The root element within which a Trust Framework Policy is defined. This section contains the policy constraints controlling which tenants and policies can inherit from it. Contains a list of contacts who can be communicated with for notifications and issues regarding the Policy. Contains a list of references to documents for the Policy. This section contains the Claims Providers and their Technical Profiles that may be used in the various User Journeys. The User Journeys through which a user is taken to retrieve the claims that are to be presented to the relying party. The SubJourneys that are components of UserJourneys and are executed as part of a User Journey. An identifier of the User Journey with which the orchestration engine will begin. A merged trust framework policy can contain multiple user journeys, and relying parties select one of them as the starting point. Defines the different endpoints exposed by the policy and maps them to the UserJourneys to invoke. Controls the scope of various user journey behaviors. Controls the scope of the single sign-on behavior of a user journey. Controls whether the session is rolling or absolute. Controls the time of the session expiry in seconds. DEPRECATED - Use JourneyInsights indicating ApplicationInsights as the telemetry engine. Specifies the details required for journey insights. Specifies a list of key/value pairs to be appended to the content definition load URI. Specifies whether journey framing is enabled and for what sources. Controls whether script execution is allowed for the journey. Specifies the error handling behavior of a journey. Determines the schema version published by Microsoft under which this Policy is to be executed. The unique identifier of the tenant to which this policy belongs. The unique identifier of the object ID of the Azure tenant. The unique identifier of this policy. The URI for the policy, which is an appropriate name for the policy outside of the CPIM system.
The name of the StateTable that should execute this policy. The mode under which the policy should be deployed. The URL, in the format http://{host}?stream={guid} (where the braces are omitted), of a service able to receive HTTP posts documenting user journey progress. This section defines the base policy from which this Policy is derived. The identifier of the tenant that published the base policy. The base policy is looked up inside the tenant specified here. The identifier of the base policy. The policy is looked up using this identifier within the tenant specified by the preceding element. This section defines the constraints for policies inheriting from this policy. A list of tenant references used when the inheritance rule is an allow or deny list. A handler implementing the IConstraintHandler interface for applying more complex inheritance rules. This section defines policy rerouting rules. A list of reroute rules. This section defines the details of a rerouting rule. The unique identifier of this policy. The weight for a policy in case of A/B testing. Defines an attribute that can be passed in the query string and that will match the policy to be redirected to. This section defines the constraints for policies inheriting from this policy. A machine understandable identifier that is used to uniquely identify this particular constraint handler. A fully-qualified name of the assembly that will be used by CPIM to determine the constraint handler. Every Claims Provider must have one or more Technical Profiles, which determine the endpoints and the protocols needed to communicate with that Claims Provider. In fact, in CPIM, it is the Technical Profile that is referenced elsewhere for communication with a particular Claims Provider. A Claims Provider can have multiple Technical Profiles for various reasons.
For example, multiple Technical Profiles may be defined because the Claims Provider supports multiple protocols, various endpoints with different capabilities, or releases different claims at different assurance levels. It may be acceptable to release sensitive claims in one User Journey, but not in another one. A Technical Profile is usually certified for a Level of Assurance, and thus one Claims Provider may have multiple Technical Profiles for different Levels of Assurance. The human understandable domain names for the technical profile. The human understandable domain name for the technical profile. The human understandable domain name for the technical profile. The human understandable name of the Technical Profile that can be displayed to the users. Provides detailed user understandable text to explain the Technical Profile. The protocol used for federation. Name of the protocol used by CPIM for claims exchange with the claims provider. A fully-qualified name of the assembly that will be used by CPIM to determine the protocol handler if the protocol name is "Proprietary". It is invalid to provide this attribute with any other protocol name. Format of the input token. Format of the output token. Lists the assurance level of the claims that are retrieved from the Technical Profile. Lists the assurance levels that a claim must have in order for it to be used as an input claim to the Technical Profile. Requirements regarding the conscious and active participation of the subject in authentication. The maximum number of minutes cached credentials can be used following an active authentication by the subject. Default is False. If True, then whenever a token is issued (even using a cached credential) the expiry time is set to the current time plus the TimeToLive. This is the data utilized by the protocol for communicating with the endpoint. A list of cryptographic keys used in this technical profile. A list of suppressions supported by the protocol.
If the protocol supports multiple bindings, this represents the binding preferred by the protocol, for example HTTP POST or HTTP GET in the case of SAML. A value indicating whether usage of this technical profile should apply single sign-on behavior for the session or instead require explicit interaction. CPIM can send the original token from one claims provider to another claims provider. InputTokenSources are the list of technical profiles of the claims providers from which the original tokens are to be sent. ClaimsTransformations can be used to modify existing ClaimsSchema claims or generate new ones. This element contains the list of references to ClaimsTransformations that should be executed before any claims are sent to the claims provider or the relying party. A list of the ClaimsSchema claim types that are sent as input to the claims provider or the relying party. Defines a list of display claims for user interface controls. A list of the ClaimsSchema claim types that are persisted by the claims provider. A list of the ClaimsSchema claim types that are received as output from the claims provider. ClaimsTransformations can be used to modify existing ClaimsSchema claims or generate new ones. This element contains the list of references to ClaimsTransformations that should be executed after claims are received from the claims provider. A TechnicalProfile can have a set of other TechnicalProfiles that it uses for validation purposes. This section lists all such technical profiles. The technical profile to be used for validating some or all of the output claims of the referencing technical profile. Therefore, all the input claims of the referenced technical profile must appear in the output claims of the referencing technical profile. A list of preconditions that must be satisfied for the validation technical profile to execute. A boolean indicating whether validation of any subsequent validation profiles should continue if this profile succeeds.
The default is true, meaning that the processing of further validation profiles will continue. A boolean indicating whether validation of any subsequent validation profiles should continue if this profile errors. The default is false, meaning that processing of further validation profiles will stop and an error will be returned. Information that controls production of the subject name in tokens (e.g. SAML) where the subject name is specified separately from claims. An element for including additional information specific to a particular technical profile. An id of a different technical profile. All input and output claims from the referenced technical profile will be added to this technical profile. The referenced technical profile must be defined in the same trust framework policy. An id of a different technical profile. All data from the referenced technical profile will be added to this technical profile. The referenced technical profile must exist in the trust framework policy. An id of a technical profile to be used for session management. Error handlers to take action based on different error responses. Format of the error response. Used to indicate the reader of the error response for path matching. Default is json. Match path for the response to trigger the action. JSONPath is used for a JSON response; XPath is used for an XML response. Action to perform when the error response matches the pattern. Additional query string to send for the reauthentication action. A boolean indicating whether the technical profile should be used within a user journey; this includes ClaimProviderSelections. If this value is set to true, it will disable the selection. A machine understandable identifier that is used to uniquely identify this particular TechnicalProfile, and reference it from other sections of the document, for example OrchestrationSteps and InputTokenSources. A User Journey defines all the constructs necessary for a complete user flow.
Specifies a measurement of identity assurance when the claims are presented to the Relying Party at the conclusion of the orchestration steps contained in the User Journey. Claims are presented to the Relying Party Application in a token generated by CPIM. However, a Technical Policy may state, using a true or a false for this element, that the original assertion which was returned from the Claims Provider(s) must also be preserved so that, if needed, it can be examined by the Relying Party for auditing or diagnostic purposes. Specifies relevant information required for the Authorization elements of a UserJourney. This can point to other element references in the policy for validating information about the request in order to assert that the request is allowed. A TechnicalProfile can be used to extract information from a request and perform authorization of the request. This section lists all such technical profiles. The technical profile to be used for validating/authorizing incoming data to assert that the information is valid for the UserJourney. If the information is invalid, the UserJourney will not execute and the request is Forbidden. This section lists the orchestration sequence that must be followed through for a successful transaction (i.e. a complete user flow). Thus, every User Journey consists of an ordered list of Orchestration Steps (OS) that are executed in sequence. If any step fails, the transaction fails. References the settings definition section that determines the client behavior. The identifier of the policy to use. A list of cryptographic keys used in this User Journey. A machine understandable identifier that is used to uniquely identify this particular User Journey. A boolean that is used to indicate whether this particular User Journey is non-interactive. The default Issuer TechnicalProfileId of the claims provider that will mint the token for the relying party.
If absent, then the CpimIssuerTechnicalProfileReferenceId from the first SendClaims step is considered the default. A SubJourney describes a part of the User Journey. This section lists the orchestration sequence that must be followed through for a successful transaction (i.e. a complete user flow). Thus, every SubJourney consists of an ordered list of Orchestration Steps (OS) that are executed in sequence. If any step fails, the transaction fails. A machine understandable identifier that is used to uniquely identify this particular SubJourney. The type of the SubJourney, which governs how it is executed in the context of the policy. An Endpoint that describes which UserJourney should be invoked when a user agent lands on the endpoint. A machine understandable identifier that is used to uniquely identify this particular Endpoint. The unique identifier of the UserJourney to be executed on invoking the endpoint. This section contains all the definitions that are used by the Technical Policies. This section defines all the claim types that can be referenced from other sections of the document. This section defines all the predicates that are used to validate input strings. This section defines input validations that combine predicates to create string validation logic. This section defines predicate validations that combine predicates to create string validation logic. Contains a list of claims transforms that can be used in Technical Policies. ClientDefinitions specify various properties specific to the end-user device for which the policy is being executed. Content definitions contain URLs to external content (for example, URLs to pages used in claims providers such as Phone Factor). Defines the supported cultures and contains strings and collections in those cultures. Defines all the cultures that are supported by this policy. Contains all the translated strings for a specific culture.
If set to true, the Localization section is used for rendering the strings and collections in the appropriate languages; otherwise this section is not used. This section defines all display controls associated with user interface controls. Defines the display control associated with a user interface control. Represents the set of supported languages, including the default language. Represents one supported language. This is the default language that the customer will see user journeys in if they do not specify any other supported culture. This is the language the default values in the policy are written in. Specifies how the enumeration values will be merged together with any ClaimType present in a parent policy with the same identifier. A collection can have a different number of items, and different strings, for various cultures. This element allows defining the entire collections in various cultures. Examples of collections include the enumerations that appear in claim types, e.g. a country/region list, and are shown to the user in a drop-down list. This section is used to define all the strings, except those that appear in collections, in various cultures. Defines whether content journey framing is supported and the corresponding domains allowed to frame. Attribute indicating whether journey framing is enabled. A space-separated list of sources used to populate the CSP frame-ancestors directive and the X-Frame-Options header. In the case of X-Frame-Options, if more than one source is specified, only the first source is included, and it must be an absolute URL. Defines whether errors should be returned to the requestor or displayed in the service. Attribute indicating the error handling mode. Defines the behavior of the single sign-on functionality for this application policy. Defines the scope of the single sign-on behavior. Defines the number of days to keep the session alive when a user selects to be remembered.
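The journey framing rule above (all sources go into CSP frame-ancestors, only the first, absolute-URL source reaches X-Frame-Options) is modeled by this added Python example; it is not part of the schema documentation or of Microsoft's code. It assumes that a disabled setting maps to `frame-ancestors 'none'` / `DENY`, uses the `ALLOW-FROM` directive for the single X-Frame-Options URL, and implements a simplified CSP host-source matcher (scheme, `*.` wildcard and port; no `'self'` or path matching).

```python
"""Added example: derive the framing response headers implied by a JourneyFraming
setting and check which embedding origins they admit. Simplified model, not B2C code."""
from typing import Dict, Optional
from urllib.parse import urlsplit


def is_absolute_url(source: str) -> bool:
    """True when the source has an http(s) scheme and a concrete host (no wildcard)."""
    parts = urlsplit(source)
    return parts.scheme in ("http", "https") and bool(parts.netloc) and "*" not in parts.netloc


def framing_headers(enabled: bool, sources: str) -> Dict[str, str]:
    """Build the two headers from the Enabled flag and the space separated Sources list.

    Assumption: disabled framing is expressed as 'none' / DENY, and the first source
    is emitted with ALLOW-FROM, the only X-Frame-Options form that carries a URL.
    """
    if not enabled:
        return {"Content-Security-Policy": "frame-ancestors 'none'",
                "X-Frame-Options": "DENY"}
    src_list = sources.split()
    if not src_list:
        raise ValueError("journey framing enabled but no sources given")
    first = src_list[0]
    if not is_absolute_url(first):
        # Only the first source reaches X-Frame-Options, so it must be an absolute URL.
        raise ValueError(f"first source must be an absolute URL: {first!r}")
    return {"Content-Security-Policy": "frame-ancestors " + " ".join(src_list),
            "X-Frame-Options": "ALLOW-FROM " + first}


def _source_matches(source: str, scheme: str, host: str, port: int) -> bool:
    """Simplified CSP host-source match: optional scheme, optional *. wildcard, optional port."""
    src_scheme: Optional[str]
    if "://" in source:
        src_scheme, rest = source.split("://", 1)
    else:
        src_scheme, rest = None, source
    src_host, _, src_port = rest.partition(":")
    src_host = src_host.lower()
    if src_scheme is not None and src_scheme != scheme:
        return False
    if src_scheme is None and scheme != "https":
        return False                      # scheme-less sources admit only https ancestors here
    if src_host.startswith("*."):
        if not host.endswith(src_host[1:]):   # "*.example.test" matches "a.example.test" only
            return False
    elif src_host != host:
        return False
    if src_port:
        return src_port == "*" or int(src_port) == port
    return port == (443 if scheme == "https" else 80)


def embedding_allowed(headers: Dict[str, str], ancestor_origin: str) -> bool:
    """Would a page served with these headers be allowed in a frame on ancestor_origin?"""
    sources = headers["Content-Security-Policy"].split(None, 1)[1].split()
    if sources == ["'none'"]:
        return False
    origin = urlsplit(ancestor_origin)
    port = origin.port or (443 if origin.scheme == "https" else 80)
    host = (origin.hostname or "").lower()
    return any(_source_matches(s, origin.scheme, host, port) for s in sources)
```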
Attribute indicating whether the presence of the id_token_hint parameter is required for OIDC logout. DEPRECATED - Use JourneyInsights indicating ApplicationInsights as the telemetry engine. Defines the instrumentation key for the application insights element. Defines the Azure Application Insights element, which includes the application insights script in the user journeys. Defines the instrumentation key for the application insights element. Value indicating which telemetry engine to use. Value indicating whether application insights should operate in developer mode. Default if not specified is false. Value indicating whether application insights should be run on the client via JavaScript. Default if not specified is false. Value indicating whether server-side journey recording is enabled. Default if not specified is false. Value indicating which version of journey telemetry to use. If not specified, the latest version is used. Defines a list of key/value pairs to be appended to the query string of the content definition load URIs. Defines a key/value pair that is to be appended to the query string of the content definition load URI. Transforms take a set of claims, process them, and output another set of claims. A list of the Claim Types that are taken as input to the Claims Transformation. Each of these elements contains a reference to a ClaimType already defined in the ClaimsSchema section. A list of the parameters that are provided as input to the Claims Transformation. Each of these elements contains a value that is passed verbatim to the transformation. A list of the Claim Types that are taken as input to the Claims Transformation. Each of these elements contains a reference to a ClaimType already defined in the ClaimsSchema section. The Claim Type that is output by the Claims Transformation. This element contains a reference to a ClaimType already defined in the ClaimsSchema section.
A machine understandable identifier that is used to uniquely identify this particular Claims Transform, and reference it from other sections of the document. A machine understandable identifier to reference the published transformation method to be used. Metadata section that can be used to override API settings and content. Contains a list of references to localized resources. The reference can be in the form of a URL or a machine understandable identifier that is used to uniquely identify the specific localized resource in the policy. Specifies how the enumeration values will be merged together with any ClaimType present in a parent policy with the same identifier. A machine understandable identifier that is used to uniquely identify this particular Content Definition, and reference it from other sections of the document. The URL to a localized resource hosted on a CORS-enabled endpoint. This resource will be fetched by the client-side code. A machine understandable identifier that is used to uniquely identify this particular Localized Resource, and reference it from other sections of the document. Contains settings for a User Journey on a client. These flags are used to indicate the client's UI behavior. A unique identifier that allows this client definition to be referenced from a User Journey. Represents a Claims Provider, along with its technical profiles. Domain names for the claims provider. The human understandable domain name for the claims provider. The human understandable domain name for the claims provider. The human understandable name of the claims provider that can be displayed to the users. List of Technical Profiles for exchanging claims with this claims provider. A collection of Precondition elements. Represents a conditional check that is performed to determine if an OrchestrationStep or a validation technical profile should be executed. The data that is used by the check.
For example, if the Type of this check is "ClaimsExist", this field will specify a ClaimTypeReferenceId to query for. Specifies the action that should be taken if the Precondition check is true, such as "SkipThisOrchestrationStep" and "SkipThisValidationTechnicalProfile". The type of check to perform. Specifies if the actions in this precondition should be performed if the test is true or false. A reference to a predicate element. A machine readable identifier that references a predicate in the policy. A combination of predicate groups and predicates that will define how to validate an input. A machine readable identifier that can be used to reference the input validation in the policy. A set of predicates. A machine readable identifier for the pattern group that cannot be referenced. The help text shown for the predicate group in case of an error. The least number of predicates that must match for the predicate group to take effect. The least number of predicates that must match for the predicate group to take effect. Represents a single parameter that will be passed to a predicate method. The value of the parameter. The name of the parameter. A collection of Parameters passed to a predicate. Defines a single predicate that will be used to create an input validation. A description of the predicate that can be helpful for the users to know what password they should type. A machine understandable identifier that is used to uniquely identify this particular Predicate, and reference it from other sections of the document. The method that will be called to validate this predicate; it takes as input the param elements and a string value and returns a boolean. The help text that will be shown to the user if the input validation that the predicate is in fails. A set of predicate groups. A reference to a predicate element. A description of the predicate that can be helpful for the users to know what password they should type.
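The validation technical profile chain described earlier (ContinueOnSuccess defaulting to true, ContinueOnError defaulting to false) and the Precondition mechanics above (a "ClaimsExist" check, whether its actions run when the test is true or false, and the "SkipThisValidationTechnicalProfile" action) are modeled together in this added Python example, which is not part of the schema documentation or of Microsoft's code. The profile bodies, the claim names and the "ClaimEquals" check are constructed stand-ins; a body returns None on success or an error message on failure.

```python
"""Added example: how a list of validation technical profiles is walked, honoring
Preconditions and the ContinueOnSuccess / ContinueOnError defaults. Illustration only."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Claims = Dict[str, str]
# Hypothetical profile body: None means success, a string is the error message.
ProfileBody = Callable[[Claims], Optional[str]]


@dataclass
class Precondition:
    type: str                 # "ClaimsExist" (from the page) or "ClaimEquals" (constructed)
    values: List[str]         # ClaimsExist: claim type ids; ClaimEquals: [claim id, expected]
    execute_actions_if: bool  # perform the action when the check result equals this
    action: str = "SkipThisValidationTechnicalProfile"


@dataclass
class ValidationProfile:
    id: str
    body: ProfileBody
    preconditions: List[Precondition] = field(default_factory=list)
    continue_on_success: bool = True   # default stated on the page
    continue_on_error: bool = False    # default stated on the page


def precondition_check(pc: Precondition, claims: Claims) -> bool:
    """Evaluate the raw check; the caller compares the result with ExecuteActionsIf."""
    if pc.type == "ClaimsExist":
        return all(claim_id in claims for claim_id in pc.values)
    if pc.type == "ClaimEquals":
        claim_id, expected = pc.values
        return claims.get(claim_id) == expected
    raise ValueError(f"unsupported precondition type: {pc.type}")


def should_skip(profile: ValidationProfile, claims: Claims) -> bool:
    """A profile is skipped when any skip precondition's check equals its ExecuteActionsIf."""
    return any(
        pc.action == "SkipThisValidationTechnicalProfile"
        and precondition_check(pc, claims) == pc.execute_actions_if
        for pc in profile.preconditions
    )


def run_validation_profiles(profiles: List[ValidationProfile],
                            claims: Claims) -> Tuple[List[str], Optional[str], Claims]:
    """Walk the profiles in order; return (executed ids, error or None, resulting claims)."""
    claims = dict(claims)            # work on a copy so the caller's input is untouched
    executed: List[str] = []
    for p in profiles:
        if should_skip(p, claims):
            continue
        executed.append(p.id)
        error = p.body(claims)
        if error is not None:
            if not p.continue_on_error:
                return executed, f"{p.id}: {error}", claims   # stop and report the error
            continue                                          # tolerated failure, keep going
        if not p.continue_on_success:
            break                                             # success ends the chain early
    return executed, None, claims


# Constructed sample profile bodies standing in for real technical profiles.
def check_credentials(claims: Claims) -> Optional[str]:
    return None if claims.get("password") == "correct horse" else "invalid credentials"


def read_user(claims: Claims) -> Optional[str]:
    claims["objectId"] = "constructed-object-id"   # simulates a directory lookup
    return None


def flaky_enrichment(claims: Claims) -> Optional[str]:
    return "enrichment backend unavailable"


SAMPLE_PROFILES = [
    ValidationProfile("check-credentials", check_credentials),
    # Skipped when objectId already exists: ClaimsExist is true and ExecuteActionsIf is true.
    ValidationProfile("read-user", read_user,
                      preconditions=[Precondition("ClaimsExist", ["objectId"], True)]),
    ValidationProfile("flaky-enrichment", flaky_enrichment, continue_on_error=True),
    ValidationProfile("final-step", lambda claims: None),
]


def validate(claims: Claims) -> Tuple[List[str], Optional[str], Claims]:
    """Run the constructed sample chain against a set of input claims."""
    return run_validation_profiles(SAMPLE_PROFILES, claims)
```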
A machine readable identifier that can be used to indicate the name of the predicate group; it cannot be referenced. A combination of predicate groups and predicates that will define how to validate an input. A machine readable identifier that can be used to reference the predicate validation in the policy. A reference to a predicate validation element. A machine readable identifier that references a predicate validation in the policy. A collection of ClaimsProviderSelection elements. Shows options for the selection between various claims providers in a given step (such as Google/Facebook/Microsoft Account). A collection of ClaimsExchange elements. Depending on the Technical Profile being used, a Claims Exchange either redirects the user's client according to the ClaimsProviderSelection that the user may have selected, or makes a server call to exchange claims. A machine understandable identifier that is used to uniquely identify this particular Claims Exchange step, and reference it from a ClaimsProviderSelection step. The unique identifier of the Technical Profile which is used for claims exchange. A list of SubJourneys that are able to be executed during an Orchestration Step. A candidate is a single journey type that can be invoked on its own during an Orchestration Step. The unique identifier for the SubJourney that can be executed. ClaimsTransformations may be used in a TechnicalProfile for transforming claims when they are sent to and received from a claims provider. A ClaimsTransformation must be defined in this section before it can be referenced in a TechnicalProfile. A reference to an input validation element. A machine readable identifier that references a predicate in the policy. Defines a single claim type. The human understandable name of the claim type that is displayed to the users on various screens. The type of data stored in the claim type, such as String, Boolean, Int or DateTime.
This type may be used by claims transforms and may thus participate in comparison or arithmetic operations. Associating an appropriate type ensures that these operations are performed correctly by the transforms. If a partner claim type is not provided in a claim mapping, then these partner claim types are used for the specified protocol. The list of technical profiles that are allowed to be used against a claims provider selection. An optional string of masking characters that can be applied to the claim when displaying it, for example the phone number 324-232-4343 masked as XXX-XXX-4343. A description of the claim type that can be helpful for administrators to understand the purpose and/or usage of the claim type. A description of the claim type that can be helpful for users to understand the purpose and/or usage of the claim type. The type of input control that should be available to the user when manually entering claim data for this claim type. The value restrictions for this claim, such as a regular expression or a list of acceptable values. A machine understandable identifier that is used to uniquely identify this particular Claim Type, and reference it from other sections of the document. The type of statement the claim type represents, such as Attribute, Authentication or Subject, the default being Attribute. This type may be used by claims transforms and may thus participate in comparison or arithmetic operations. Associating an appropriate type ensures that these operations are performed correctly by the transforms. The display name. The telephone number. The email address. The role of the contact. A machine understandable identifier that is used to uniquely identify this particular Contact. Certain documents, such as terms of use or a privacy policy, may be made available to the Relying Parties or even to the users before they sign up to use one of the services provided by CPIM.
The RPs may use these documents to determine whether the TF is appropriate for the purposes they intend to use it for. The users may view these documents to look at the parameters within which the RPs and the TF will operate and determine whether they want to participate or not. The display name of the document. The URL where the document is located. Specifies the orchestration step. A list of preconditions that must be satisfied for the step to execute. A list of Claims Provider Selection options for the Orchestration Step. A list of Claims Exchanges for the Orchestration Step. A list of available journeys that can be invoked by the Orchestration Step. The order of the Orchestration Step. Orchestration Steps must appear in increasing order, which is the order in which they are executed. The type of the Orchestration Step. A reference to the Content that the Orchestration Step can display to the user. Used on SendClaims steps to define the TechnicalProfileId of the claims provider that will mint the token for the relying party. If absent, no RP token will be created. A list of sources that can be the input assertions for the current technical profile. A machine understandable identifier that is used to uniquely identify this particular technical policy. Represents the CryptographicKeys that are used within the Policy. Since these are sensitive secrets, the actual cryptographic keys are stored outside of the Trust Framework Policy and would generally reside in a system deemed secure for cryptographic storage, such as a hardware security module (HSM) or a key management service (KMS). A machine understandable identifier that is used to uniquely identify this particular Cryptographic Key. An identifier that references the key in the underlying key storage. Defines the element for the protocol provider metadata. Defines a single metadata item for the protocol provider metadata. Defines a group of items of key/value pairs. Defines a single key/value pair item.
A key that uniquely identifies the item. The value to hold in the item. The claim type in the normalized schema that is sent to the claims provider. The claim mappings are used to determine the provider claim type before sending to the claims provider. Identifies a Claim Type specified in the Claims Schema. Identifies the claim type of the external partner that the specified policy claim type maps to. If the PartnerClaimType attribute is not specified, then the specified policy claim type is mapped to the partner claim type of the same name. If the claim indicated by ClaimTypeReferenceId does not exist, then the DefaultValue is used to create one so it can be used as an input claim by the technical profile. Provides an optional property to the claims provider indicating whether the claim can be overwritten in the claims provider's records if the claims provider supports overwriting. Provides an optional property indicating whether the default claim value should always be used for the value of the claim. A group of display elements in a self-asserted page that allows special interaction with the back-end. A list of input claims that indicate the prefilled values for user interface controls. The input claim that indicates the prefilled value for a user interface control. A list of display claims to be displayed as user interface controls. The display claim to be displayed as a user interface control. A list of output claims to be used by the relying technical profile. The output claim to be used by the relying technical profile. A list of actions corresponding to front-end user control scenarios. The display control action corresponding to a front-end user control scenario. The identifier of the display control. Type of user interface control that allows users to enter and verify claims. A list of technical profiles to execute sequentially when the action is invoked. The technical profile reference to execute when the action is invoked.
A list of preconditions that must be satisfied for the validation technical profile to execute. An identifier that is a reference to a Technical Profile specified in one of the Claims Providers. A boolean indicating whether validation of any subsequent validation profiles should continue if this profile succeeds. The default is true, meaning that the processing of further validation profiles will continue. A boolean indicating whether validation of any subsequent validation profiles should continue if this profile errors. The default is false, meaning that processing of further validation profiles will stop and an error will be returned. The identifier of the display control action associated with a user interface scenario. An identifier that is a reference to a ClaimType specified in the ClaimsSchema. An identifier that is a reference to a defined DisplayControl. Identifies whether or not the user input is required for further actions. An identifier that is a reference to a ClaimType specified in the ClaimsSchema. Identifies whether or not the claim is required for this technical profile. If this property is not specified, false is assumed, meaning that the given claim may be utilized if available, but its absence does not indicate an error. For claims that are user asserted, this property controls whether or not the user is required to fill out the associated field before continuing. If the claim indicated by ClaimTypeReferenceId does not exist, then the DefaultValue is used to create one so it can be used as an input claim by the technical profile. Provides an optional property indicating whether the default claim value should always be used for the value of the claim. An identifier that is a reference to a ClaimType specified in the ClaimsSchema. Identifies the control type of the display control that is mapped to the specified policy claim type. Identifies whether or not the user input is required for further actions.
A reference to a Technical Profile which constrains the source of the claim to one or more technical profiles. If no "from" is specified, then the claim can be sourced from any technical profile. An identifier that is a reference to a ClaimType specified in the ClaimsSchema. Identifies the claim type of the external partner that is mapped to the specified policy claim type. If the PartnerClaimType attribute is not specified, then the partner claim type with the same name as the specified policy claim type is mapped instead. Identifies whether or not the claim is required for this technical profile. If this property is not specified, false is assumed, meaning that the given claim may be utilized if available, but its absence does not indicate an error. For claims that are user asserted, this property controls whether or not the user is required to fill out the associated field before continuing. If the claim indicated by ClaimTypeReferenceId does not exist, then the DefaultValue is used to create one so it can be used as an input claim by the technical profile. Provides an optional property indicating whether the default claim value should always be used for the value of the claim. An identifier that is a reference to a ClaimType specified in the ClaimsSchema. Identifies the claim type of the transformation that is mapped to the specified policy claim type. If the TransformationClaimType attribute is not specified, then the transformation claim type with the same name as the specified policy claim type is mapped instead. An identifier that is a reference to a Technical Profile specified in one of the Claims Providers. An optional string for masking a claim when displaying it, for example the phone number 324-232-4343 masked as XXX-XXX-4343. It can either be a simple substitution mask or a regular expression which uses named groups. Defines an available option for the user to select for a claim in the UI, such as a value in a dropdown.
The user-friendly display string that should be shown to the user in the UI for this option. The claim value associated with selecting this option. A value indicating whether or not this option should be selected by default in the UI. Defines a pattern restriction, such as a regular expression, to be placed on values for a specific claim type. A regular expression that claims of this type must match in order to be valid. A string that can describe the pattern/regular expression for this claim to the user. Defines the element for specifying value restrictions for a claim, such as regular expressions or a list of acceptable values. Specifies how the enumeration values will be merged together with any ClaimType present in a parent policy with the same identifier. If no value is given, replaceAll is used by default. A list of tenant references used when the inheritance rule is an allow or deny list. A list of tenant references used when the inheritance rule is an allow or deny list. The type of pattern constraint to apply to the policy id. The actual pattern to be applied to the policy id. Defines a reference to a tenant using the tenant guid as the reference id. The unique identifier of the object ID of the Azure tenant. An identifier that is a reference to a parameter of the TransformationMethod. The type of data of the parameter, such as String, Boolean, Int or DateTime. This type is used to perform arithmetic operations correctly. The value that is to be provided to the TransformationMethod when invoked. An extension point for elements that allows any xml from any namespace outside of the document namespaces to be included in the element. Specifies the format type of the error response. Specifies how journey errors are to be communicated to the user/requestor. The error is returned to the requestor using protocol semantics. The error message is displayed in the service. Specifies how error responses are to be handled.
Ask the user to reauthenticate for a specific error case. Display the message indicating that the client key/secret is not configured properly. Specifies how the contents of the node will be merged together with data from parent policies with the same unique identifier. Specifies that the collection of data present should be appended to the end of the collection specified in the parent policy. Specifies that the collection of data present should be added before the collection specified in the parent policy. Specifies that the collection of data specified in the parent policy should be ignored, using instead the data specified in the current policy. The types of claim masks: 1. Simple, a simple text mask that is applied to the leading portion of a string claim. 2. A regular expression that is applied to the string claim as a whole. The names of the valid protocols supported by CPIM. The list of acceptable values for the "EnabledForUserJourneys" property: true and Always will execute the technical profile, false and Never will always skip it, and OnClaimsExistence will only execute the technical profile if the claim specified in the technical profile's metadata is present in the user journey storage. The list of acceptable values for how the claims provider selection page should be displayed. The token formats supported by CPIM. Describes the supported script execution modes. Script execution is not allowed on the client, and any third-party content containing script will be blocked. Script execution is permitted. Specifies the type of the Orchestration Step. Indicates that the Orchestration Step presents text to the user to which the user must consent. Indicates that the Orchestration Step presents various Claims Providers to the user for the user to select one. Indicates that the Orchestration Step presents a combined social provider signin and local account signup page. Indicates that the Orchestration Step exchanges Claims with a Claims Provider.
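The two mask types described above are easy to get subtly wrong (a Simple mask that is shorter than the value leaves the tail visible; a regex that does not match must not leak anything). The following is an added example, not code from the page or from the policy engine: it implements a Simple mask as "replace the leading portion" and a regex mask as "reveal only the characters captured by named groups", which is this example's own reading of the named-group convention. The type names "Simple" and "Regex", the choice to keep punctuation such as "-" or "@" visible, and all sample values are assumptions.

```python
import re


def apply_simple_mask(value: str, mask: str) -> str:
    """Simple mask: the mask text replaces the leading portion of the claim,
    character for character, and the rest of the claim stays visible."""
    return mask + value[len(mask):]


def apply_regex_mask(value: str, pattern: str, mask_char: str = "X") -> str:
    """Regex mask applied to the whole claim: characters captured by a named
    group stay visible, every other letter or digit becomes mask_char.
    Punctuation is kept so the shape stays readable (an assumption of this
    example). If the pattern does not match the whole value, nothing is
    revealed: masking must fail closed."""
    m = re.fullmatch(pattern, value)
    if m is None:
        return mask_char * len(value)
    keep = [False] * len(value)
    for name in m.groupdict():
        start, end = m.span(name)
        if start >= 0:  # the group actually participated in the match
            for i in range(start, end):
                keep[i] = True
    return "".join(
        c if keep[i] or not c.isalnum() else mask_char
        for i, c in enumerate(value)
    )


def mask_claim(value: str, mask_type: str, mask: str) -> str:
    """Dispatch on the mask type the way a display step would."""
    if mask_type == "Simple":
        return apply_simple_mask(value, mask)
    if mask_type == "Regex":
        return apply_regex_mask(value, mask)
    raise ValueError(f"unknown mask type {mask_type!r}")


if __name__ == "__main__":
    # Constructed sample claim values, not taken from any real tenant.
    print(mask_claim("324-232-4343", "Simple", "XXX-XXX-"))
    print(mask_claim("324-232-4343", "Regex", r"\d{3}-\d{3}-(?P<last>\d{4})"))
    print(mask_claim("alice@example.org", "Regex",
                     r"(?P<first>.)[^@]*(?P<domain>@.+)"))
```

The fail-closed branch matters: a mask that is only applied when the regex happens to match would display the full claim for any value the policy author did not anticipate, which for a phone number or e-mail address is exactly the data the mask exists to hide.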
Indicates that the Orchestration Step presents a review screen for the user to review the claims which the user must accept. Indicates that the Orchestration Step sends the claims to the Relying Party. Indicates that the Orchestration Step processes claim data sent to the service from the relying party. Indicates that the Orchestration Step presents a user dialog to the user for the capturing of information. Indicates that the Orchestration Step has the ability to invoke one or more SubJourneys. Indicates that the Orchestration Step does nothing and is included to cope with errors in layering. Defines the scope of single sign-on behavior in the user journey. Indicates that the behavior is suppressed. For example, in the case of SSO no session is maintained for the user and the user will always be prompted for identity provider selection. Indicates that the behavior is applied for all policies in the trust framework. For example, a user being put through two policy journeys for a given trust framework will not be prompted for identity provider selection. Indicates that the behavior is applied for all policies in the tenant. For example, a user being put through two policy journeys for a given tenant will not be prompted for identity provider selection. Indicates that the behavior is applied for all policies for the application making the request. For example, a user being put through two policy journeys for a given application will not be prompted for identity provider selection. Indicates that the behavior only applies to a policy. For example, a user being put through two policy journeys for a given trust framework will be prompted for identity provider selection when switching between policies. Specifies the type of query that is being performed for this precondition. Specifies that the actions should be performed if the specified Claims exist in the user's current Claim set.
Specifies that the actions should be performed if the specified Claim exists and its value is equal to the specified value. Specifies the action that should be taken if the Precondition check within an OrchestrationStep is true. Specifies that the associated OrchestrationStep should not be executed. Specifies that the associated validation technical profile should not be executed. The supported data types that the claims or parameters can have. These types are a subset of the types specified by the W3C XML Schema documentation, which can be found at http://www.w3.org/TR/xmlschema-2. Represents the type of input controls that should be available to the user when manually entering claim data. Represents the type of input controls that should be available to the user when manually entering claim data. This is the successor of "UserInputType". Represents the telemetry engines that can be used as part of journey insights. Describes the category of statement that the claim belongs to, used for comparing authentication contexts and issuing tokens. A general claim about the authenticated individual. A claim providing information about how the individual was authenticated. A claim providing a means of identifying an individual. Represents a culture for displaying content. Represents a tenant id. Represents the object id of an Azure tenant. Represents the instrumentation key for an Azure Application Insights instance. Represents the pattern to which a policyId must conform. Represents a pattern that can be used to construct a valid policyId. This field supports dynamic parameters. Represents the weight of a policy. Defines an attribute that can be passed into the query string, that will match the policy to be redirected to. Represents a four part version number in the format 9.9.9.9. Represents a three part version number in the format 9.9.9. Contains an enumeration of the key types supported by CPIM. A U-Prove key. An X.509 certificate. A secret key.
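The validation-technical-profile chain (ReferenceId, ContinueOnSuccess defaulting to true, ContinueOnError defaulting to false) and the precondition rules (ClaimsExist, ClaimEquals, SkipThisValidationTechnicalProfile) interact in ways that are hard to predict from the descriptions alone. The following is an added example, not code from the page or from the policy engine: it parses a constructed policy fragment with the standard library and walks the chain with the semantics stated above. Element and attribute names follow the published TrustFrameworkPolicy schema but the fragment omits the namespace for brevity; the ReferenceIds, the claim values, the toy credential check and the assumption that ExecuteActionsIf defaults to "true" are all this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed fragment for this example; a real policy carries these elements
# in the TrustFrameworkPolicy namespace and the ReferenceIds are placeholders.
POLICY_FRAGMENT = """
<TechnicalProfile Id="SelfAsserted-LocalAccountSignin">
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="login-NonInteractive">
      <Preconditions>
        <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
          <Value>authenticationSource</Value>
          <Value>socialIdpAuthentication</Value>
          <Action>SkipThisValidationTechnicalProfile</Action>
        </Precondition>
      </Preconditions>
    </ValidationTechnicalProfile>
    <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingObjectId"
                                ContinueOnError="true"/>
    <ValidationTechnicalProfile ReferenceId="REST-AuditSignin">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
          <Value>objectId</Value>
          <Action>SkipThisValidationTechnicalProfile</Action>
        </Precondition>
      </Preconditions>
    </ValidationTechnicalProfile>
  </ValidationTechnicalProfiles>
</TechnicalProfile>
"""


def _flag(elem, name, default):
    """Read a boolean attribute with the schema's documented default."""
    return elem.get(name, default).strip().lower() == "true"


def precondition_holds(pre, claims):
    """True when the precondition's Action should fire. ClaimsExist checks
    that every listed claim is present; ClaimEquals takes the claim type
    as the first Value and the expected value as the second."""
    values = [v.text or "" for v in pre.findall("Value")]
    ptype = pre.get("Type")
    if ptype == "ClaimsExist":
        result = all(v in claims for v in values)
    elif ptype == "ClaimEquals":
        claim, expected = values[0], values[1]
        result = claim in claims and claims[claim] == expected
    else:
        raise ValueError(f"unknown precondition type {ptype!r}")
    return result == _flag(pre, "ExecuteActionsIf", "true")  # default assumed


def should_skip(vtp, claims):
    for pre in vtp.findall("Preconditions/Precondition"):
        if (pre.findtext("Action") == "SkipThisValidationTechnicalProfile"
                and precondition_holds(pre, claims)):
            return True
    return False


def run_validation_chain(fragment_xml, claims, handlers):
    """Walk the ValidationTechnicalProfiles in document order.
    Returns (ok, claims, executed_reference_ids)."""
    root = ET.fromstring(fragment_xml)
    claims = dict(claims)
    executed = []
    for vtp in root.iter("ValidationTechnicalProfile"):
        ref = vtp.get("ReferenceId")
        if should_skip(vtp, claims):
            continue
        executed.append(ref)
        ok, output = handlers[ref](claims)
        if ok:
            claims.update(output)
            if not _flag(vtp, "ContinueOnSuccess", "true"):
                return True, claims, executed
        elif not _flag(vtp, "ContinueOnError", "false"):
            return False, claims, executed      # stop and report the error
        # a failure with ContinueOnError="true" is swallowed and the chain goes on
    return True, claims, executed


# Stand-ins for the real technical profiles (constructed for this example).
def login_noninteractive(claims):
    if claims.get("password") == "correct horse battery staple":
        return True, {"objectId": "obj-0001"}
    return False, {}


def aad_user_read(claims):
    if "objectId" in claims:
        return True, {"displayName": "Alice"}
    return False, {}


def rest_audit(claims):
    return True, {}


HANDLERS = {
    "login-NonInteractive": login_noninteractive,
    "AAD-UserReadUsingObjectId": aad_user_read,
    "REST-AuditSignin": rest_audit,
}
```

Three runs are worth tracing by hand: a local sign-in with the right password executes all three profiles; a wrong password stops at the first profile because ContinueOnError defaults to false; a social sign-in (authenticationSource equal to socialIdpAuthentication) skips the credential check, survives the failing directory read only because that profile sets ContinueOnError="true", and then skips the audit call because the ExecuteActionsIf="false" precondition fires when objectId is absent. Note the security consequence of the second case: setting ContinueOnError="true" on a credential-validating profile would let the journey proceed after a failed login.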
Type that restricts a string to either an absolute or relative URL. Matches https://domain/path, http://domain/path and ~/path. Type that restricts a string to an absolute https URL. Matches https://domain/path. The names of the valid values for a policy's DeploymentMode attribute. The names of the valid values for the single sign on session type. Represents the type of deriving policies that can be specified for policy inheritance. Any policy can inherit from this policy. Only policies in the same tenant can inherit from this policy. This is the default. Only tenants explicitly listed in the tenants list can inherit from this policy. Only tenants explicitly listed in the tenants list are blocked from inheriting from this policy; anyone else can. The types of pattern constraints that can be used when constraining policies. Specifies that a policy id needs to start with the specified prefix. Represents the types of SubJourneys that can be constructed in policy. Represents a type of SubJourney that transfers control from the current execution context, either a SubJourney or UserJourney, into a new SubJourney execution context. Represents a type of SubJourney that is executed inside of the current User Journey. The invoked SubJourney yields control back to the original User Journey or SubJourney upon completion. Represents a string which cannot be empty.
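Two layering decisions described on this page deserve a concrete check: which tenants and policy ids may derive from a base policy (the inheritance rule, its tenant list and the prefix pattern constraint above), and how a derived ClaimType's enumeration merges with the parent's (the replaceAll default and the append/prepend behaviours described earlier). The following is an added example, not code from the page or from the policy engine. The rule names "Any", "SameTenant", "AllowList" and "DenyList", the pattern type "Prefix", the merge behaviour names "ReplaceAll", "Append" and "Prepend", and the tenant identifiers are this example's own placeholders; the page describes the behaviours but does not quote the enumeration identifiers.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Sequence


@dataclass(frozen=True)
class InheritanceConstraint:
    # Rule names are assumptions of this example, not the schema's identifiers.
    rule: str = "SameTenant"                 # "Any", "SameTenant", "AllowList", "DenyList"
    tenants: FrozenSet[str] = field(default_factory=frozenset)
    pattern_type: Optional[str] = None       # only "Prefix" is described on this page
    pattern: Optional[str] = None


def tenant_permitted(c: InheritanceConstraint, base_tenant: str, deriving_tenant: str) -> bool:
    """Apply the inheritance rule to the tenant that wants to derive."""
    if c.rule == "Any":
        return True
    if c.rule == "SameTenant":            # the documented default
        return deriving_tenant == base_tenant
    if c.rule == "AllowList":
        return deriving_tenant in c.tenants
    if c.rule == "DenyList":
        return deriving_tenant not in c.tenants
    raise ValueError(f"unknown inheritance rule {c.rule!r}")


def policy_id_permitted(c: InheritanceConstraint, policy_id: str) -> bool:
    """Apply the pattern constraint, if any, to the deriving policy's id."""
    if c.pattern_type is None:
        return True
    if c.pattern_type == "Prefix":
        return policy_id.startswith(c.pattern or "")
    raise ValueError(f"unknown pattern constraint {c.pattern_type!r}")


def may_inherit(c: InheritanceConstraint, base_tenant: str,
                deriving_tenant: str, deriving_policy_id: str) -> bool:
    """Both checks must pass for the derivation to be accepted."""
    return (tenant_permitted(c, base_tenant, deriving_tenant)
            and policy_id_permitted(c, deriving_policy_id))


def merge_enumeration(base: Sequence[str], derived: Sequence[str],
                      behavior: str = "ReplaceAll") -> List[str]:
    """Merge a derived ClaimType's enumeration with the parent's. With no
    merge behaviour specified the parent's list is discarded entirely."""
    if behavior == "ReplaceAll":
        return list(derived)
    if behavior == "Append":
        return list(base) + list(derived)
    if behavior == "Prepend":
        return list(derived) + list(base)
    raise ValueError(f"unknown merge behavior {behavior!r}")
```

The merge default is the caveat worth remembering: a derived policy that declares a restriction on a claim type without naming a merge behaviour replaces the base policy's whole list of acceptable values, so an extension policy can silently widen (or narrow) what a base policy permitted.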