Azure ad b2c Azure B2C SAML自定义策略断言电子邮件

我已经通过SAML成功地将Azure B2C设置为IDP，并且我正在正确地返回givenName、objectId、姓氏、userPrincipalName的断言

当用户通过注册过程时，比如说使用电子邮件地址jdoe@company.com，在B2C中自动生成upn，格式为guid@b2ctenant.onmicrosoft.com.

在这种情况下，我想获得实际的登录电子邮件地址jdoe@company.com在SAML断言中

我尝试了以下所有选项，但SAML断言没有电子邮件地址

<OutputClaim ClaimTypeReferenceId="givenName" />
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
<OutputClaim ClaimTypeReferenceId="surname" />
<OutputClaim ClaimTypeReferenceId="email"/>
<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress"/>
<OutputClaim ClaimTypeReferenceId="otherMails"/>

在Chris Padgett的回应后发生了变化。但仍然没有电子邮件

<ClaimType Id="email">
 <DisplayName>Email Address</DisplayName>
 <DataType>string</DataType>
 <DefaultPartnerClaimTypes>
   <Protocol Name="OAuth2" PartnerClaimType="email" />
   <Protocol Name="OpenIdConnect" PartnerClaimType="email" />
   <Protocol Name="SAML2" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email" />
  </DefaultPartnerClaimTypes>


<TechnicalProfile Id="AAD-UserReadUsingObjectId">
 ...
 <OutputClaims>
 <OutputClaim ClaimTypeReferenceId="displayName" />
 <OutputClaim ClaimTypeReferenceId="otherMails" />
 <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" />
 <OutputClaim ClaimTypeReferenceId="givenName" />
 <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
 <OutputClaim ClaimTypeReferenceId="surname" />


<UserJourney Id="SignInSaml">
    <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="ClaimsExchange">
        <ClaimsExchanges>
        <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
        </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
        <Preconditions>
        <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
            <Value>authenticationSource</Value>
            <Value>socialIdpAuthentication</Value>
            <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
        </Preconditions>
        <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
        </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="Saml2AssertionIssuer" />
    </OrchestrationSteps>
    <ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>


<RelyingParty>
<DefaultUserJourney ReferenceId="SignInSaml" />
<UserJourneyBehaviors>
    <JourneyInsights TelemetryEngine="ApplicationInsights" InstrumentationKey="key" DeveloperMode="true" ClientEnabled="true" ServerEnabled="true" TelemetryVersion="1.0.0" />
</UserJourneyBehaviors>
<TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="SAML2" />
    <SubjectAuthenticationRequirements TimeToLive="40000" ResetExpiryWhenTokenIssued="false" />
    <Metadata>
    <Item Key="PartnerEntity"><![CDATA[<md:EntityDescriptor 
        xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2026-12-27T23:42:22.079Z" entityID="someentityid" 
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><md:SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sptest.iamshowcase.com/acs" index="0" isDefault="true"/></md:SPSSODescriptor></md:EntityDescriptor>]]></Item>
    </Metadata>
    <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="givenName" />
    <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
    <OutputClaim ClaimTypeReferenceId="surname" />
    <OutputClaim ClaimTypeReferenceId="email" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
</TechnicalProfile>
</RelyingParty>

电子邮件地址
一串
...
认证源
社交身份验证
SkipThisOrchestrationStep
保单简介
urn:oasis:names:tc:SAML:1.1:nameid格式：未指定]]>

1）确保使用SAML2协议的声明类型声明电子邮件声明声明：

电子邮件地址
一串
...

2） 确保AAD UserReadUsingObjectId技术配置文件将电子邮件声明作为输出声明读取：

...
...
...

根据您的建议更新了配置。我以前没有SAML2 claimtype，但完全按照您的说明添加它仍然没有任何电子邮件输出。更新了描述中的配置。Hi@Afroz. 感谢您更新上述问题。您是否可以包括

的技术配置文件XML以及*signsAML用户旅程编排步骤？