How to pre-create "business customers" in AD B2C

Time: 2019-02-16 12:09:41

Tags: azure-ad-b2c azure-ad-graph-api

I'm building an onboarding web application to provision users for my LOB application. Most of my customers are "business customers", meaning they will usually be directed via a custom policy to the v1 common endpoint, allowing them to authenticate against their own AAD tenant. The challenge is that new users also need subsequent provisioning in the LOB application (create a database user, assign some permissions, etc.).

As part of the onboarding flow, I'd like to call the Graph API to create the object that will become the federated user account in B2C, then come back with the new user's objectId to handle the subsequent setup for my LOB application. Ideally, when the user arrives for the first time, they would be redirected to authenticate against their own AAD, then be mapped to the pre-created user in B2C, and finally land in the LOB application with an objectId that is already provisioned and ready to go.

Is this a supported scenario, with creative use of custom policies and the Graph API?

Thanks, Mark

1 answer:

Answer 0: (score: 3)

You can use the following options:

  1. Create a local account user with the external email address, and associate the external user identity with this local account user.
  2. Create an external account user with the external user identity.

1. Create a local account user with the external email address

Using the Azure AD Graph API, you can create a local account user, setting the signInNames property of the user object to the email address of the external user:

{
  "accountEnabled": false,
  "creationType": "LocalAccount",
  "displayName": "John Smith",
  "passwordProfile": {
    "password": "a-strong-random-password",
    "forceChangePasswordNextLogin": false
  },
  "signInNames": [
    {
      "type": "emailAddress",
      "value": "john.smith@company.com"
    }
  ]
}

Note: I suggest setting the accountEnabled property of the user object to true, so that the end user can't sign in with the local account password.

Using a custom policy, you can then add new logic to find the local account user using the external email address and add the external user identity to this local account user, e.g.:

...
<!--
      Find the external account user using the external user identity.
-->
<OrchestrationStep Order="16" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
      <Value>authenticationSource</Value>
      <Value>localAccountAuthentication</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />
  </ClaimsExchanges>
</OrchestrationStep>
<!--
      If the external account user hasn't been found, then find the local account user using the external email address.
-->
<OrchestrationStep Order="17" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
      <Value>authenticationSource</Value>
      <Value>localAccountAuthentication</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>objectId</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="AADUserReadUsingEmailAddress" TechnicalProfileReferenceId="AAD-UserReadUsingEmailAddress-NoError" />
  </ClaimsExchanges>
</OrchestrationStep>
<!--
      If an account user hasn't been found, then create an external account user with the external user identity.
-->
<OrchestrationStep Order="18" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
      <Value>authenticationSource</Value>
      <Value>localAccountAuthentication</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>objectId</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="AADUserWriteUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
  </ClaimsExchanges>
</OrchestrationStep>
<!--
      If the local account user has been found using the external email address, then add the external user identity to this local account user.
-->
<OrchestrationStep Order="19" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
      <Value>authenticationSource</Value>
      <Value>localAccountAuthentication</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
    <!-- The following claim is output from the AAD-UserWriteUsingAlternativeSecurityId technical profile. -->
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>newUserCreated</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
    <!-- The following claim is output from the AAD-UserReadUsingEmailAddress-NoError technical profile. -->
    <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
      <Value>existingUserFoundByEmail</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="AADUserWriteUserIdentity" TechnicalProfileReferenceId="AAD-UserWriteUserIdentity" />
  </ClaimsExchanges>
</OrchestrationStep>
...

Note: In the Azure AD OpenID Connect technical profile, you might have to change the claim mapping of the socialIdpUserId claim from the sub claim to the oid claim, so that it matches the userIdentities.issuerUserId property of the user object.

2. Create an external account user with the external user identity

Using the Azure AD Graph API, you can create an external account user, setting the userIdentities property of the user object to the object identifier of the external user:

{
  "accountEnabled": false,
  "displayName": "John Smith",
  "mailNickname": "john.smith",
  "otherMails": [
    "john.smith@company.com"
  ],
  "userIdentities": [
    {
      "issuer": "https://sts.windows.net/{their-tenant-object-id}/",
      "issuerUserId": "{their-user-object-id}"
    }
  ],
  "userPrincipalName": "{guid}@{your-tenant-name}.onmicrosoft.com"
}

where issuerUserId must be set to the base64 encoding of the object identifier of the external user.
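As an added example (not code from the original answer), the following Python builds the two Azure AD Graph API request bodies the answer shows for option 1 (a local account looked up by signInNames) and option 2 (an external account linked through userIdentities), plus the POST that would carry them, without sending anything. Assumptions not stated in the answer: the legacy Graph endpoint `https://graph.windows.net/{tenant}/users?api-version=1.6`, that issuerUserId is the base64 of the UTF-8 text of the external user's object id GUID, that the local account's throwaway password comes from `secrets`, and the helper names (`issuer_user_id`, `local_account_payload`, `external_account_payload`, `build_request`) are mine. The local account follows the answer's JSON with accountEnabled false; for the external account the value is left to the caller, since the answer's JSON shows false. The bearer token is a placeholder.

```python
"""Build Azure AD Graph API request bodies for pre-creating B2C users.

Added example, not code from the original answer. Endpoint URL, base64 convention
for issuerUserId and all helper names are assumptions (see lead-in).
"""
import base64
import json
import secrets
import uuid

# Assumed legacy Azure AD Graph endpoint; {tenant} is the B2C tenant id or domain.
GRAPH_USERS_URL = "https://graph.windows.net/{tenant}/users?api-version=1.6"


def issuer_user_id(external_object_id: str) -> str:
    """userIdentities.issuerUserId: base64 of the external user's object id.

    Assumes the UTF-8 text of the GUID string is what gets encoded.
    """
    return base64.b64encode(external_object_id.encode("utf-8")).decode("ascii")


def local_account_payload(display_name: str, email: str) -> dict:
    """Option 1: local account looked up by the external email (signInNames).

    accountEnabled is false, as in the answer's JSON, so the random password
    written here can never be used to sign in; the user only ever authenticates
    through their own AAD tenant.
    """
    return {
        "accountEnabled": False,
        "creationType": "LocalAccount",
        "displayName": display_name,
        "passwordProfile": {
            # 32 random bytes from the OS CSPRNG; never logged, never reused.
            "password": secrets.token_urlsafe(32),
            "forceChangePasswordNextLogin": False,
        },
        "signInNames": [{"type": "emailAddress", "value": email}],
    }


def external_account_payload(display_name: str, email: str, their_tenant_id: str,
                             their_user_object_id: str, b2c_tenant_name: str,
                             account_enabled: bool) -> dict:
    """Option 2: external account linked to the user's home AAD tenant via userIdentities."""
    # Reject anything that is not a GUID before it reaches the directory.
    for guid in (their_tenant_id, their_user_object_id):
        uuid.UUID(guid)
    return {
        "accountEnabled": account_enabled,
        "displayName": display_name,
        "mailNickname": email.split("@", 1)[0],
        "otherMails": [email],
        "userIdentities": [{
            "issuer": f"https://sts.windows.net/{their_tenant_id}/",
            "issuerUserId": issuer_user_id(their_user_object_id),
        }],
        "userPrincipalName": f"{uuid.uuid4()}@{b2c_tenant_name}.onmicrosoft.com",
    }


def build_request(b2c_tenant: str, payload: dict, bearer_token: str) -> dict:
    """Describe the POST without sending it; the caller's HTTP client does that."""
    return {
        "method": "POST",
        "url": GRAPH_USERS_URL.format(tenant=b2c_tenant),
        "headers": {
            "Authorization": f"Bearer {bearer_token}",
            "Content-Type": "application/json",
        },
        "body": json.dumps(payload),
    }


if __name__ == "__main__":
    # Constructed sample values; the token is a placeholder, nothing is sent.
    ext = external_account_payload(
        "John Smith", "john.smith@company.com",
        "11111111-1111-1111-1111-111111111111",
        "22222222-2222-2222-2222-222222222222",
        "contosob2c", account_enabled=True)
    print(json.dumps(build_request("contosob2c.onmicrosoft.com", ext,
                                   "PLACEHOLDER_TOKEN"), indent=2))
```

The objectId in the Graph API response to this POST is the value the onboarding application records and later provisions the LOB database user against; the custom policy's lookup by email or by alternative security id then resolves the signed-in user to that same objectId.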