" Value=\"KE\" />\n          <Enumeration Text=\"Kiribati(+686)\" Value=\"KI\" />\n          <Enumeration Text=\"Kuwait(+965)\" Value=\"KW\" />\n          <Enumeration Text=\"Kyrgyzstan(+996)\" Value=\"KG\" />\n          <Enumeration Text=\"Lao People's Democratic Republic(+856)\" Value=\"LA\" />\n          <Enumeration Text=\"Latvia(+371)\" Value=\"LV\" />\n          <Enumeration Text=\"Lebanon(+961)\" Value=\"LB\" />\n          <Enumeration 
Text=\"Lesotho(+266)\" Value=\"LS\" />\n          <Enumeration Text=\"Liberia(+231)\" Value=\"LR\" />\n          <Enumeration Text=\"Libya(+218)\" Value=\"LY\" />\n          <Enumeration Text=\"Liechtenstein(+423)\" Value=\"LI\" />\n          <Enumeration Text=\"Lithuania(+370)\" Value=\"LT\" />\n          <Enumeration Text=\"Luxembourg(+352)\" Value=\"LU\" />\n          <Enumeration Text=\"Macao(+853)\" Value=\"MO\" />\n          <Enumeration Text=\"North Macedonia, Republic of (+389)\" Value=\"MK\" />\n          <Enumeration Text=\"Madagascar(+261)\" Value=\"MG\" />\n          <Enumeration Text=\"Malawi(+265)\" Value=\"MW\" />\n          <Enumeration Text=\"Malaysia(+60)\" Value=\"MY\" />\n          <Enumeration Text=\"Maldives(+960)\" Value=\"MV\" />\n          <Enumeration Text=\"Mali(+223)\" Value=\"ML\" />\n          <Enumeration Text=\"Malta(+356)\" Value=\"MT\" />\n          <Enumeration Text=\"Marshall Islands(+692)\" Value=\"MH\" />\n          <Enumeration Text=\"Martinique(+596)\" Value=\"MQ\" />\n          <Enumeration Text=\"Mauritania(+222)\" Value=\"MR\" />\n          <Enumeration Text=\"Mauritius(+230)\" Value=\"MU\" />\n          <Enumeration Text=\"Mexico(+52)\" Value=\"MX\" />\n          <Enumeration Text=\"Micronesia(+691)\" Value=\"FM\" />\n          <Enumeration Text=\"Moldova, Republic of(+373)\" Value=\"MD\" />\n          <Enumeration Text=\"Monaco(+377)\" Value=\"MC\" />\n          <Enumeration Text=\"Mongolia(+976)\" Value=\"MN\" />\n          <Enumeration Text=\"Montenegro(+382)\" Value=\"ME\" />\n          <Enumeration Text=\"Montserrat(+1664)\" Value=\"MS\" />\n          <Enumeration Text=\"Morocco(+212)\" Value=\"MA\" />\n          <Enumeration Text=\"Mozambique(+258)\" Value=\"MZ\" />\n          <Enumeration Text=\"Myanmar(+95)\" Value=\"MM\" />\n          <Enumeration Text=\"Namibia(+264)\" Value=\"NA\" />\n          <Enumeration Text=\"Nauru(+674)\" Value=\"NR\" />\n          <Enumeration Text=\"Nepal(+977)\" Value=\"NP\" />\n       
   <Enumeration Text=\"Netherlands(+31)\" Value=\"NL\" />\n          <Enumeration Text=\"New Caledonia(+687)\" Value=\"NC\" />\n          <Enumeration Text=\"New Zealand(+64)\" Value=\"NZ\" />\n          <Enumeration Text=\"Nicaragua(+505)\" Value=\"NI\" />\n          <Enumeration Text=\"Niger(+227)\" Value=\"NE\" />\n          <Enumeration Text=\"Nigeria(+234)\" Value=\"NG\" />\n          <Enumeration Text=\"Niue(+683)\" Value=\"NU\" />\n          <Enumeration Text=\"Korea, Democratic People's Republic of (North Korea)(+850)\" Value=\"KP\" />\n          <Enumeration Text=\"Norway(+47)\" Value=\"NO\" />\n          <Enumeration Text=\"Oman(+968)\" Value=\"OM\" />\n          <Enumeration Text=\"Pakistan(+92)\" Value=\"PK\" />\n          <Enumeration Text=\"Palau(+680)\" Value=\"PW\" />\n          <Enumeration Text=\"Palestine, State of(+970)\" Value=\"PS\" />\n          <Enumeration Text=\"Panama(+507)\" Value=\"PA\" />\n          <Enumeration Text=\"Papua New Guinea(+675)\" Value=\"PG\" />\n          <Enumeration Text=\"Paraguay(+595)\" Value=\"PY\" />\n          <Enumeration Text=\"Peru(+51)\" Value=\"PE\" />\n          <Enumeration Text=\"Philippines(+63)\" Value=\"PH\" />\n          <Enumeration Text=\"Poland(+48)\" Value=\"PL\" />\n          <Enumeration Text=\"Portugal(+351)\" Value=\"PT\" />\n          <Enumeration Text=\"Puerto Rico(+1)\" Value=\"PR\" />\n          <Enumeration Text=\"Qatar(+974)\" Value=\"QA\" />\n          <Enumeration Text=\"Réunion(+262)\" Value=\"RE\" />\n          <Enumeration Text=\"Romania(+40)\" Value=\"RO\" />\n          <Enumeration Text=\"Russian Federation(+7)\" Value=\"RU\" />\n          <Enumeration Text=\"Rwanda(+250)\" Value=\"RW\" />\n          <Enumeration Text=\"Saint Helena, Ascension and Tristan da Cunha(+290)\" Value=\"SH\" />\n          <Enumeration Text=\"Saint Kitts and Nevis(+1869)\" Value=\"KN\" />\n          <Enumeration Text=\"Saint Lucia(+1758)\" Value=\"LC\" />\n          <Enumeration Text=\"Saint Pierre and 
Miquelon(+508)\" Value=\"PM\" />\n          <Enumeration Text=\"Saint Vincent and the Grenadines(+1784)\" Value=\"VC\" />\n          <Enumeration Text=\"Northern Mariana Islands(CNMI)(+1670)\" Value=\"MP\" />\n          <Enumeration Text=\"Samoa(+685)\" Value=\"WS\" />\n          <Enumeration Text=\"San Marino(+378)\" Value=\"SM\" />\n          <Enumeration Text=\"Sao Tome and Principe(+239)\" Value=\"ST\" />\n          <Enumeration Text=\"Saudi Arabia(+966)\" Value=\"SA\" />\n          <Enumeration Text=\"Senegal(+221)\" Value=\"SN\" />\n          <Enumeration Text=\"Serbia(+381)\" Value=\"RS\" />\n          <Enumeration Text=\"Seychelles(+248)\" Value=\"SC\" />\n          <Enumeration Text=\"Sierra Leone(+232)\" Value=\"SL\" />\n          <Enumeration Text=\"Singapore(+65)\" Value=\"SG\" />\n          <Enumeration Text=\"Slovakia(+421)\" Value=\"SK\" />\n          <Enumeration Text=\"Slovenia(+386)\" Value=\"SI\" />\n          <Enumeration Text=\"Solomon Islands(+677)\" Value=\"SB\" />\n          <Enumeration Text=\"Somalia(+252)\" Value=\"SO\" />\n          <Enumeration Text=\"South Africa(+27)\" Value=\"ZA\" />\n          <Enumeration Text=\"Korea, Republic of(+82)\" Value=\"KR\" />\n          <Enumeration Text=\"South Sudan(+211)\" Value=\"SS\" />\n          <Enumeration Text=\"Spain(+34)\" Value=\"ES\" />\n          <Enumeration Text=\"Sri Lanka(+94)\" Value=\"LK\" />\n          <Enumeration Text=\"Sudan(+249)\" Value=\"SD\" />\n          <Enumeration Text=\"Suriname(+597)\" Value=\"SR\" />\n          <Enumeration Text=\"Swaziland(+268)\" Value=\"SZ\" />\n          <Enumeration Text=\"Sweden(+46)\" Value=\"SE\" />\n          <Enumeration Text=\"Switzerland(+41)\" Value=\"CH\" />\n          <Enumeration Text=\"Syrian Arab Republic(+963)\" Value=\"SY\" />\n          <Enumeration Text=\"Taiwan, Province of China(+886)\" Value=\"TW\" />\n          <Enumeration Text=\"Tajikistan(+992)\" Value=\"TJ\" />\n          <Enumeration Text=\"Tanzania, United Republic 
of(+255)\" Value=\"TZ\" />\n          <Enumeration Text=\"Thailand(+66)\" Value=\"TH\" />\n          <Enumeration Text=\"Togo(+228)\" Value=\"TG\" />\n          <Enumeration Text=\"Tokelau(+690)\" Value=\"TK\" />\n          <Enumeration Text=\"Tonga(+676)\" Value=\"TO\" />\n          <Enumeration Text=\"Trinidad and Tobago(+1868)\" Value=\"TT\" />\n          <Enumeration Text=\"Tunisia(+216)\" Value=\"TN\" />\n          <Enumeration Text=\"Turkey(+90)\" Value=\"TR\" />\n          <Enumeration Text=\"Turkmenistan(+993)\" Value=\"TM\" />\n          <Enumeration Text=\"Turks and Caicos Islands(+1649)\" Value=\"TC\" />\n          <Enumeration Text=\"Tuvalu(+688)\" Value=\"TV\" />\n          <Enumeration Text=\"Uganda(+256)\" Value=\"UG\" />\n          <Enumeration Text=\"Ukraine(+380)\" Value=\"UA\" />\n          <Enumeration Text=\"United Arab Emirates(+971)\" Value=\"UA\" />\n          <Enumeration Text=\"United Kingdom(+44)\" Value=\"GB\" />\n          <Enumeration Text=\"United States(+1)\" Value=\"US\" />\n          <Enumeration Text=\"Virgin Islands, U.S.(+1340)\" Value=\"VI\" />\n          <Enumeration Text=\"Uruguay(+598)\" Value=\"UY\" />\n          <Enumeration Text=\"Uzbekistan(+998)\" Value=\"UZ\" />\n          <Enumeration Text=\"Vanuatu(+678)\" Value=\"VU\" />\n          <Enumeration Text=\"Holy See (Vatican City State)(+379)\" Value=\"VA\" />\n          <Enumeration Text=\"Venezuela, Bolivarian Republic of(+58)\" Value=\"VE\" />\n          <Enumeration Text=\"Viet Nam(+84)\" Value=\"VN\" />\n          <Enumeration Text=\"Wallis and Futuna(+681)\" Value=\"WF\" />\n          <Enumeration Text=\"Yemen(+967)\" Value=\"YE\" />\n          <Enumeration Text=\"Zambia(+260)\" Value=\"ZM\" />\n          <Enumeration Text=\"Zimbabwe(+263)\" Value=\"ZW\" />\n        </Restriction>\n      </ClaimType>\n      <ClaimType Id=\"verificationCode\">\n        <DisplayName>Verification Code</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Enter your 
verification code</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n        <!--Restriction>\n          <Pattern RegularExpression=\"^[0-9]{1,15}$\" HelpText=\"Please enter digits\" />\n        </Restriction-->\n      </ClaimType>\n      <ClaimType Id=\"password\">\n        <DisplayName>Password</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Enter password</UserHelpText>\n        <UserInputType>Password</UserInputType>\n      </ClaimType>\n      <ClaimType Id=\"newPassword\">\n        <DisplayName>New Password</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Enter new password</UserHelpText>\n        <UserInputType>Password</UserInputType>\n        <Restriction>\n          <Pattern RegularExpression=\"^((?=.*[a-z])(?=.*[A-Z])(?=.*\\d)|(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9])|(?=.*[a-z])(?=.*\\d)(?=.*[^A-Za-z0-9])|(?=.*[A-Z])(?=.*\\d)(?=.*[^A-Za-z0-9]))([A-Za-z\\d@#$%^&amp;*\\-_+=[\\]{}|\\\\:',?/`~&quot;();!]|\\.(?!@)){8,16}$\" HelpText=\"8-16 characters, containing 3 out of 4 of the following: Lowercase characters, uppercase characters, digits (0-9), and one or more of the following symbols: @ # $ % ^ &amp; * - _ + = [ ] { } | \\ : ' , ? 
