Multi-tenant Azure AD in Azure AD B2C
Question
I'm following the answer here and the walkthrough here, but I wasn't able to log in. The error message is something along the lines of:
AADB2C: An exception has occured. Correlation ID: <GUID>. Timestamp: <Time>
Furthermore, when viewing the walkthrough in the latest master, the whole page has been removed and now only contains the link to https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom, which does not show how to configure a ClaimsProvider for a multi-tenant Azure AD IdP.
The error message was not very helpful, and I'm getting lost.
My technical profile is as follows:
<ClaimsProvider>
  <Domain>AzureAD</Domain>
  <DisplayName>Login using Azure AD</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="AzureADProfile">
      <DisplayName>Azure AD</DisplayName>
      <Description>Login with your Azure AD account</Description>
      <Protocol Name="OpenIdConnect"/>
      <OutputTokenFormat>JWT</OutputTokenFormat>
      <Metadata>
        <Item Key="DiscoverMetadataByTokenIssuer">true</Item>
        <Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item>
        <Item Key="authorization_endpoint">https://login.windows.net/common/oauth2/v2.0/authorize</Item>
        <Item Key="client_id">MyAzureADB2CAppId</Item>
        <Item Key="IdTokenAudience">MyAzureADB2CAppId</Item>
        <Item Key="response_types">id_token</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
        <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
        <Item Key="scope">openid</Item>
        <Item Key="HttpBinding">POST</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_B2CSecret"/>
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="oid"/>
        <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="unique_name" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
        <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="azureADAuthentication" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="AzureAD" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
Edit: After introducing the User Journey Recorder as per spottedhahn's suggestion, I've managed to get the real error:
The response received from the ClaimsProvider using TechnicalProfile
"<My_Azure_AD_Common_Profile>" in policy "<My_RP_Policy>" of tenant
"<My_B2C_Tenant>" did not contain an "id_token".
The question is: is linking a multi-tenant Azure AD to Azure AD B2C still supported, and how do I configure it so that it works?
Answer
When federating Azure AD B2C with Azure AD's common endpoint, you can integrate with either:
- The v1.0 endpoint: https://login.microsoftonline.com/common/oauth2/authorize
- The v2.0 endpoint: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
v1.0 endpoint
To integrate Azure AD B2C with the v1.0 endpoint, you must register Azure AD B2C through the Azure portal with your Azure AD tenant:
1. Sign in to the Azure portal.
2. In the top bar, select your Azure AD directory.
3. In the left bar, select All services and find "App registrations".
4. Select New application registration.
5. In Name, enter an application name, such as "Azure AD B2C".
6. In Application type, select Web app / API.
7. In Sign-on URL, enter https://login.microsoftonline.com/te/<tenant>/oauth2/authresp, where you replace <tenant> with the name of your Azure AD B2C tenant (such as "contosob2c.onmicrosoft.com").
8. Select Create.
9. Copy the Application ID for later.
10. Select Settings and then select Keys.
11. In the Passwords section, enter a password description, select a password duration, select Save, and then copy the password value for later.
You must then create a policy key (e.g. "AzureADClientSecret") through the Azure AD B2C portal with the application secret from step 11.
You must then update the Azure AD technical profile with the following settings:
<TechnicalProfile Id="AzureADAccountProfile">
  <DisplayName>Log in with your work account</DisplayName>
  <Protocol Name="OpenIdConnect"/>
  <OutputTokenFormat>JWT</OutputTokenFormat>
  <Metadata>
    <Item Key="authorization_endpoint">https://login.microsoftonline.com/common/oauth2/authorize</Item>
    <Item Key="client_id"><!-- Enter the application ID from step 9 --></Item>
    <Item Key="DiscoverMetadataByTokenIssuer">true</Item>
    <Item Key="HttpBinding">POST</Item>
    <Item Key="IdTokenAudience"><!-- Enter the application ID from step 9 --></Item>
    <Item Key="response_types">id_token</Item>
    <Item Key="scope">openid</Item>
    <Item Key="UsePolicyInRedirectUri">false</Item>
    <!-- v1.0 tokens are issued as https://sts.windows.net/<tenant-id>/ -->
    <Item Key="ValidTokenIssuerPrefixes">https://sts.windows.net/</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="client_secret" StorageReferenceId="B2C_1A_AzureADClientSecret"/>
  </CryptographicKeys>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="enterpriseAuthentication" />
    <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
    <!-- take the issuing tenant's ID from the token's tid claim -->
    <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="tid" />
    <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="oid" />
    ...
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
    <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
    <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
  </OutputClaimsTransformations>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
v2.0 endpoint
To integrate Azure AD B2C with the v2.0 endpoint, you must register Azure AD B2C through the Application Registration portal with your Azure AD tenant:
1. Sign in to the Application Registration portal.
2. Select Add an app.
3. In Application Name, enter an application name, such as "Azure AD B2C", and then select Create.
4. Copy the Application Id for later.
5. In the Application Secrets section, select Generate new password and then copy the password value for later.
6. In the Platforms section, select Add Platform, select Web, and then enter a Redirect URL of https://login.microsoftonline.com/te/<tenant>/oauth2/authresp, where you replace <tenant> with the name of your Azure AD B2C tenant (such as "contosob2c.onmicrosoft.com").
7. In the bottom bar, select Save.
You must then create a policy key (e.g. "AzureADClientSecret") through the Azure AD B2C portal with the application secret from step 5.
You must then update the Azure AD technical profile with the following settings:
<TechnicalProfile Id="AzureADAccountProfile">
  <DisplayName>Log in with your work account</DisplayName>
  <Protocol Name="OpenIdConnect"/>
  <OutputTokenFormat>JWT</OutputTokenFormat>
  <Metadata>
    <Item Key="authorization_endpoint">https://login.microsoftonline.com/common/oauth2/v2.0/authorize</Item>
    <Item Key="client_id"><!-- Enter the application ID from step 4 --></Item>
    <Item Key="DiscoverMetadataByTokenIssuer">true</Item>
    <Item Key="HttpBinding">POST</Item>
    <Item Key="IdTokenAudience"><!-- Enter the application ID from step 4 --></Item>
    <Item Key="response_types">id_token</Item>
    <Item Key="scope">openid profile</Item>
    <Item Key="UsePolicyInRedirectUri">false</Item>
    <!-- v2.0 tokens are issued as https://login.microsoftonline.com/<tenant-id>/v2.0 -->
    <Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="client_secret" StorageReferenceId="B2C_1A_AzureADClientSecret"/>
  </CryptographicKeys>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="enterpriseAuthentication" />
    <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
    <!-- take the issuing tenant's ID from the token's tid claim -->
    <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="tid" />
    <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="oid" />
    ...
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
    <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
    <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
  </OutputClaimsTransformations>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
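The Python script below is an added example and is not part of the question or the answer above. It models, offline, what the metadata items in these technical profiles control once Azure AD posts back to https://login.microsoftonline.com/te/<tenant>/oauth2/authresp: parsing the form body (which, in the failure from the question, carries an OAuth error instead of an id_token), then checking aud against IdTokenAudience, iss against ValidTokenIssuerPrefixes (https://sts.windows.net/ for v1.0 tokens, https://login.microsoftonline.com/ for v2.0 tokens), and optionally pinning tid to an allow-list of tenants. The client ID, tenant IDs, signing key and response bodies are all constructed; HS256 with a local key stands in for Azure AD's RS256 signature, whose public keys B2C fetches from the issuer's metadata via DiscoverMetadataByTokenIssuer.

```python
"""Offline model of the checks Azure AD B2C applies to the id_token that the Azure AD
common endpoint returns, keyed to the metadata items in the technical profiles above:
  response_types=id_token, HttpBinding=POST -> form body posted to .../oauth2/authresp
  IdTokenAudience                           -> aud must equal the client_id
  ValidTokenIssuerPrefixes                  -> iss must start with an allowed prefix
All data is constructed; HS256 with a local key stands in for Azure AD's RS256 signature."""
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs

CLIENT_ID = "00000000-0000-0000-0000-00000000b2c0"  # assumed: the B2C app registration's ID
DEMO_KEY = b"constructed-demo-key"                  # assumed: stands in for the IdP's key
V1_ISSUER_PREFIX = "https://sts.windows.net/"            # v1.0 tokens: .../<tid>/
V2_ISSUER_PREFIX = "https://login.microsoftonline.com/"  # v2.0 tokens: .../<tid>/v2.0


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Constructed HS256 JWT carrying the claims Azure AD would place in an id_token."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


class IdpError(Exception):
    """The IdP answered with an OAuth error response instead of an id_token."""


def extract_id_token(form_body: str) -> str:
    """Parse the authresp POST body. An error response carries error/error_description
    and no id_token, which is the 'did not contain an id_token' failure in the question."""
    fields = parse_qs(form_body)
    if "id_token" in fields:
        return fields["id_token"][0]
    err = fields.get("error", ["unknown_error"])[0]
    desc = fields.get("error_description", [""])[0]
    raise IdpError(f"response did not contain an id_token: {err} {desc}".rstrip())


def validate_id_token(token, audience, valid_issuer_prefixes, allowed_tenants=None,
                      key=DEMO_KEY, now=0):
    """Return the claims if signature, exp, aud, iss prefix and (optionally) tid all pass."""
    header_b64, body_b64, sig_b64 = token.split(".")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("aud") != audience:  # IdTokenAudience
        raise ValueError(f"aud {claims.get('aud')!r} is not {audience!r}")
    iss = claims.get("iss", "")
    if not any(iss.startswith(p) for p in valid_issuer_prefixes):  # ValidTokenIssuerPrefixes
        raise ValueError(f"issuer {iss!r} not under an allowed prefix")
    # A bare https://login.microsoftonline.com/ prefix admits every Azure AD tenant (that is
    # what "multi-tenant" means here); pin tid when only specific tenants may sign in.
    if allowed_tenants is not None and claims.get("tid") not in allowed_tenants:
        raise ValueError(f"tenant {claims.get('tid')!r} not allowed")
    return claims


def run_demo() -> dict:
    """Run the checks over constructed responses; returns each outcome by name."""
    now = 1_700_000_000
    home = "11111111-1111-1111-1111-111111111111"  # constructed tenant IDs
    other = "22222222-2222-2222-2222-222222222222"

    def token(tid, iss=None, aud=CLIENT_ID):
        return make_id_token({"iss": iss or f"{V2_ISSUER_PREFIX}{tid}/v2.0", "aud": aud,
                              "exp": now + 600, "tid": tid, "name": "Test User",
                              "oid": "33333333-3333-3333-3333-333333333333"})

    def outcome(fn):
        try:
            return fn()
        except (ValueError, IdpError) as exc:
            return str(exc)

    v2 = [V2_ISSUER_PREFIX]
    ok_body = "id_token=" + token(home) + "&state=abc"
    err_body = "error=access_denied&error_description=constructed+error+response"
    return {
        "home_tenant": outcome(lambda: validate_id_token(
            extract_id_token(ok_body), CLIENT_ID, v2, now=now)["tid"]),
        "other_tenant_bare_prefix": outcome(lambda: validate_id_token(
            token(other), CLIENT_ID, v2, now=now)["tid"]),
        "other_tenant_pinned": outcome(lambda: validate_id_token(
            token(other), CLIENT_ID, v2, allowed_tenants={home}, now=now)["tid"]),
        "v1_issuer_under_v2_prefix": outcome(lambda: validate_id_token(
            token(home, iss=f"{V1_ISSUER_PREFIX}{home}/"), CLIENT_ID, v2, now=now)["tid"]),
        "wrong_audience": outcome(lambda: validate_id_token(
            token(home, aud="some-other-app"), CLIENT_ID, v2, now=now)["tid"]),
        "idp_error_body": outcome(lambda: extract_id_token(err_body)),
    }
```

Running run_demo() shows the two outcomes worth keeping in mind when using the common endpoint: other_tenant_bare_prefix succeeds, because a bare issuer prefix accepts a token from any Azure AD tenant, and v1_issuer_under_v2_prefix fails, because a v1.0 token (issuer https://sts.windows.net/...) does not match the v2.0 prefix, which is why the two profiles in the answer use different ValidTokenIssuerPrefixes values. If only certain tenants should be able to sign in, either pin tid in the policy or list the per-tenant issuer URLs in ValidTokenIssuerPrefixes instead of the bare host.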