Azure B2C: Checking if another claim exists during local account creation


In addition to the usual creation of an account based on whether the e-mail used doesn't currently exist, I would like to know how I can also check if another claim value doesn't exist in Azure Active Directory.

For example, for our application, anyone who creates an account must provide an organization name. Once they sign up, they are the owner of their organization group.

Before account creation, I want to check if an organization name is not associated with any other account (we're going to do sign-up via invitation if the owner wants to add people to their organization). If it doesn't exist, then create the account. Otherwise, I want to throw an error and prevent the creation of an account.

After looking through the Azure B2C technical profiles documentation, I would think that modifying AAD-UserWriteUsingLogonEmail would be my best guess.

I've tried two approaches so far. The first approach was including the input claim for the organization name. However, this just freezes the test flow:

<TechnicalProfile Id="AAD-UserWriteUsingLogonEmail">
    <Metadata>
      <Item Key="Operation">Write</Item>
      <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">true</Item>
    </Metadata>
    <IncludeInSso>false</IncludeInSso>
    <InputClaims>
      <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" Required="true" /> 
      <InputClaim ClaimTypeReferenceId="extension_organizationName" Required="true" /> 
    </InputClaims>
    <PersistedClaims>
      <!-- Required claims -->
      <PersistedClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" />
      <PersistedClaim ClaimTypeReferenceId="newPassword" PartnerClaimType="password"/>
      <PersistedClaim ClaimTypeReferenceId="displayName" DefaultValue="unknown" />
      <PersistedClaim ClaimTypeReferenceId="passwordPolicies" DefaultValue="DisablePasswordExpiration" />

      <!-- Optional claims. -->
      <PersistedClaim ClaimTypeReferenceId="givenName" />
      <PersistedClaim ClaimTypeReferenceId="surname" />
      <PersistedClaim ClaimTypeReferenceId="extension_organizationName" /> 
    </PersistedClaims>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="objectId" />
      <OutputClaim ClaimTypeReferenceId="newUser" PartnerClaimType="newClaimsPrincipalCreated" />
      <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
      <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
      <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" />
    </OutputClaims>
    <IncludeTechnicalProfile ReferenceId="AAD-Common" />
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>

The second approach was something similar, but instead using an <InputClaimsTransformations> to check if an organization name exists via the DoesClaimExist action. When using this approach, I get the following error:

Unable to validate the information provided.

Since I'm new to creating custom policies, is modifying the AAD-UserWriteUsingLogonEmail profile on the right track or do I need a completely different approach?

EDIT:

After following Barbara's links, I was able to get the validation working. However, I'm still having issues trying to prevent an account that is using an organization that is already associated with another account. It seems that using an <InputClaimsTransformations> doesn't really do anything.

Solution

The error message Unable to validate the information provided. indicates that you did not configure your custom policy correctly to be able to use custom claims. Thus you have to follow the documentation:

  1. Get the application properties of the extensions app
  2. Modify your custom policy to include the application properties in the AAD-Common technical profile

Please follow the steps and try again.
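As an added illustration of step 2 (not code from the question or the answer), this is the shape the override of AAD-Common takes in TrustFrameworkExtensions.xml, together with the claim type definition the question's extension_organizationName claim needs; the two GUID values are placeholders that must be replaced with the object ID and application (client) ID of the tenant's b2c-extensions-app obtained in step 1.

```xml
<!-- TrustFrameworkExtensions.xml (assumed file name) -->
<BuildingBlocks>
  <ClaimsSchema>
    <!-- The custom attribute must be declared as a claim type before any
         technical profile can read or persist it. -->
    <ClaimType Id="extension_organizationName">
      <DisplayName>Organization name</DisplayName>
      <DataType>string</DataType>
      <UserInputType>TextBox</UserInputType>
    </ClaimType>
  </ClaimsSchema>
</BuildingBlocks>

<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Azure Active Directory</DisplayName>
    <TechnicalProfiles>
      <!-- Overrides AAD-Common from the base policy; every AAD-* profile that
           includes it (such as AAD-UserWriteUsingLogonEmail) inherits this
           metadata, which is what lets the directory provider resolve
           extension_* attributes. -->
      <TechnicalProfile Id="AAD-Common">
        <DisplayName>Azure Active Directory</DisplayName>
        <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.AzureActiveDirectoryProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        <Metadata>
          <!-- PLACEHOLDERS: object ID and application (client) ID of the
               b2c-extensions-app from step 1. Do not swap the two. -->
          <Item Key="ApplicationObjectId">insert-extensions-app-object-id</Item>
          <Item Key="ClientId">insert-extensions-app-application-id</Item>
        </Metadata>
        <CryptographicKeys>
          <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
        </CryptographicKeys>
        <IncludeInSso>false</IncludeInSso>
        <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
```

A quick check after uploading: run the policy once with Application Insights enabled and confirm the AAD-UserWriteUsingLogonEmail step no longer reports "Unable to validate the information provided." before moving on to the uniqueness logic.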
