Azure AD B2C: skip the sign-in page after authenticating with a social login

Time: 2018-07-20 08:35:13

Tags: azure azure-ad-b2c

I have set up Azure AD B2C with a custom policy that supports two identity providers:

  1. Local account (sign-in with email)
  2. Azure AD

This means that on the sign-in page the user can choose to sign in with a local account or click the Azure AD sign-in button.

Suppose I have 2 portals that use this B2C sign-in, Portal A and Portal B. The problem I am running into is that when a user goes to Portal A and chooses Azure AD sign-in, they can sign in normally. But when the user then goes to Portal B, instead of being signed straight into the portal, they are shown the B2C sign-in page and have to click the Azure AD sign-in button again. Am I missing something here? Since the user already chose Azure AD sign-in a few minutes earlier (before the token/session timed out), is it possible to skip the sign-in page?

What I did was configure the custom policy based on the starter pack samples. In case it helps, here is an excerpt of the sign-in user journey:

<UserJourney Id="SignInOrSignUp">
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
      <ClaimsProviderSelections>
        <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
        <ClaimsProviderSelection TargetClaimsExchangeId="AzureAdTenantExchange" />
      </ClaimsProviderSelections>
      <ClaimsExchanges>
        <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>objectId</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
        <ClaimsExchange Id="AzureAdTenantExchange" TechnicalProfileReferenceId="login-AzureAD" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="3" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
          <Value>authenticationSource</Value>
          <Value>localAccountAuthentication</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="4" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>objectId</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <!--<ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social" />-->
        <ClaimsExchange Id="SelfAsserted-Social-NoInput" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="5" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
          <Value>authenticationSource</Value>
          <Value>AzureADAuthentication</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="6" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
  <ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>

- Update 22 July 2018 - Here is the login-AzureAD technical profile, with sensitive information <renamed>

<TechnicalProfile Id="login-AzureAD">
  <DisplayName>Azure AD Login</DisplayName>
  <Description>Login with your <renamed></Description>
  <Protocol Name="OpenIdConnect"/>
  <OutputTokenFormat>JWT</OutputTokenFormat>
  <Metadata>
    <Item Key="METADATA">https://login.windows.net/<renamed>.onmicrosoft.com/.well-known/openid-configuration</Item>
    <Item Key="ProviderName">https://sts.windows.net/<renamed>/</Item>
    <Item Key="client_id">c5ca1fc8-05ad-4be4-b7b1-77de430e1099</Item>
    <Item Key="IdTokenAudience">c5ca1fc8-05ad-4be4-b7b1-77de430e1099</Item>
    <Item Key="response_types">id_token</Item>
    <Item Key="UsePolicyInRedirectUri">false</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="client_secret" StorageReferenceId="B2C_1A_<renamed>"/>
  </CryptographicKeys>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="oid"/>
    <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
    <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
    <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
    <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="AzureADAuthentication" />
    <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="<renamed>" />
    <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email"/>
    <OutputClaim ClaimTypeReferenceId="groups" PartnerClaimType="groups"/>
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
    <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
    <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
  </OutputClaimsTransformations>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/>
</TechnicalProfile>

Thanks to @Chris Padgett's request for an update, I noticed the mistake: the session technical profile was referenced as SM-Noop. After I changed it to SM-SocialLogin (based on someone else's example), it now seems to work. FYI, the technical profile was created following Microsoft's guide here.

@Chris Padgett, is this what you were looking for? If this is right, I would like some explanation of it and will accept it as the answer. It may help others too.

1 answer:

Answer 0 (score: 1)

The UseTechnicalProfileForSessionManagement element of the login-AzureAD technical profile must reference the SM-SocialLogin SSO session provider to suppress the identity provider selection step:

<TechnicalProfile Id="login-AzureAD">
  ...
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin"/>
</TechnicalProfile>

This does not bypass the SSO session that the authenticated user holds with the external identity provider. It only remembers that the user may hold an SSO session with this identity provider.

For information about the SSO session providers, see the "Azure AD B2C: Single sign-on (SSO) session management" article.
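The misconfiguration above (a federated identity-provider technical profile wired to SM-Noop, so B2C forgets which provider the user chose) is easy to reintroduce when copying profiles between policy files. The following is an added example, not code from the question, the answer, or the B2C starter pack: a small Python audit that parses a TrustFrameworkPolicy document and flags every OpenIdConnect/OAuth2/OAuth1/SAML2 technical profile whose session management reference is missing, undefined, or points at the no-op session provider. The policy fragment embedded in the script is constructed for the demo; the namespace URI and the SM-Noop / SM-SocialLogin handler class names follow the starter pack, and the profile Ids other than login-AzureAD are made up.

```python
"""Audit an Azure AD B2C custom policy for federated identity-provider technical
profiles whose SSO session management is SM-Noop (or missing).

Added example; not part of the original question, answer, or the B2C starter pack.
The SAMPLE_POLICY below is constructed for this demo.
"""
import xml.etree.ElementTree as ET

# Namespace used by every Azure AD B2C TrustFrameworkPolicy document.
NS = {"b2c": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}

# Protocols that talk to an external identity provider. The session provider on
# these profiles decides whether a returning user sees the IdP selection step again.
FEDERATED_PROTOCOLS = {"OpenIdConnect", "OAuth2", "OAuth1", "SAML2"}

# Constructed sample: one IdP profile wired to SM-Noop (the bug from the question),
# one wired to SM-SocialLogin (the fix from the answer), one with no session
# reference at all, plus the two session-provider definitions they refer to.
SAMPLE_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Identity providers</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="login-AzureAD">
          <Protocol Name="OpenIdConnect"/>
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/>
        </TechnicalProfile>
        <TechnicalProfile Id="login-AzureAD-fixed">
          <Protocol Name="OpenIdConnect"/>
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin"/>
        </TechnicalProfile>
        <TechnicalProfile Id="login-OAuth2-NoSession">
          <Protocol Name="OAuth2"/>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
    <ClaimsProvider>
      <DisplayName>Session Management</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="SM-Noop">
          <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.NoopSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
        </TechnicalProfile>
        <TechnicalProfile Id="SM-SocialLogin">
          <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.ExternalLoginSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
          <PersistedClaims>
            <PersistedClaim ClaimTypeReferenceId="AlternativeSecurityId"/>
          </PersistedClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
</TrustFrameworkPolicy>"""


def session_handler(root, profile_id):
    """Return the Handler class name of the technical profile with the given Id,
    or None if no such profile is defined in this document."""
    for tp in root.iterfind(".//b2c:TechnicalProfile", NS):
        if tp.get("Id") == profile_id:
            proto = tp.find("b2c:Protocol", NS)
            if proto is None:
                return None
            # Handler is "Class, Assembly, Version=..., ..."; keep only the class.
            return proto.get("Handler", "").split(",")[0].strip()
    return None


def audit_session_management(policy_xml):
    """Return a list of (profile_id, finding) for federated IdP technical profiles
    that will not remember the user's identity-provider choice across sign-ins."""
    root = ET.fromstring(policy_xml)
    findings = []
    for tp in root.iterfind(".//b2c:TechnicalProfile", NS):
        proto = tp.find("b2c:Protocol", NS)
        if proto is None or proto.get("Name") not in FEDERATED_PROTOCOLS:
            continue
        sm = tp.find("b2c:UseTechnicalProfileForSessionManagement", NS)
        if sm is None:
            findings.append((tp.get("Id"), "no session management profile referenced"))
            continue
        ref = sm.get("ReferenceId")
        handler = session_handler(root, ref)
        if handler is None:
            findings.append((tp.get("Id"), f"{ref} is not defined in this policy"))
        elif handler.endswith("NoopSSOSessionProvider"):
            findings.append((tp.get("Id"), f"{ref} uses the no-op session provider; IdP choice will not be remembered"))
    return findings


if __name__ == "__main__":
    for profile_id, finding in audit_session_management(SAMPLE_POLICY):
        print(f"{profile_id}: {finding}")
```

In a real deployment the session providers live in TrustFrameworkBase.xml while the identity-provider profiles are usually added in TrustFrameworkExtensions.xml, so run the audit over the concatenated set of technical profiles from both files (or resolve references across files) rather than over a single document, otherwise every SM-* reference would be reported as undefined.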