0

我们允许外部 Azure AD 用户通过自定义策略注册和登录我们的应用程序。在我们的 adb2c 目录中创建的 shell 用户没有在用户配置文件中获得我想要的 UPN(下面的屏幕截图)。我希望upn 是federated_upn声明的值,即numero1@notecorp111.onmicrosoft.com ,但它将 upn 设置为电子邮件声明的值,即correo1@notecorp111.onmicrosoft.com。你能告诉我我做错了什么吗?谢谢!

claims:
alternativeSecurityId: <Guid>
userPrincipalName: cpim_<guid>@tenantname.onmicrosoft.com
email: correo1@notecorp111.onmicrosoft.com
federated_upn: numero1@notecorp111.onmicrosoft.com

技术简介:

    <TechnicalProfile Id="AAD-UserWriteUsingAlternativeSecurityId">
      <Metadata>
        <Item Key="Operation">Write</Item>
        <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">true</Item>
        <Item Key="UserMessageIfClaimsPrincipalAlreadyExists">You are already registered, please press the back button and sign in instead.</Item>
      </Metadata>
      <IncludeInSso>false</IncludeInSso>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="AlternativeSecurityId" PartnerClaimType="alternativeSecurityId" Required="true" />
      </InputClaims>
         <!-- Required claims -->
        <PersistedClaim ClaimTypeReferenceId="alternativeSecurityId" />
        <PersistedClaim ClaimTypeReferenceId="userPrincipalName" />
        <PersistedClaim ClaimTypeReferenceId="mailNickName" DefaultValue="unknown" />
        <PersistedClaim ClaimTypeReferenceId="displayName" DefaultValue="unknown" />
        <PersistedClaim ClaimTypeReferenceId="email"  PartnerClaimType="mail" /> 
        <PersistedClaim ClaimTypeReferenceId="federated_upn" PartnerClaimType="signInNames.emailAddress" />
      </PersistedClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" />
        <OutputClaim ClaimTypeReferenceId="newUser" PartnerClaimType="newClaimsPrincipalCreated" />
      </OutputClaims>
      <IncludeTechnicalProfile ReferenceId="AAD-Common" />
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
    </TechnicalProfile>


    <TechnicalProfile Id="AADCommon-OpenIdConnect">
      <DisplayName>Multi-Tenant AAD</DisplayName>
      <Description>Login with your Contoso account</Description>
      <Protocol Name="OpenIdConnect"/>
      <Metadata>
        <Item Key="METADATA">https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration</Item>
        <Item Key="client_id">xxxxxxxxxx</Item>
        <Item Key="response_types">code</Item>
        <Item Key="scope">openid profile email</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
        <Item Key="DiscoverMetadataByTokenIssuer">true</Item>
         <Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_XXXXX"/>
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid"/>
        <OutputClaim ClaimTypeReferenceId="federated_upn" PartnerClaimType="upn"/>
<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="upn"/>       
        <OutputClaim ClaimTypeReferenceId="email" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
        <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
        <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />            
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin"/>
    </TechnicalProfile>

此处用户配置文件的屏幕截图: adb2c 用户配置文件

4

1 回答 1

0

• 您应该在“身份”属性部分的“AADCommon-OpenIDConnect”技术配置文件中包含“signInType”和“issuerAssignedId”属性,其中“signInType”属性将定义用于联合身份的登录类型, 即同样是电子邮件地址或用户名。

• 并且“issuerAssignedId”属性指定由发行者分配给用户的唯一标识符,其中对于联合用户帐户,它表示联合帐户标识符。另外,请检查代表身份颁发者的'issuer'属性,即与Azure AD联合的SaaS平台,其用户以shell用户身份登录Azure AD B2C,因为'issuer'和'issuerAssignedId'的组合对租户来说是唯一的,它定义了要登录的联合身份的登录身份或 UPN。

请查看以下示例,了解如何包含上述属性:-

      ‘ "identities": [
    {
      "signInType": "userName",
         "issuer": "contoso.onmicrosoft.com",
         "issuerAssignedId": "johnsmith"
   },
    {
       "signInType": "emailAddress",
         "issuer": "contoso.onmicrosoft.com",
          "issuerAssignedId": "jsmith@yahoo.com"
    },
    {
         "signInType": "federated",
         "issuer": "facebook.com",
         "issuerAssignedId": "5eecb0cd"
    }
  ] ‘

• 此外,'issuerAssignedId' 是每个应用程序或开发帐户的给定用户的唯一值,应使用它来配置 Azure AD B2C 策略,该策略具有先前由联合 SaaS 平台在同一帐户中分配的相同应用程序 ID . 一旦您在技术配置文件中包含上述属性,将被分配的“federated_upn”将显示在 shell 用户配置文件中,因为您已经提到了身份提供者并在策略中声明它是经过验证的。

请找到以下链接以获取更多信息:-

https://docs.microsoft.com/en-us/azure/active-directory-b2c/user-profile-attributes

在联合 Azure AD B2C 注册自定义策略流上获取 UPN 的问题

于 2021-10-22T11:24:50.493 回答