/ ` ~ &quot; ( ) ; .\" />\n        </Restriction>\n      </ClaimType>\n      <ClaimType Id=\"reenterPassword\">\n        <DisplayName>Confirm New Password</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Confirm new password</UserHelpText>\n        <UserInputType>Password</UserInputType>\n        <Restriction>\n          <Pattern RegularExpression=\"^((?=.*[a-z])(?=.*[A-Z])(?=.*\\d)|(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9])|(?=.*[a-z])(?=.*\\d)(?=.*[^A-Za-z0-9])|(?=.*[A-Z])(?=.*\\d)(?=.*[^A-Za-z0-9]))([A-Za-z\\d@#$%^&amp;*\\-_+=[\\]{}|\\\\:',?/`~&quot;();!]|\\.(?!@)){8,16}$\" HelpText=\" \" />\n        </Restriction>\n      </ClaimType>\n      <ClaimType Id=\"passwordPolicies\">\n        <DisplayName>Password Policies</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Password policies used by Azure AD to determine password strength, expiry etc.</UserHelpText>\n      </ClaimType>\n      <ClaimType Id=\"client_id\">\n        <DisplayName>client_id</DisplayName>\n        <DataType>string</DataType>\n        <AdminHelpText>Special parameter passed to EvoSTS.</AdminHelpText>\n        <UserHelpText>Special parameter passed to EvoSTS.</UserHelpText>\n      </ClaimType>\n      <ClaimType Id=\"resource_id\">\n        <DisplayName>resource_id</DisplayName>\n        <DataType>string</DataType>\n        <AdminHelpText>Special parameter passed to EvoSTS.</AdminHelpText>\n        <UserHelpText>Special parameter passed to EvoSTS.</UserHelpText>\n      </ClaimType>\n      <ClaimType Id=\"sub\">\n        <DisplayName>Subject</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"sub\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText />\n      </ClaimType>\n      <ClaimType Id=\"displayName\">\n        <DisplayName>Display Name</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          
<Protocol Name=\"OAuth2\" PartnerClaimType=\"unique_name\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"name\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\" />\n        </DefaultPartnerClaimTypes>\n        <UserHelpText>Your display name.</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n      <ClaimType Id=\"hasFullProfile\">\n        <DataType>boolean</DataType>\n      </ClaimType>\n      <ClaimType Id=\"strongAuthEmailExists\">\n        <DataType>boolean</DataType>\n      </ClaimType>\n      <!-- SECTION II: Claims required to pass on special parameters (including some query string parameters) to other claims providers -->\n      <ClaimType Id=\"nca\">\n        <DisplayName>nca</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Special parameter passed for local account authentication to login.microsoftonline.com.</UserHelpText>\n      </ClaimType>\n      <ClaimType Id=\"grant_type\">\n        <DisplayName>grant_type</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Special parameter passed for local account authentication to login.microsoftonline.com.</UserHelpText>\n      </ClaimType>\n      <ClaimType Id=\"scope\">\n        <DisplayName>scope</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Special parameter passed for local account authentication to login.microsoftonline.com.</UserHelpText>\n      </ClaimType>\n      <ClaimType Id=\"objectIdFromSession\">\n        <DisplayName>objectIdFromSession</DisplayName>\n        <DataType>boolean</DataType>\n        <UserHelpText>Parameter provided by the default session management provider to indicate that the object id has been retrieved from an SSO session.</UserHelpText>\n      </ClaimType>\n      <ClaimType Id=\"upnUserName\">\n        <DisplayName>UPN User Name</DisplayName>\n        <DataType>string</DataType>\n    
    <AdminHelpText>The user name for creating user principal name.</AdminHelpText>\n        <UserHelpText>The user name for creating user principal name.</UserHelpText>\n      </ClaimType>\n      <ClaimType Id=\"userPrincipalName\">\n        <DisplayName>UserPrincipalName</DisplayName>\n        <DataType>string</DataType>\n        <DefaultPartnerClaimTypes>\n          <Protocol Name=\"OAuth2\" PartnerClaimType=\"upn\" />\n          <Protocol Name=\"OpenIdConnect\" PartnerClaimType=\"upn\" />\n          <Protocol Name=\"SAML2\" PartnerClaimType=\"http://schemas.microsoft.com/identity/claims/userprincipalname\" />\n        </DefaultPartnerClaimTypes>\n        <AdminHelpText>The user name as stored in the Azure Active Directory.</AdminHelpText>\n        <UserHelpText>Your user name as stored in the Azure Active Directory.</UserHelpText>\n      </ClaimType>\n      <!-- SECTION III: Additional claims that can be collected from the users, stored in the directory, and sent in the token. Add additional claims here. 
-->\n      <ClaimType Id=\"givenName\">\n        <DisplayName>Given Name</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Your given name (also known as first name).</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n      <ClaimType Id=\"surname\">\n        <DisplayName>Surname</DisplayName>\n        <DataType>string</DataType>\n        <UserHelpText>Your surname (also known as family name or last name).</UserHelpText>\n        <UserInputType>TextBox</UserInputType>\n      </ClaimType>\n    </ClaimsSchema>\n    <Predicates>\n      <Predicate Id=\"email\" Method=\"MatchesRegex\">\n        <UserHelpText>Please enter a valid email address.</UserHelpText>\n        <Parameters>\n          <!--\n            This regex is constructed mostly from RFC 5322 for email, with intentional omissions based on discovery of characters that don't work for other services we use\n            # the below two lines cover the local part of the email, before the '@' sign\n            [a-zA-Z0-9!#$%&amp;'+^_`{}~-]+         # matches lower or upper case letters, digits, and certain special characters\n            (?:\\.[a-zA-Z0-9!#$%&amp;'+^_`{}~-]+)*  # same list as above, but including an optional '.' character at the beginning, repeated\n            # together, the above two lines prevent the '.' character from appearing at the start, end, or twice in a row in the local part\n            @                                      # the '@' symbol appears exactly once, separating the local and domain sections\n            (?:[a-zA-Z0-9]                         # matches lower and uppercase letters and digits\n            (?:[a-zA-Z0-9-]*                       # same as above, but also allowing '-'\n            [a-zA-Z0-9])                           # only lower and uppercase letters and digits again\n            ?\\.)+                                  # allows for a '.' 
character to terminate a section\n            # the above lines mean that '.' can create segments, and segments can't begin or end with a '-'. Also, no repeating '.' chars\n            [a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?$\n            # the above line is essentially the same as the previous section, but forces the email to not end with a '.'\n          -->\n          <Parameter Id=\"RegularExpression\">^[a-zA-Z0-9!#$%&amp;'+^_`{}~-]+(?:\\.[a-zA-Z0-9!#$%&amp;'+^_`{}~-]+)*@(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?\\.)+[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?$</Parameter>\n        </Parameters>\n      </Predicate>\n      <Predicate Id=\"internationalOrNationalPhoneNumber\" Method=\"MatchesRegex\">\n        <UserHelpText>The value entered needs to be a phone number.</UserHelpText>\n        <Parameters>\n          <!--\n              This regex will match a string with an optional leading \"+\", 4 to 16 digits, and any number of dashes, parentheses, and spaces, in any order.\n              It is intentionally overinclusive to allow the user to continue their journey with any input that might be an international or national phone number \n              in any country with any customary punctuation/formatting. 
