Azure AD B2C Sign-Up w/no user entry
I have set up Azure AD B2C to allow users from a "regular" AAD directory to authenticate using the custom policies described here: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom. In one scenario I want users to sign up (authenticate with their AAD credentials, have the corresponding object created in the AAD B2C directory, and have the objectidentifier passed to my application as a claim) without providing any further information. Starting from the sample, I cannot figure out how to skip the self-asserted step entirely. The two approaches I have tried are
1) removing the SelfAsserted-Social ClaimsExchange, and
2) modifying (actually, copying into TrustFrameworkExtensions, renaming and editing) the SelfAsserted-Social and AAD-UserReadUsingObjectId ClaimsExchanges so that the only OutputClaim entries are ones that do not require a user prompt.
With both approaches, sign-up appears to work from the UI's point of view, but no user object is created in the B2C directory. Using App Insights, with both approaches AAD-UserReadUsingObjectId appears to generate a Microsoft.Cpim.Common.PolicyException.
The full user journey is
<UserJourney Id="SignUpAAD">
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
      <ClaimsProviderSelections>
        <!-- must match the ClaimsExchange Id in step 2 exactly -->
        <ClaimsProviderSelection TargetClaimsExchangeId="KDEWebAppTestExchange" />
      </ClaimsProviderSelections>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="KDEWebAppTestExchange" TechnicalProfileReferenceId="KDEWebAppTestProfile" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="3" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- prepare ground for searching for user -->
    <OrchestrationStep Order="4" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="SelfAsserted-Social-Silent" TechnicalProfileReferenceId="SelfAsserted-Social-Silent" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent
         in the token. -->
    <OrchestrationStep Order="5" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectIdLimited" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- create the user in the directory if one does not already exist
         (verified using objectId which would be set from the last step if account was created in the directory. -->
    <OrchestrationStep Order="6" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="7" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
</UserJourney>
Any ideas?
Thanks,
Martin
You have to replace orchestration step 4 with the following orchestration step:
<OrchestrationStep Order="4" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>objectId</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="AAD-UserWriteUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
  </ClaimsExchanges>
</OrchestrationStep>
This orchestration step creates a user object if one was not retrieved in orchestration step 3 (i.e. the "objectId" claim does not exist).
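As an added example (not part of the original question or answer, and not Microsoft's starter-pack code), here is a small Python check of the journey that results from the answer. The journey text embedded in it is constructed: the question's journey with the answer's guarded write in step 4, and with the self-asserted step and the second write step removed (the guarded step already creates the user; that simplification is mine, not something the answer states). It lints the two things that bite in this kind of journey, a ClaimsProviderSelection whose TargetClaimsExchangeId matches no ClaimsExchange Id, and a directory write that is not skipped when objectId already exists, and it dry-runs the precondition logic for a first sign-up and for a returning user.

```python
# Added example, not code from the original post or from Microsoft's starter pack:
# a standard-library linter and dry-run for a B2C custom-policy UserJourney.
# JOURNEY_XML is constructed: the question's journey with the answer's guarded
# write as step 4, the self-asserted and duplicate write steps dropped (my choice).
import xml.etree.ElementTree as ET

JOURNEY_XML = """
<UserJourney Id="SignUpAAD">
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
      <ClaimsProviderSelections>
        <ClaimsProviderSelection TargetClaimsExchangeId="KDEWebAppTestExchange" />
      </ClaimsProviderSelections>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="KDEWebAppTestExchange" TechnicalProfileReferenceId="KDEWebAppTestProfile" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="3" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="4" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>objectId</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="AAD-UserWriteUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="5" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
</UserJourney>
"""

def parse_journey(xml_text):
    """Return the OrchestrationStep elements of a UserJourney, sorted by Order."""
    root = ET.fromstring(xml_text)
    return sorted(root.findall("./OrchestrationSteps/OrchestrationStep"), key=lambda s: int(s.get("Order")))

def check_references(steps):
    """TargetClaimsExchangeIds that match no ClaimsExchange Id exactly (case included)."""
    defined = {ce.get("Id") for s in steps for ce in s.iter("ClaimsExchange")}
    return [sel.get("TargetClaimsExchangeId") for s in steps for sel in s.iter("ClaimsProviderSelection")
            if sel.get("TargetClaimsExchangeId") not in defined]

def has_objectid_skip_guard(step):
    """True if the step carries the answer's guard: skip when objectId already exists."""
    return any(pre.get("Type") == "ClaimsExist" and pre.get("ExecuteActionsIf") == "true"
               and [v.text for v in pre.findall("Value")] == ["objectId"]
               and pre.findtext("Action") == "SkipThisOrchestrationStep"
               for pre in step.findall("./Preconditions/Precondition"))

def unguarded_writes(steps):
    """Orders of AAD-UserWrite* steps without the guard; they would re-create a returning user."""
    return [int(s.get("Order")) for s in steps
            if any(ce.get("TechnicalProfileReferenceId", "").startswith("AAD-UserWrite") for ce in s.iter("ClaimsExchange"))
            and not has_objectid_skip_guard(s)]

def precondition_fires(pre, claims):
    """Evaluate a ClaimsExist/ClaimEquals precondition against a claims bag (name -> value)."""
    values = [v.text for v in pre.findall("Value")]
    if pre.get("Type") == "ClaimsExist":
        matched = all(v in claims for v in values)
    elif pre.get("Type") == "ClaimEquals":
        matched = claims.get(values[0]) == values[1]
    else:
        raise ValueError("unsupported Precondition Type: %s" % pre.get("Type"))
    return matched == (pre.get("ExecuteActionsIf") == "true")

def dry_run(steps, claims):
    """Orders that execute for a fixed claims bag (pass the bag as it stands after the step-3 read);
    a step is skipped when any of its preconditions fires with SkipThisOrchestrationStep."""
    executed = []
    for step in steps:
        if not any(precondition_fires(p, claims) and p.findtext("Action") == "SkipThisOrchestrationStep"
                   for p in step.findall("./Preconditions/Precondition")):
            executed.append(int(step.get("Order")))
    return executed

def without_preconditions(xml_text):
    """Constructed negative case: the same journey with every Preconditions block removed."""
    root = ET.fromstring(xml_text)
    for step in root.iter("OrchestrationStep"):
        for pre in step.findall("Preconditions"):
            step.remove(pre)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    steps = parse_journey(JOURNEY_XML)
    print(check_references(steps), unguarded_writes(steps))  # [] []
    print(dry_run(steps, {"issuerUserId": "u1"}), dry_run(steps, {"issuerUserId": "u1", "objectId": "x"}))  # [1, 2, 3, 4, 5] [1, 2, 3, 5]
```

For the constructed journey the linter reports no dangling selection and no unguarded write, and the dry run executes steps 1 through 5 for a first sign-up but skips step 4 once objectId is present, which is exactly the behaviour the answer's precondition is meant to give. Strip the Preconditions block (the `without_preconditions` helper does this) and step 4 is reported as an unguarded write; change one letter of the TargetClaimsExchangeId and the reference check reports it. The dry run models only ClaimsExist and ClaimEquals and treats the claims bag as fixed; it does not simulate what each technical profile adds to the bag.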