如何使用B2C自定义策略对手机进行身份验证

Question

我试图创建一个自定义策略来复制默认passwordReset策略的行为。我已设置MFA，默认策略将要求对移动电话号码进行身份验证（如果尚未进行身份验证）。

我的自定义passwordReset策略不要求对移动用户进行验证，而且我不确定如何进行更改。

PasswordReset.xml

<TrustFrameworkPolicy 
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
  xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" 
  PolicySchemaVersion="0.3.0.0" 
  TenantId="onmicrosoft.com" 
  PolicyId="B2C_1A_Branded_MFA_PasswordReset" 
  PublicPolicyUri="http://onmicrosoft.com/B2C_1A_Branded_MFA_PasswordReset" 
  TenantObjectId="">
  <BasePolicy>
    <TenantId>onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_Branded_MFA_SignIn_FrameworkExtensions</PolicyId>
  </BasePolicy>
  <RelyingParty>
    <DefaultUserJourney ReferenceId="PasswordReset" />
    <UserJourneyBehaviors>
      <SingleSignOn Scope="Tenant" KeepAliveInDays="14" />
      <SessionExpiryType>Absolute</SessionExpiryType>
      <SessionExpiryInSeconds>1200</SessionExpiryInSeconds>
      <ContentDefinitionParameters>
        <Parameter Name="branding">{OAUTH-KV:branding}</Parameter>
      </ContentDefinitionParameters>
    </UserJourneyBehaviors>
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>

这里是所有策略XML文件Policy Files

的链接

Answer 1

在 B2C_1A_Branded_MFA_SignIn_TrustFrameworkBase.xml 文件中，您必须在 PasswordResetUsingEmailAddressExchange 和 NewCredentials 编排步骤之间添加更多编排步骤。 > PasswordReset 用户旅程，如下所示：

<OrchestrationSteps>
  <OrchestrationStep Order="1" Type="ClaimsExchange">
    <ClaimsExchanges>
      <ClaimsExchange Id="PasswordResetUsingEmailAddressExchange" TechnicalProfileReferenceId="LocalAccountDiscoveryUsingEmailAddress" />
    </ClaimsExchanges>
  </OrchestrationStep>
  <OrchestrationStep Order="2" Type="ClaimsExchange">
    <ClaimsExchanges>
      <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
    </ClaimsExchanges>
  </OrchestrationStep>
  <OrchestrationStep Order="3" Type="ClaimsExchange">
    <Preconditions>
      <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
        <Value>newPhoneNumberEntered</Value>
        <Action>SkipThisOrchestrationStep</Action>
      </Precondition>
    </Preconditions>
    <ClaimsExchanges>
      <ClaimsExchange Id="AADUserWriteWithObjectId" TechnicalProfileReferenceId="AAD-UserWritePhoneNumberUsingObjectId" />
    </ClaimsExchanges>
  </OrchestrationStep>
  <OrchestrationStep Order="4" Type="ClaimsExchange">
    <ClaimsExchanges>
      <ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId" />
    </ClaimsExchanges>
  </OrchestrationStep>
  <OrchestrationStep Order="5" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
</OrchestrationSteps>

业务流程的第一步必须为最终用户加载身份验证电话号码（如果已注册）。必须将 strongAuthenticationPhoneNumber 声明作为输出声明添加到correlation和LocalAccountDiscoveryUsingEmailAddress技术资料中，如下所示：

<TechnicalProfile Id="LocalAccountDiscoveryUsingEmailAddress">
  <OutputClaims>
    ...
    <OutputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" />
  </OutputClaims>
</TechnicalProfile>

和：

<TechnicalProfile Id="AAD-UserReadUsingEmailAddress">
  <OutputClaims>
    ...
    <OutputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" />
  </OutputClaims>
</TechnicalProfile>

第二个编排步骤会提示最终用户输入新的身份验证电话号码（如果尚未注册），或者验证现有电话号码。 AAD-UserReadUsingEmailAddress技术资料的声明如下：

<ClaimsProvider>
  <DisplayName>PhoneFactor</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="PhoneFactor-InputOrVerify">
      <DisplayName>PhoneFactor</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.PhoneFactorProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="ContentDefinitionReferenceId">api.phonefactor</Item>
        <Item Key="ManualPhoneNumberEntryAllowed">true</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
      </CryptographicKeys>
      <InputClaimsTransformations>
        <InputClaimsTransformation ReferenceId="CreateUserIdForMFA" />
      </InputClaimsTransformations>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="userIdForMFA" PartnerClaimType="UserId" />
        <InputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="Verified.strongAuthenticationPhoneNumber" PartnerClaimType="Verified.OfficePhone" />
        <OutputClaim ClaimTypeReferenceId="newPhoneNumberEntered" PartnerClaimType="newPhoneNumberEntered" />
      </OutputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-MFA" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

有关以下内容的更多信息，请参见PhoneFactor-InputOrVerify文件

• SocialAndLocalAccountsWithMFA内容定义
• api.phonefactor声明转换
• CreateUserIdForMFA技术简介

第三个编排步骤将为最终用户保存身份验证电话号码（如果尚未注册）。 SM-MFA技术资料的声明如下：

<TechnicalProfile Id="AAD-UserWritePhoneNumberUsingObjectId">
  <Metadata>
    <Item Key="Operation">Write</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">false</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
  </InputClaims>
  <PersistedClaims>
    <PersistedClaim ClaimTypeReferenceId="objectId" />
    <PersistedClaim ClaimTypeReferenceId="Verified.strongAuthenticationPhoneNumber" PartnerClaimType="strongAuthenticationPhoneNumber" />
  </PersistedClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>