使用登录名和经过验证的电子邮件的B2C密码重置策略

时间:2019-01-15 22:31:51

标签: azure-ad-b2c

使用signinName(而非电子邮件)的我的自定义密码重置策略失败,并且验证的电子邮件地址失败。从门户中,我可以看到我的用户是使用正确的用户名创建的,并且在“身份验证联系信息”部分中包含电子邮件。运行重置策略时,我可以使用一次性代码来验证电子邮件,但是当我按“继续”时,我会得到“无法验证所提供的信息”。我假设我的TP AAD-UserReadUsingSigninName(在收集用户ID和电子邮件的步骤中用作验证配置文件)失败了。为什么?

    <UserJourney Id="PasswordResetUsingUserId">
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="PasswordResetUsingUserIdAddressExchange" TechnicalProfileReferenceId="LocalAccountDiscoveryUsingUserId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
  <ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>  

<TechnicalProfile Id="LocalAccountDiscoveryUsingUserId">
  <DisplayName>Reset password using user id and address</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="IpAddressClaimReferenceId">IpAddress</Item>
    <Item Key="ContentDefinitionReferenceId">api.localaccountpasswordreset</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
  </CryptographicKeys>
  <IncludeInSso>false</IncludeInSso>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="signinName" Required="true" />
    <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true" />
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingSigninName" />
  </ValidationTechnicalProfiles>
</TechnicalProfile>     

<TechnicalProfile Id="AAD-UserReadUsingSigninName">
  <Metadata>
    <Item Key="Operation">Read</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
    <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">An account could not be found for the provided user ID.</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="signinName" PartnerClaimType="signInNames.userName" Required="true" />
    <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="strongAuthenticationEmailAddress" Required="true" />         
  </InputClaims>
  <OutputClaims>
    <!-- Required claims -->
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
    <!-- Optional claims -->
    <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
    <OutputClaim ClaimTypeReferenceId="displayName" />
    <OutputClaim ClaimTypeReferenceId="otherMails" />
  </OutputClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>

1 个答案:

答案 0 :(得分:1)

之所以会这样,是因为an AzureActiveDirectory technical profile仅接受一项输入声明。

您应该修改 AAD-UserReadUsingSigninName 技术资料,以通过登录名找到 user 对象,然后断言输入的电子邮件地址与保存的电子邮件地址匹配:< / p> 

<ClaimsTransformation Id="AssertEmailAndStrongAuthenticationEmailAddressAreEqual" TransformationMethod="AssertStringClaimsAreEqual">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress" TransformationClaimType="inputClaim1" />
    <InputClaim ClaimTypeReferenceId="email" TransformationClaimType="inputClaim2" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="stringComparison" DataType="string" Value="ordinalIgnoreCase" />
  </InputParameters>
</ClaimsTransformation>

和:

<TechnicalProfile Id="AAD-UserReadUsingSigninName">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="signinName" PartnerClaimType="signInNames.userName" Required="true" />
  </InputClaims>
  <OutputClaims>
    <!-- Required claims -->
    <OutputClaim ClaimTypeReferenceId="objectId" />
    ...
    <!-- Optional claims -->
    ...
    <OutputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress" />         
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="AssertEmailAndStrongAuthenticationEmailAddressAreEqual" />
  </OutputClaimsTransformations>
</TechnicalProfile>

然后,您可以修改 LocalAccountDiscoveryUsingUserId 技术配置文件,以在字符串比较失败时显示错误消息:

<TechnicalProfile Id="LocalAccountDiscoveryUsingUserId">
  <Metadata>
    ...
    <Item Key="UserMessageIfClaimsTransformationStringsAreNotEqual">Custom error message the email addresses you provided are not the same.</Item>
  </Metadata>
</TechnicalProfile>

有关此特定模式的更多信息,请参见the AssertStringClaimsAreEqual section in the String Claims Transformations article

相关问题
最新问题