Azure AD B2C-具有HRD,域提示和MFA的自定义策略 [英] Azure AD B2C - Custom policy with HRD, Domain Hints and MFA
问题描述
我正在尝试建立一个B2C自定义策略,该策略利用家庭领域发现和域提示.
I'm trying to build a B2C custom policy that makes use of Home-realm Discovery and Domain Hints.
我们有2个角色.
- 通过MFA在B2C中进行身份验证的本地用户
- 必须重定向到其公司登录页面的外部用户.
用例:
-
用户被重定向到
https://customdomain.b2clogin.com(无域提示).向用户显示一个登录页面,询问您电子邮件地址,并取决于用户类型:
User gets redirected to
https://customdomain.b2clogin.com(no domain hint). User gets presented with a Login page asking for theemailaddress and depending on type of user:
-
B2C的本地用户在我们的B2C页面中进行身份验证(customdomain.b2clogin.com).首先,用户输入电子邮件地址,然后在
Next上,用户输入密码,最后输入密码(通过电话接收)用于MFA.
A local user to B2C authenticates in our B2C page (customdomain.b2clogin.com). First, user enters email address, then on
Nextuser enters password and finally enters code (received on phone) for MFA.
外部用户首先输入其电子邮件,然后B2C必须自动将用户重定向到联合身份提供者进行登录.
An external user first enters their email then B2C must automatically redirect the user to the federated Identity provider to login.
用户被重定向到 https://customdomain.b2clogin.com/?domain_hint=xyz.com (带有域提示)
User gets redirected to https://customdomain.b2clogin.com/?domain_hint=xyz.com (with domain hint)
- 在这种情况下,我们希望用户会自动重定向到
xyz.com身份提供商.用户不应看到我们的customdomain.b2clogin.com登录页面
- In this case we expect the user to be automatically redirected to
xyz.comidentity provider. The user should NOT see our login page forcustomdomain.b2clogin.com
我尝试过的事情:
通过获取 home-realm-discovery-modern 示例(
By taking the home-realm-discovery-modern sample (https://github.com/azure-ad-b2c/samples/tree/master/policies/home-realm-discovery-modern) I get HRD working properly (point 1)
通过获取B2C入门包中的 SocialAndLocalAccountsWithMfa 示例,我可以免费获得 domain_hint 重定向(上面的第2点).
By taking the SocialAndLocalAccountsWithMfa sample in the B2C starter pack I get the domain_hint redirection for free (point 2 above).
但是,我无法将两者结合在一起才能使两者都正常工作(domain_hint和HRD).
However, I'm failing at combining the two together to get both working (domain_hint and HRD).
这是用户旅程:
<UserJourneys>
<UserJourney Id="SignIn">
<OrchestrationSteps>
<OrchestrationStep Order="1" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="ParseDomainHint" TechnicalProfileReferenceId="ParseDomainHint" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="2" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimEquals" ExecuteActionsIf="true">
<Value>isKnownCustomer</Value>
<Value>True</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="SigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-Signin-Email" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="3" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimEquals" ExecuteActionsIf="true">
<Value>isKnownCustomer</Value>
<Value>True</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="ParseDomainHintLogic" TechnicalProfileReferenceId="HRDLogic" />
</ClaimsExchanges>
</OrchestrationStep>
<!-- If the domain_hint did not match any known domain, then redirect to a default local account sign in-->
<OrchestrationStep Order="4" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
<Preconditions>
<Precondition Type="ClaimEquals" ExecuteActionsIf="true">
<Value>isKnownCustomer</Value>
<Value>True</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsProviderSelections>
<ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
</ClaimsProviderSelections>
<ClaimsExchanges>
<ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
</ClaimsExchanges>
</OrchestrationStep>
<!-- dont run this step if the domain was known, or we have an objectid (local account sign in)-->
<OrchestrationStep Order="5" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimsExist" ExecuteActionsIf="true">
<Value>objectId</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
<Precondition Type="ClaimEquals" ExecuteActionsIf="true">
<Value>isKnownCustomer</Value>
<Value>true</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
</ClaimsExchanges>
</OrchestrationStep>
<!-- If the domain matched any known domain, then this step will have a single IdP
enabled due to each known IdP TP having an enablement flag via identityProviders claim -->
<OrchestrationStep Order="6" Type="ClaimsProviderSelection" ContentDefinitionReferenceId="api.idpselections">
<Preconditions>
<Precondition Type="ClaimEquals" ExecuteActionsIf="false">
<Value>isKnownCustomer</Value>
<Value>True</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsProviderSelections>
<ClaimsProviderSelection TargetClaimsExchangeId="AADOIDC" />
<ClaimsProviderSelection TargetClaimsExchangeId="MSAOIDC" />
</ClaimsProviderSelections>
</OrchestrationStep>
<OrchestrationStep Order="7" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimsExist" ExecuteActionsIf="true">
<Value>objectId</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
<Precondition Type="ClaimEquals" ExecuteActionsIf="false">
<Value>isKnownCustomer</Value>
<Value>true</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="AADOIDC" TechnicalProfileReferenceId="AAD-OIDC" />
<ClaimsExchange Id="MSAOIDC" TechnicalProfileReferenceId="MSA-OIDC" />
</ClaimsExchanges>
</OrchestrationStep>
<!-- For social IDP authentication, attempt to find the user account in the directory. -->
<OrchestrationStep Order="8" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimEquals" ExecuteActionsIf="false">
<Value>isKnownCustomer</Value>
<Value>True</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />
</ClaimsExchanges>
</OrchestrationStep>
<!-- Still dont have objectId (social idp user that doesnt yet exist) - write the account -->
<OrchestrationStep Order="9" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimsExist" ExecuteActionsIf="true">
<Value>objectId</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="10" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimEquals" ExecuteActionsIf="true">
<Value>isKnownCustomer</Value>
<Value>True</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="11" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
</OrchestrationSteps>
<ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>
</UserJourneys>
我想念的是什么?
推荐答案
我们设法使Home Realm Discovery(HRD)和域提示在自定义策略中一起工作.它基于 HomeRealmDiscoveryModern 示例.
We managed to get Home Realm Discovery (HRD) and Domain Hints to work together in a custom policy. It's based on the HomeRealmDiscoveryModern sample.
这是溶液/样品: https://github.com/AlbozDroid/b2c-hrd-domainhint-sample/blob/main/Alboz_susi_public.xml
MFA部分不存在,但应该按照Microsoft提供的 LocalAndSocialWithMFA 示例进行轻松添加.
The MFA part is not there but should be easy to add by following the LocalAndSocialWithMFA sample provided by Microsoft.
这篇关于Azure AD B2C-具有HRD,域提示和MFA的自定义策略的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
