Azure ad b2c 在Azure ADB2C中,是否有任何方法可以将策略从一个租户克隆到另一个租户?
我正在尝试将一个自定义策略从一个ADB2C租户克隆到另一个租户,并通过“身份体验框架”界面上传XML文件 但我得到了以下错误:Azure ad b2c 在Azure ADB2C中,是否有任何方法可以将策略从一个租户克隆到另一个租户?,azure-ad-b2c,Azure Ad B2c,我正在尝试将一个自定义策略从一个ADB2C租户克隆到另一个租户,并通过“身份体验框架”界面上传XML文件 但我得到了以下错误: Unable to upload policy. Reason : Validation failed: 1 validation error(s) found in policy "B2C_1A_B2C_1_SIGNUPIN" of tenant "tenant.onmicrosoft.com".Policy 'B2C_1A_B2C_1_SignUpIn' of te
Unable to upload policy. Reason : Validation failed: 1 validation error(s) found in policy "B2C_1A_B2C_1_SIGNUPIN" of tenant "tenant.onmicrosoft.com".Policy 'B2C_1A_B2C_1_SignUpIn' of tenant 'tenat.onmicrosoft.com' is not allowed to inherit from the specified base policy. Inheritance chain: {
"TenantId": "tenant.onmicrosoft.com",
"PolicyId": "base-v1",
"TenantObjectId": "xxxx...",
"Root": true,
"Derived": {
"TenantId": "tenant.onmicrosoft.com",
"PolicyId": "B2C_1A_B2C_1_SignUpIn",
"TenantObjectId": "yyyy...",
"Rule": "All",
"InheritanceAllowed": false,
"Reason": "Policy 'B2C_1A_B2C_1_SignUpIn' in tenant 'yyyyy...' is blocked from inheriting policies from 'xxxx...' as the basic policy constraint handler 'B2CBasicPoliciesOnly' cannot match the policy id to a prefix or registered policy id."
}
}
这是政策内容:
<TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0"
TenantId="tenant.onmicrosoft.com" TenantObjectId="xxx...."
PolicyId="B2C_1_SignUpIn" PublicPolicyUri="http://tenant.onmicrosoft.com/">
<BasePolicy>
<TenantId>tenant.onmicrosoft.com</TenantId>
<PolicyId>base-v1</PolicyId>
</BasePolicy>
<BuildingBlocks>
<ClaimsSchema>
<ClaimType Id="displayName">
<DisplayName>Username</DisplayName>
<DataType>string</DataType>
<Restriction MergeBehavior="Append" />
</ClaimType>
<ClaimType Id="givenName">
<DisplayName>First Name</DisplayName>
<DataType>string</DataType>
<Restriction MergeBehavior="Append" />
</ClaimType>
<ClaimType Id="surname">
<DisplayName>Last name</DisplayName>
<DataType>string</DataType>
<Restriction MergeBehavior="Append" />
</ClaimType>
<ClaimType Id="extension_Service">
<DisplayName>Service Name</DisplayName>
<DataType>string</DataType>
<Restriction MergeBehavior="Append" />
</ClaimType>
</ClaimsSchema>
</BuildingBlocks>
<ClaimsProviders>
<ClaimsProvider>
<DisplayName>PhoneFactor</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="PhoneFactor-Common">
<EnabledForUserJourneys>OnClaimsExistence</EnabledForUserJourneys>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
<ClaimsProvider>
<DisplayName>Token Issuer</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="JwtIssuer">
<Metadata>
<Item Key="token_lifetime_secs">3600</Item>
<Item Key="id_token_lifetime_secs">3600</Item>
<Item Key="refresh_token_lifetime_secs">1209600</Item>
<Item Key="rolling_refresh_token_lifetime_secs">7776000</Item>
<Item Key="IssuanceClaimPattern">AuthorityAndTenantGuid</Item>
<Item Key="AuthenticationContextReferenceClaimPattern">None</Item>
</Metadata>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
<ClaimsProvider>
<DisplayName>Self Asserted</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="SelfAsserted-Input">
<InputClaims>
<InputClaim ClaimTypeReferenceId="displayName" />
<InputClaim ClaimTypeReferenceId="givenName" />
<InputClaim ClaimTypeReferenceId="surname" />
<InputClaim ClaimTypeReferenceId="extension_Organization" />
<InputClaim ClaimTypeReferenceId="extension_Department" />
<InputClaim ClaimTypeReferenceId="extension_Service" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="displayName" Required="true" />
