2

我正在创建自定义 B2C 策略,并尝试为使用用户名创建的本地帐户复制密码重置过程。

我可以从 AD 读取用户名,但我不确定如何根据帐户验证已验证的电子邮件地址。

目前,如果用户名正确,则可以使用任何电子邮件地址进行验证。

技术简介:

<TechnicalProfile Id="SA-LocalAccountDiscoveryUsingLogonName">
      <DisplayName>Reset password using logon name</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="IpAddressClaimReferenceId">IpAddress</Item>
        <Item Key="ContentDefinitionReferenceId">api.localaccountpasswordreset</Item>
      </Metadata>
      <IncludeInSso>false</IncludeInSso>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="signInName" Required="true" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true" />
        <OutputClaim ClaimTypeReferenceId="objectId" />
        <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
      </OutputClaims>
      <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingLogonName" />
      </ValidationTechnicalProfiles>
    </TechnicalProfile>

验证技术简介:

<TechnicalProfile Id="AAD-UserReadUsingLogonName">
      <Metadata>
        <Item Key="Operation">Read</Item>
        <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">true</Item>
      </Metadata>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.userName" Required="true" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" />
        <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
      </OutputClaims>
      <IncludeTechnicalProfile ReferenceId="AAD-Common" />
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
    </TechnicalProfile>

用户旅程:

<UserJourney Id="PasswordReset">
  <OrchestrationSteps>
    <!--Get user by username-->
    <OrchestrationStep Order="1" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="PasswordResetUsingEmailAddressExchange" TechnicalProfileReferenceId="SA-LocalAccountDiscoveryUsingLogonName" />
      </ClaimsExchanges>
    </OrchestrationStep>

    <!--Reset password-->
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="SA-LocalAccountPasswordReset" />
      </ClaimsExchanges>
    </OrchestrationStep>

    <!--Read remaining attributes of user-->
    <OrchestrationStep Order="3" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="ReadUser" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>

    <!--Create token-->
    <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
  <ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>
4

1 回答 1

3

如果您在注册策略期间将电子邮件地址写入“otherMails”和“strongAuthenticationEmailAddress”属性,那么您可以在密码重置策略期间使用 REST API 验证电子邮件地址是否与用户名相关联。

此 REST API 必须声明为声明提供程序:

<ClaimsProvider>
    <DisplayName>REST APIs</DisplayName>
    <TechnicalProfiles>
        <TechnicalProfile Id="RestApi-CheckUser">
            <DisplayName>Check User REST API</DisplayName>
            <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
            <Metadata>
                <Item Key="ServiceUrl">Insert the REST API endpoint URL</Item>
                <Item Key="AuthenticationType">None</Item>
                <Item Key="SendClaimsIn">Body</Item>
            </Metadata>
            <InputClaims>
                <InputClaim ClaimTypeReferenceId="signInName" />
                <InputClaim ClaimTypeReferenceId="email" />
            </InputClaims>
            <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
        </TechnicalProfile>
    </TechnicalProfiles>
</ClaimsProvider>

REST API 可以使用 Azure AD Graph API 通过“signInNames”和“otherMails”属性查询用户对象(您无法使用此 Graph API 读取“strongAuthenticationEmailAddress”属性),并且如REST API 演练中所述200 OK如果电子邮件地址与用户名相关联,则返回,否则返回409 Conflict

然后可以从“SA-LocalAccountDiscoveryUsingLogonName”技术配置文件中调用 REST API 技术配置文件作为验证技术配置文件:

<TechnicalProfile Id="SA-LocalAccountDiscoveryUsingLogonName">
    <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="RestApi-CheckUser" />
        <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingLogonName" />
    </ValidationTechnicalProfiles>
</TechnicalProfile>

如果“RestApi-CheckUser”技术配置文件返回200 OK,则调用“AAD-UserReadUsingLogonName”技术配置文件,最终用户可以继续重置密码。如果“RestApi-CheckUser”技术配置文件返回409 Conflict,则不会调用“AAD-UserReadUsingLogonName”技术配置文件,最终用户无法继续。

于 2017-12-14T23:10:17.893 回答