In this policy, the ConvertStringToPhoneNumberClaim claims converter will do the final validation, \n              ignoring the dashes, parentheses, and spaces.\n            -->\n          <Parameter Id=\"RegularExpression\">^\\+?(?:[-()\\s]*\\d[-()\\s]*){4,16}$</Parameter>\n        </Parameters>\n      </Predicate>\n      <Predicate Id=\"noLeadingPlus\" Method=\"MatchesRegex\">\n        <UserHelpText>The national number should not include a country code.</UserHelpText>\n        <Parameters>\n          <!-- Combine this with the predicate above to match only a national phone number -->\n          <Parameter Id=\"RegularExpression\">^[^\\\\+]+$</Parameter>\n        </Parameters>\n      </Predicate>\n    </Predicates>\n    <PredicateValidations>\n      <PredicateValidation Id=\"email\">\n        <PredicateGroups>\n          <PredicateGroup Id=\"email\">\n            <PredicateReferences>\n              <PredicateReference Id=\"email\" />\n            </PredicateReferences>\n          </PredicateGroup>\n        </PredicateGroups>\n      </PredicateValidation>\n      <PredicateValidation Id=\"phoneOrEmailSignInName\">\n        <PredicateGroups>\n          <PredicateGroup Id=\"phoneOrEmailSignInName\">\n            <UserHelpText>Please enter a valid email address or phone number.</UserHelpText>\n            <PredicateReferences MatchAtLeast=\"1\">\n              <PredicateReference Id=\"email\" />\n              <PredicateReference Id=\"internationalOrNationalPhoneNumber\" />\n            </PredicateReferences>\n          </PredicateGroup>\n        </PredicateGroups>\n      </PredicateValidation>\n      <PredicateValidation Id=\"nationalNumber\">\n        <PredicateGroups>\n          <PredicateGroup Id=\"internationalOrNationalPhoneNumber\">\n            <PredicateReferences>\n              <PredicateReference Id=\"internationalOrNationalPhoneNumber\" />\n            </PredicateReferences>\n          </PredicateGroup>\n          <PredicateGroup 
Id=\"noLeadingPlus\">\n            <PredicateReferences>\n              <PredicateReference Id=\"noLeadingPlus\" />\n            </PredicateReferences>\n          </PredicateGroup>\n        </PredicateGroups>\n      </PredicateValidation>\n      <PredicateValidation Id=\"internationalOrNationalPhoneNumber\">\n        <PredicateGroups>\n          <PredicateGroup Id=\"internationalOrNationalPhoneNumber\">\n            <UserHelpText>Please enter a valid phone number.</UserHelpText>\n            <PredicateReferences>\n              <PredicateReference Id=\"internationalOrNationalPhoneNumber\" />\n            </PredicateReferences>\n          </PredicateGroup>\n        </PredicateGroups>\n      </PredicateValidation>\n    </PredicateValidations>\n    <ClaimsTransformations>\n      <ClaimsTransformation Id=\"CreateRandomUPNUserName\" TransformationMethod=\"CreateRandomString\">\n        <InputParameters>\n          <InputParameter Id=\"randomGeneratorType\" DataType=\"string\" Value=\"GUID\" />\n        </InputParameters>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"upnUserName\" TransformationClaimType=\"outputClaim\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n      <ClaimsTransformation Id=\"CreateUserPrincipalName\" TransformationMethod=\"FormatStringClaim\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"upnUserName\" TransformationClaimType=\"inputClaim\" />\n        </InputClaims>\n        <InputParameters>\n          <InputParameter Id=\"stringFormat\" DataType=\"string\" Value=\"cpim_{0}@{RelyingPartyTenantId}\" />\n        </InputParameters>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" TransformationClaimType=\"outputClaim\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n      <ClaimsTransformation Id=\"ConvertStringToPhoneNumber\" TransformationMethod=\"ConvertStringToPhoneNumberClaim\">\n        <InputClaims>\n          <InputClaim 
ClaimTypeReferenceId=\"countryCode\" TransformationClaimType=\"country\" />\n          <InputClaim ClaimTypeReferenceId=\"nationalNumber\" TransformationClaimType=\"phoneNumberString\" />\n        </InputClaims>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"signInNames.phoneNumber\" TransformationClaimType=\"outputClaim\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n      <ClaimsTransformation Id=\"SetPhoneNumberIfPredicateMatch\" TransformationMethod=\"CopyClaimIfPredicateMatch\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"signInName\" TransformationClaimType=\"inputClaim\" />\n        </InputClaims>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"phoneNumber\" TransformationClaimType=\"outputClaim\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n      <ClaimsTransformation Id=\"SetEmailIfPredicateMatch\" TransformationMethod=\"CopyClaimIfPredicateMatch\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"signInName\" TransformationClaimType=\"inputClaim\" />\n        </InputClaims>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"email\" TransformationClaimType=\"outputClaim\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n      <ClaimsTransformation Id=\"GetNationalNumberAndCountryCodeIfInternationalFormat\" TransformationMethod=\"GetNationalNumberAndCountryCodeFromPhoneNumberString\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"phoneNumber\" TransformationClaimType=\"phoneNumber\" />\n        </InputClaims>\n        <InputParameters>\n          <InputParameter Id=\"throwExceptionOnFailure\" DataType=\"boolean\" Value=\"false\" />\n          <InputParameter Id=\"countryCodeType\" DataType=\"string\" Value=\"ISO3166\" />\n        </InputParameters>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"phoneNumber\" TransformationClaimType=\"nationalNumber\" />\n        
  <OutputClaim ClaimTypeReferenceId=\"countryCode\" TransformationClaimType=\"countryCode\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n      <ClaimsTransformation Id=\"PhoneNumberToNationalNumber\" TransformationMethod=\"CopyClaim\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"phoneNumber\" TransformationClaimType=\"inputClaim\" />\n        </InputClaims>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"nationalNumber\" TransformationClaimType=\"outputClaim\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n      <ClaimsTransformation Id=\"CheckIfStrongAuthEmailExists\" TransformationMethod=\"DoesClaimExist\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"strongAuthenticationEmailAddress\" TransformationClaimType=\"inputClaim\" />\n        </InputClaims>\n        <OutputClaims>\n          <OutputClaim ClaimTypeReferenceId=\"strongAuthEmailExists\" TransformationClaimType=\"outputClaim\" />\n        </OutputClaims>\n      </ClaimsTransformation>\n      <ClaimsTransformation Id=\"ThrowErrorIfStrongAuthEmailDoesNotExist\" TransformationMethod=\"AssertBooleanClaimIsEqualToValue\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"strongAuthEmailExists\" TransformationClaimType=\"inputClaim\" />\n        </InputClaims>\n        <InputParameters>\n          <InputParameter Id=\"valueToCompareTo\" DataType=\"boolean\" Value=\"true\" />\n        </InputParameters>\n      </ClaimsTransformation>\n    </ClaimsTransformations>\n    <ClientDefinitions>\n      <ClientDefinition Id=\"DefaultWeb\">\n        <ClientUIFilterFlags>LineMarkers, MetaRefresh</ClientUIFilterFlags>\n      </ClientDefinition>\n    </ClientDefinitions>\n    <ContentDefinitions>\n      <!-- This content definition is to render an error page that displays unhandled errors. 
-->\n      <ContentDefinition Id=\"api.error\">\n        <LoadUri>~/tenant/templates/AzureBlue/exception.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:globalexception:1.2.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Error page</Item>\n        </Metadata>\n      </ContentDefinition>\n      <ContentDefinition Id=\"phoneInput\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Enter phone number to continue</Item>\n        </Metadata>\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"phoneInput.en\" />\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n      <ContentDefinition Id=\"newPhoneNumber\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Verify new phone number</Item>\n        </Metadata>\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"newPhoneNumber.en\" />\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n      <ContentDefinition Id=\"phoneSignIn\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.1</DataUri>\n        <Metadata>\n      
    <Item Key=\"DisplayName\">Verify phone to sign in</Item>\n        </Metadata>\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"phoneSignIn.en\" />\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n      <ContentDefinition Id=\"phoneSignUp\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Verify phone to sign up</Item>\n        </Metadata>\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"phoneSignUp.en\" />\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n      <ContentDefinition Id=\"changePhoneNumberVerifyEmailAddress\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Verify email address</Item>\n        </Metadata>\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"changePhoneNumberVerifyEmailAddress.en\" />\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n      <ContentDefinition Id=\"phoneSignUpCollectEmailAddress\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.1</DataUri>\n        <Metadata>\n          <Item 
Key=\"DisplayName\">Collect email address during phone sign up</Item>\n        </Metadata>\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"phoneSignUpCollectEmailAddress.en\" />\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n      <ContentDefinition Id=\"emailSignIn\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Use email to sign in</Item>\n        </Metadata>\n      </ContentDefinition>\n      <ContentDefinition Id=\"emailSignUp\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Verify email to sign up</Item>\n        </Metadata>\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"emailSignUp.en\" />\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n      <ContentDefinition Id=\"emailDiscovery\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Verify email address</Item>\n        </Metadata>\n      </ContentDefinition>\n      <ContentDefinition Id=\"signuporsignin-phone\">\n        <LoadUri>~/tenant/templates/AzureBlue/unified.cshtml</LoadUri>\n        
<RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:unifiedssp:2.1.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Signin and Signup using phone</Item>\n          <Item Key=\"setting.bottomUnderFormClaimsProviderSelections\">ChangePhoneNumber</Item>\n        </Metadata>\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"signuporsignin-phone.en\" />\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n      <ContentDefinition Id=\"signuporsignin-phone-email\">\n        <LoadUri>~/tenant/templates/AzureBlue/unified.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:unifiedssp:2.1.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Signin and Signup using phone or email</Item>\n          <Item Key=\"setting.bottomUnderFormClaimsProviderSelections\">ChangePhoneNumber</Item>\n        </Metadata>\n        <LocalizedResourcesReferences MergeBehavior=\"Prepend\">\n          <LocalizedResourcesReference Language=\"en\" LocalizedResourcesReferenceId=\"signuporsignin-phone-email.en\" />\n        </LocalizedResourcesReferences>\n      </ContentDefinition>\n      <ContentDefinition Id=\"resetemailpassword\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Change password for email account</Item>\n        </Metadata>\n      </ContentDefinition>\n      <ContentDefinition Id=\"profileUpdate\">\n        <LoadUri>~/tenant/templates/AzureBlue/selfAsserted.cshtml</LoadUri>\n        
<RecoveryUri>~/common/default_page_error.html</RecoveryUri>\n        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.1</DataUri>\n        <Metadata>\n          <Item Key=\"DisplayName\">Update profile</Item>\n        </Metadata>\n      </ContentDefinition>\n    </ContentDefinitions>\n    <Localization Enabled=\"true\">\n      <LocalizedResources Id=\"signuporsignin-phone.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"local_intro_generic\">Sign in with your existing account</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_signin\">Continue</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n      <LocalizedResources Id=\"signuporsignin-phone-email.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"local_intro_generic\">Sign in with your existing account</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_signin\">Continue</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n      <LocalizedResources Id=\"emailSignUp.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_continue\">Create</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n      <LocalizedResources Id=\"phoneSignIn.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"initial_intro\">Please verify your country code and phone number</LocalizedString>\n          <!-- The following elements will display a message and two links at the bottom of the signin page. \n          For policies that you intend to show to users in the United States, we suggest displaying the following text. Replace the content of the disclaimer_link_X_url elements with links to your organization's privacy statement and terms and conditions. 
\n          Remove any of these lines if you do not wish to display them.  -->\n          <LocalizedString ElementType=\"UxElement\" StringId=\"disclaimer_msg_intro\">By providing your phone number, you consent to receiving a one-time passcode sent by text message to help you sign into {insert your application name}. Standard message and data rates may apply.</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"disclaimer_link_1_text\">Privacy Statement</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"disclaimer_link_1_url\">{insert your privacy statement URL}</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"disclaimer_link_2_text\">Terms and Conditions</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"disclaimer_link_2_url\">{insert your terms and conditions URL}</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n      <LocalizedResources Id=\"phoneSignUp.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"initial_intro\">Please verify your country code and phone number</LocalizedString>\n          <!-- The following elements will display a message and two links at the bottom of the signup page. \n          For policies that you intend to show to users in the United States, we suggest displaying the following text. Replace the content of the disclaimer_link_X_url elements with links to your organization's privacy statement and terms and conditions. \n          Remove any of these lines if you do not wish to display them.  -->\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"phoneVerificationControl\" StringId=\"disclaimer_msg_intro\">By providing your phone number, you consent to receiving a one-time passcode sent by text message to help you sign into {insert your application name}. 
