
Azure AD B2C sign-up, no user entry


I have set up Azure AD B2C to allow users to authenticate from a "regular" AAD directory using the custom policy described in https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom. In one scenario, I want users to sign up (authenticate with their AAD credentials, have the corresponding object created in the AAD B2C directory, and have the objectidentifier passed to my application as a claim) without providing any further information. Starting from the example, I can't figure out how to entirely skip the self-assertion step. The two approaches I've tried are:

1) remove the SelfAsserted-Social ClaimsExchange, and 2) modify (actually, copy to TrustFrameworkExtensions, rename and edit) the SelfAsserted-Social and AAD-UserReadUsingObjectId ClaimsExchanges so that the only OutputClaim entries are those that do not require a user prompt.

With both approaches, sign-up appears to work from the UI perspective, but no user object is created in the B2C directory. Using App Insights, AAD-UserReadUsingObjectId appears to produce a Microsoft.Cpim.Common.PolicyException in both approaches.

The full user journey is:

    <UserJourney Id="SignUpAAD">
      <OrchestrationSteps>
        <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
          <ClaimsProviderSelections>
            <!-- must match the ClaimsExchange Id in step 2 exactly (case-sensitive) -->
            <ClaimsProviderSelection TargetClaimsExchangeId="KDEWebAppTestExchange" />
          </ClaimsProviderSelections>
        </OrchestrationStep>

        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="KDEWebAppTestExchange" TechnicalProfileReferenceId="KDEWebAppTestProfile" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <OrchestrationStep Order="3" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <!-- prepare ground for searching for user -->
        <OrchestrationStep Order="4" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="SelfAsserted-Social-Silent" TechnicalProfileReferenceId="SelfAsserted-Social-Silent" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <!-- This step reads any user attributes that we may not have received when authenticating using ESTS
             so they can be sent in the token. -->
        <OrchestrationStep Order="5" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectIdLimited" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <!-- create the user in the directory if one does not already exist
             (verified using objectId, which would be set from the last step if the account was created in the directory). -->
        <OrchestrationStep Order="6" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <OrchestrationStep Order="7" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />

      </OrchestrationSteps>
    </UserJourney>

Any ideas?

Thanks

Martin

1 Answer

  • 4

    You must replace orchestration step 4 with the following orchestration step:

    <OrchestrationStep Order="4" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>objectId</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="AAD-UserWriteUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
      </ClaimsExchanges>
    </OrchestrationStep>

    This orchestration step creates the user object if none was retrieved in orchestration step 3 (i.e., the "objectId" claim does not exist).
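An added check, not part of the question or the answer, that a practitioner can run over a journey before uploading it: it parses a UserJourney fragment and reports the two defects discussed on this page, a ClaimsProviderSelection whose TargetClaimsExchangeId does not match any ClaimsExchange Id (compared case-sensitively) and a directory write step that lacks the ClaimsExist/objectId skip precondition from the answer. Both fragments are constructed for the example and condensed from the journey above.

```python
import xml.etree.ElementTree as ET

# Constructed fragment (not the poster's full policy): a journey with a case-mismatched
# exchange id and a directory write that is never skipped when the user already exists.
BROKEN_JOURNEY = """<UserJourney Id="SignUpAAD"><OrchestrationSteps>
  <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
    <ClaimsProviderSelections><ClaimsProviderSelection TargetClaimsExchangeId="KDEWEbAppTestExchange"/></ClaimsProviderSelections>
  </OrchestrationStep>
  <OrchestrationStep Order="2" Type="ClaimsExchange"><ClaimsExchanges>
    <ClaimsExchange Id="KDEWebAppTestExchange" TechnicalProfileReferenceId="KDEWebAppTestProfile"/>
  </ClaimsExchanges></OrchestrationStep>
  <OrchestrationStep Order="3" Type="ClaimsExchange"><ClaimsExchanges>
    <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId"/>
  </ClaimsExchanges></OrchestrationStep>
</OrchestrationSteps></UserJourney>"""

# Same journey with the id corrected and the write step guarded as in the accepted answer.
FIXED_JOURNEY = BROKEN_JOURNEY.replace('"KDEWEbAppTestExchange"', '"KDEWebAppTestExchange"').replace(
    '<OrchestrationStep Order="3" Type="ClaimsExchange">',
    '<OrchestrationStep Order="3" Type="ClaimsExchange"><Preconditions>'
    '<Precondition Type="ClaimsExist" ExecuteActionsIf="true"><Value>objectId</Value>'
    '<Action>SkipThisOrchestrationStep</Action></Precondition></Preconditions>')

def _skips_when_objectid_exists(step) -> bool:
    """True if the step carries a ClaimsExist/objectId precondition that skips it."""
    for pre in step.iter("Precondition"):
        if (pre.get("Type") == "ClaimsExist" and pre.get("ExecuteActionsIf") == "true"
                and pre.findtext("Value") == "objectId"
                and pre.findtext("Action") == "SkipThisOrchestrationStep"):
            return True
    return False

def lint_journey(xml_text: str) -> list:
    """Return human-readable findings for a <UserJourney> fragment (empty list = clean)."""
    root = ET.fromstring(xml_text)
    exchange_ids = {ce.get("Id") for ce in root.iter("ClaimsExchange")}
    findings = []
    for step in root.iter("OrchestrationStep"):
        order = step.get("Order")
        # Ids are compared case-sensitively: a selection must name an exchange that exists.
        for sel in step.iter("ClaimsProviderSelection"):
            target = sel.get("TargetClaimsExchangeId")
            if target not in exchange_ids:
                findings.append(f"step {order}: TargetClaimsExchangeId '{target}' matches no ClaimsExchange Id")
        # A write to the directory must be skipped when the read step already found the user.
        for ce in step.iter("ClaimsExchange"):
            tp = ce.get("TechnicalProfileReferenceId", "")
            if "UserWrite" in tp and not _skips_when_objectid_exists(step):
                findings.append(f"step {order}: '{tp}' runs without a ClaimsExist/objectId skip precondition")
    return findings
```

Running `lint_journey(BROKEN_JOURNEY)` reports both defects; `lint_journey(FIXED_JOURNEY)` returns an empty list.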
