Azure AD B2C注册,无用户条目

时间:2018-01-16 20:14:49

标签: azure-ad-b2c identity-experience-framework

我已经设置了Azure AD B2C,允许用户使用自定义策略从“常规”AAD目录进行身份验证,如https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom所述。在一个场景中,我希望用户进行注册(使用他们的AAD信誉进行身份验证,在AAD B2C目录中创建相应的对象,并将objectidentifier作为声明传递给我的应用程序),而不提供任何进一步的信息。从示例开始,我无法弄清楚如何完全跳过自我断言步骤。我试过的两种方法是

1)删除 SelfAsserted-Social ClaimsExchange,和 2)修改(实际上,复制到TrustFrameworkExtensions,重命名和编辑) SelfAsserted-Social AAD-UserReadUsingObjectId ClaimsExchanges,以便唯一的OutputClaim条目不是需要用户提示。

在这两种方法中,从UI角度来看,注册似乎有效,但在B2C目录中没有创建用户对象。使用App Insights,在这两种方法中, AAD-UserReadUsingObjectId 似乎都会生成 Microsoft.Cpim.Common.PolicyException

完整的用户旅程

<UserJourney Id="SignUpAAD">
      <OrchestrationSteps>
        <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
          <ClaimsProviderSelections>
            <ClaimsProviderSelection TargetClaimsExchangeId="KDEWEbAppTestExchange"   />
          </ClaimsProviderSelections>
        </OrchestrationStep>

        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="KDEWebAppTestExchange" TechnicalProfileReferenceId="KDEWebAppTestProfile" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <OrchestrationStep Order="3" Type="ClaimsExchange">
           <ClaimsExchanges>
            <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />
          </ClaimsExchanges>
        </OrchestrationStep>

         <!-- prepare ground for searching for user -->
        <OrchestrationStep Order="4" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="SelfAsserted-Social-Silent" TechnicalProfileReferenceId="SelfAsserted-Social-Silent" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent 
          in the token. -->
        <OrchestrationStep Order="5" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectIdLimited" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <!-- create the user in the directory if one does not already exist 
             (verified using objectId which would be set from the last step if account was created in the directory. -->
        <OrchestrationStep Order="6" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <OrchestrationStep Order="7" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />

      </OrchestrationSteps> 
    </UserJourney>

有什么想法吗?

感谢

马丁

1 个答案:

答案 0 :(得分:4)

您必须使用以下业务流程步骤替换业务流程步骤4:

<OrchestrationStep Order="4" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>objectId</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="AAD-UserWriteUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
  </ClaimsExchanges>
</OrchestrationStep>

如果在编排步骤3中未检索到用户对象,则此编排步骤会创建一个用户对象(即&#34; objectId&#34;声明不存在)。

相关问题
最新问题