Standard message and data rates may apply.</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"phoneVerificationControl\" StringId=\"disclaimer_link_1_text\">Privacy Statement</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"phoneVerificationControl\" StringId=\"disclaimer_link_1_url\">{insert your privacy statement URL}</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"phoneVerificationControl\" StringId=\"disclaimer_link_2_text\">Terms and Conditions</LocalizedString>\n          <LocalizedString ElementType=\"DisplayControl\" ElementId=\"phoneVerificationControl\" StringId=\"disclaimer_link_2_url\">{insert your terms and conditions URL}</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n      <LocalizedResources Id=\"phoneInput.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"initial_intro\">Please enter your old country code and phone number</LocalizedString>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"nationalNumber\" StringId=\"DisplayName\">Old phone number</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n      <LocalizedResources Id=\"newPhoneNumber.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"ClaimType\" ElementId=\"nationalNumber\" StringId=\"DisplayName\">New phone number</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n      <LocalizedResources Id=\"changePhoneNumberVerifyEmailAddress.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_continue\">Continue</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_intro_msg\">We need to verify the email address you used to sign up with</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n      
<LocalizedResources Id=\"phoneSignUpCollectEmailAddress.en\">\n        <LocalizedStrings>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"button_continue\">Create</LocalizedString>\n          <LocalizedString ElementType=\"UxElement\" StringId=\"ver_intro_msg\">Add a recovery email now so you can recover your account if your phone number changes. Note that this email address is for recovery purposes and not for signing in.</LocalizedString>\n        </LocalizedStrings>\n      </LocalizedResources>\n    </Localization>\n    <DisplayControls>\n      <DisplayControl Id=\"phoneVerificationControl\" UserInterfaceControlType=\"VerificationControl\">\n        <InputClaims>\n          <InputClaim ClaimTypeReferenceId=\"nationalNumber\" />\n          <InputClaim ClaimTypeReferenceId=\"countryCode\" />\n        </InputClaims>\n        <DisplayClaims>\n          <DisplayClaim ClaimTypeReferenceId=\"countryCode\" ControlClaimType=\"CountryCode\" Required=\"true\" />\n          <DisplayClaim ClaimTypeReferenceId=\"nationalNumber\" ControlClaimType=\"Phone\" Required=\"true\" />\n          <DisplayClaim ClaimTypeReferenceId=\"verificationCode\" ControlClaimType=\"VerificationCode\" Required=\"true\" />\n        </DisplayClaims>\n        <Actions>\n          <Action Id=\"SendCode\">\n            <ValidationClaimsExchange>\n              <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId=\"CombineCountryCodeAndNationalNumber\" />\n              <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId=\"AzureMfa-SendSms\" />\n            </ValidationClaimsExchange>\n          </Action>\n          <Action Id=\"VerifyCode\">\n            <ValidationClaimsExchange>\n              <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId=\"CombineCountryCodeAndNationalNumber\" />\n              <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId=\"AzureMfa-VerifySms\" />\n            
</ValidationClaimsExchange>\n          </Action>\n        </Actions>\n      </DisplayControl>\n    </DisplayControls>\n  </BuildingBlocks>\n  <!--\n        A list of all the claim providers that can be used in the technical policies. If a claims provider is not listed \n        in this section, then it cannot be used in a technical policy.\n    -->\n  <ClaimsProviders>\n    <ClaimsProvider>\n      <DisplayName>Azure Active Directory</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"AAD-Common\">\n          <DisplayName>Azure Active Directory</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.AzureActiveDirectoryProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n          <!-- We need this here to suppress the SelfAsserted provider from invoking SSO on validation profiles. -->\n          <IncludeInSso>false</IncludeInSso>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-Noop\" />\n        </TechnicalProfile>\n        <!-- The following technical profile is used to read data after user authenticates with ESTS. 
-->\n        <TechnicalProfile Id=\"AAD-UserReadUsingObjectId\">\n          <Metadata>\n            <Item Key=\"Operation\">Read</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"objectId\" Required=\"true\" />\n          </InputClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"signInNames.emailAddress\" />\n            <OutputClaim ClaimTypeReferenceId=\"signInNames.phoneNumber\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" />\n            <OutputClaim ClaimTypeReferenceId=\"strongAuthenticationEmailAddress\" />\n            <OutputClaim ClaimTypeReferenceId=\"hasFullProfile\" DefaultValue=\"true\" AlwaysUseDefaultValue=\"true\" />\n          </OutputClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n        <!-- Technical profiles for phone number discovery -->\n        <TechnicalProfile Id=\"AAD-UserDiscoveryUsingLogonPhoneNumber-Common\">\n          <Metadata>\n            <Item Key=\"Operation\">Read</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalAlreadyExists\">false</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n            <Item Key=\"UserMessageIfClaimsPrincipalDoesNotExist\">That phone number doesn't exist in our system. 
Please try signing up with the number.</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"signInNames.phoneNumber\" />\n          </InputClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"signInNames.phoneNumber\" />\n            <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <OutputClaim ClaimTypeReferenceId=\"strongAuthenticationEmailAddress\" />\n          </OutputClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n        <!-- Technical profile for discovering a phone number; raises an error if the number already exists -->\n        <TechnicalProfile Id=\"AAD-UserDiscoveryUsingLogonPhoneNumber-RaiseErrorIfExists\">\n          <Metadata>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalAlreadyExists\">true</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">false</Item>\n            <Item Key=\"UserMessageIfClaimsPrincipalAlreadyExists\">You are already registered, please press the back button and sign in instead.</Item>\n          </Metadata>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-UserDiscoveryUsingLogonPhoneNumber-Common\" />\n        </TechnicalProfile>\n        <!-- Technical profile for reading user profile using phone number -->\n        <TechnicalProfile Id=\"AAD-UserDiscoveryUsingLogonPhoneNumber-FullProfile\">\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" />\n            <OutputClaim ClaimTypeReferenceId=\"hasFullProfile\" DefaultValue=\"true\" AlwaysUseDefaultValue=\"true\" />\n          </OutputClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-UserDiscoveryUsingLogonPhoneNumber-Common\" 
/>\n        </TechnicalProfile>\n        <!-- Technical profile for creating user using phone number -->\n        <TechnicalProfile Id=\"AAD-UserWriteUsingLogonPhoneNumber\">\n          <Metadata>\n            <Item Key=\"Operation\">Write</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalAlreadyExists\">true</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">false</Item>\n            <Item Key=\"UserMessageIfClaimsPrincipalAlreadyExists\">You are already registered, please press the back button and sign in instead.</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"signInNames.phoneNumber\" />\n          </InputClaims>\n          <PersistedClaims>\n            <PersistedClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"signInNames.phoneNumber\" />\n            <PersistedClaim ClaimTypeReferenceId=\"displayName\" DefaultValue=\"unknown\" />\n            <PersistedClaim ClaimTypeReferenceId=\"givenName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"surname\" />\n          </PersistedClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"hasFullProfile\" DefaultValue=\"true\" AlwaysUseDefaultValue=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"signInNames.phoneNumber\" />\n            <OutputClaim ClaimTypeReferenceId=\"strongAuthenticationEmailAddress\" />\n          </OutputClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n        <!-- Technical profile for writing the recovery email address (strongAuthenticationEmailAddress) of an existing user using object id -->\n        <TechnicalProfile Id=\"AAD-UserWriteRecoveryEmailUsingObjectId\">\n          <Metadata>\n            <Item Key=\"Operation\">Write</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalAlreadyExists\">false</Item>\n            <Item 
Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"objectId\" Required=\"true\" />\n          </InputClaims>\n          <PersistedClaims>\n            <PersistedClaim ClaimTypeReferenceId=\"objectId\" />\n            <PersistedClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"strongAuthenticationEmailAddress\" />\n          </PersistedClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"strongAuthenticationEmailAddress\" />\n          </OutputClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n        <!-- Technical profile for creating user using email address -->\n        <TechnicalProfile Id=\"AAD-UserWriteUsingLogonEmail\">\n          <Metadata>\n            <Item Key=\"Operation\">Write</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalAlreadyExists\">true</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">false</Item>\n            <Item Key=\"UserMessageIfClaimsPrincipalAlreadyExists\">You are already registered, please press the back button and sign in instead.</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"signInNames.emailAddress\" />\n          </InputClaims>\n          <PersistedClaims>\n            <PersistedClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"signInNames.emailAddress\" />\n            <PersistedClaim ClaimTypeReferenceId=\"newPassword\" PartnerClaimType=\"password\" />\n            <PersistedClaim ClaimTypeReferenceId=\"displayName\" DefaultValue=\"unknown\" />\n            <PersistedClaim ClaimTypeReferenceId=\"givenName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"surname\" />\n            <PersistedClaim ClaimTypeReferenceId=\"passwordPolicies\" DefaultValue=\"DisablePasswordExpiration,DisableStrongPassword\" />\n   
       </PersistedClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"hasFullProfile\" DefaultValue=\"true\" AlwaysUseDefaultValue=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"strongAuthenticationEmailAddress\" />\n            <OutputClaim ClaimTypeReferenceId=\"signInNames.emailAddress\" />\n          </OutputClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n        <!-- Technical profile for reading user using email address-->\n        <TechnicalProfile Id=\"AAD-UserReadUsingEmailAddress\">\n          <Metadata>\n            <Item Key=\"Operation\">Read</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalAlreadyExists\">false</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n            <Item Key=\"UserMessageIfClaimsPrincipalDoesNotExist\">An account could not be found for the provided email address.</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"signInNames.emailAddress\" Required=\"true\" />\n          </InputClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" />\n            <OutputClaim ClaimTypeReferenceId=\"hasFullProfile\" DefaultValue=\"true\" AlwaysUseDefaultValue=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"strongAuthenticationEmailAddress\" />\n            <OutputClaim ClaimTypeReferenceId=\"signInNames.emailAddress\" />\n          </OutputClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n        <!-- Technical profile for 
modifying user profile using object id -->\n        <TechnicalProfile Id=\"AAD-UserWriteProfileUsingObjectId\">\n          <Metadata>\n            <Item Key=\"Operation\">Write</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalAlreadyExists\">false</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"objectId\" Required=\"true\" />\n          </InputClaims>\n          <PersistedClaims>\n            <PersistedClaim ClaimTypeReferenceId=\"objectId\" />\n            <PersistedClaim ClaimTypeReferenceId=\"givenName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"displayName\" />\n            <PersistedClaim ClaimTypeReferenceId=\"surname\" />\n          </PersistedClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n        <!-- Technical profile for updating the user's sign-in phone number using object id -->\n        <TechnicalProfile Id=\"AAD-UserUpdatePhoneNumberUsingObjectId\">\n          <Metadata>\n            <Item Key=\"Operation\">Write</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalAlreadyExists\">false</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"objectId\" Required=\"true\" />\n          </InputClaims>\n          <PersistedClaims>\n            <PersistedClaim ClaimTypeReferenceId=\"objectId\" />\n            <PersistedClaim ClaimTypeReferenceId=\"signInNames.phoneNumber\" />\n          </PersistedClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n        <!-- Technical profile for modifying user password using object id -->\n        <TechnicalProfile Id=\"AAD-UserWritePasswordUsingObjectId\">\n          <Metadata>\n            <Item Key=\"Operation\">Write</Item>\n            <Item 
