We are trying to configure a custom policy in AAD B2C to allow certain users to sign in through their company's SSO provider. The provider is Ping, using SAML 2.0. Everything works, but after a user successfully signs in with Ping, they have to be added to the local B2C directory. We do not want these users in our B2C directory. Is there a way to avoid this?
<ClaimsProvider>
  <Domain>Ping</Domain>
  <DisplayName>Ping Login</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="Ping-SAML">
      <DisplayName>Sign in to Ping</DisplayName>
      <Description>Login with your Ping account</Description>
      <Protocol Name="SAML2"/>
      <Metadata>
        <Item Key="WantsEncryptedAssertions">false</Item>
        <Item Key="WantsSignedAssertions">false</Item>
        <Item Key="PartnerEntity">URL FOR FB2C_1A_TrustFrameworkBase</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_PingSamlCert"/>
        <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_PingCert"/>
        <Key Id="SamlAssertionDecryption" StorageReferenceId="B2C_1A_PingCert" />
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="uid"/>
        <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="fname"/>
        <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="lname"/>
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="Ping.com" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication"/>
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateDisplayName"/>
        <OutputClaimsTransformation ReferenceId="CreateEmail"/>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<UserJourney Id="SignUpOrSignInPing">
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
      <ClaimsProviderSelections>
        <ClaimsProviderSelection TargetClaimsExchangeId="PingExchange" />
      </ClaimsProviderSelections>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="PingExchange" TechnicalProfileReferenceId="Ping-SAML" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
  <ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>
Answer 0: (score: 0)
With a custom policy, you can pass through an external identity without creating a reference user for it in the Azure AD B2C tenant.
Example:
<UserJourney Id="SignIn">
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
      <ClaimsProviderSelections>
        <ClaimsProviderSelection TargetClaimsExchangeId="PingExchange" />
      </ClaimsProviderSelections>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="PingExchange" TechnicalProfileReferenceId="PingProfile" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
</UserJourney>
You may need to generate the Azure AD B2C objectId claim from the claims issued by Ping in the PingProfile technical profile, so that the Azure AD B2C JWT issuer can include this objectId claim in the refresh token for your Azure AD B2C application.
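One way to produce that objectId claim, as an added example that is not part of the question or the answer: a claims transformation that copies the IdP-issued uid (already mapped to socialIdpUserId in the question's Ping-SAML profile) into objectId, referenced from the SAML technical profile. The transformation name is an assumption; CopyClaim is the built-in Azure AD B2C transformation method for this.

```xml
<!-- Added example, not the policy from the question or answer.
     Assumes the question's Ping-SAML technical profile and the
     built-in CopyClaim transformation method. -->
<BuildingBlocks>
  <ClaimsTransformations>
    <!-- Copy the IdP-issued identifier into objectId so the JwtIssuer has a
         value to put in the token without a directory user existing.
         The transformation Id below is an assumed name. -->
    <ClaimsTransformation Id="CreateObjectIdFromSocialIdpUserId" TransformationMethod="CopyClaim">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="socialIdpUserId" TransformationClaimType="inputClaim" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" TransformationClaimType="outputClaim" />
      </OutputClaims>
    </ClaimsTransformation>
  </ClaimsTransformations>
</BuildingBlocks>

<!-- Reference the transformation from the SAML technical profile in the question;
     the existing Protocol, Metadata, CryptographicKeys and OutputClaims elements stay as they are. -->
<TechnicalProfile Id="Ping-SAML">
  <OutputClaimsTransformations>
    <!-- runs after the uid has been read from the assertion into socialIdpUserId -->
    <OutputClaimsTransformation ReferenceId="CreateObjectIdFromSocialIdpUserId" />
    <OutputClaimsTransformation ReferenceId="CreateDisplayName" />
    <OutputClaimsTransformation ReferenceId="CreateEmail" />
    <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
    <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
  </OutputClaimsTransformations>
</TechnicalProfile>
```

Because objectId is now derived straight from the assertion's uid rather than from a directory lookup, the issued token is only as trustworthy as that assertion; the question's profile sets WantsSignedAssertions to false, so requiring signed assertions is worth re-enabling before relying on this claim.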