I am trying to link an Azure B2C local account with multiple (Facebook, Google) social identity providers.
I have successfully set up the sample here.
But it always writes only one social provider to the local account. If I link Facebook first and then try to link Google, the Facebook userIdentities entry gets overwritten. And vice versa.
I tried replacing the Protocol with AAD-UserWriteProfileUsingObjectId, but the user object is not updated.
I think the problem may be with that protocol, which only overwrites instead of appending.
Only one social provider is included:
"userIdentities": [
    {
        "issuer": "google.com",
        "issuerUserId": "MDExMDk2RTg3NTM0OTk3Mjk5OTI3"
    }
],
Here is the user journey section that updates the social account for the local user:
<!-- Demo: Updates the social account for a user, identified by the object
     identifier for the user, in the Azure AD identity store.
     An error is raised if the user does not exist. -->
<OrchestrationStep Order="6" Type="ClaimsExchange">
    <ClaimsExchanges>
        <ClaimsExchange Id="AAD-UserWriteUsingAlternativeSecurityId-ThrowIfNotExists" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId-ThrowIfNotExists" />
    </ClaimsExchanges>
</OrchestrationStep>
And here is the corresponding technical profile:
<TechnicalProfile Id="AAD-UserWriteUsingAlternativeSecurityId-ThrowIfNotExists">
    <Metadata>
        <Item Key="Operation">Write</Item>
        <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
    </Metadata>
    <IncludeInSso>false</IncludeInSso>
    <InputClaims>
        <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
    </InputClaims>
    <PersistedClaims>
        <PersistedClaim ClaimTypeReferenceId="objectId" />
        <!-- Demo: Persist the alternativeSecurityId claim -->
        <PersistedClaim ClaimTypeReferenceId="alternativeSecurityId" />
    </PersistedClaims>
    <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>
But the user object should contain both Google and Facebook:
"userIdentities": [
    {
        "issuer": "google.com",
        "issuerUserId": "MDExMDk2RTg3NTM0OTk3Mjk5OTI3"
    },
    {
        "issuer": "facebook.com",
        "issuerUserId": "KVExMDk2RTg3NTM0OTk3Mjk5OTI4"
    }
],
Answer 0 (score: 1)
You can use the social accounts claims transformations to add to and remove from the userIdentities property.
First, declare an alternativeSecurityIds claim:
<ClaimType Id="alternativeSecurityIds">
    <DisplayName>Alternative Security IDs</DisplayName>
    <DataType>alternativeSecurityIdCollection</DataType>
</ClaimType>
Next, add the alternativeSecurityIds claim as an output claim to the AAD-UserReadUsingObjectId technical profile, so that the user's existing user identities are read:
<TechnicalProfile Id="AAD-UserReadUsingObjectId">
    <OutputClaims>
        ...
        <OutputClaim ClaimTypeReferenceId="alternativeSecurityIds" />
    </OutputClaims>
</TechnicalProfile>
Next, declare an AddAlternativeSecurityIdToAlternativeSecurityIds claims transformation that adds the new alternative security ID item to the existing collection of alternative security IDs:
<ClaimsTransformation Id="AddAlternativeSecurityIdToAlternativeSecurityIds" TransformationMethod="AddItemToAlternativeSecurityIdCollection">
    <InputClaims>
        <InputClaim ClaimTypeReferenceId="alternativeSecurityId" TransformationClaimType="item" />
        <InputClaim ClaimTypeReferenceId="alternativeSecurityIds" TransformationClaimType="collection" />
    </InputClaims>
    <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="alternativeSecurityIds" TransformationClaimType="collection" />
    </OutputClaims>
</ClaimsTransformation>
Next, add the AddAlternativeSecurityIdToAlternativeSecurityIds claims transformation as an output claims transformation to each social account claims provider, so that the new user identity (created by the CreateAlternativeSecurityId claims transformation) is added to the user's existing user identities (retrieved by the AAD-UserReadUsingObjectId technical profile):
<ClaimsProvider>
    <Domain>facebook.com</Domain>
    <DisplayName>Facebook</DisplayName>
    <TechnicalProfiles>
        <TechnicalProfile Id="Facebook-OAUTH">
            <OutputClaimsTransformations>
                ...
                <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
                <OutputClaimsTransformation ReferenceId="AddAlternativeSecurityIdToAlternativeSecurityIds" />
            </OutputClaimsTransformations>
        </TechnicalProfile>
    </TechnicalProfiles>
</ClaimsProvider>
Finally, add the alternativeSecurityIds claim (instead of the alternativeSecurityId claim) as a persisted claim in the AAD-UserWriteUsingAlternativeSecurityId-ThrowIfNotExists technical profile, so that the user's existing user identities are updated rather than replaced:
<TechnicalProfile Id="AAD-UserWriteUsingAlternativeSecurityId-ThrowIfNotExists">
    <PersistedClaims>
        <PersistedClaim ClaimTypeReferenceId="objectId" />
        <PersistedClaim ClaimTypeReferenceId="alternativeSecurityIds" />
    </PersistedClaims>
</TechnicalProfile>
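The steps of the answer above, assembled into one fragment for TrustFrameworkExtensions.xml together with a user journey that orders them. This is an added example, not code from the original question, answer or the linked sample. The ordering is the part the fragments alone do not show: the write sets the whole userIdentities property, so the existing collection has to be read (step 2) before the social exchange appends to it (step 4) and the merged collection is persisted (step 5); if the read runs after the social exchange, the append has nothing to append to and the old identity is lost again. Assumptions: the technical profiles SelfAsserted-LocalAccountSignin-Email, AAD-UserReadUsingObjectId, AAD-Common, CreateAlternativeSecurityId, Google-OAUTH, Facebook-OAUTH and JwtIssuer exist in your policy under those IDs (as in the B2C starter pack and identity provider docs); the journey ID LinkSocialAccount and the claims exchange IDs are made up for this example.

```xml
<!-- Added example (not the original post's code): merge into TrustFrameworkExtensions.xml -->
<BuildingBlocks>
  <ClaimsSchema>
    <!-- All user identities already linked to the account, read from the directory -->
    <ClaimType Id="alternativeSecurityIds">
      <DisplayName>Alternative Security IDs</DisplayName>
      <DataType>alternativeSecurityIdCollection</DataType>
    </ClaimType>
  </ClaimsSchema>
  <ClaimsTransformations>
    <!-- Append the single identity built by CreateAlternativeSecurityId to the collection -->
    <ClaimsTransformation Id="AddAlternativeSecurityIdToAlternativeSecurityIds" TransformationMethod="AddItemToAlternativeSecurityIdCollection">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="alternativeSecurityId" TransformationClaimType="item" />
        <InputClaim ClaimTypeReferenceId="alternativeSecurityIds" TransformationClaimType="collection" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="alternativeSecurityIds" TransformationClaimType="collection" />
      </OutputClaims>
    </ClaimsTransformation>
  </ClaimsTransformations>
</BuildingBlocks>
<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Azure Active Directory</DisplayName>
    <TechnicalProfiles>
      <!-- Read: load the existing userIdentities into the claims bag (merges with the base profile) -->
      <TechnicalProfile Id="AAD-UserReadUsingObjectId">
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="alternativeSecurityIds" />
        </OutputClaims>
      </TechnicalProfile>
      <!-- Write: persist the whole collection; persisting alternativeSecurityId alone replaces it -->
      <TechnicalProfile Id="AAD-UserWriteUsingAlternativeSecurityId-ThrowIfNotExists">
        <Metadata>
          <Item Key="Operation">Write</Item>
          <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
        </Metadata>
        <IncludeInSso>false</IncludeInSso>
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
        </InputClaims>
        <PersistedClaims>
          <PersistedClaim ClaimTypeReferenceId="objectId" />
          <PersistedClaim ClaimTypeReferenceId="alternativeSecurityIds" />
        </PersistedClaims>
        <IncludeTechnicalProfile ReferenceId="AAD-Common" />
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
  <!-- Each social provider appends its identity; Facebook-OAUTH gets the same two transformations -->
  <ClaimsProvider>
    <Domain>google.com</Domain>
    <DisplayName>Google</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="Google-OAUTH">
        <OutputClaimsTransformations>
          <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
          <OutputClaimsTransformation ReferenceId="AddAlternativeSecurityIdToAlternativeSecurityIds" />
        </OutputClaimsTransformations>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
<UserJourneys>
  <UserJourney Id="LinkSocialAccount">
    <OrchestrationSteps>
      <!-- 1. Local sign-in produces objectId -->
      <OrchestrationStep Order="1" Type="ClaimsExchange">
        <ClaimsExchanges>
          <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <!-- 2. Read the existing collection BEFORE the social exchange -->
      <OrchestrationStep Order="2" Type="ClaimsExchange">
        <ClaimsExchanges>
          <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <!-- 3. Pick the provider to link; 4. its output transformations append the new identity -->
      <OrchestrationStep Order="3" Type="ClaimsProviderSelection">
        <ClaimsProviderSelections>
          <ClaimsProviderSelection TargetClaimsExchangeId="FacebookExchange" />
          <ClaimsProviderSelection TargetClaimsExchangeId="GoogleExchange" />
        </ClaimsProviderSelections>
      </OrchestrationStep>
      <OrchestrationStep Order="4" Type="ClaimsExchange">
        <ClaimsExchanges>
          <ClaimsExchange Id="FacebookExchange" TechnicalProfileReferenceId="Facebook-OAUTH" />
          <ClaimsExchange Id="GoogleExchange" TechnicalProfileReferenceId="Google-OAUTH" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <!-- 5. Persist the merged collection, then 6. issue the token -->
      <OrchestrationStep Order="5" Type="ClaimsExchange">
        <ClaimsExchanges>
          <ClaimsExchange Id="AADUserWriteUsingAlternativeSecurityIds" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId-ThrowIfNotExists" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <OrchestrationStep Order="6" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
    </OrchestrationSteps>
  </UserJourney>
</UserJourneys>
```

To verify, run the journey twice against the same local account (once choosing Google, once Facebook) and read the user with Microsoft Graph afterwards: userIdentities should hold both entries, as in the expected JSON above. Note that this fragment does not check whether the chosen provider is already linked to the account or to another account; add a precondition or an up-front lookup if re-linking should be refused rather than written through.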