Key=\"RaiseErrorIfClaimsPrincipalAlreadyExists\">false</Item>\n            <Item Key=\"RaiseErrorIfClaimsPrincipalDoesNotExist\">true</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"objectId\" Required=\"true\" />\n          </InputClaims>\n          <PersistedClaims>\n            <PersistedClaim ClaimTypeReferenceId=\"objectId\" />\n            <PersistedClaim ClaimTypeReferenceId=\"newPassword\" PartnerClaimType=\"password\" />\n          </PersistedClaims>\n          <IncludeTechnicalProfile ReferenceId=\"AAD-Common\" />\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n    <ClaimsProvider>\n      <DisplayName>Azure MFA</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"AzureMfa-SendSms\">\n          <DisplayName>Send Sms</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.AzureMfaProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"Operation\">OneWaySMS</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <InputClaim ClaimTypeReferenceId=\"signInNames.phoneNumber\" PartnerClaimType=\"phoneNumber\" />\n          </InputClaims>\n        </TechnicalProfile>\n        <TechnicalProfile Id=\"AzureMfa-VerifySms\">\n          <DisplayName>Verify Sms</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.AzureMfaProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"Operation\">Verify</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"verificationCode\" />\n            <InputClaim ClaimTypeReferenceId=\"signInNames.phoneNumber\" PartnerClaimType=\"phoneNumber\" />\n          </InputClaims>\n    
    </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n    <ClaimsProvider>\n      <DisplayName>Local Account Sign Up With Phone</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"LocalAccountInputNewPhoneNumber\">\n          <DisplayName>Phone</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"ContentDefinitionReferenceId\">newPhoneNumber</Item>\n            <Item Key=\"UserMessageIfClaimsTransformationInvalidPhoneNumber\">Please enter a valid phone number and country code.</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n          <DisplayClaims>\n            <DisplayClaim DisplayControlReferenceId=\"phoneVerificationControl\" />\n          </DisplayClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surName\" />\n            <OutputClaim ClaimTypeReferenceId=\"signInNames.phoneNumber\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"CombineCountryCodeAndNationalNumber\" />\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserUpdatePhoneNumberUsingObjectId\" />\n          </ValidationTechnicalProfiles>\n        </TechnicalProfile>\n        <TechnicalProfile Id=\"LocalAccountSignUpWithLogonPhoneNumber\">\n          <DisplayName>Phone</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, 
Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"ContentDefinitionReferenceId\">phoneSignUp</Item>\n            <Item Key=\"ClaimsProviderSelectionDisplayType\">TextLink</Item>\n            <Item Key=\"UserMessageIfClaimsTransformationInvalidPhoneNumber\">Please enter a valid phone number and country code.</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n          <InputClaimsTransformations>\n            <InputClaimsTransformation ReferenceId=\"CreateRandomUPNUserName\" />\n            <InputClaimsTransformation ReferenceId=\"CreateUserPrincipalName\" />\n          </InputClaimsTransformations>\n          <DisplayClaims>\n            <DisplayClaim DisplayControlReferenceId=\"phoneVerificationControl\" />\n            <DisplayClaim ClaimTypeReferenceId=\"displayName\" />\n            <DisplayClaim ClaimTypeReferenceId=\"givenName\" />\n            <DisplayClaim ClaimTypeReferenceId=\"surName\" />\n          </DisplayClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surName\" />\n            <OutputClaim ClaimTypeReferenceId=\"signInNames.phoneNumber\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"CombineCountryCodeAndNationalNumber\" />\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserWriteUsingLogonPhoneNumber\" />\n          </ValidationTechnicalProfiles>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n        <TechnicalProfile 
Id=\"LocalAccountSignUpWithLogonPhoneNumber_CollectEmailAddress\">\n          <DisplayName>Phone</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"ContentDefinitionReferenceId\">phoneSignUpCollectEmailAddress</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"Verified.Email\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"strongAuthenticationEmailAddress\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserWriteRecoveryEmailUsingObjectId\" />\n          </ValidationTechnicalProfiles>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n        <TechnicalProfile Id=\"ChangePhoneNumber_VerifyEmailAddress\">\n          <DisplayName>Phone</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"ContentDefinitionReferenceId\">changePhoneNumberVerifyEmailAddress</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"strongAuthenticationEmailAddress\" />\n          </InputClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"strongAuthenticationEmailAddress\" 
PartnerClaimType=\"Verified.Email\" Required=\"true\" />\n          </OutputClaims>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n    <ClaimsProvider>\n      <DisplayName>Local Account Sign Up With Email</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"LocalAccountSignUpWithLogonEmail\">\n          <DisplayName>Email</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"IpAddressClaimReferenceId\">IpAddress</Item>\n            <Item Key=\"ContentDefinitionReferenceId\">emailSignUp</Item>\n            <Item Key=\"ClaimsProviderSelectionDisplayType\">TextLink</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"email\" />\n          </InputClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"Verified.Email\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"newPassword\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"reenterPassword\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"signInNames.emailAddress\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surName\" />\n            <OutputClaim ClaimTypeReferenceId=\"hasFullProfile\" />\n            <OutputClaim ClaimTypeReferenceId=\"isEmailSignUp\" DefaultValue=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"strongAuthenticationEmailAddress\" 
/>\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserWriteUsingLogonEmail\" />\n          </ValidationTechnicalProfiles>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n    <ClaimsProvider>\n      <DisplayName>Local Account Sign In With Phone</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"SelfAsserted-LocalAccountSignin-Phone-Only\">\n          <DisplayName>Local Account Signin Using Phone Only</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"setting.operatingMode\">Username</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"phoneNumber\" />\n          </InputClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"phoneNumber\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"isLocalAccountSignIn\" DefaultValue=\"true\" />\n          </OutputClaims>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n        <TechnicalProfile Id=\"SelfAsserted-LocalAccountSigninForProfileEdit-Phone-Only\">\n          <Metadata>\n            <Item Key=\"setting.showSignupLink\">false</Item>\n          </Metadata>\n          <IncludeTechnicalProfile ReferenceId=\"SelfAsserted-LocalAccountSignin-Phone-Only\" />\n        </TechnicalProfile>\n        <TechnicalProfile Id=\"SelfAsserted-LocalAccountSignin-Phone-Email\">\n          <DisplayName>Local Account Signin Using Phone Email</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, 
Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"setting.operatingMode\">Username</Item>\n            <Item Key=\"UserMessageIfClaimsTransformationBooleanValueIsNotEqual\">Please enter a valid phone number or email address.</Item>\n            <Item Key=\"IncludeClaimResolvingInClaimsHandling\">true</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"signInName\" DefaultValue=\"{OIDC:LoginHint}\" AlwaysUseDefaultValue=\"true\" />\n          </InputClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"signInName\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"phoneNumber\" />\n            <OutputClaim ClaimTypeReferenceId=\"email\" />\n            <OutputClaim ClaimTypeReferenceId=\"isLocalAccountSignIn\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"ValidateUsernameType\" />\n          </ValidationTechnicalProfiles>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n        <TechnicalProfile Id=\"SelfAsserted-LocalAccountSigninForProfileEdit-Phone-Email\">\n          <Metadata>\n            <Item Key=\"setting.showSignupLink\">false</Item>\n          </Metadata>\n          <IncludeTechnicalProfile ReferenceId=\"SelfAsserted-LocalAccountSignin-Phone-Email\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"PhoneInput-ChangePhoneNumber-Common\">\n          <DisplayName>Phone</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"ContentDefinitionReferenceId\">phoneInput</Item>\n            <Item Key=\"UserMessageIfClaimsTransformationBooleanValueIsNotEqual\">We don't have a recovery email 
address listed under the phone number you entered. Contact your organization's IT administrator to change your phone number.</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n          <DisplayClaims>\n            <DisplayClaim ClaimTypeReferenceId=\"countryCode\" Required=\"true\" />\n            <DisplayClaim ClaimTypeReferenceId=\"nationalNumber\" Required=\"true\" />\n          </DisplayClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" />\n            <OutputClaim ClaimTypeReferenceId=\"strongAuthenticationEmailAddress\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"CombineCountryCodeAndNationalNumber\" />\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserDiscoveryUsingLogonPhoneNumber-Common\" />\n            <ValidationTechnicalProfile ReferenceId=\"DoesStrongAuthEmailExist\" />\n          </ValidationTechnicalProfiles>\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"PhoneInputPage-ChangePhoneNumberPolicy\">\n          <DisplayName>Phone</DisplayName>\n          <IncludeTechnicalProfile ReferenceId=\"PhoneInput-ChangePhoneNumber-Common\" />\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"PhoneInputPage-ChangePhoneNumberClaimsProviderSelection\">\n          <DisplayName>Change Phone Number</DisplayName>\n          <Metadata>\n            <Item Key=\"ClaimsProviderSelectionDisplayType\">TextLink</Item>\n          </Metadata>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"isChangePhoneNumber\" DefaultValue=\"true\" AlwaysUseDefaultValue=\"true\" />\n          </OutputClaims>\n          <IncludeTechnicalProfile ReferenceId=\"PhoneInput-ChangePhoneNumber-Common\" 
/>\n        </TechnicalProfile>\n\n        <TechnicalProfile Id=\"PhoneVerificationPage1\">\n          <DisplayName>Phone</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"ContentDefinitionReferenceId\">phoneSignIn</Item>\n          </Metadata>\n          <InputClaimsTransformations>\n            <InputClaimsTransformation ReferenceId=\"GetNationalNumberAndCountryCodeIfInternationalFormat\" />\n            <InputClaimsTransformation ReferenceId=\"PhoneNumberToNationalNumber\" />\n            <InputClaimsTransformation ReferenceId=\"CreateRandomUPNUserName\" />\n            <InputClaimsTransformation ReferenceId=\"CreateUserPrincipalName\" />\n          </InputClaimsTransformations>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"countryCode\" />\n            <InputClaim ClaimTypeReferenceId=\"nationalNumber\" />\n          </InputClaims>\n          <DisplayClaims>\n            <DisplayClaim ClaimTypeReferenceId=\"countryCode\" Required=\"true\" />\n            <DisplayClaim ClaimTypeReferenceId=\"nationalNumber\" Required=\"true\" />\n          </DisplayClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"signInNames.phoneNumber\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" />\n            <OutputClaim ClaimTypeReferenceId=\"strongAuthenticationEmailAddress\" />\n            <OutputClaim ClaimTypeReferenceId=\"hasFullProfile\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"CombineCountryCodeAndNationalNumber\" />\n         
   <ValidationTechnicalProfile ReferenceId=\"AAD-UserDiscoveryUsingLogonPhoneNumber-FullProfile\" />\n            <ValidationTechnicalProfile ReferenceId=\"AzureMfa-SendSms\" />\n          </ValidationTechnicalProfiles>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n        <TechnicalProfile Id=\"PhoneVerificationPage2\">\n          <DisplayName>Phone</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"ContentDefinitionReferenceId\">phoneSignIn</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n          <DisplayClaims>\n            <DisplayClaim ClaimTypeReferenceId=\"verificationCode\" Required=\"true\" />\n          </DisplayClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"verificationCode\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AzureMfa-VerifySms\" />\n          </ValidationTechnicalProfiles>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n        <!-- This technical profile forces the user to verify the email address that they provide on the UI. Only after email is verified, the user account is\n        read from the directory. 
