Azure B2C: Checking if another claim exists during local account creation


Question

In addition to the usual creation of an account based on whether the e-mail used doesn't currently exist, I would like to know how I can also check if another claim value doesn't exist in Azure Active Directory.

For example, for our application, anyone who creates an account must provide an organization name. Once they sign up, they are the owner of their organization group.

Before account creation, I want to check if an organization name is not associated with any other account (we're going to do sign-up via invitation if the owner wants to add people to their organization). If it doesn't exist, then create the account. Otherwise, I want to throw an error and prevent the creation of an account.

After looking through the Azure B2C technical profiles documentation, I would think that modifying AAD-UserWriteUsingLogonEmail would be my best guess.

I've tried two approaches so far. The first approach was including the input claim for the organization name. However, this just freezes the test flow:

<TechnicalProfile Id="AAD-UserWriteUsingLogonEmail">
    <Metadata>
      <Item Key="Operation">Write</Item>
      <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">true</Item>
    </Metadata>
    <IncludeInSso>false</IncludeInSso>
    <InputClaims>
      <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" Required="true" /> 
      <InputClaim ClaimTypeReferenceId="extension_organizationName" Required="true" /> 
    </InputClaims>
    <PersistedClaims>
      <!-- Required claims -->
      <PersistedClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" />
      <PersistedClaim ClaimTypeReferenceId="newPassword" PartnerClaimType="password"/>
      <PersistedClaim ClaimTypeReferenceId="displayName" DefaultValue="unknown" />
      <PersistedClaim ClaimTypeReferenceId="passwordPolicies" DefaultValue="DisablePasswordExpiration" />

      <!-- Optional claims. -->
      <PersistedClaim ClaimTypeReferenceId="givenName" />
      <PersistedClaim ClaimTypeReferenceId="surname" />
      <PersistedClaim ClaimTypeReferenceId="extension_organizationName" /> 
    </PersistedClaims>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="objectId" />
      <OutputClaim ClaimTypeReferenceId="newUser" PartnerClaimType="newClaimsPrincipalCreated" />
      <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
      <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
      <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" />
    </OutputClaims>
    <IncludeTechnicalProfile ReferenceId="AAD-Common" />
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>

The second approach was something similar, but instead using an <InputClaimsTransformations> to check if an organization name exists via the DoesClaimExist action. When using this approach, I get the following error:

Unable to validate the information provided.

Since I'm new to creating custom policies, is modifying the AAD-UserWriteUsingLogonEmail profile on the right track or do I need a completely different approach?

After following Barbara's links, I was able to get the validation working. However, I'm still having issues trying to prevent an account that is using an organization that is already associated with another account. It seems that using an <InputClaimsTransformations> doesn't really do anything.

Answer

The error message Unable to validate the information provided. indicates that you did not configure your custom policy correctly to be able to use custom claims. Thus you have to follow the documentation:

  1. Get the application properties of the extensions app
  2. Modify your custom policy to include the application properties in the AAD-Common technical profile

Please follow those steps and try again.
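As an added illustration of the two documentation steps in the answer (this is not part of the original answer and not the asker's policy), the fragments below show what "include the application properties in AAD-Common" looks like in the policy XML, together with the claim type declaration that `extension_organizationName` needs before any technical profile can reference it. The two GUIDs are placeholders; the real values are the Object ID and Application (client) ID of the tenant's `b2c-extensions-app` registration. The `DisplayName`, `CryptographicKeys` and session-management elements are assumed to match the starter-pack `TrustFrameworkBase.xml`.

```xml
<!-- Added example, not the original poster's policy.
     1) Goes inside <BuildingBlocks><ClaimsSchema> of the extensions file:
        the custom claim must be declared before AAD-UserWriteUsingLogonEmail
        can persist it. -->
<ClaimType Id="extension_organizationName">
  <DisplayName>Organization name</DisplayName>
  <DataType>string</DataType>
  <UserInputType>TextBox</UserInputType>
</ClaimType>

<!-- 2) Goes inside <ClaimsProviders> of the extensions file and overrides the
        AAD-Common profile from the base policy. Both GUIDs are placeholders:
        read the real ones from the b2c-extensions-app registration. -->
<ClaimsProvider>
  <DisplayName>Azure Active Directory</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="AAD-Common">
      <DisplayName>Azure Active Directory</DisplayName>
      <Metadata>
        <!-- Object ID of b2c-extensions-app (placeholder value) -->
        <Item Key="ApplicationObjectId">00000000-0000-0000-0000-000000000000</Item>
        <!-- Application (client) ID of b2c-extensions-app (placeholder value) -->
        <Item Key="ClientId">00000000-0000-0000-0000-000000000000</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
      </CryptographicKeys>
      <IncludeInSso>false</IncludeInSso>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

Without the two `Metadata` items, every Azure AD technical profile that reads or writes an `extension_` claim fails with the generic "Unable to validate the information provided." message, which is what the asker observed. Note also that the `DoesClaimExist` claims transformation only inspects the claims bag of the running user journey (whether the claim was collected on the page or by an earlier step); it never queries the directory, which is why an `<InputClaimsTransformations>` built on it cannot detect that another account already holds the same organization name.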
