未执行验证技术案例-B2C自定义策略

发布于 2025-01-28 04:27:13 字数 7314 浏览 3 评论 0原文

我试图通过使用验证技术填充来调用宁静的技术资料。我已经检查了应用程序的洞察力,并且可以看到OutputClaimStransformations正在发生,但是它跳过了验证技术方面的信息,并继续下一步。我尝试将宁静的技术配置文件作为编排步骤添加,这无问题。

谁能看到我做错了什么?

signInwithIdProvider.xml

<TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0" TenantId="__TenantId__" PolicyId="B2C_1A_SignInWithIdProvider" PublicPolicyUri="http://__TenantId__/B2C_1A_signin_idprovider">
<BasePolicy>
    <TenantId>__TenantId__</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
</BasePolicy>
<RelyingParty>
    <DefaultUserJourney ReferenceId="SignInWithIdProvider"/>
    <UserJourneyBehaviors>
        <SingleSignOn Scope="Policy"/>
        <SessionExpiryType>Rolling</SessionExpiryType>
        <SessionExpiryInSeconds>1800</SessionExpiryInSeconds>
        <JourneyFraming Enabled="true" Sources="__JourneyFramingSource__"/>
        <ScriptExecution>Allow</ScriptExecution>
    </UserJourneyBehaviors>
    <TechnicalProfile Id="PolicyProfile">
        <DisplayName>PolicyProfile</DisplayName>
        <Protocol Name="OpenIdConnect"/>
        <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="sessionId" PartnerClaimType="sid"/>
            <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
            <OutputClaim ClaimTypeReferenceId="securityLevel" PartnerClaimType="acr"/>
            <OutputClaim ClaimTypeReferenceId="personalIdentificationNumber" PartnerClaimType="pid"/>
            <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email"/>
        </OutputClaims>
        <SubjectNamingInfo ClaimType="sub"/>
    </TechnicalProfile>
</RelyingParty>

来自TrustFrameWorkextensions.xml的摘要

<ClaimsProvider>
<Domain>Signin</Domain>
<DisplayName>Signin using provider</DisplayName>
<TechnicalProfiles>
    <TechnicalProfile Id="OIDC-SignIn">
        <DisplayName>Sign-in</DisplayName>
        <Description>Login with provider</Description>
        <Protocol Name="OpenIdConnect"/>
        <Metadata>
            <Item Key="METADATA">__WellKnown__</Item>
            <Item Key="client_id">__SignInClientId__</Item>
            <Item Key="response_types">code</Item>
            <Item Key="scope">id profile</Item>
            <Item Key="response_mode">form_post</Item>
            <Item Key="HttpBinding">POST</Item>
            <Item Key="UsePolicyInRedirectUri">false</Item>
            <Item Key="SingleLogoutEnabled">false</Item>
        </Metadata>
        <CryptographicKeys>
            <Key Id="client_secret" StorageReferenceId="__SignInSecret__"/>
        </CryptographicKeys>
        <InputClaims>
            <InputClaim ClaimTypeReferenceId="ui_locales" DefaultValue="{Culture:RFC5646}"/>
        </InputClaims>
        <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="sessionId" PartnerClaimType="sid"/>
            <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub"/>
            <OutputClaim ClaimTypeReferenceId="securityLevel" PartnerClaimType="acr"/>
            <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true"/>
            <OutputClaim ClaimTypeReferenceId="personalIdentificationNumber" PartnerClaimType="pid"/>
            <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss"/>
        </OutputClaims>
        <OutputClaimsTransformations>
            <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
            <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
            <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
            <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
        </OutputClaimsTransformations>
        <ValidationTechnicalProfiles>
            <ValidationTechnicalProfile ReferenceId="REST-PostNewSession" ContinueOnError="true"/>
        </ValidationTechnicalProfiles>
        <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin"/>
    </TechnicalProfile>
</TechnicalProfiles>
<ClaimsProvider>
<DisplayName>REST APIs</DisplayName>
<TechnicalProfiles>
    <TechnicalProfile Id="REST-PostNewSession">
        <DisplayName>Post new session</DisplayName>
        <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
        <Metadata>
            <Item Key="ServiceUrl">https://some.apim.url/post-method</Item>
            <Item Key="SendClaimsIn">Body</Item>
            <Item Key="AuthenticationType">Basic</Item>
        </Metadata>
        <CryptographicKeys>
            <Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_UserName"/>
            <Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_Password"/>
        </CryptographicKeys>
        <InputClaims>
            <InputClaim ClaimTypeReferenceId="sessionId"/>
        </InputClaims>
        <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/>
    </TechnicalProfile>
</TechnicalProfiles>
<UserJourney Id="SignInWithIdProvider">
<OrchestrationSteps>
    <OrchestrationStep Order="1" Type="ClaimsExchange">
        <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
                <Value>objectId</Value>
                <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
        </Preconditions>
        <ClaimsExchanges>
            <ClaimsExchange Id="idSignInExchange" TechnicalProfileReferenceId="OIDC-SignIn"/>
        </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
        <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
                <Value>authenticationSource</Value>
                <Value>localAccountAuthentication</Value>
                <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
        </Preconditions>
        <ClaimsExchanges>
            <ClaimsExchange Id="AlternativeSecurityId" TechnicalProfileReferenceId="AlternativeSecurityId-NoError"/>
        </ClaimsExchanges>
    </OrchestrationStep>
</UserJourney>

I am attempting to call a RESTful technical profile by using ValidationTechnicalProfile. I have checked application insights and I can see the OutputClaimsTransformations happening, but it skips over the ValidationTechnicalProfile and continues on with the next step. I have tried adding the RESTful technical profile as an Orchestration Step, and that works without any issues.

Can anyone see what I am doing wrong?