-->\n        <TechnicalProfile Id=\"LocalAccountDiscoveryUsingEmailAddress\">\n          <DisplayName>Reset password using email address</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"IpAddressClaimReferenceId\">IpAddress</Item>\n            <Item Key=\"ContentDefinitionReferenceId\">emailDiscovery</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n          <IncludeInSso>false</IncludeInSso>\n          <!-- The email address needs to be read only if pre-filled, otherwise the self-asserted attribute provider will not verify it-->\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"Verified.Email\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" />\n            <OutputClaim ClaimTypeReferenceId=\"signInNames.emailAddress\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserReadUsingEmailAddress\" />\n          </ValidationTechnicalProfiles>\n        </TechnicalProfile>\n        <TechnicalProfile Id=\"LocalAccountWritePasswordUsingObjectId\">\n          <DisplayName>Change password (username)</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"ContentDefinitionReferenceId\">resetemailpassword</Item>\n     
     </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n          </CryptographicKeys>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"newPassword\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"reenterPassword\" Required=\"true\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserWritePasswordUsingObjectId\" />\n          </ValidationTechnicalProfiles>\n        </TechnicalProfile>\n        <TechnicalProfile Id=\"SelfAsserted-LocalAccountSignin-Email\">\n          <DisplayName>Local Account Signin</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"setting.operatingMode\">Email</Item>\n            <Item Key=\"ContentDefinitionReferenceId\">emailSignIn</Item>\n            <Item Key=\"UserMessageIfClaimsTransformationBooleanValueIsNotEqual\">Please enter a valid email address.</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"email\" />\n          </InputClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"email\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"password\" Required=\"true\" />\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"login-NonInteractive\" />\n          </ValidationTechnicalProfiles>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-AAD\" />\n        </TechnicalProfile>\n        <TechnicalProfile Id=\"ChangePhoneNumberSuccessPage\">\n     
     <DisplayName>Local Account Signin</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"ContentDefinitionReferenceId\">emailSignIn</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"changePhoneSuccessMessage\" DefaultValue=\"Your phone number has been updated.\" />\n          </InputClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"changePhoneSuccessMessage\" />\n          </OutputClaims>\n        </TechnicalProfile>\n        <TechnicalProfile Id=\"login-NonInteractive\">\n          <DisplayName>Local Account SignIn</DisplayName>\n          <Protocol Name=\"OpenIdConnect\" />\n          <Metadata>\n            <Item Key=\"client_id\">ProxyIdentityExperienceFrameworkAppId</Item>\n            <Item Key=\"IdTokenAudience\">IdentityExperienceFrameworkAppId</Item>\n            <Item Key=\"UserMessageIfClaimsPrincipalDoesNotExist\">We can't seem to find your account</Item>\n            <Item Key=\"UserMessageIfInvalidPassword\">Your password is incorrect</Item>\n            <Item Key=\"UserMessageIfOldPasswordUsed\">Looks like you used an old password</Item>\n            <Item Key=\"DefaultMessage\">Invalid email or password</Item>\n            <Item Key=\"ProviderName\">https://sts.windows.net/</Item>\n            <Item Key=\"METADATA\">https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration</Item>\n            <Item Key=\"authorization_endpoint\">https://login.microsoftonline.com/{tenant}/oauth2/token</Item>\n            <Item Key=\"response_types\">id_token</Item>\n            <Item Key=\"response_mode\">query</Item>\n            <Item Key=\"scope\">email openid</Item>\n            <!-- Policy Engine Clients -->\n            <Item Key=\"UsePolicyInRedirectUri\">false</Item>\n   
         <Item Key=\"HttpBinding\">POST</Item>\n          </Metadata>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"client_id\" DefaultValue=\"ProxyIdentityExperienceFrameworkAppId\" />\n            <InputClaim ClaimTypeReferenceId=\"resource_id\" PartnerClaimType=\"resource\" DefaultValue=\"IdentityExperienceFrameworkAppId\" />\n            <InputClaim ClaimTypeReferenceId=\"email\" PartnerClaimType=\"username\" Required=\"true\" />\n            <InputClaim ClaimTypeReferenceId=\"password\" Required=\"true\" />\n            <InputClaim ClaimTypeReferenceId=\"grant_type\" DefaultValue=\"password\" AlwaysUseDefaultValue=\"true\" />\n            <InputClaim ClaimTypeReferenceId=\"scope\" DefaultValue=\"openid\" AlwaysUseDefaultValue=\"true\" />\n            <InputClaim ClaimTypeReferenceId=\"nca\" PartnerClaimType=\"nca\" DefaultValue=\"1\" />\n          </InputClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"oid\" />\n            <OutputClaim ClaimTypeReferenceId=\"tenantId\" PartnerClaimType=\"tid\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" PartnerClaimType=\"given_name\" />\n            <OutputClaim ClaimTypeReferenceId=\"surName\" PartnerClaimType=\"family_name\" />\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" PartnerClaimType=\"name\" />\n            <OutputClaim ClaimTypeReferenceId=\"userPrincipalName\" PartnerClaimType=\"upn\" />\n          </OutputClaims>\n        </TechnicalProfile>\n        <TechnicalProfile Id=\"SelfAsserted-ProfileUpdate\">\n          <DisplayName>User ID signup</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <Metadata>\n            <Item Key=\"ContentDefinitionReferenceId\">profileUpdate</Item>\n            <Item 
Key=\"AllowGenerationOfClaimsWithNullValues\">true</Item>\n          </Metadata>\n          <IncludeInSso>false</IncludeInSso>\n          <InputClaims>\n            <InputClaim ClaimTypeReferenceId=\"displayName\" />\n            <InputClaim ClaimTypeReferenceId=\"givenName\" />\n            <InputClaim ClaimTypeReferenceId=\"surname\" />\n          </InputClaims>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n            <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n            <OutputClaim ClaimTypeReferenceId=\"surname\" />\n          </OutputClaims>\n          <ValidationTechnicalProfiles>\n            <ValidationTechnicalProfile ReferenceId=\"AAD-UserWriteProfileUsingObjectId\" />\n          </ValidationTechnicalProfiles>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n    <ClaimsProvider>\n      <DisplayName>Claims Transformation</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"ValidateUsernameType\">\n          <DisplayName>Validate UserName Type</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <InputClaimsTransformations>\n            <InputClaimsTransformation ReferenceId=\"SetPhoneNumberIfPredicateMatch\" />\n            <InputClaimsTransformation ReferenceId=\"SetEmailIfPredicateMatch\" />\n          </InputClaimsTransformations>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"phoneNumber\" />\n            <OutputClaim ClaimTypeReferenceId=\"email\" />\n            <OutputClaim ClaimTypeReferenceId=\"isLocalAccountSignIn\" DefaultValue=\"true\" />\n          </OutputClaims>\n        </TechnicalProfile>\n        <TechnicalProfile Id=\"CombineCountryCodeAndNationalNumber\">\n          <DisplayName>Combine country code and national number</DisplayName>\n          
<Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <InputClaimsTransformations>\n            <InputClaimsTransformation ReferenceId=\"ConvertStringToPhoneNumber\" />\n          </InputClaimsTransformations>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"signInNames.phoneNumber\" />\n          </OutputClaims>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-Noop\" />\n        </TechnicalProfile>\n        <TechnicalProfile Id=\"DoesStrongAuthEmailExist\">\n          <DisplayName>Does recovery email exist</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <InputClaimsTransformations>\n            <InputClaimsTransformation ReferenceId=\"CheckIfStrongAuthEmailExists\" />\n            <InputClaimsTransformation ReferenceId=\"ThrowErrorIfStrongAuthEmailDoesNotExist\" />\n          </InputClaimsTransformations>\n          <OutputClaims>\n            <OutputClaim ClaimTypeReferenceId=\"strongAuthEmailExists\" />\n          </OutputClaims>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n    <ClaimsProvider>\n      <DisplayName>Session Management</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"SM-Noop\">\n          <DisplayName>Noop Session Management Provider</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.NoopSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n        </TechnicalProfile>\n        <TechnicalProfile Id=\"SM-AAD\">\n          <DisplayName>Session Mananagement Provider</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.DefaultSSOSessionProvider, Web.TPEngine, 
Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n          <PersistedClaims>\n            <PersistedClaim ClaimTypeReferenceId=\"objectId\" />\n          </PersistedClaims>\n          <OutputClaims></OutputClaims>\n        </TechnicalProfile>\n\n        <!-- Session management technical profile for OIDC based tokens -->\n        <TechnicalProfile Id=\"SM-jwt-issuer\">\n          <DisplayName>Session Management Provider</DisplayName>\n          <Protocol Name=\"Proprietary\" Handler=\"Web.TPEngine.SSO.OAuthSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\" />\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n    <ClaimsProvider>\n      <DisplayName>Trustframework Policy Engine TechnicalProfiles</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"TpEngine_c3bd4fe2-1775-4013-b91d-35f16d377d13\">\n          <DisplayName>Trustframework Policy Engine Default Technical Profile</DisplayName>\n          <Protocol Name=\"None\" />\n          <Metadata>\n            <Item Key=\"url\">{service:te}</Item>\n          </Metadata>\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n    <ClaimsProvider>\n      <DisplayName>Token Issuer</DisplayName>\n      <TechnicalProfiles>\n        <TechnicalProfile Id=\"JwtIssuer\">\n          <DisplayName>JWT Issuer</DisplayName>\n          <Protocol Name=\"OpenIdConnect\" />\n          <OutputTokenFormat>JWT</OutputTokenFormat>\n          <Metadata>\n            <Item Key=\"client_id\">{service:te}</Item>\n            <Item Key=\"issuer_refresh_token_user_identity_claim_type\">objectId</Item>\n            <Item Key=\"SendTokenResponseBodyWithJsonNumbers\">true</Item>\n          </Metadata>\n          <CryptographicKeys>\n            <Key Id=\"issuer_secret\" StorageReferenceId=\"B2C_1A_TokenSigningKeyContainer\" />\n            <Key Id=\"issuer_refresh_token_key\" 
