How to pre-create "business customers" in AD B2C


Question

I'm building an on-boarding webapp to provision users for my LOB app. Most of my customers are "business customers", meaning they will ordinarily be directed to the v1 common endpoint by a custom policy, allowing them to auth against their own AAD tenant. The challenge is new users need follow-on provisioning in the LOB app as well (create db user, assign some permissions, etc).

What I'd like to do as part of on-boarding is call graphAPI to create what will become the federated user account in b2c, then with the new user objectId that comes back handle follow-on setup specific to my LOB app. Ideally when the user arrives for the first time, they would be redirected to auth against their own AAD, then map to the pre-created user in b2c, and finally land in the LOB app with an objectId that is already provisioned and ready.

Is this a supported scenario with some creative use of custom policies and graphAPI?

Thanks, Mark

Answer

You can use one of the following options:

  1. Create a local account user with the external email address, and associate the external user identity with this local account user.
  2. Create an external account user with the external user identity.

1. Create a local account user with the external email address

Using Azure AD Graph API, you can create a local account user, with the signInNames property of the user object being set to the email address of the external user:

{
  "accountEnabled": false,
  "creationType": "LocalAccount",
  "displayName": "John Smith",
  "passwordProfile": {
    "password": "a-strong-random-password",
    "forceChangePasswordNextLogin": false
  },
  "signInNames": [
    {
      "type": "emailAddress",
      "value": "john.smith@company.com"
    }
  ]
}

Note: I recommend the accountEnabled property of the user object is set to true so that the end user can't log in with the local account password.

Using a custom policy, you can then add new logic to find the local account user using the external email address and add the external user identity to this local account user, such as:

...
<!--
      Find the external account user using the external user identity.
-->
<OrchestrationStep Order="16" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
      <Value>authenticationSource</Value>
      <Value>localAccountAuthentication</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />
  </ClaimsExchanges>
</OrchestrationStep>
<!--
      If the external account user hasn't been found, then find the local account user using the external email address.
-->
<OrchestrationStep Order="17" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
      <Value>authenticationSource</Value>
      <Value>localAccountAuthentication</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>objectId</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="AADUserReadUsingEmailAddress" TechnicalProfileReferenceId="AAD-UserReadUsingEmailAddress-NoError" />
  </ClaimsExchanges>
</OrchestrationStep>
<!--
      If an account user hasn't been found, then create an external account user with the external user identity.
-->
<OrchestrationStep Order="18" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
      <Value>authenticationSource</Value>
      <Value>localAccountAuthentication</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>objectId</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="AADUserWriteUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
  </ClaimsExchanges>
</OrchestrationStep>
<!--
      If the local account user has been found using the external email address, then add the external user identity to this local account user.
-->
<OrchestrationStep Order="19" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
      <Value>authenticationSource</Value>
      <Value>localAccountAuthentication</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
    <!-- The following claim is output from the AAD-UserWriteUsingAlternativeSecurityId technical profile. -->
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>newUserCreated</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
    <!-- The following claim is output from the AAD-UserReadUsingEmailAddress-NoError technical profile. -->
    <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
      <Value>existingUserFoundByEmail</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="AADUserWriteUserIdentity" TechnicalProfileReferenceId="AAD-UserWriteUserIdentity" />
  </ClaimsExchanges>
</OrchestrationStep>
...

2. Create an external account user with the external user identity

Using Azure AD Graph API, you can create an external account user, with the userIdentities property of the user object being set to the object identifier of the external user:

{
  "accountEnabled": false,
  "displayName": "John Smith",
  "mailNickname": "john.smith",
  "otherMails": [
    "john.smith@company.com"
  ],
  "userIdentities": [
    {
      "issuer": "https://sts.windows.net/{their-tenant-object-id}/",
      "issuerUserId": "{their-user-object-id}"
    }
  ],
  "userPrincipalName": "{guid}@{your-tenant-name}.onmicrosoft.com"
}

where issuerUserId must be set to the base64 encoding for the object identifier of the external user.

Note: In the Azure AD OpenID Connect technical profile, you might have to change the claim mapping for the socialIdpUserId claim from the sub claim to the oid claim, so that it matches the userIdentities.issuerUserId property of the user object:

<OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="oid" />
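The following Python script is an added example, not code from the answer above or from Microsoft. It builds the two Azure AD Graph request bodies the answer describes (option 1: a disabled local account keyed by the customer's email; option 2: an external account with the federated identity pre-linked), generates the throwaway password from the OS CSPRNG, and base64-encodes the external user's object identifier for `userIdentities.issuerUserId` as the answer states. It also rejects a non-GUID value at that point, because a v1 `sub` claim passed by mistake instead of `oid` would produce an identity that never matches at sign-in (the reason the answer suggests remapping `socialIdpUserId` to `oid`). The tenant name `contosob2c`, the sample object IDs, and all function names are assumptions; the Graph URL follows the Azure AD Graph 1.6 `/users` endpoint, and the HTTP call itself is left to the caller so the script runs offline.

```python
import base64
import secrets
import string
import uuid

# Assumed B2C tenant name for the UPN suffix and Graph URL; not from the answer.
B2C_TENANT_NAME = "contosob2c"
PASSWORD_SYMBOLS = "!@#$%^&*-_"


def strong_random_password(length: int = 32) -> str:
    """Random password from the OS CSPRNG that meets AAD complexity
    (upper, lower, digit, symbol). The account is created with
    accountEnabled false, so nobody is meant to type this; it only
    has to be unguessable and never reused."""
    alphabet = string.ascii_letters + string.digits + PASSWORD_SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in PASSWORD_SYMBOLS for c in pw)):
            return pw


def encode_issuer_user_id(object_id: str) -> str:
    """issuerUserId is the base64 of the external user's object identifier.
    A value that is not GUID-shaped (e.g. the pairwise 'sub' claim) is
    rejected here rather than silently stored as an identity that can
    never match the oid the policy maps at sign-in."""
    uuid.UUID(object_id)  # raises ValueError for anything that is not an oid
    return base64.b64encode(object_id.encode("utf-8")).decode("ascii")


def decode_issuer_user_id(encoded: str) -> str:
    """Inverse of encode_issuer_user_id, useful when auditing existing users."""
    return base64.b64decode(encoded).decode("utf-8")


def local_account_user(display_name: str, email: str) -> dict:
    """Option 1: local account keyed by the customer's email address.
    accountEnabled false blocks password sign-in; the custom policy attaches
    the federated identity (userIdentities) on the customer's first sign-in."""
    return {
        "accountEnabled": False,
        "creationType": "LocalAccount",
        "displayName": display_name,
        "passwordProfile": {
            "password": strong_random_password(),
            "forceChangePasswordNextLogin": False,
        },
        "signInNames": [{"type": "emailAddress", "value": email}],
    }


def external_account_user(display_name: str, email: str,
                          their_tenant_id: str, their_user_oid: str) -> dict:
    """Option 2: external account with the federated identity pre-linked, so
    the policy's read-by-alternativeSecurityId step finds it directly. The
    issuer must match the iss of the customer's v1 token (sts.windows.net)."""
    uuid.UUID(their_tenant_id)  # tenant object id must also be a GUID
    return {
        "accountEnabled": False,  # mirrors the answer's request body
        "displayName": display_name,
        "mailNickname": email.split("@")[0],
        "otherMails": [email],
        "userIdentities": [{
            "issuer": f"https://sts.windows.net/{their_tenant_id}/",
            "issuerUserId": encode_issuer_user_id(their_user_oid),
        }],
        "userPrincipalName": f"{uuid.uuid4()}@{B2C_TENANT_NAME}.onmicrosoft.com",
    }


def graph_create_user_request(body: dict, access_token: str) -> tuple:
    """Build (url, headers, body) for POST /users on Azure AD Graph 1.6.
    Sending it (e.g. requests.post(url, headers=headers, json=body)) is the
    caller's job; the objectId in the response is what the LOB app stores."""
    url = (f"https://graph.windows.net/{B2C_TENANT_NAME}.onmicrosoft.com"
           f"/users?api-version=1.6")
    headers = {"Authorization": f"Bearer {access_token}",
               "Content-Type": "application/json"}
    return url, headers, body


if __name__ == "__main__":
    import json
    # Constructed sample values, not real tenants or users.
    body = external_account_user("John Smith", "john.smith@company.com",
                                 "0f9c3a1b-5d2e-4f70-8a6b-1c2d3e4f5a6b",
                                 "4a8e1d4e-0b2c-4c1b-9f3e-2d7a6c5b1e90")
    url, headers, body = graph_create_user_request(body, "<access-token>")
    print(url)
    print(json.dumps(body, indent=2))
```

Whichever option you choose, the objectId returned by Graph is the key the LOB app should provision against; with option 1 the policy's `AAD-UserWriteUserIdentity` step later adds the federated identity to that same object, so the objectId the user lands with is the one you pre-created.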
