ValidationTechnicalProfile 未执行 - B2C 自定义策略
ValidationTechnicalProfile is not executed - B2C Custom Policy
我正在尝试使用 ValidationTechnicalProfile 调用 RESTful 技术配置文件。我检查了应用程序洞察,我可以看到 OutputClaimsTransformations 发生,但它跳过 ValidationTechnicalProfile 并继续下一步。我已尝试将 RESTful 技术配置文件添加为编排步骤,并且没有任何问题。
谁能看出我做错了什么?
SignInWithIdProvider.xml
<TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0" TenantId="__TenantId__" PolicyId="B2C_1A_SignInWithIdProvider" PublicPolicyUri="http://__TenantId__/B2C_1A_signin_idprovider">
<BasePolicy>
<TenantId>__TenantId__</TenantId>
<PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
</BasePolicy>
<RelyingParty>
<DefaultUserJourney ReferenceId="SignInWithIdProvider"/>
<UserJourneyBehaviors>
<SingleSignOn Scope="Policy"/>
<SessionExpiryType>Rolling</SessionExpiryType>
<SessionExpiryInSeconds>1800</SessionExpiryInSeconds>
<JourneyFraming Enabled="true" Sources="__JourneyFramingSource__"/>
<ScriptExecution>Allow</ScriptExecution>
</UserJourneyBehaviors>
<TechnicalProfile Id="PolicyProfile">
<DisplayName>PolicyProfile</DisplayName>
<Protocol Name="OpenIdConnect"/>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="sessionId" PartnerClaimType="sid"/>
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
<OutputClaim ClaimTypeReferenceId="securityLevel" PartnerClaimType="acr"/>
<OutputClaim ClaimTypeReferenceId="personalIdentificationNumber" PartnerClaimType="pid"/>
<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email"/>
</OutputClaims>
<SubjectNamingInfo ClaimType="sub"/>
</TechnicalProfile>
</RelyingParty>
来自 TrustFrameworkExtensions.xml
的片段
<ClaimsProvider>
<Domain>Signin</Domain>
<DisplayName>Signin using provider</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="OIDC-SignIn">
<DisplayName>Sign-in</DisplayName>
<Description>Login with provider</Description>
<Protocol Name="OpenIdConnect"/>
<Metadata>
<Item Key="METADATA">__WellKnown__</Item>
<Item Key="client_id">__SignInClientId__</Item>
<Item Key="response_types">code</Item>
<Item Key="scope">id profile</Item>
<Item Key="response_mode">form_post</Item>
<Item Key="HttpBinding">POST</Item>
<Item Key="UsePolicyInRedirectUri">false</Item>
<Item Key="SingleLogoutEnabled">false</Item>
</Metadata>
<CryptographicKeys>
<Key Id="client_secret" StorageReferenceId="__SignInSecret__"/>
</CryptographicKeys>
<InputClaims>
<InputClaim ClaimTypeReferenceId="ui_locales" DefaultValue="{Culture:RFC5646}"/>
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="sessionId" PartnerClaimType="sid"/>
<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub"/>
<OutputClaim ClaimTypeReferenceId="securityLevel" PartnerClaimType="acr"/>
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true"/>
<OutputClaim ClaimTypeReferenceId="personalIdentificationNumber" PartnerClaimType="pid"/>
<OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss"/>
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
<OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
<OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
<OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
</OutputClaimsTransformations>
<ValidationTechnicalProfiles>
<ValidationTechnicalProfile ReferenceId="REST-PostNewSession" ContinueOnError="true"/>
</ValidationTechnicalProfiles>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin"/>
</TechnicalProfile>
</TechnicalProfiles>
<ClaimsProvider>
<DisplayName>REST APIs</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="REST-PostNewSession">
<DisplayName>Post new session</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
<Metadata>
<Item Key="ServiceUrl">https://some.apim.url/post-method</Item>
<Item Key="SendClaimsIn">Body</Item>
<Item Key="AuthenticationType">Basic</Item>
</Metadata>
<CryptographicKeys>
<Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_UserName"/>
<Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_Password"/>
</CryptographicKeys>
<InputClaims>
<InputClaim ClaimTypeReferenceId="sessionId"/>
</InputClaims>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/>
</TechnicalProfile>
</TechnicalProfiles>
<UserJourney Id="SignInWithIdProvider">
<OrchestrationSteps>
<OrchestrationStep Order="1" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimsExist" ExecuteActionsIf="true">
<Value>objectId</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="idSignInExchange" TechnicalProfileReferenceId="OIDC-SignIn"/>
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="2" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimEquals" ExecuteActionsIf="true">
<Value>authenticationSource</Value>
<Value>localAccountAuthentication</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="AlternativeSecurityId" TechnicalProfileReferenceId="AlternativeSecurityId-NoError"/>
</ClaimsExchanges>
</OrchestrationStep>
</UserJourney>
验证技术配置文件仅适用于 selfAsserted 技术配置文件。
Only self-asserted technical profiles can use validation technical profiles. If you need to validate the output claims from non-self-asserted technical profiles, consider using an additional orchestration step in your user journey to accommodate the technical profile in charge of the validation.
https://docs.microsoft.com/en-us/azure/active-directory-b2c/validation-technical-profile
将其添加为编排步骤即可。
我正在尝试使用 ValidationTechnicalProfile 调用 RESTful 技术配置文件。我检查了应用程序洞察,我可以看到 OutputClaimsTransformations 发生,但它跳过 ValidationTechnicalProfile 并继续下一步。我已尝试将 RESTful 技术配置文件添加为编排步骤,并且没有任何问题。
谁能看出我做错了什么?
