Multi-tenant Azure AD in Azure AD B2C

I came across the answer here: Multi-Tenant Azure AD Auth in Azure AD B2C with Custom Policies

And the walkthrough here: https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/blob/0129fc013ae5e66a3ee0046a5d0db2e8120d8f8e/Walkthroughs/IdP-AzureAD.md

But I can't log in; the error message is along the lines of:

AADB2C: An exception has occured. Correlation ID: <GUID>. Timestamp: <Time>

Also, when looking at the walkthrough in the latest master, the whole page has been removed and now only contains a link to https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom, which does not show how to configure the ClaimsProvider for a multi-tenant Azure AD IdP.

The error message isn't very helpful, and I'm lost.

My technical profile is as follows:

<ClaimsProvider>
    <Domain>AzureAD</Domain>
    <DisplayName>Login using Azure AD</DisplayName>
    <TechnicalProfiles>
        <TechnicalProfile Id="AzureADProfile">
            <DisplayName>Azure AD</DisplayName>
            <Description>Login with your Azure AD account</Description>
            <Protocol Name="OpenIdConnect"/>
            <OutputTokenFormat>JWT</OutputTokenFormat>
            <Metadata>
                <Item Key="DiscoverMetadataByTokenIssuer">true</Item>
                <Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item>
                <Item Key="authorization_endpoint">https://login.windows.net/common/oauth2/v2.0/authorize</Item>
                <Item Key="client_id">MyAzureADB2CAppId</Item>
                <Item Key="IdTokenAudience">MyAzureADB2CAppId</Item>
                <Item Key="response_types">id_token</Item>
                <Item Key="UsePolicyInRedirectUri">false</Item>
                <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
                <Item Key="scope">openid</Item>
                <Item Key="HttpBinding">POST</Item>
            </Metadata>
            <CryptographicKeys>
                <Key Id="client_secret" StorageReferenceId="B2C_1A_B2CSecret"/>
            </CryptographicKeys>
            <OutputClaims>
                <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="oid"/>
                <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
                <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="unique_name" />
                <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
                <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
                <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
                <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="azureADAuthentication" />
                <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="AzureAD" />
            </OutputClaims>
            <OutputClaimsTransformations>
                <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
                <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
                <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
                <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
            </OutputClaimsTransformations>
            <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/>
        </TechnicalProfile>
    </TechnicalProfiles>
</ClaimsProvider>

EDIT: Following spottedhahn's suggestion, I introduced the user journey logger and managed to get the real error:

The response received from the ClaimsProvider using TechnicalProfile 
"<My_Azure_AD_Common_Profile>" in policy "<My_RP_Policy>" of tenant 
"<My_B2C_Tenant>" did not contain an "id_token".

The question is: Is linking multi-tenant Azure AD to Azure AD B2C still supported, and how can I configure it to make that work?

1 Answer

  • 4

    When federating Azure AD B2C with the common endpoints of Azure AD, you can integrate with either of the following:

    • v1.0 endpoint: https://login.microsoftonline.com/common/oauth2/authorize

    • v2.0 endpoint: https://login.microsoftonline.com/common/oauth2/v2.0/authorize

    v1.0 endpoint

    To integrate Azure AD B2C with the v1.0 endpoint, you must register Azure AD B2C with the Azure AD tenant via the Azure portal:

    • Sign in to the Azure portal.

    • In the top bar, select the Azure AD directory.

    • In the left bar, select All services and find "App registrations".

    • Select New application registration.

    • In Name, enter the application name, e.g. "Azure AD B2C".

    • In Application type, select Web app / API.

    • In Sign-on URL, enter https://login.microsoftonline.com/te/<tenant>/oauth2/authresp, replacing <tenant> with the name of the Azure AD B2C tenant (e.g. "contosob2c.onmicrosoft.com").

    • Select Create.

    • Copy the Application ID for later use.

    • Select Settings, then select Keys.

    • In the Passwords section, enter a key description, select a duration, select Save, and then copy the key value for later use.

    Then you must create a policy key (e.g. "AzureADClientSecret") via the Azure AD B2C portal using the application key from step 11.

    Then you must update the Azure AD technical profile with the following settings:

    <TechnicalProfile Id="AzureADAccountProfile">
      <DisplayName>Log in with your work account</DisplayName>
      <Protocol Name="OpenIdConnect"/>
      <OutputTokenFormat>JWT</OutputTokenFormat>
      <Metadata>
        <Item Key="authorization_endpoint">https://login.microsoftonline.com/common/oauth2/authorize</Item>
        <Item Key="client_id"><!-- Enter the application ID from step 9 --></Item>
        <Item Key="DiscoverMetadataByTokenIssuer">true</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="IdTokenAudience"><!-- Enter the application ID from step 9 --></Item>
        <Item Key="response_types">id_token</Item>
        <Item Key="scope">openid</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
        <Item Key="ValidTokenIssuerPrefixes">https://sts.windows.net/</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_AzureADClientSecret"/>
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="enterpriseAuthentication" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="tid" />
        <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="oid" />
        ...
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>
    

    v2.0 endpoint

    To integrate Azure AD B2C with the v2.0 endpoint, you must register Azure AD B2C with the Azure AD tenant via the Application Registration portal:

    • Sign in to the Application Registration portal.

    • Select Add an app.

    • In Application Name, enter the application name, e.g. "Azure AD B2C", and then select Create.

    • Copy the Application Id for later use.

    • In the Application Secrets section, select Generate new password, and then copy the password value for later use.

    • In the Platforms section, select Add Platform, select Web, and then enter the Redirect URL as https://login.microsoftonline.com/te/<tenant>/oauth2/authresp, replacing <tenant> with the name of the Azure AD B2C tenant (e.g. "contosob2c.onmicrosoft.com").

    • In the bottom bar, select Save.

    Then you must create a policy key (e.g. "AzureADClientSecret") via the Azure AD B2C portal using the application password from step 5.

    Then you must update the Azure AD technical profile with the following settings:

    <TechnicalProfile Id="AzureADAccountProfile">
      <DisplayName>Log in with your work account</DisplayName>
      <Protocol Name="OpenIdConnect"/>
      <OutputTokenFormat>JWT</OutputTokenFormat>
      <Metadata>
        <Item Key="authorization_endpoint">https://login.microsoftonline.com/common/oauth2/v2.0/authorize</Item>
        <Item Key="client_id"><!-- Enter the application ID from step 4 --></Item>
        <Item Key="DiscoverMetadataByTokenIssuer">true</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="IdTokenAudience"><!-- Enter the application ID from step 4 --></Item>
        <Item Key="response_types">id_token</Item>
        <Item Key="scope">openid profile</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
        <Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_AzureADClientSecret"/>
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="enterpriseAuthentication" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="tid" />
        <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="oid" />
        ...
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>
    
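The two profiles above differ only in which issuer prefix (`ValidTokenIssuerPrefixes`) and which authorize endpoint they trust; the following is an added example, not code from the question or the answer, that shows what those settings amount to when a multi-tenant id_token arrives: the `iss` claim must start with the configured prefix, the tenant id embedded in `iss` is what `DiscoverMetadataByTokenIssuer` uses to locate the metadata document, and because the `common` endpoint accepts every Azure AD tenant, the relying side should also confirm that `tid` agrees with the issuer and, where only some tenants are welcome, check it against an allow-list. The application id, tenant id and claim sets below are constructed placeholders, and `allowed_tenants` is an assumption of this example rather than a B2C metadata item.

```python
import re
from typing import Dict, Iterable, Optional, Set, Tuple

# Issuer prefixes taken from the v1.0 and v2.0 technical profiles in the answer.
V1_ISSUER_PREFIX = "https://sts.windows.net/"
V2_ISSUER_PREFIX = "https://login.microsoftonline.com/"
TENANT_ID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

# Constructed placeholders: not a real application id, tenant id or token.
APP_ID = "00000000-0000-0000-0000-00000000b2c0"   # stands in for the Application ID from the steps above
TENANT = "11111111-2222-3333-4444-555555555555"
V1_CLAIMS = {"iss": f"https://sts.windows.net/{TENANT}/", "aud": APP_ID, "tid": TENANT}
V2_CLAIMS = {"iss": f"https://login.microsoftonline.com/{TENANT}/v2.0", "aud": APP_ID, "tid": TENANT}


def issuer_tenant(iss: str, valid_prefixes: Iterable[str]) -> Optional[str]:
    """Return the tenant id carried in 'iss' if it starts with an allowed prefix, else None.
    v1.0 issuers look like https://sts.windows.net/<tid>/ and v2.0 issuers like
    https://login.microsoftonline.com/<tid>/v2.0; 'common' never appears in a real 'iss'."""
    prefix = next((p for p in valid_prefixes if iss.startswith(p)), None)
    if prefix is None:
        return None
    tenant = iss[len(prefix):].strip("/").split("/")[0]
    return tenant if TENANT_ID_RE.match(tenant) else None


def metadata_url(iss: str) -> str:
    """Standard OIDC discovery location derived from the issuer, which is what
    DiscoverMetadataByTokenIssuer relies on to fetch the signing keys per tenant."""
    return iss.rstrip("/") + "/.well-known/openid-configuration"


def validate_claims(claims: Dict[str, str], valid_prefixes: Iterable[str], expected_audience: str,
                    allowed_tenants: Optional[Set[str]] = None) -> Tuple[bool, str]:
    """Checks a multi-tenant id_token must pass: audience equals IdTokenAudience, issuer prefix
    is trusted, 'tid' matches the issuer's tenant, and (optionally) the tenant is allow-listed.
    Returns (True, tenant_id) on success or (False, reason) on failure."""
    if claims.get("aud") != expected_audience:
        return False, "audience mismatch"
    tenant = issuer_tenant(claims.get("iss", ""), valid_prefixes)
    if tenant is None:
        return False, "issuer not trusted"
    if claims.get("tid") != tenant:
        return False, "tid claim does not match issuer"
    if allowed_tenants is not None and tenant not in allowed_tenants:
        return False, "tenant not allowed"
    return True, tenant


if __name__ == "__main__":
    for name, claims, prefixes in (("v1.0", V1_CLAIMS, [V1_ISSUER_PREFIX]), ("v2.0", V2_CLAIMS, [V2_ISSUER_PREFIX])):
        print(name, validate_claims(claims, prefixes, APP_ID, {TENANT}), metadata_url(claims["iss"]))
```

Note that a v2.0 issuer checked against the v1.0 prefix (or vice versa) is rejected outright, which is why the prefix and the authorize endpoint in a profile must belong to the same endpoint version.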
