Prevent/deny login to user based on extension attribute


Problem description

I have a custom attribute which I'd like to use while authenticating. For example, I have another status extension attribute which can have possible values like expired/blocked/inactive/active. While creating the user I will ensure there is a value populated for this.

At the time of login I'd like to consider this extension attribute as well. It may be possible that the user is entering the right password, but just because his extension attribute status has a value of expired/blocked/inactive, I'd like to deny login and give a custom localized error message.

Note: I'm using custom policies.

Recommended answer

You can build claims transformations to determine whether the user account is activated and, if not, display an error message.

Firstly, you must declare a claim type that represents whether the user account is activated:

<ClaimType Id="accountActivated">
  <DisplayName>Account Activated</DisplayName>
  <DataType>boolean</DataType>
</ClaimType>

Next, you must declare a CompareClaimToValue claims transformation to determine whether the custom attribute is set to "Active":

<ClaimsTransformation Id="CheckAccountActivated" TransformationMethod="CompareClaimToValue">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="extension_AccountStatus" TransformationClaimType="inputClaim1" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="compareTo" DataType="string" Value="Active" />
    <InputParameter Id="operator" DataType="string" Value="equal" />
    <InputParameter Id="ignoreCase" DataType="string" Value="true" />
  </InputParameters>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="accountActivated" TransformationClaimType="outputClaim" />
  </OutputClaims>
</ClaimsTransformation>

Next, you must declare an AssertBooleanClaimIsEqualToValue claims transformation to ensure that the user account is activated:

<ClaimsTransformation Id="EnsureAccountActivated" TransformationMethod="AssertBooleanClaimIsEqualToValue">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="accountActivated" TransformationClaimType="inputClaim" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="valueToCompareTo" DataType="boolean" Value="true" />
  </InputParameters>
</ClaimsTransformation>

Next, you must invoke the EnsureAccountActivated claims transformation from a copy of the AAD-UserReadUsingObjectId technical profile to test that the user account is activated:

<TechnicalProfile Id="AAD-UserReadUsingObjectId-EnsureAccountActivated">
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="CheckAccountActivated" />
    <OutputClaimsTransformation ReferenceId="EnsureAccountActivated" />
  </OutputClaimsTransformations>
  <IncludeTechnicalProfile ReferenceId="AAD-UserReadUsingObjectId" />
</TechnicalProfile>

Lastly, you must invoke the AAD-UserReadUsingObjectId-EnsureAccountActivated technical profile from a copy of the SelfAsserted-LocalAccountSignin-Email technical profile to show the error message:

<TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email-EnsureAccountActivated">
  ...
  <Metadata>
    ...
    <Item Key="UserMessageIfClaimsTransformationBooleanValueIsNotEqual">Whoops, your e-mail address hasn't been verified, contact Support.</Item>
  </Metadata>
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="login-NonInteractive" />
    <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingObjectId-EnsureAccountActivated" />
  </ValidationTechnicalProfiles>
  ...
</TechnicalProfile>

Update: April 3, 2019

This worked absolutely fine; however, I need some help regarding localizing the custom error message.

You can use localization.

The first step is

The second step is to define the localized strings for each supported language for the page definition that is associated with the SelfAsserted-LocalAccountSignin-Email-EnsureAccountActivated technical profile:

<BuildingBlocks>
  ...
  <Localization>
    <SupportedLanguages />
    <LocalizedResources Id="api.signuporsignin.en">
      <LocalizedStrings>
         <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfClaimsTransformationBooleanValueIsNotEqual">Whoops, your e-mail address hasn't been verified, contact Support.</LocalizedString>
      </LocalizedStrings>
    </LocalizedResources>
    <LocalizedResources Id="api.signuporsignin.es">
      <LocalizedStrings>
         <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfClaimsTransformationBooleanValueIsNotEqual">Vaya, su dirección de correo electrónico no ha sido verificada, contacte a Soporte.</LocalizedString>
      </LocalizedStrings>
    </LocalizedResources>
  </Localization>
</BuildingBlocks>

(I don't speak Spanish, so apologies if this is the incorrect translation.)

The last step is to declare a reference to the localized resources from the page definition:

<BuildingBlocks>
  ...
  <ContentDefinitions>
    <ContentDefinition Id="api.signuporsignin">
      ...
      <LocalizedResourcesReferences MergeBehavior="Prepend">
         <LocalizedResourcesReference Language="en" LocalizedResourcesReferenceId="api.signuporsignin.en" />
         <LocalizedResourcesReference Language="es" LocalizedResourcesReferenceId="api.signuporsignin.es" />
      </LocalizedResourcesReferences>
    </ContentDefinition>
  </ContentDefinitions>
  <Localization />
</BuildingBlocks>
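An added example, not part of the original answer: a small Python lint that cross-checks the pieces described above in a policy file. It uses the answer's own Ids in a constructed sample (namespace omitted) and flags two things that fail silently at upload time or at runtime: a LocalizedResourcesReference with no matching LocalizedResources, and an assertion step listed ahead of the CompareClaimToValue step that produces the boolean it reads, since output claims transformations are applied in the order listed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the answer's fragments stitched together. Two defects are planted: "es"
# resources are referenced but never defined, and Ensure is listed before the Check that feeds it.
SAMPLE_POLICY = """<TrustFrameworkPolicy><BuildingBlocks><ClaimsTransformations>
  <ClaimsTransformation Id="CheckAccountActivated" TransformationMethod="CompareClaimToValue">
    <OutputClaims><OutputClaim ClaimTypeReferenceId="accountActivated" TransformationClaimType="outputClaim"/></OutputClaims>
  </ClaimsTransformation>
  <ClaimsTransformation Id="EnsureAccountActivated" TransformationMethod="AssertBooleanClaimIsEqualToValue">
    <InputClaims><InputClaim ClaimTypeReferenceId="accountActivated" TransformationClaimType="inputClaim"/></InputClaims>
  </ClaimsTransformation></ClaimsTransformations>
  <ContentDefinitions><ContentDefinition Id="api.signuporsignin"><LocalizedResourcesReferences>
    <LocalizedResourcesReference Language="en" LocalizedResourcesReferenceId="api.signuporsignin.en"/>
    <LocalizedResourcesReference Language="es" LocalizedResourcesReferenceId="api.signuporsignin.es"/>
  </LocalizedResourcesReferences></ContentDefinition></ContentDefinitions>
  <Localization><LocalizedResources Id="api.signuporsignin.en"/></Localization></BuildingBlocks>
  <ClaimsProviders><ClaimsProvider><TechnicalProfiles>
  <TechnicalProfile Id="AAD-UserReadUsingObjectId-EnsureAccountActivated"><OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="EnsureAccountActivated"/>
    <OutputClaimsTransformation ReferenceId="CheckAccountActivated"/>
  </OutputClaimsTransformations></TechnicalProfile>
</TechnicalProfiles></ClaimsProvider></ClaimsProviders></TrustFrameworkPolicy>"""

def tag(e):  # drop the namespace prefix that real policy files carry
    return e.tag.rsplit("}", 1)[-1]

def lint_policy(xml_text):
    nodes = list(ET.fromstring(xml_text).iter())
    by_tag = lambda name: [e for e in nodes if tag(e) == name]
    transforms = {t.get("Id"): t for t in by_tag("ClaimsTransformation")}
    resources = {r.get("Id") for r in by_tag("LocalizedResources")}
    # Which transformation produces each output claim, and which claim each assertion reads.
    producer = {o.get("ClaimTypeReferenceId"): tid for tid, t in transforms.items()
                for o in t.iter() if tag(o) == "OutputClaim"}
    asserted = {tid: next((i.get("ClaimTypeReferenceId") for i in t.iter() if tag(i) == "InputClaim"), None)
                for tid, t in transforms.items()
                if t.get("TransformationMethod") == "AssertBooleanClaimIsEqualToValue"}
    problems = []
    for ref in by_tag("LocalizedResourcesReference"):
        if ref.get("LocalizedResourcesReferenceId") not in resources:
            problems.append("missing LocalizedResources: " + ref.get("LocalizedResourcesReferenceId"))
    for tp in by_tag("TechnicalProfile"):
        # Transformations run in listed order: the producer of the boolean must precede the assertion.
        order = [o.get("ReferenceId") for o in tp.iter() if tag(o) == "OutputClaimsTransformation"]
        for pos, ref in enumerate(order):
            if ref not in transforms:
                problems.append("unknown transformation: " + ref)
            elif ref in asserted and producer.get(asserted[ref]) not in order[:pos]:
                problems.append(f"{tp.get('Id')}: {ref} runs before {producer.get(asserted[ref])}")
    return problems
```

Run it against the real policy file with `lint_policy(open("TrustFrameworkExtensions.xml").read())`; an empty list means every reference resolves and each assertion follows its producer.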

