Azure AD B2C custom policy: setting an extension attribute value

Time: 2018-11-10 08:44:27

Tags: azure-ad-b2c

I have a B2C custom policy sign-in UserJourney that checks whether the user needs to reset their password on first login. We are using an extension attribute to do this because B2C has a bug where the "forceChangePasswordNextLogin" value completely blocks the user from signing in.

Here is the sign-in user journey.

<UserJourney Id="SignUpOrSignInSaml">
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
      <ClaimsProviderSelections>
        <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninUsernameExchange" />
      </ClaimsProviderSelections>
      <ClaimsExchanges>
        <ClaimsExchange Id="LocalAccountSigninUsernameExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Username" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>objectId</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="SignUpWithLogonUsernameExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonName" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- This step reads any user attributes that we may not have received when in the token. -->
    <OrchestrationStep Order="3" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="4" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
          <Value>extension_ChangePasswordRequired</Value>
          <Value>true</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="LocalAccountWritePasswordChangeUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="5" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="UpdatePasswordResetValue" TechnicalProfileReferenceId="LocalAccountUpdatePasswordResetStateValue" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="6" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="Saml2AssertionIssuer" />
  </OrchestrationSteps>
  <ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>

Step 4 in the UserJourney evaluates whether the extension attribute "extension_ChangePasswordRequired" is set to "true" and prompts the user to change their password when it reads "true". That all works fine.

Step 5 is then used to update the extension attribute to something other than "true" so that the user is not prompted again on the next sign-in, but it does not seem to work.

Here is my "LocalAccountUpdatePasswordResetStateValue" technical profile

<TechnicalProfile Id="LocalAccountUpdatePasswordResetStateValue">
  <DisplayName>Update Password Set Value</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="extension_ChangePasswordRequired" Required="true" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="SetPasswordResetStatus" />
  </OutputClaimsTransformations>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>

Here is the output claims transformation it calls

<ClaimsTransformation Id="SetPasswordResetStatus" TransformationMethod="FormatStringClaim">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="extension_ChangePasswordRequired" TransformationClaimType="inputClaim" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="stringFormat" DataType="string" Value="abc123" />
  </InputParameters>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="extension_ChangePasswordRequired" TransformationClaimType="outputClaim" />
  </OutputClaims>
</ClaimsTransformation>

The policy passes validation on upload, but the extension attribute is not set on the user after the password reset.

Does anyone know what I am doing wrong, or whether there is a better way to achieve this?

-----UPDATE-----

I was able to successfully write a value to a different extension attribute via a persisted claim, as shown here

<TechnicalProfile Id="AAD-UserUpdateStateValue">
  <Metadata>
    <Item Key="Operation">Write</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">false</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
  </InputClaims>
  <PersistedClaims>
    <!-- Required claims -->
    <PersistedClaim ClaimTypeReferenceId="objectId" />
    <!-- Optional claims -->
    <PersistedClaim ClaimTypeReferenceId="extension_Flag" DefaultValue="abc1234567"/>
  </PersistedClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>

However, as Chris mentioned in the post, this will not work if I have already read that claim in a previous step.

1 answer:

Answer 0: (score: 2)

The DefaultValue attribute takes effect if and only if the claim value is not set.

To force the default value, set the AlwaysUseDefaultValue attribute to true

<PersistedClaim ClaimTypeReferenceId="extension_ChangePasswordRequired" DefaultValue="true" AlwaysUseDefaultValue="true" />

In your specific case, the extension_ChangePasswordRequired claim should be set to this default value in the AAD-UserWritePasswordUsingObjectId technical profile, which writes the new password:

<TechnicalProfile Id="AAD-UserWritePasswordUsingObjectId">
  <Metadata>
    <Item Key="Operation">Write</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
  </InputClaims>
  <PersistedClaims>
    <PersistedClaim ClaimTypeReferenceId="objectId" />
    <PersistedClaim ClaimTypeReferenceId="newPassword" PartnerClaimType="password" />
    <PersistedClaim ClaimTypeReferenceId="extension_ChangePasswordRequired" DefaultValue="true" AlwaysUseDefaultValue="true" />
  </PersistedClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>

You can then remove orchestration step 5 from the user journey.
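To make the DefaultValue / AlwaysUseDefaultValue rule from the answer and the step 4 precondition from the question concrete, here is an added example (not code from the original thread or from Azure AD B2C itself) that models both rules over a constructed Write technical profile; the default of "false" in the sample, the objectId and the password are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the answer's AAD-UserWritePasswordUsingObjectId
# (assumption: a default of "false" clears the flag after the password is written).
PROFILE_XML = """
<TechnicalProfile Id="AAD-UserWritePasswordUsingObjectId">
  <PersistedClaims>
    <PersistedClaim ClaimTypeReferenceId="objectId" />
    <PersistedClaim ClaimTypeReferenceId="newPassword" PartnerClaimType="password" />
    <PersistedClaim ClaimTypeReferenceId="extension_ChangePasswordRequired"
                    DefaultValue="false" AlwaysUseDefaultValue="true" />
  </PersistedClaims>
</TechnicalProfile>
"""


def persisted_values(profile_xml, claims_bag):
    """Model the rule stated in the answer: DefaultValue only fills a claim that
    has no value in the claims bag, unless AlwaysUseDefaultValue="true", which
    overrides a value read earlier in the journey (e.g. by AAD-UserReadUsingObjectId).
    Returns {partner-or-claim name: value} for every claim that gets written."""
    root = ET.fromstring(profile_xml.strip())
    written = {}
    for pc in root.iter("PersistedClaim"):
        claim = pc.get("ClaimTypeReferenceId")
        target = pc.get("PartnerClaimType", claim)
        default = pc.get("DefaultValue")
        force = pc.get("AlwaysUseDefaultValue", "false").lower() == "true"
        if default is not None and (force or claim not in claims_bag):
            written[target] = default
        elif claim in claims_bag:
            written[target] = claims_bag[claim]
    return written


def must_change_password(claims_bag):
    """Step 4 of the question: ClaimEquals extension_ChangePasswordRequired == "true"
    with ExecuteActionsIf="false" skips the step unless the claim equals "true"."""
    return claims_bag.get("extension_ChangePasswordRequired") == "true"


if __name__ == "__main__":
    # Constructed claims bag after the read step returned the flag as "true".
    bag = {"objectId": "00000000-0000-0000-0000-000000000000",
           "newPassword": "constructed-new-password",
           "extension_ChangePasswordRequired": "true"}
    print("prompt for new password:", must_change_password(bag))
    print("values written to the user:", persisted_values(PROFILE_XML, bag))
```

Dropping AlwaysUseDefaultValue from the sample profile leaves the previously read "true" in place, which is the behaviour the question's update describes.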