Email claim not coming through from federated OIDC AD B2C IdP
We are using B2C and have successfully connected an AD federation using OIDC; that all works fine. However, we want to enable an external B2C IdP instance to enable another federation. We configured our host B2C the same as the AD one, getting the email, first name and surname from the federation source.
Here's the technical profile to enable federation in our base.xml file:
<ClaimsProvider>
  <Domain>testdomain</Domain>
  <DisplayName>Login using External Tenant</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="TestDomain">
      <DisplayName>Test domain</DisplayName>
      <Description>Login with your test domain account</Description>
      <Protocol Name="OpenIdConnect"/>
      <Metadata>
        <Item Key="METADATA">Link to the federated tenant well known endpoint</Item>
        <Item Key="client_id">xxx</Item>
        <Item Key="response_types">code</Item>
        <Item Key="scope">openid email profile</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
        <Item Key="ClaimTypeOnWhichToEnable">identityProviders</Item>
        <Item Key="ClaimValueOnWhichToEnable">testdomain</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="testdomain"/>
      </CryptographicKeys>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="login_hint" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub"/>
        <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
        <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
        <OutputClaim ClaimTypeReferenceId="objectIdExternalTenant" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="email" />
        <OutputClaim ClaimTypeReferenceId="federatedGivenName" PartnerClaimType="given_name" DefaultValue="Not Set"/>
        <OutputClaim ClaimTypeReferenceId="federatedSurname" PartnerClaimType="family_name" DefaultValue="Not Set"/>
        <OutputClaim ClaimTypeReferenceId="federatedDisplayName" PartnerClaimType="name" DefaultValue="Not Set"/>
        <OutputClaim ClaimTypeReferenceId="federatedIDPEmailAddress" PartnerClaimType="email" DefaultValue="Not Set"/>
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin"/>
      <EnabledForUserJourneys>OnItemExistenceInStringCollectionClaim</EnabledForUserJourneys>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
Here's the setup for the app registration on the federated IdP side. Note the settings saying you can only enable the openid and offline_access scopes.
When we log in through our home realm discovery page, it takes us to the federated IdP. We log in to that, but we cannot get the email claim back: given_name, family_name, name and sub are all there, but it doesn't populate the email claim. Any ideas why this claim won't come through?
Thanks in advance.
Comments (1)
Instead of "email", try "signInNames.emailAddress".
Search your TrustFrameworkBase.xml file for "signInNames.emailAddress" to confirm that it is there.
Here is a list of user attributes:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-profile-attributes