SignInWithIdProvider.xml

<TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0" TenantId="__TenantId__" PolicyId="B2C_1A_SignInWithIdProvider" PublicPolicyUri="http://__TenantId__/B2C_1A_signin_idprovider">
<BasePolicy>
    <TenantId>__TenantId__</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
</BasePolicy>
<RelyingParty>
    <DefaultUserJourney ReferenceId="SignInWithIdProvider"/>
    <UserJourneyBehaviors>
        <SingleSignOn Scope="Policy"/>
        <SessionExpiryType>Rolling</SessionExpiryType>
        <SessionExpiryInSeconds>1800</SessionExpiryInSeconds>
        <JourneyFraming Enabled="true" Sources="__JourneyFramingSource__"/>
        <ScriptExecution>Allow</ScriptExecution>
    </UserJourneyBehaviors>
    <TechnicalProfile Id="PolicyProfile">
        <DisplayName>PolicyProfile</DisplayName>
        <Protocol Name="OpenIdConnect"/>
        <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="sessionId" PartnerClaimType="sid"/>
            <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
            <OutputClaim ClaimTypeReferenceId="securityLevel" PartnerClaimType="acr"/>
            <OutputClaim ClaimTypeReferenceId="personalIdentificationNumber" PartnerClaimType="pid"/>
            <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email"/>
        </OutputClaims>
        <SubjectNamingInfo ClaimType="sub"/>
    </TechnicalProfile>
</RelyingParty>

Snippet from TrustFrameworkExtensions.xml

<ClaimsProvider>
<Domain>Signin</Domain>
<DisplayName>Signin using provider</DisplayName>
<TechnicalProfiles>
    <TechnicalProfile Id="OIDC-SignIn">
        <DisplayName>Sign-in</DisplayName>
        <Description>Login with provider</Description>
        <Protocol Name="OpenIdConnect"/>
        <Metadata>
            <Item Key="METADATA">__WellKnown__</Item>
            <Item Key="client_id">__SignInClientId__</Item>
            <Item Key="response_types">code</Item>
            <Item Key="scope">id profile</Item>
            <Item Key="response_mode">form_post</Item>
            <Item Key="HttpBinding">POST</Item>
            <Item Key="UsePolicyInRedirectUri">false</Item>
            <Item Key="SingleLogoutEnabled">false</Item>
        </Metadata>
        <CryptographicKeys>
            <Key Id="client_secret" StorageReferenceId="__SignInSecret__"/>
        </CryptographicKeys>
        <InputClaims>
            <InputClaim ClaimTypeReferenceId="ui_locales" DefaultValue="{Culture:RFC5646}"/>
        </InputClaims>
        <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="sessionId" PartnerClaimType="sid"/>
            <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub"/>
            <OutputClaim ClaimTypeReferenceId="securityLevel" PartnerClaimType="acr"/>
            <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true"/>
            <OutputClaim ClaimTypeReferenceId="personalIdentificationNumber" PartnerClaimType="pid"/>
            <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss"/>
        </OutputClaims>
        <OutputClaimsTransformations>
            <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
            <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
            <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
            <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
        </OutputClaimsTransformations>
        <ValidationTechnicalProfiles>
            <ValidationTechnicalProfile ReferenceId="REST-PostNewSession" ContinueOnError="true"/>
        </ValidationTechnicalProfiles>
        <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin"/>
    </TechnicalProfile>
</TechnicalProfiles>
<ClaimsProvider>
<DisplayName>REST APIs</DisplayName>
<TechnicalProfiles>
    <TechnicalProfile Id="REST-PostNewSession">
        <DisplayName>Post new session</DisplayName>
        <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
        <Metadata>
            <Item Key="ServiceUrl">https://some.apim.url/post-method</Item>
            <Item Key="SendClaimsIn">Body</Item>
            <Item Key="AuthenticationType">Basic</Item>
        </Metadata>
        <CryptographicKeys>
            <Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_UserName"/>
            <Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_Password"/>
        </CryptographicKeys>
        <InputClaims>
            <InputClaim ClaimTypeReferenceId="sessionId"/>
        </InputClaims>
        <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/>
    </TechnicalProfile>
</TechnicalProfiles>
<UserJourney Id="SignInWithIdProvider">
<OrchestrationSteps>
    <OrchestrationStep Order="1" Type="ClaimsExchange">
        <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
                <Value>objectId</Value>
                <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
        </Preconditions>
        <ClaimsExchanges>
            <ClaimsExchange Id="idSignInExchange" TechnicalProfileReferenceId="OIDC-SignIn"/>
        </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
        <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
                <Value>authenticationSource</Value>
                <Value>localAccountAuthentication</Value>
                <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
        </Preconditions>
        <ClaimsExchanges>
            <ClaimsExchange Id="AlternativeSecurityId" TechnicalProfileReferenceId="AlternativeSecurityId-NoError"/>
        </ClaimsExchanges>
    </OrchestrationStep>
</UserJourney>

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

或十年 2025-02-04 04:27:14

验证技术概况仅来自自我授权的技术资料。

只有自我授权的技术资料才能使用验证技术配置文件。如果您需要验证非自由授权的技术配置文件的输出索赔,请考虑在用户旅程中使用额外的编排步骤来容纳验证的技术配置文件。

httpps://learn.microsoft.com/ En-us/azure/Active-Directory-B2C/验证技术profile

将其添加为编排步骤。

Validation technical profiles only work from selfAsserted technical profiles.

Only self-asserted technical profiles can use validation technical profiles. If you need to validate the output claims from non-self-asserted technical profiles, consider using an additional orchestration step in your user journey to accommodate the technical profile in charge of the validation.

https://learn.microsoft.com/en-us/azure/active-directory-b2c/validation-technical-profile

Adding it as an orchestration step would work.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文