SignInWithIdProvider.xml
<TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0" TenantId="__TenantId__" PolicyId="B2C_1A_SignInWithIdProvider" PublicPolicyUri="http://__TenantId__/B2C_1A_signin_idprovider">
<BasePolicy>
<TenantId>__TenantId__</TenantId>
<PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
</BasePolicy>
<RelyingParty>
<DefaultUserJourney ReferenceId="SignInWithIdProvider"/>
<UserJourneyBehaviors>
<SingleSignOn Scope="Policy"/>
<SessionExpiryType>Rolling</SessionExpiryType>
<SessionExpiryInSeconds>1800</SessionExpiryInSeconds>
<JourneyFraming Enabled="true" Sources="__JourneyFramingSource__"/>
<ScriptExecution>Allow</ScriptExecution>
</UserJourneyBehaviors>
<TechnicalProfile Id="PolicyProfile">
<DisplayName>PolicyProfile</DisplayName>
<Protocol Name="OpenIdConnect"/>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="sessionId" PartnerClaimType="sid"/>
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
<OutputClaim ClaimTypeReferenceId="securityLevel" PartnerClaimType="acr"/>
<OutputClaim ClaimTypeReferenceId="personalIdentificationNumber" PartnerClaimType="pid"/>
<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email"/>
</OutputClaims>
<SubjectNamingInfo ClaimType="sub"/>
</TechnicalProfile>
</RelyingParty>
来自 TrustFrameworkExtensions.xml
的片段<ClaimsProvider>
<Domain>Signin</Domain>
<DisplayName>Signin using provider</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="OIDC-SignIn">
<DisplayName>Sign-in</DisplayName>
<Description>Login with provider</Description>
<Protocol Name="OpenIdConnect"/>
<Metadata>
<Item Key="METADATA">__WellKnown__</Item>
<Item Key="client_id">__SignInClientId__</Item>
<Item Key="response_types">code</Item>
<Item Key="scope">id profile</Item>
<Item Key="response_mode">form_post</Item>
<Item Key="HttpBinding">POST</Item>
<Item Key="UsePolicyInRedirectUri">false</Item>
<Item Key="SingleLogoutEnabled">false</Item>
</Metadata>
<CryptographicKeys>
<Key Id="client_secret" StorageReferenceId="__SignInSecret__"/>
</CryptographicKeys>
<InputClaims>
<InputClaim ClaimTypeReferenceId="ui_locales" DefaultValue="{Culture:RFC5646}"/>
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="sessionId" PartnerClaimType="sid"/>
<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub"/>
<OutputClaim ClaimTypeReferenceId="securityLevel" PartnerClaimType="acr"/>
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true"/>
<OutputClaim ClaimTypeReferenceId="personalIdentificationNumber" PartnerClaimType="pid"/>
<OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss"/>
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
<OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
<OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
<OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
</OutputClaimsTransformations>
<ValidationTechnicalProfiles>
<ValidationTechnicalProfile ReferenceId="REST-PostNewSession" ContinueOnError="true"/>
</ValidationTechnicalProfiles>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin"/>
</TechnicalProfile>
</TechnicalProfiles>
<ClaimsProvider>
<DisplayName>REST APIs</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="REST-PostNewSession">
<DisplayName>Post new session</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
<Metadata>
<Item Key="ServiceUrl">https://some.apim.url/post-method</Item>
<Item Key="SendClaimsIn">Body</Item>
<Item Key="AuthenticationType">Basic</Item>
</Metadata>
<CryptographicKeys>
<Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_UserName"/>
<Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_Password"/>
</CryptographicKeys>
<InputClaims>
<InputClaim ClaimTypeReferenceId="sessionId"/>
</InputClaims>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/>
</TechnicalProfile>
</TechnicalProfiles>
<UserJourney Id="SignInWithIdProvider">
<OrchestrationSteps>
<OrchestrationStep Order="1" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimsExist" ExecuteActionsIf="true">
<Value>objectId</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="idSignInExchange" TechnicalProfileReferenceId="OIDC-SignIn"/>
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="2" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimEquals" ExecuteActionsIf="true">
<Value>authenticationSource</Value>
<Value>localAccountAuthentication</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="AlternativeSecurityId" TechnicalProfileReferenceId="AlternativeSecurityId-NoError"/>
</ClaimsExchanges>
</OrchestrationStep>
</UserJourney>
验证技术配置文件仅适用于 selfAsserted 技术配置文件。
Only self-asserted technical profiles can use validation technical profiles. If you need to validate the output claims from non-self-asserted technical profiles, consider using an additional orchestration step in your user journey to accommodate the technical profile in charge of the validation.
https://docs.microsoft.com/en-us/azure/active-directory-b2c/validation-technical-profile
将其添加为编排步骤即可。