StorageReferenceId=\"B2C_1A_TokenEncryptionKeyContainer\" />\n          </CryptographicKeys>\n          <UseTechnicalProfileForSessionManagement ReferenceId=\"SM-jwt-issuer\" />\n        </TechnicalProfile>\n      </TechnicalProfiles>\n    </ClaimsProvider>\n  </ClaimsProviders>\n  <UserJourneys>\n    <UserJourney Id=\"SignUpOrSignInWithPhone\">\n      <OrchestrationSteps>\n        <OrchestrationStep Order=\"1\" Type=\"CombinedSignInAndSignUp\" ContentDefinitionReferenceId=\"signuporsignin-phone\">\n          <ClaimsProviderSelections>\n            <ClaimsProviderSelection TargetClaimsExchangeId=\"SignUpWithPhone\" />\n            <ClaimsProviderSelection TargetClaimsExchangeId=\"ChangePhoneNumber\" />\n            <ClaimsProviderSelection ValidationClaimsExchangeId=\"LocalAccountSigninPhoneExchange\" />\n          </ClaimsProviderSelections>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"LocalAccountSigninPhoneExchange\" TechnicalProfileReferenceId=\"SelfAsserted-LocalAccountSignin-Phone-Only\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>isLocalAccountSignIn</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"SignUpWithPhone\" TechnicalProfileReferenceId=\"LocalAccountSignUpWithLogonPhoneNumber\" />\n            <ClaimsExchange Id=\"ChangePhoneNumber\" TechnicalProfileReferenceId=\"PhoneInputPage-ChangePhoneNumberClaimsProviderSelection\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"3\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              
<Value>isLocalAccountSignIn</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>isChangePhoneNumber</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"SignUpWithPhone_CollectEmailAddress\" TechnicalProfileReferenceId=\"LocalAccountSignUpWithLogonPhoneNumber_CollectEmailAddress\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <OrchestrationStep Order=\"4\" Type=\"InvokeSubJourney\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"false\">\n              <Value>isLocalAccountSignIn</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <JourneyList>\n            <Candidate SubJourneyReferenceId=\"SignInWithPhone\" />\n          </JourneyList>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"5\" Type=\"InvokeSubJourney\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"false\">\n              <Value>isChangePhoneNumber</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <JourneyList>\n            <Candidate SubJourneyReferenceId=\"ChangePhoneNumber\" />\n          </JourneyList>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"6\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>hasFullProfile</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange 
Id=\"AADUserReadWithObjectId\" TechnicalProfileReferenceId=\"AAD-UserReadUsingObjectId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"7\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n      </OrchestrationSteps>\n      <ClientDefinition ReferenceId=\"DefaultWeb\" />\n    </UserJourney>\n    <UserJourney Id=\"SignUpOrSignInWithPhoneOrEmail\">\n      <OrchestrationSteps>\n        <OrchestrationStep Order=\"1\" Type=\"CombinedSignInAndSignUp\" ContentDefinitionReferenceId=\"signuporsignin-phone-email\">\n          <ClaimsProviderSelections>\n            <ClaimsProviderSelection ValidationClaimsExchangeId=\"LocalAccountSigninPhoneEmailExchange\" />\n            <ClaimsProviderSelection TargetClaimsExchangeId=\"SignUpWithEmail\" />\n            <ClaimsProviderSelection TargetClaimsExchangeId=\"SignUpWithPhone\" />\n            <ClaimsProviderSelection TargetClaimsExchangeId=\"ChangePhoneNumber\" />\n          </ClaimsProviderSelections>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"LocalAccountSigninPhoneEmailExchange\" TechnicalProfileReferenceId=\"SelfAsserted-LocalAccountSignin-Phone-Email\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>isLocalAccountSignIn</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>objectId</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"SignUpWithPhone\" TechnicalProfileReferenceId=\"LocalAccountSignUpWithLogonPhoneNumber\" />\n            <ClaimsExchange 
Id=\"SignUpWithEmail\" TechnicalProfileReferenceId=\"LocalAccountSignUpWithLogonEmail\" />\n            <ClaimsExchange Id=\"ChangePhoneNumber\" TechnicalProfileReferenceId=\"PhoneInputPage-ChangePhoneNumberClaimsProviderSelection\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"3\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>isLocalAccountSignIn</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>isEmailSignUp</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>isChangePhoneNumber</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"SignUpWithPhone_CollectEmailAddress\" TechnicalProfileReferenceId=\"LocalAccountSignUpWithLogonPhoneNumber_CollectEmailAddress\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"4\" Type=\"InvokeSubJourney\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"false\">\n              <Value>isLocalAccountSignIn</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <JourneyList>\n            <Candidate SubJourneyReferenceId=\"SignInWithPhoneOrEmail\" />\n          </JourneyList>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"5\" Type=\"InvokeSubJourney\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"false\">\n              
<Value>isChangePhoneNumber</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <JourneyList>\n            <Candidate SubJourneyReferenceId=\"ChangePhoneNumber\" />\n          </JourneyList>\n        </OrchestrationStep>\n\n        <OrchestrationStep Order=\"6\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>hasFullProfile</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserReadWithObjectId\" TechnicalProfileReferenceId=\"AAD-UserReadUsingObjectId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n\n        <OrchestrationStep Order=\"7\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n      </OrchestrationSteps>\n      <ClientDefinition ReferenceId=\"DefaultWeb\" />\n    </UserJourney>\n    <UserJourney Id=\"ProfileEditPhoneOnly\">\n      <OrchestrationSteps>\n        <OrchestrationStep Order=\"1\" Type=\"CombinedSignInAndSignUp\" ContentDefinitionReferenceId=\"signuporsignin-phone\">\n          <ClaimsProviderSelections>\n            <ClaimsProviderSelection ValidationClaimsExchangeId=\"LocalAccountSigninPhoneExchange\" />\n          </ClaimsProviderSelections>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"LocalAccountSigninPhoneExchange\" TechnicalProfileReferenceId=\"SelfAsserted-LocalAccountSigninForProfileEdit-Phone-Only\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"PhoneVerificationExchangePart1\" TechnicalProfileReferenceId=\"PhoneVerificationPage1\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        
<OrchestrationStep Order=\"3\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"PhoneVerificationExchangePart2\" TechnicalProfileReferenceId=\"PhoneVerificationPage2\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"4\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>strongAuthenticationEmailAddress</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"SignUpWithPhone_CollectEmailAddress\" TechnicalProfileReferenceId=\"LocalAccountSignUpWithLogonPhoneNumber_CollectEmailAddress\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"5\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>hasFullProfile</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserReadWithObjectId\" TechnicalProfileReferenceId=\"AAD-UserReadUsingObjectId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"6\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"B2CUserProfileUpdateExchange\" TechnicalProfileReferenceId=\"SelfAsserted-ProfileUpdate\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"7\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n      </OrchestrationSteps>\n      <ClientDefinition ReferenceId=\"DefaultWeb\" />\n    </UserJourney>\n    <UserJourney Id=\"ProfileEditPhoneEmail\">\n      <OrchestrationSteps>\n        
<OrchestrationStep Order=\"1\" Type=\"CombinedSignInAndSignUp\" ContentDefinitionReferenceId=\"signuporsignin-phone-email\">\n          <ClaimsProviderSelections>\n            <ClaimsProviderSelection ValidationClaimsExchangeId=\"LocalAccountSigninPhoneEmailExchange\" />\n          </ClaimsProviderSelections>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"LocalAccountSigninPhoneEmailExchange\" TechnicalProfileReferenceId=\"SelfAsserted-LocalAccountSigninForProfileEdit-Phone-Email\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"false\">\n              <Value>email</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"EmailInputExchange\" TechnicalProfileReferenceId=\"SelfAsserted-LocalAccountSignin-Email\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"3\" Type=\"InvokeSubJourney\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"false\">\n              <Value>phoneNumber</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <JourneyList>\n            <Candidate SubJourneyReferenceId=\"SignInWithPhone\" />\n          </JourneyList>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"4\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>hasFullProfile</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserReadWithObjectId\" 
TechnicalProfileReferenceId=\"AAD-UserReadUsingObjectId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"5\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"B2CUserProfileUpdateExchange\" TechnicalProfileReferenceId=\"SelfAsserted-ProfileUpdate\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"6\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n      </OrchestrationSteps>\n      <ClientDefinition ReferenceId=\"DefaultWeb\" />\n    </UserJourney>\n    <UserJourney Id=\"PasswordResetEmail\">\n      <OrchestrationSteps>\n        <OrchestrationStep Order=\"1\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"PasswordResetUsingEmailAddressExchange\" TechnicalProfileReferenceId=\"LocalAccountDiscoveryUsingEmailAddress\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"NewCredentials\" TechnicalProfileReferenceId=\"LocalAccountWritePasswordUsingObjectId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"3\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n      </OrchestrationSteps>\n      <ClientDefinition ReferenceId=\"DefaultWeb\" />\n    </UserJourney>\n    <UserJourney Id=\"ChangePhoneNumber\">\n      <OrchestrationSteps>\n        <OrchestrationStep Order=\"1\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"OldPhoneInputExchange\" TechnicalProfileReferenceId=\"PhoneInputPage-ChangePhoneNumberPolicy\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"2\" Type=\"InvokeSubJourney\">\n          <JourneyList>\n            <Candidate 
