使用用户名重置B2C / IEF密码

时间:2017-12-12 14:33:33

标签: azure-ad-b2c identity-experience-framework

我正在创建自定义B2C策略,我正在尝试复制使用用户名创建的本地帐户的密码重置过程。

我可以从AD读取用户名,但我不确定如何针对该帐户验证已验证的电子邮件地址。

目前,如果用户名正确,则可以使用任何电子邮件地址进行验证。

技术资料:

https

验证技术资料:

<TechnicalProfile Id="SA-LocalAccountDiscoveryUsingLogonName">
      <DisplayName>Reset password using logon name</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="IpAddressClaimReferenceId">IpAddress</Item>
        <Item Key="ContentDefinitionReferenceId">api.localaccountpasswordreset</Item>
      </Metadata>
      <IncludeInSso>false</IncludeInSso>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="signInName" Required="true" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true" />
        <OutputClaim ClaimTypeReferenceId="objectId" />
        <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
      </OutputClaims>
      <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingLogonName" />
      </ValidationTechnicalProfiles>
    </TechnicalProfile>

用户之旅:

<TechnicalProfile Id="AAD-UserReadUsingLogonName">
      <Metadata>
        <Item Key="Operation">Read</Item>
        <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">true</Item>
      </Metadata>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.userName" Required="true" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" />
        <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
      </OutputClaims>
      <IncludeTechnicalProfile ReferenceId="AAD-Common" />
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
    </TechnicalProfile>

1 个答案:

答案 0 :(得分:2)

如果在注册策略期间将电子邮件地址写入“otherMails”和“strongAuthenticationEmailAddress”属性,则可以使用REST API验证密码重置策略期间电子邮件地址是否与用户名相关联

必须将此REST API声明为声明提供程序:

<ClaimsProvider>
    <DisplayName>REST APIs</DisplayName>
    <TechnicalProfiles>
        <TechnicalProfile Id="RestApi-CheckUser">
            <DisplayName>Check User REST API</DisplayName>
            <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
            <Metadata>
                <Item Key="ServiceUrl">Insert the REST API endpoint URL</Item>
                <Item Key="AuthenticationType">None</Item>
                <Item Key="SendClaimsIn">Body</Item>
            </Metadata>
            <InputClaims>
                <InputClaim ClaimTypeReferenceId="signInName" />
                <InputClaim ClaimTypeReferenceId="email" />
            </InputClaims>
            <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
        </TechnicalProfile>
    </TechnicalProfiles>
</ClaimsProvider>

REST API可以使用Azure AD Graph API通过“signInNames”和“otherMails”属性查询用户对象(您无法使用此Graph API读取“strongAuthenticationEmailAddress”属性),并且如{{ 3}},如果电子邮件地址与用户名相关联,则返回200 OK;如果不是,则返回409 Conflict

然后可以从“SA-LocalAccountDiscoveryUsingLogonName”技术配置文件中调用REST API技术配置文件作为验证技术配置文件:

<TechnicalProfile Id="SA-LocalAccountDiscoveryUsingLogonName">
    <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="RestApi-CheckUser" />
        <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingLogonName" />
    </ValidationTechnicalProfiles>
</TechnicalProfile>

如果“RestApi-CheckUser”技术配置文件返回200 OK,则调用“AAD-UserReadUsingLogonName”技术配置文件,最终用户可以继续密码重置。如果“RestApi-CheckUser”技术配置文件返回409 Conflict,则不会调用“AAD-UserReadUsingLogonName”技术配置文件,最终用户无法继续。

相关问题
最新问题