How to prevent Login in AD B2C based on an extension claim type using custom policies


Problem description


I have an extension claim type, say extension_isEmailVerified. I want to block users from logging in based on the value of this claim type. If it is true then the user can log in, and if it is false then I need to show an error message on the login page saying that your email is not verified.

<TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
  <DisplayName>Local Account Signin</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="SignUpTarget">SignUpWithLogonEmailExchange</Item>
    <Item Key="setting.operatingMode">Username</Item>
    <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="signInName" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="signInName" Required="true" />
    <OutputClaim ClaimTypeReferenceId="password" Required="true" />
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="login-NonInteractive" />
  </ValidationTechnicalProfiles>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>


Above is my sign in technical profile.

Recommended answer


You can add additional validation technical profiles to validate the custom attribute and display an error message if it isn't set to the expected value as follows:


(Note that if the login-NonInteractive validation technical profile doesn't succeed then the additional validation technical profiles aren't executed.)

<TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
  ...
  <Metadata>
    <Item Key="UserMessageIfClaimsTransformationBooleanValueIsNotEqual">Oops, your email hasn't been verified.</Item>
  </Metadata>
  ...
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="login-NonInteractive" />
    <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingObjectId" />
    <ValidationTechnicalProfile ReferenceId="ClaimsTransformation-AssertEmailVerified" />
  </ValidationTechnicalProfiles>
</TechnicalProfile>


The ClaimsTransformation-AssertEmailVerified technical profile (see Define a claims transformation technical profile for more information about a claims transformation technical profile) is defined as:

<ClaimsProvider>
  <DisplayName>Claims Transformation</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="ClaimsTransformation-AssertEmailVerified">
      <DisplayName>Assert Email Verified Claims Transformation</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="extension_EmailVerified" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="AssertEmailVerified" />
      </OutputClaimsTransformations>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

The AssertEmailVerified claims transformation is defined as:

<ClaimsTransformation Id="AssertEmailVerified" TransformationMethod="AssertBooleanClaimIsEqualToValue">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="extension_EmailVerified" TransformationClaimType="inputClaim" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="valueToCompareTo" DataType="boolean" Value="true" />
  </InputParameters>
</ClaimsTransformation>
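For the assertion above to have anything to compare, the boolean extension attribute must be declared in the claims schema and actually read from the directory after login-NonInteractive has established objectId. The following fragments are an added example, not part of the answer; they assume the claim Id extension_EmailVerified used in the answer, the starter-pack profile Id AAD-UserReadUsingObjectId, and that the extensions app (AAD-Common metadata) is already configured for custom attributes.

```xml
<!-- 1. Declare the custom attribute in <BuildingBlocks><ClaimsSchema> of
        TrustFrameworkExtensions.xml. DataType must be boolean so that
        AssertBooleanClaimIsEqualToValue can evaluate it. -->
<ClaimType Id="extension_EmailVerified">
  <DisplayName>Email Verified</DisplayName>
  <DataType>boolean</DataType>
  <UserHelpText>Set to true once the user's email address has been verified.</UserHelpText>
</ClaimType>

<!-- 2. Extend the starter-pack read profile so the attribute is fetched for
        the signed-in objectId. It runs as the second validation technical
        profile, between login-NonInteractive and the assertion. -->
<ClaimsProvider>
  <DisplayName>Azure Active Directory</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="AAD-UserReadUsingObjectId">
      <OutputClaims>
        <!-- Fail closed (assumption): a user whose attribute was never
             written gets false, so the assertion blocks sign-in rather
             than passing because the claim is absent. -->
        <OutputClaim ClaimTypeReferenceId="extension_EmailVerified" DefaultValue="false" />
      </OutputClaims>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

Because the attribute is only ever read inside the validation chain of the sign-in profile, a user cannot supply it from the sign-in form; it is set only by whatever verification flow writes it to the directory.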
