Question

在重置密码时，我无法删除电子邮件验证步骤。我尝试将业务流程步骤添加到trustframeworkextensions.xml。上传政策时，我一直收到错误消息。错误为：“错误：用户旅程必须先经过声明提供者选择”。

我在Azure AD B2C Password Reset policy without email verification step看过类似的帖子。我尝试了“删除验证”中提到的解决方案，但仍然遇到相同的错误。有帮助吗？

这是从TrustFrameworkExtensions.xml移至TrustFrameworkBase.xml的UserJourney

<UserJourney Id="PasswordReset">
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="UserReadUsingEmailAddressExchange" TechnicalProfileReferenceId="AAD-UserReadUsingEmailAddress" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
  <ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>

Answer 1

对于密码重置策略中的电子邮件验证，可以在Azure门户中签入，然后尝试在门户中编辑此策略。有关详细信息，您可以阅读build-in policies。

Answer 2

将用户旅程从trustframeworkextensions.xml移动到TrustFrameworkBase.xml将解决此问题。

如果这样不起作用。您尝试执行以下步骤，以下更改将要求用户名和用户的电子邮件，并将针对AD进行验证。

添加以下声明

<ClaimType Id="EmailPlaceHolder"> <DisplayName>Enter your Email</DisplayName> <DataType>string</DataType> <UserHelpText>Enter your Email</UserHelpText> <UserInputType>TextBox</UserInputType> <Restriction> <Pattern RegularExpression="^[a-zA-Z0-9.+!#$%&'^_{}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$" HelpText="Please enter a valid email address." /> </Restriction> </ClaimType>

<ClaimType Id="UserNamePlaceHolder"> <DisplayName>Enter your Username</DisplayName> <DataType>string</DataType> <UserHelpText>Enter your Username</UserHelpText> <UserInputType>TextBox</UserInputType> </ClaimType>

2. 添加以下用户旅程

`<UserJourney Id="PasswordReset">
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="PasswordResetUsingEmailAddressExchange" TechnicalProfileReferenceId="LocalAccountDiscoveryUsingLogonName" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="3" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
  <ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>`

3. 对LocalAccountDiscoveryUsingLogonName技术资料进行更改

`<TechnicalProfile Id="LocalAccountDiscoveryUsingLogonName">
  <DisplayName>Reset password using logon name</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="IpAddressClaimReferenceId">IpAddress</Item>
    <Item Key="ContentDefinitionReferenceId">api.localaccountpasswordreset</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
  </CryptographicKeys>
  <IncludeInSso>false</IncludeInSso>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="UserNamePlaceHolder" Required="true" />
    <OutputClaim ClaimTypeReferenceId="EmailPlaceHolder" Required="true" />
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingLogonName" />
  </ValidationTechnicalProfiles>
</TechnicalProfile>`

4. 添加/修改AAD-UserReadUsingLogonName技术资料

`<TechnicalProfile Id="AAD-UserReadUsingLogonName">
  <Metadata>
    <Item Key="Operation">Read</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">true</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="UserNamePlaceHolder" PartnerClaimType="signInNames.userName" Required="true" />
    <InputClaim ClaimTypeReferenceId="EmailPlaceHolder" PartnerClaimType="email" Required="true" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="newUser" PartnerClaimType="newClaimsPrincipalCreated" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
    <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
  </OutputClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>`

如果要添加其他要验证的属性，则将它们添加到LocalAccountDiscoveryUsingLogonName并将其用于AAD-UserReadUsingLogonName中的验证。

PartnerClaimType="Verified.Email"是要求用户通过发送验证码来验证电子邮件的电子邮件。

在Azure AD B2C中的密码重置策略中删除电子邮件验证步骤

2 个答案: