我使用B2C自定义策略登录用户。是否可以限制用户,使其只能从指定的IP地址(或范围)登录?
答案 0 :(得分:3)
您还可以创建声明转换,如下所述检查客户端IP是否受信任。
<ClaimType Id="clientIP">
<DisplayName>Client IP Address</DisplayName>
<DataType>string</DataType>
</ClaimType>
以及另一种声明类型,例如 isTrustedIP ,其类型为 boolean ,它表示客户端IP是否为可信IP。
<ClaimType Id="isTrustedIP">
<DisplayName>Is Trusted IP Address</DisplayName>
<DataType>boolean</DataType>
</ClaimType>
true
或false
:<ClaimsTransformation Id="SetIsTrustedIPClaim" TransformationMethod="SetClaimsIfRegexMatch">
<InputClaims>
<InputClaim ClaimTypeReferenceId="clientIP" TransformationClaimType="claimToMatch" />
</InputClaims>
<InputParameters>
<InputParameter Id="matchTo" DataType="string" Value="^216\.3\.128\.12$" />
</InputParameters>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="isTrustedIP" TransformationClaimType="regexCompareResultClaim" />
</OutputClaims>
</ClaimsTransformation>
<ClaimsProvider>
<DisplayName>Claims Transformation</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="ClaimsTransformation-SetIsTrustedIPClaim">
<DisplayName>Set Is Trusted IP Claims Transformation</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="IncludeClaimResolvingInClaimsHandling">true</Item>
</Metadata>
<InputClaims>
<InputClaim ClaimTypeReferenceId="clientIP" DefaultValue="{Context:IPAddress}" AlwaysUseDefaultValue="true" />
</OutputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="isTrustedIP" />
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="SetIsTrustedIPClaim" />
</OutputClaimsTransformations>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
<OrchestrationStep Order="1" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="ClaimsTransformation-SetIsTrustedIPClaim" TechnicalProfileReferenceId="ClaimsTransformation-SetIsTrustedIPClaim" />
</ClaimsExchanges>
</OrchestrationStep>
然后,根据 isTrustedIP 声明是否设置为true
或false
,以下编排步骤可以允许或拒绝访问。
您可以创建充当阻止页面的selfAsserted页面:
<TechnicalProfile Id="SelfAsserted-BlockUser">
<DisplayName>Block page</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
<Metadata>
<Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
<Item Key="setting.showContinueButton">false</Item>
<Item Key="setting.showCancelButton">false</Item>
</Metadata>
<InputClaimsTransformations>
<InputClaimsTransformation ReferenceId="CreateError"/>
</InputClaimsTransformations>
<InputClaims>
<InputClaim ClaimTypeReferenceId="UserMessageDenied"/>
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="UserMessageDenied" Required="true"/>
</OutputClaims>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/>
</TechnicalProfile>
创建要显示的错误消息
<ClaimsTransformation Id="CreateError" TransformationMethod="CreateStringClaim">
<InputParameters>
<InputParameter Id="value" DataType="string" Value="Your IP is blocked." />
</InputParameters>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="UserMessageDenied" TransformationClaimType="createdClaim" />
</OutputClaims>
</ClaimsTransformation>
然后从userJourney调用它以评估isTrustedIP
,然后调用阻止页面:
<OrchestrationStep Order="3" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimEquals" ExecuteActionsIf="true">
<Value>isTrustedIP</Value>
<Value>True</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="BlockUser" TechnicalProfileReferenceId="Selfasserted-Blockuser" />
</ClaimsExchanges>
</OrchestrationStep>
答案 1 :(得分:2)
当前,Azure AD B2C中没有此类功能。您可以提交有关Microsoft Azure Forum的反馈。
您可以尝试自己实施此操作,请参考以下想法。
您可以调用REST API并将IP地址传递给它。可以使用Claims Resolver解析IP地址。如果是一个IP地址,则可以在策略中进行声明转换,以检查用户ip是否匹配。否则,如果需要检查ip范围内的用户ip,则需要在REST API中执行该逻辑。
与此类似的方法:
https://github.com/azure-ad-b2c/samples/tree/master/policies/relying-party-rbac https://docs.microsoft.com/en-us/azure/active-directory-b2c/claim-resolver-overview