How to check whether a user exists in AD before migration

Time: 2021-02-21 04:52:07

Tags: azure-ad-b2c azure-ad-b2c-custom-policy

I am performing a just-in-time migration of users from a legacy IdP to Azure AD B2C using the guide here: https://github.com/azure-ad-b2c/user-migration/tree/master/jit-migration-v2. I have it working on its own, using the service I use to query the legacy IdP and return the expected claims.

However, I want to modify the above so that it first checks whether the user exists in AD before attempting the migration. I tried declaring a ValidationTechnicalProfile, but it does not seem to actually work:

    <TechnicalProfile Id="AAD-UserCheckUsingEmailAddress">
      <Metadata>
        <Item Key="Operation">Read</Item>
        <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
        <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">An account could not be found for the provided user ID.</Item>
      </Metadata>
      <IncludeInSso>false</IncludeInSso>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="username" Required="true" />
      </InputClaims>
      <OutputClaims>
        <!-- Required claims -->
        <OutputClaim ClaimTypeReferenceId="objectId" />
      </OutputClaims>
      <IncludeTechnicalProfile ReferenceId="AAD-Common" />
    </TechnicalProfile>

Below, I use the profile defined above to check whether objectId exists in the claims before migrating:

    <!-- SIGN-IN -->
    <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="needToMigrate" />
      </OutputClaims>
      <ValidationTechnicalProfiles>
        <!-- First check if user exists in AD -->
        <ValidationTechnicalProfile ReferenceId="AAD-UserCheckUsingEmailAddress" />

        <!-- Demo: Add user migration validation technical profile before login-NonInteractive.
             Only execute migration if user does not exist in AD -->
        <ValidationTechnicalProfile ReferenceId="REST-UserMigration-LocalAccount-SignIn" ContinueOnError="false">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>objectId</Value>
              <Action>SkipThisValidationTechnicalProfile</Action>
            </Precondition>
          </Preconditions>
        </ValidationTechnicalProfile>
      </ValidationTechnicalProfiles>
    </TechnicalProfile>

1 answer:

Answer 0: (score: 0)

Change this

    <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="username" Required="true" />

to this

    <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.emailAddress" Required="true" />

And this

    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>

to this

    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">false</Item>

This assumes the user enters their email into a textbox (or it is obtained some other way) with the claim name signInName, and that the user identifier is stored in signInNames.emailAddress.

https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-technical-profile#inputclaims

PartnerClaimType username is not valid. There is no attribute on the user named username.

This sample does something similar: https://github.com/azure-ad-b2c/user-migration/tree/master/seamless-account-migration

https://github.com/azure-ad-b2c/user-migration/blob/master/seamless-account-migration/policy/TrustFrameworkExtensionsSeamlessMigration.xml#L52
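The two changes from the answer, applied to the question's profiles and shown together as one extensions-file fragment. This is an added example, not code from the question, the answer or the Microsoft user-migration samples. It assumes the jit-migration-v2 layout: the claim types signInName, objectId and needToMigrate are declared, AAD-Common and login-NonInteractive are defined in the base policy, and REST-UserMigration-LocalAccount-SignIn is defined elsewhere in the same extensions file; the ClaimsProvider DisplayName values are illustrative.

```xml
<!-- Added example (not from the question, answer or Microsoft samples).
     Assumes: claim types signInName, objectId, needToMigrate exist;
     AAD-Common and login-NonInteractive come from the base policy;
     REST-UserMigration-LocalAccount-SignIn is defined elsewhere in this file. -->
<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Azure Active Directory</DisplayName>
    <TechnicalProfiles>
      <!-- Look the local account up by email. When the account exists, objectId is
           output; when it does not, the Read returns no objectId instead of raising
           an error, because RaiseErrorIfClaimsPrincipalDoesNotExist is false. -->
      <TechnicalProfile Id="AAD-UserCheckUsingEmailAddress">
        <Metadata>
          <Item Key="Operation">Read</Item>
          <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">false</Item>
        </Metadata>
        <IncludeInSso>false</IncludeInSso>
        <InputClaims>
          <!-- signInNames.emailAddress is the directory attribute holding the email
               identifier; "username" is not an attribute, so it never matched. -->
          <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.emailAddress" Required="true" />
        </InputClaims>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="objectId" />
        </OutputClaims>
        <IncludeTechnicalProfile ReferenceId="AAD-Common" />
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>

  <ClaimsProvider>
    <DisplayName>Local Account SignIn</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="needToMigrate" />
        </OutputClaims>
        <!-- Validation technical profiles run in the order listed. -->
        <ValidationTechnicalProfiles>
          <!-- 1. Directory lookup: populates objectId only if the account exists. -->
          <ValidationTechnicalProfile ReferenceId="AAD-UserCheckUsingEmailAddress" />

          <!-- 2. Migration REST call: skipped whenever step 1 produced an objectId,
                  so the legacy IdP is only consulted for accounts not yet in B2C. -->
          <ValidationTechnicalProfile ReferenceId="REST-UserMigration-LocalAccount-SignIn" ContinueOnError="false">
            <Preconditions>
              <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
                <Value>objectId</Value>
                <Action>SkipThisValidationTechnicalProfile</Action>
              </Precondition>
            </Preconditions>
          </ValidationTechnicalProfile>

          <!-- 3. Password check against the existing or newly created local account. -->
          <ValidationTechnicalProfile ReferenceId="login-NonInteractive" />
        </ValidationTechnicalProfiles>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
```

With RaiseErrorIfClaimsPrincipalDoesNotExist set to false, the lookup in step 1 is silent: a missing account no longer surfaces the "account could not be found" message to the user, and the decision to call the migration API is driven only by whether objectId is present in the claims bag. The final login-NonInteractive step is what actually validates the password, whether the account pre-existed or was just created by the migration call.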