
Using the AAD B2C Identity Experience Framework, I am trying to create a custom policy that allows sign-in to a local AAD B2C account and includes the "Can't access your account?" link that invokes the built-in self-service functionality. So basically I want the user experience/functionality of the built-in "B2C_1_SignIn_Local" policy, but as part of my custom policy suite. I don't want this user journey/experience to allow the user to choose a different IdP.

I have been able to create a user journey that invokes local sign-in, but the UI does not include the "Can't access your account?" link. So far my user journey looks like this:

<UserJourney Id="SignInB2CLocal">
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="ClaimsProviderSelection" ContentDefinitionReferenceId="api.idpselections">
      <ClaimsProviderSelections>
        <ClaimsProviderSelection TargetClaimsExchangeId="SignInWithLogonNameExchange" />
      </ClaimsProviderSelections>
    </OrchestrationStep>

    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="SignInWithLogonNameExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
      </ClaimsExchanges>
    </OrchestrationStep>

    <OrchestrationStep Order="3" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
          <Value>authenticationSource</Value>
          <Value>socialIdpAuthentication</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>

    <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
</UserJourney>

The above is based on a combination of what I found in the built-in policy B2C_1_SignIn_Local (the downloaded file) and what I use for other IdPs (such as AAD). I also tried calling the built-in B2C_1_SignIn_Local directly from my MVC ASP.NET application, but I get a token validation error.

Is my expected result possible?

Thanks!

Martin

4

2 Answers

1

You can either:

(i) Change from the ClaimsProviderSelection and ClaimsExchange orchestration steps to a CombinedSignInAndSignUp step with the api.signuporsignin content definition, or

(ii) Change the content definition for the SelfAsserted-LocalAccountSignin-Email technical profile from api.selfasserted to api.signuporsignin.

What matters is that the <DataUri /> value of the content definition is set to:

urn:com:microsoft:aad:b2c:elements:unifiedssp:1.0.0

which renders the "Forgot your password?" and "Sign up now" links.

i) The CombinedSignInAndSignUp orchestration step

<OrchestrationSteps>
  <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
    <ClaimsProviderSelections>
      <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
    </ClaimsProviderSelections>
    <ClaimsExchanges>
      <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
    </ClaimsExchanges>
  </OrchestrationStep>
  <OrchestrationStep Order="2" Type="ClaimsExchange">
    <Preconditions>
      <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
        <Value>objectId</Value>
        <Action>SkipThisOrchestrationStep</Action>
      </Precondition>
    </Preconditions>
    <ClaimsExchanges>
      <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
    </ClaimsExchanges>
  </OrchestrationStep>
  <OrchestrationStep Order="3" Type="ClaimsExchange">
    <ClaimsExchanges>
      <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
    </ClaimsExchanges>
  </OrchestrationStep>
  <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
</OrchestrationSteps>

ii) The LocalAccountSigninEmailExchange technical profile

<TechnicalProfiles>
  <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
    <Metadata>
      <Item Key="ContentDefinitionReferenceId">api.signuporsignin</Item>
    </Metadata>
  </TechnicalProfile>
</TechnicalProfiles>

<OrchestrationSteps>
  <OrchestrationStep Order="1" Type="ClaimsExchange">
    <ClaimsExchanges>
      <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
    </ClaimsExchanges>
  </OrchestrationStep>
  <OrchestrationStep Order="2" Type="ClaimsExchange">
    <Preconditions>
      <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
        <Value>objectId</Value>
        <Action>SkipThisOrchestrationStep</Action>
      </Precondition>
    </Preconditions>
    <ClaimsExchanges>
      <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
    </ClaimsExchanges>
  </OrchestrationStep>
  <OrchestrationStep Order="3" Type="ClaimsExchange">
    <ClaimsExchanges>
      <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
    </ClaimsExchanges>
  </OrchestrationStep>
  <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
</OrchestrationSteps>
answered 2018-01-27T07:21:44.363
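A small lint for the point made in this answer, added here as an example (it is not the answerer's code or any Microsoft tool): it parses a policy, maps every ContentDefinition Id to its DataUri, and reports orchestration steps or technical-profile Metadata that reference a content definition the policy never defines, plus CombinedSignInAndSignUp steps whose content definition does not carry the unifiedssp DataUri. Running such a check before uploading avoids a journey that silently fails or renders the wrong page. The policy XML embedded in it is a constructed fragment for a hypothetical tenant; the schema namespace, element names and DataUri values are the framework's real ones, while the LoadUri/RecoveryUri paths are assumed. Step 1 of the sample deliberately misspells the id as api.signupsignin so the check has something to find.

```python
import xml.etree.ElementTree as ET

# Namespace of the Identity Experience Framework policy schema.
NS = {"cpim": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}
# DataUri that makes the unified sign-up/sign-in page render the
# "Forgot your password?" and "Sign up now" links.
UNIFIED_SSP = "urn:com:microsoft:aad:b2c:elements:unifiedssp:1.0.0"

# Constructed sample policy (hypothetical tenant "example.onmicrosoft.com").
# Step 1 references "api.signupsignin", a misspelling of "api.signuporsignin".
SAMPLE_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
    PolicySchemaVersion="0.3.0.0" TenantId="example.onmicrosoft.com"
    PolicyId="B2C_1A_Example" PublicPolicyUri="http://example.onmicrosoft.com/B2C_1A_Example">
  <BuildingBlocks>
    <ContentDefinitions>
      <ContentDefinition Id="api.signuporsignin">
        <LoadUri>~/tenant/default/unifiedSSP.cshtml</LoadUri>
        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>
        <DataUri>urn:com:microsoft:aad:b2c:elements:unifiedssp:1.0.0</DataUri>
      </ContentDefinition>
      <ContentDefinition Id="api.idpselections">
        <LoadUri>~/tenant/default/idpSelector.cshtml</LoadUri>
        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>
        <DataUri>urn:com:microsoft:aad:b2c:elements:idpselection:1.0.0</DataUri>
      </ContentDefinition>
    </ContentDefinitions>
  </BuildingBlocks>
  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Local Account</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
          <Metadata>
            <Item Key="ContentDefinitionReferenceId">api.signuporsignin</Item>
          </Metadata>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
  <UserJourneys>
    <UserJourney Id="SignInB2CLocal">
      <OrchestrationSteps>
        <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp"
            ContentDefinitionReferenceId="api.signupsignin" />
        <OrchestrationStep Order="2" Type="ClaimsProviderSelection"
            ContentDefinitionReferenceId="api.idpselections" />
      </OrchestrationSteps>
    </UserJourney>
  </UserJourneys>
</TrustFrameworkPolicy>
"""


def load_content_definitions(root):
    """Map each ContentDefinition Id to its DataUri (empty string if absent)."""
    return {
        cd.get("Id"): (cd.findtext("cpim:DataUri", default="", namespaces=NS) or "").strip()
        for cd in root.iterfind(".//cpim:ContentDefinition", NS)
    }


def check_content_definitions(policy_xml):
    """Return a list of findings; an empty list means the policy passed."""
    root = ET.fromstring(policy_xml)
    defs = load_content_definitions(root)
    findings = []

    # Orchestration steps that reference a content definition by Id (option i).
    for journey in root.iterfind(".//cpim:UserJourney", NS):
        for step in journey.iterfind(".//cpim:OrchestrationStep", NS):
            ref = step.get("ContentDefinitionReferenceId")
            if ref is None:
                continue
            where = f"journey {journey.get('Id')} step {step.get('Order')}"
            if ref not in defs:
                findings.append(f"{where}: ContentDefinitionReferenceId '{ref}' is not defined")
            elif step.get("Type") == "CombinedSignInAndSignUp" and defs[ref] != UNIFIED_SSP:
                findings.append(f"{where}: '{ref}' has DataUri '{defs[ref]}', expected {UNIFIED_SSP}")

    # Technical profiles that pick their content definition via Metadata (option ii).
    for tp in root.iterfind(".//cpim:TechnicalProfile", NS):
        item = tp.find("cpim:Metadata/cpim:Item[@Key='ContentDefinitionReferenceId']", NS)
        if item is None:
            continue
        ref = (item.text or "").strip()
        if ref not in defs:
            findings.append(f"technical profile {tp.get('Id')}: "
                            f"ContentDefinitionReferenceId '{ref}' is not defined")
    return findings


if __name__ == "__main__":
    for line in check_content_definitions(SAMPLE_POLICY) or ["policy passed"]:
        print(line)
```

Run it against a merged base/extension policy (or each file of the starter pack in turn) and fix every finding before uploading; once step 1 is corrected to api.signuporsignin, the sample passes.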
0

This is untested, but I'm pretty sure you would change:

ContentDefinitionReferenceId="api.idpselections"

to:

ContentDefinition Id="api.localaccountsignin"

This should display only the local account sign-in page, without sign-up and password reset.

answered 2018-01-31T00:21:09.287