SubJourneyReferenceId=\"ChangePhoneNumber\" />\n          </JourneyList>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"3\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>hasFullProfile</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"AADUserReadWithObjectId\" TechnicalProfileReferenceId=\"AAD-UserReadUsingObjectId\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"4\" Type=\"SendClaims\" CpimIssuerTechnicalProfileReferenceId=\"JwtIssuer\" />\n      </OrchestrationSteps>\n      <ClientDefinition ReferenceId=\"DefaultWeb\" />\n    </UserJourney>\n  </UserJourneys>\n  <SubJourneys>\n    <SubJourney Id=\"ChangePhoneNumber\" Type=\"Call\">\n      <OrchestrationSteps>\n        <OrchestrationStep Order=\"1\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"VerifyEmailAddress\" TechnicalProfileReferenceId=\"ChangePhoneNumber_VerifyEmailAddress\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"NewPhoneInputExchange\" TechnicalProfileReferenceId=\"LocalAccountInputNewPhoneNumber\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"3\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"ChangePhoneNumberSuccessPage\" TechnicalProfileReferenceId=\"ChangePhoneNumberSuccessPage\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n      </OrchestrationSteps>\n    </SubJourney>\n    <SubJourney Id=\"SignInWithPhoneOrEmail\" Type=\"Call\">\n      <OrchestrationSteps>\n        <OrchestrationStep 
Order=\"1\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"false\">\n              <Value>email</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"EmailInputExchange\" TechnicalProfileReferenceId=\"SelfAsserted-LocalAccountSignin-Email\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"false\">\n              <Value>phoneNumber</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"PhoneVerificationExchangePart1\" TechnicalProfileReferenceId=\"PhoneVerificationPage1\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"3\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"false\">\n              <Value>phoneNumber</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"PhoneVerificationExchangePart2\" TechnicalProfileReferenceId=\"PhoneVerificationPage2\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"4\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>strongAuthenticationEmailAddress</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"false\">\n              
<Value>phoneNumber</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"SignUpWithPhone_CollectEmailAddress\" TechnicalProfileReferenceId=\"LocalAccountSignUpWithLogonPhoneNumber_CollectEmailAddress\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n      </OrchestrationSteps>\n    </SubJourney>\n    <SubJourney Id=\"SignInWithPhone\" Type=\"Call\">\n      <OrchestrationSteps>\n        <OrchestrationStep Order=\"1\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"PhoneVerificationExchangePart1\" TechnicalProfileReferenceId=\"PhoneVerificationPage1\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"2\" Type=\"ClaimsExchange\">\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"PhoneVerificationExchangePart2\" TechnicalProfileReferenceId=\"PhoneVerificationPage2\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n        <OrchestrationStep Order=\"3\" Type=\"ClaimsExchange\">\n          <Preconditions>\n            <Precondition Type=\"ClaimsExist\" ExecuteActionsIf=\"true\">\n              <Value>strongAuthenticationEmailAddress</Value>\n              <Action>SkipThisOrchestrationStep</Action>\n            </Precondition>\n          </Preconditions>\n          <ClaimsExchanges>\n            <ClaimsExchange Id=\"SignUpWithPhone_CollectEmailAddress\" TechnicalProfileReferenceId=\"LocalAccountSignUpWithLogonPhoneNumber_CollectEmailAddress\" />\n          </ClaimsExchanges>\n        </OrchestrationStep>\n      </OrchestrationSteps>\n    </SubJourney>\n  </SubJourneys>\n</TrustFrameworkPolicy>\n"
  },
  {
    "path": "scenarios/phone-number-passwordless/ProfileEditPhoneEmail.xml",
    "content": "<TrustFrameworkPolicy xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\" PolicySchemaVersion=\"0.3.0.0\" TenantId=\"yourtenant.onmicrosoft.com\" PolicyId=\"B2C_1A_ProfileEditPhoneEmail\" PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_ProfileEditPhoneEmail\" >\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_Phone_Email_Base</PolicyId>\n  </BasePolicy>\n  <RelyingParty>\n    <DefaultUserJourney ReferenceId=\"ProfileEditPhoneEmail\" />\n    <TechnicalProfile Id=\"PolicyProfile\">\n      <DisplayName>PolicyProfile</DisplayName>\n      <Protocol Name=\"OpenIdConnect\" />\n      <OutputClaims>\n        <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n        <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n        <OutputClaim ClaimTypeReferenceId=\"surname\" />\n        <OutputClaim ClaimTypeReferenceId=\"signInNames.phoneNumber\" />\n        <OutputClaim ClaimTypeReferenceId=\"signInNames.emailAddress\" />\n        <OutputClaim ClaimTypeReferenceId=\"strongAuthenticationEmailAddress\" />\n        <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"sub\" />\n        <OutputClaim ClaimTypeReferenceId=\"tenantId\" AlwaysUseDefaultValue=\"true\" DefaultValue=\"{Policy:TenantObjectId}\" />\n      </OutputClaims>\n      <SubjectNamingInfo ClaimType=\"sub\" />\n    </TechnicalProfile>\n  </RelyingParty>\n</TrustFrameworkPolicy>"
  },
  {
    "path": "scenarios/phone-number-passwordless/ProfileEditPhoneOnly.xml",
    "content": "<TrustFrameworkPolicy xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\" PolicySchemaVersion=\"0.3.0.0\" TenantId=\"yourtenant.onmicrosoft.com\" PolicyId=\"B2C_1A_ProfileEditPhoneOnly\" PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_ProfileEditPhoneOnly\" >\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_Phone_Email_Base</PolicyId>\n  </BasePolicy>\n  <RelyingParty>\n    <DefaultUserJourney ReferenceId=\"ProfileEditPhoneOnly\" />\n    <TechnicalProfile Id=\"PolicyProfile\">\n      <DisplayName>PolicyProfile</DisplayName>\n      <Protocol Name=\"OpenIdConnect\" />\n      <OutputClaims>\n        <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n        <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n        <OutputClaim ClaimTypeReferenceId=\"surname\" />\n        <OutputClaim ClaimTypeReferenceId=\"signInNames.phoneNumber\" />\n        <OutputClaim ClaimTypeReferenceId=\"strongAuthenticationEmailAddress\" />\n        <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"sub\" />\n        <OutputClaim ClaimTypeReferenceId=\"tenantId\" AlwaysUseDefaultValue=\"true\" DefaultValue=\"{Policy:TenantObjectId}\" />\n      </OutputClaims>\n      <SubjectNamingInfo ClaimType=\"sub\" />\n    </TechnicalProfile>\n  </RelyingParty>\n</TrustFrameworkPolicy>"
  },
  {
    "path": "scenarios/phone-number-passwordless/README.md",
    "content": "# Password-less sign-up or sign-in with phone number and/or email\n\n## Instructions\n* In all policies, replace instances of ```yourtenant.onmicrosoft.com``` with your tenant.\n* In Phone_Email_Base, replace instances of ```ProxyIdentityExperienceFrameworkAppId``` and ```IdentityExperienceFrameworkAppId``` with the appropriate application IDs.\n* In Phone_Email_Base, replace ```{insert your privacy statement URL}``` and ```{insert your terms and conditions URL}``` with the appropriate URLs. Alternatively, delete the lines containing this text if you do not want these links shown on your phone sign-up/sign-in pages.\n* For policies in China, in Phone_Email_Base, replace occurrences of ```sts.windows.net``` with ```sts.chinacloudapi.cn``` and ```login.microsoftonline.com``` with ```login.chinacloudapi.cn```.\n\n## Contributing\n\nThis project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information, see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.\n"
  },
  {
    "path": "scenarios/phone-number-passwordless/SignUpOrSignInWithPhone.xml",
    "content": "<TrustFrameworkPolicy xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\" PolicySchemaVersion=\"0.3.0.0\" TenantId=\"yourtenant.onmicrosoft.com\" PolicyId=\"B2C_1A_SignUpOrSignInWithPhone\" PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_SignUpOrSignInWithPhone\" >\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_Phone_Email_Base</PolicyId>\n  </BasePolicy>\n  <RelyingParty>\n    <DefaultUserJourney ReferenceId=\"SignUpOrSignInWithPhone\" />\n    <TechnicalProfile Id=\"PolicyProfile\">\n      <DisplayName>PolicyProfile</DisplayName>\n      <Protocol Name=\"OpenIdConnect\" />\n      <OutputClaims>\n        <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n        <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n        <OutputClaim ClaimTypeReferenceId=\"surname\" />\n        <OutputClaim ClaimTypeReferenceId=\"signInNames.phoneNumber\" />\n        <OutputClaim ClaimTypeReferenceId=\"strongAuthenticationEmailAddress\" />\n        <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"sub\" />\n        <OutputClaim ClaimTypeReferenceId=\"tenantId\" AlwaysUseDefaultValue=\"true\" DefaultValue=\"{Policy:TenantObjectId}\" />\n      </OutputClaims>\n      <SubjectNamingInfo ClaimType=\"sub\" />\n    </TechnicalProfile>\n  </RelyingParty>\n</TrustFrameworkPolicy>"
  },
  {
    "path": "scenarios/phone-number-passwordless/SignUpOrSignInWithPhoneOrEmail.xml",
    "content": "<TrustFrameworkPolicy xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns=\"http://schemas.microsoft.com/online/cpim/schemas/2013/06\" PolicySchemaVersion=\"0.3.0.0\" TenantId=\"yourtenant.onmicrosoft.com\" PolicyId=\"B2C_1A_SignUpOrSignInWithPhoneOrEmail\" PublicPolicyUri=\"http://yourtenant.onmicrosoft.com/B2C_1A_SignUpOrSignInWithPhoneOrEmail\" >\n  <BasePolicy>\n    <TenantId>yourtenant.onmicrosoft.com</TenantId>\n    <PolicyId>B2C_1A_Phone_Email_Base</PolicyId>\n  </BasePolicy>\n  <RelyingParty>\n    <DefaultUserJourney ReferenceId=\"SignUpOrSignInWithPhoneOrEmail\" />\n    <TechnicalProfile Id=\"PolicyProfile\">\n      <DisplayName>PolicyProfile</DisplayName>\n      <Protocol Name=\"OpenIdConnect\" />\n      <OutputClaims>\n        <OutputClaim ClaimTypeReferenceId=\"displayName\" />\n        <OutputClaim ClaimTypeReferenceId=\"givenName\" />\n        <OutputClaim ClaimTypeReferenceId=\"surname\" />\n        <OutputClaim ClaimTypeReferenceId=\"signInNames.phoneNumber\" />\n        <OutputClaim ClaimTypeReferenceId=\"signInNames.emailAddress\" />\n        <OutputClaim ClaimTypeReferenceId=\"strongAuthenticationEmailAddress\" />\n        <OutputClaim ClaimTypeReferenceId=\"objectId\" PartnerClaimType=\"sub\" />\n        <OutputClaim ClaimTypeReferenceId=\"tenantId\" AlwaysUseDefaultValue=\"true\" DefaultValue=\"{Policy:TenantObjectId}\" />\n      </OutputClaims>\n      <SubjectNamingInfo ClaimType=\"sub\" />\n    </TechnicalProfile>\n  </RelyingParty>\n</TrustFrameworkPolicy>"
  }
]