<OutputClaim ClaimTypeReferenceId="givenName" Required="true" />
<OutputClaim ClaimTypeReferenceId="surname" Required="true" />
<OutputClaim ClaimTypeReferenceId="extension_Organization" Required="true" />
<OutputClaim ClaimTypeReferenceId="extension_Department" Required="true" />
<OutputClaim ClaimTypeReferenceId="extension_Service" Required="true" />
</OutputClaims>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
<ClaimsProvider>
<DisplayName>Azure Active Directory</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="AAD-ReadCommon">
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="givenName" />
<OutputClaim ClaimTypeReferenceId="surname" />
<OutputClaim ClaimTypeReferenceId="extension_Organization" />
<OutputClaim ClaimTypeReferenceId="extension_Department" />
<OutputClaim ClaimTypeReferenceId="extension_Service" />
</OutputClaims>
</TechnicalProfile>
<TechnicalProfile Id="AAD-WriteCommon">
<PersistedClaims>
<PersistedClaim ClaimTypeReferenceId="displayName" />
<PersistedClaim ClaimTypeReferenceId="givenName" />
<PersistedClaim ClaimTypeReferenceId="surname" />
<PersistedClaim ClaimTypeReferenceId="extension_Organization" />
<PersistedClaim ClaimTypeReferenceId="extension_Department" />
<PersistedClaim ClaimTypeReferenceId="extension_Service" />
</PersistedClaims>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
</ClaimsProviders>
<UserJourneys>
<UserJourney Id="B2CSignUpOrSignInWithPassword">
<OrchestrationSteps>
<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signinandsignupwithpassword">
<ClaimsProviderSelections>
<ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
</ClaimsProviderSelections>
</OrchestrationStep>
</OrchestrationSteps>
</UserJourney>
</UserJourneys>
<RelyingParty>
<DefaultUserJourney ReferenceId="B2CSignUpOrSignInWithPassword" />
<UserJourneyBehaviors>
<SingleSignOn Scope="Tenant" />
<SessionExpiryType>Rolling</SessionExpiryType>
<SessionExpiryInSeconds>86400</SessionExpiryInSeconds>
</UserJourneyBehaviors>
<TechnicalProfile Id="PolicyProfile">
<DisplayName>PolicyProfile</DisplayName>
<Protocol Name="OpenIdConnect" />
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="emails" />
<OutputClaim ClaimTypeReferenceId="objectId" />
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
<OutputClaim ClaimTypeReferenceId="newUser" />
<OutputClaim ClaimTypeReferenceId="surname" />
<OutputClaim ClaimTypeReferenceId="givenName" />
<OutputClaim ClaimTypeReferenceId="identityProvider" />
<OutputClaim ClaimTypeReferenceId="extension_Organization" />
<OutputClaim ClaimTypeReferenceId="extension_Service" />
<OutputClaim ClaimTypeReferenceId="extension_Department" />
<OutputClaim ClaimTypeReferenceId="trustFrameworkPolicy" Required="true" DefaultValue="{policy}" />
</OutputClaims>
<SubjectNamingInfo ClaimType="sub" />
</TechnicalProfile>
</RelyingParty>
</TrustFrameworkPolicy>
租户:www.onmicrosoft.com
base-v1
用户名
一串
名字
一串
姓
一串
服务名称
一串
音素
一次存在
代币发行人
3600
3600
1209600
7776000
authority和tenantguid
没有一个
自以为是的
Azure Active Directory
滚动的
86400
保单简介
不支持下载标准策略,然后上载它们(无论是否修改)。
看起来这就是您尝试的,使您的标准策略成为自定义策略。自定义策略在继承层次结构中不能有base-v1。base-v1策略严格用于标准策略
该错误表明您(现在)的自定义策略是从base-v1继承的。没错,我已尝试下载一个标准策略以将其克隆到另一个租户。那么这是绝对不可能的(即使你不修改它们)?这并不像上传策略那么简单。租户状态可能不同(例如,该租户中存在哪些扩展属性),租户范围内的B2C选项也可能不同(例如,配置了哪些IDP,社交IDP的客户端ID是什么,等等)。如果上载了冲突的策略,例如,一个依赖用户名,另一个依赖电子邮件地址,等等,该怎么办。要克服的挑战不胜枚举。因此,任何时候下载一个策略后,它都会被视为一个自定义策略。唉,这意味着需要为每个ADB2C实例(即生产与开发环境)手动设置每个配置设置,这与“基础架构即代码”原则背道而驰。这是目前正在投资的领域。我理解,预计将提供创建和编辑策略的编程方式。