为什么我的自定义策略中不支持将声明标记为支持? [英] Why are claims being flagged as not supported in my custom policy?

查看:59
本文介绍了为什么我的自定义策略中不支持将声明标记为支持?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在将应用程序从使用内置用户流切换到自定义策略,以便我们可以启用一些我们需要的功能,例如帐户链接和REST集成.

I'm switching our app from using built-in user flows to custom policies so that we can enable some features that we need like account linking and REST integration.

我的TrustFrameworkBase.xml和TrustFrameworkExtensions.xml策略文件都可以正常上传.但是,当我尝试上传依赖方文件时,遇到了无法解释的验证错误:

My TrustFrameworkBase.xml and TrustFrameworkExtensions.xml policy files both upload fine. But when I try uploading the relying party file I'm hitting a validation error that I can't explain:

验证失败:租户"HyperProofLocalDev.onmicrosoft.com"的策略"B2C_1A_SIGNUP"中发现2个验证错误.AzureActive Directory提供程序技术配置文件"AAD-UserWriteUsingAlternativeSecurityId"中不支持输入声明"alternativeSecurityIds"策略'B2C_1A_SignUp'的Azure Active Directory提供程序技术配置文件'AAD-UserCreateEmailsClaim'不支持输入声明'emails'.

Validation failed: 2 validation error(s) found in policy "B2C_1A_SIGNUP" of tenant "HyperProofLocalDev.onmicrosoft.com".Input Claim 'alternativeSecurityIds' is not supported in Azure Active Directory Provider technical profile 'AAD-UserWriteUsingAlternativeSecurityId' of policy 'B2C_1A_SignUp'.Input Claim 'emails' is not supported in Azure Active Directory Provider technical profile 'AAD-UserCreateEmailsClaim' of policy 'B2C_1A_SignUp'.

我遵循了在线指导,例如这篇文章添加对这些声明的支持.尚无法确定B2C为何认为不支持这些功能.

I followed guidance online such as this post to add support for these claims. Haven't been able to determine why B2C thinks these are unsupported.

这是我在TrustFrameworkBase.xml中用于电子邮件的内容:

Here's what I have for emails in TrustFrameworkBase.xml:

      <ClaimType Id="emails">
        <DisplayName>Emails</DisplayName>
        <DataType>stringCollection</DataType>
        <UserHelpText>User's email addresses</UserHelpText>
      </ClaimType>

      <ClaimsTransformation Id="GetFirstOtherMail" TransformationMethod="GetSingleItemFromStringCollection">
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="otherMails" TransformationClaimType="collection" />
        </InputClaims>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="firstOtherMail" TransformationClaimType="extractedItem" />
        </OutputClaims>
      </ClaimsTransformation>

      <ClaimsTransformation Id="CopyFirstOtherMailToEmails" TransformationMethod="AddItemToStringCollection">
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="firstOtherMail" TransformationClaimType="item" />
          <InputClaim ClaimTypeReferenceId="emails" TransformationClaimType="collection" />
        </InputClaims>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="emails" TransformationClaimType="collection" />
        </OutputClaims>
      </ClaimsTransformation>

      <ClaimsTransformation Id="CopySignInNamesEmailToEmails" TransformationMethod="AddItemToStringCollection">
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="signInNames.emailAddress" TransformationClaimType="item" />
          <InputClaim ClaimTypeReferenceId="emails" TransformationClaimType="collection" />
        </InputClaims>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="emails" TransformationClaimType="collection" />
        </OutputClaims>
      </ClaimsTransformation>

        <TechnicalProfile Id="AAD-UserCreateEmailsClaim">
          <Metadata>
            <Item Key="Operation">Read</Item>
            <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
          </Metadata>
          <IncludeInSso>false</IncludeInSso>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
          </InputClaims>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="emails" />           
          </OutputClaims>
          <OutputClaimsTransformations>
            <OutputClaimsTransformation ReferenceId="GetFirstOtherMail"/>
            <OutputClaimsTransformation ReferenceId="CopySignInNamesEmailToEmails"/>
            <OutputClaimsTransformation ReferenceId="CopyFirstOtherMailToEmails"/>
          </OutputClaimsTransformations>
          <IncludeTechnicalProfile ReferenceId="AAD-Common" />
        </TechnicalProfile>

这是依赖方文件:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TrustFrameworkPolicy
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0"
  TenantId="hyperprooflocaldev.onmicrosoft.com"
  PolicyId="B2C_1A_SignUp"
  PublicPolicyUri="http://hyperprooflocaldev.onmicrosoft.com/B2C_1A_SignUp"  
  DeploymentMode="Development"
  UserJourneyRecorderEndpoint="urn:journeyrecorder:applicationinsights"
  >

  <BasePolicy>
    <TenantId>hyperprooflocaldev.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
  </BasePolicy>

  <RelyingParty>
    <DefaultUserJourney ReferenceId="SignUp" />
    <UserJourneyBehaviors>
      <SessionExpiryType>Rolling</SessionExpiryType>
      <SessionExpiryInSeconds>86400</SessionExpiryInSeconds>
      <JourneyInsights TelemetryEngine="ApplicationInsights" InstrumentationKey="451d3a92-fb38-4a1b-9b77-2f6572677090" DeveloperMode="true" ClientEnabled="false" ServerEnabled="true" TelemetryVersion="1.0.0" />
      <ContentDefinitionParameters>
        <Parameter Name="emailAddress">{OIDC:LoginHint}</Parameter>
        <Parameter Name="givenName">{OAUTH-KV:givenName}</Parameter>
        <Parameter Name="surname">{OAUTH-KV:surname}</Parameter>
      </ContentDefinitionParameters>
      <ScriptExecution>Allow</ScriptExecution>
    </UserJourneyBehaviors>    

    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="email" />
        <OutputClaim ClaimTypeReferenceId="emails" />
        <OutputClaim ClaimTypeReferenceId="givenName" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" />
        <OutputClaim ClaimTypeReferenceId="surname" />
        <OutputClaim ClaimTypeReferenceId="newUser" />
        <OutputClaim ClaimTypeReferenceId="objectId" />
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="trustFrameworkPolicy" Required="true" DefaultValue="{policy}" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>

推荐答案

user 对象具有 otherMails 属性而不是 emails 属性这就是发生错误的原因.

The user object has the otherMails property rather than the emails property which is why the error is occurring.

假设您已声明 signInNames.emailAddress otherMails 声明类型,则必须修改 AAD-UserCreateEmailsClaim 技术资料,如下接下来,在输出声明转换处理它们之前,先读取 user 对象的 signInNames.emailAddress otherMails 属性:

Assuming that you have declared the signInNames.emailAddress and otherMails claim types, then you must modify the AAD-UserCreateEmailsClaim technical profile, as follows, to read both the signInNames.emailAddress and otherMails properties for the user object before they are processed by the output claims transformations:

<TechnicalProfile Id="AAD-UserCreateEmailsClaim">
  <Metadata>
    <Item Key="Operation">Read</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" />           
    <OutputClaim ClaimTypeReferenceId="otherMails" />           
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="GetFirstOtherMail"/>
    <OutputClaimsTransformation ReferenceId="CopySignInNamesEmailToEmails"/>
    <OutputClaimsTransformation ReferenceId="CopyFirstOtherMailToEmails"/>
  </OutputClaimsTransformations>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>

这篇关于为什么我的自定义策略中不支持将声明标记为支持?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