Azure AD B2C-“电子邮件"在自定义政策中声明 [英] Azure AD B2C - "emails" claim in custom policy
问题描述
我正在寻找一种将emails
声明(电子邮件集合)添加到Azure AD B2C的自定义策略中的方法.可以直接从Azure门户获得此应用程序声明,但是我找不到在我需要创建的自定义策略中实现此方法的方法.
I'm looking for a way to add an emails
claim (collection of emails) to a custom policy for Azure AD B2C. This application claim is available from the Azure Portal directly but I cannot find a way to implement this in a custom policy which I need to create.
我想要实现的是为我的WebApp用户提供Azure AD B2C身份验证,并为员工提供自定义身份验证提供程序作为Azure身份验证提供者,因此这意味着我将需要两次添加emails
声明-对于本地帐户和Azure AD .
What I want to achieve is to have Azure AD B2C authentication for my WebApp users and Azure AD authentication as custom Authentication Provider for employees so It means I will need to add emails
claim twice - for Local accounts and for Azure AD.
我遵循了本指南以制定自定义策略,因此我在TrustFrameworkExtensions.xml文件中添加了一个新的ClaimsProvider
.
I followed this guide to make custom policy so I've added a new ClaimsProvider
to TrustFrameworkExtensions.xml file.
当我下载注册并添加"时在Azure Portal中创建的登录策略,然后我会看到以下输出声明:
When I download Sign Up & Sign In policy created in Azure Portal then I can see the following Output Claim:
<OutputClaim ClaimTypeReferenceId="emails" />
我试图将这行代码放入我的自定义政策中,但没有返回emails
声明.
I tried to put that line to my custom policy but it does not return emails
claim.
有什么想法吗?
推荐答案
我也找不到答案-看来自定义OutputClaimsTransformation返回了电子邮件"声明,该声明的配置不是样本中可用.
I couldn't find an answer this either - it looks like the "emails" claim is being returned by a custom OutputClaimsTransformation, the configuration of which isn't available in the samples.
我确实在SO上找到了这个答案,但有帮助,但是它涵盖了针对新用户的"otherMails"声明的更新,并且我已有无法以这种方式更新的基本策略的现有用户.
I did find the this answer on SO which helped, but it covers updated the "otherMails" claim for NEW users and I had existing users on the basic policies who I couldn't update in that way.
似乎是通过将"otherMails"(在社交注册的情况下)与"signInNames"数组中的第一个条目连接起来来填充电子邮件的.
It seems that emails is being populated by concatenating "otherMails" (in the case of social signups) with the first entry in the "signInNames" array.
我最终做了以下操作来动态创建电子邮件"声明.
I ended up doing the following to get the "emails" claim dynamically created.
在TrustFrameworkExtensions.xml中创建两个新的ClaimTypes
<ClaimType Id="emails">
<DisplayName>Emails</DisplayName>
<DataType>stringCollection</DataType>
<UserHelpText>User's email addresses</UserHelpText>
</ClaimType>
<ClaimType Id="firstOtherMail">
<DisplayName>First Other mail</DisplayName>
<DataType>string</DataType>
<UserHelpText>Other Mail</UserHelpText>
</ClaimType>
在TrustFrameworkExtensions.xml中创建3个新的ClaimsTransformations
<ClaimsTransformation Id="GetFirstOtherMail" TransformationMethod="GetSingleItemFromStringCollection">
<InputClaims>
<InputClaim ClaimTypeReferenceId="otherMails" TransformationClaimType="collection" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="firstOtherMail" TransformationClaimType="extractedItem" />
</OutputClaims>
</ClaimsTransformation>
<ClaimsTransformation Id="CopyFirstOtherMailToEmail" TransformationMethod="AddItemToStringCollection">
<InputClaims>
<InputClaim ClaimTypeReferenceId="firstOtherMail" TransformationClaimType="item" />
<InputClaim ClaimTypeReferenceId="emails" TransformationClaimType="collection" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="emails" TransformationClaimType="collection" />
</OutputClaims>
</ClaimsTransformation>
<ClaimsTransformation Id="CopySignInNamesEmailToEmails" TransformationMethod="AddItemToStringCollection">
<InputClaims>
<InputClaim ClaimTypeReferenceId="signInNames.emailAddress" TransformationClaimType="item" />
<InputClaim ClaimTypeReferenceId="emails" TransformationClaimType="collection" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="emails" TransformationClaimType="collection" />
</OutputClaims>
</ClaimsTransformation>
在TrustFrameworkExtensions.xml中创建新的TechnicalProfile:
<!-- The following technical profile is used to create the emails collection after user authenticates. -->
<TechnicalProfile Id="AAD-UserCreateEmailsClaim">
<Metadata>
<Item Key="Operation">Read</Item>
<Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
</Metadata>
<IncludeInSso>false</IncludeInSso>
<InputClaims>
<InputClaim ClaimTypeReferenceId="objectId" Required="true" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="emails" />
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="GetFirstOtherMail"/>
<OutputClaimsTransformation ReferenceId="CopySignInNamesEmailToEmails"/>
<OutputClaimsTransformation ReferenceId="CopyFirstOtherMailToEmail"/>
</OutputClaimsTransformations>
<IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>
在SignUpOrSignIn的最后一步(SendClaims)之前,向SignUpOrSignIn UserJourney添加新的OrchestrationStep
<OrchestrationStep Order="8" Type="ClaimsExchange">
<ClaimsExchanges>
<!-- create the emails claim combining signInNames and otherMails -->
<ClaimsExchange Id="AADUserCreateEmailsClaim" TechnicalProfileReferenceId="AAD-UserCreateEmailsClaim" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="9" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
编辑PolicyProfile TechnicalProfile并添加OutputClaim:
<OutputClaim ClaimTypeReferenceId="emails" />
这篇关于Azure AD B2C-“电子邮件"在自定义政策中声明的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!