Azure ad b2c 启用用户名登录流时,阻止Azure B2C用户使用电子邮件地址登录
我在Azure AD B2C中设置了一些自定义策略,其中一个是用户使用用户名登录的流。我参考了以下内容。我的问题是,以前使用电子邮件地址设置的用户也可以使用其电子邮件地址作为用户名通过用户名流登录。我想阻止这一切 以下是我的前两个Azure ad b2c 启用用户名登录流时,阻止Azure B2C用户使用电子邮件地址登录,azure-ad-b2c,azure-ad-b2c-custom-policy,Azure Ad B2c,Azure Ad B2c Custom Policy,我在Azure AD B2C中设置了一些自定义策略,其中一个是用户使用用户名登录的流。我参考了以下内容。我的问题是,以前使用电子邮件地址设置的用户也可以使用其电子邮件地址作为用户名通过用户名流登录。我想阻止这一切 以下是我的前两个UserJourney步骤: <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="ap
UserJourney
步骤:
<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
<ClaimsProviderSelections>
<ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
</ClaimsProviderSelections>
<ClaimsExchanges>
<ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Username" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="2" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimsExist" ExecuteActionsIf="true">
<Value>objectId</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="SignUpWithLogonUsernameExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonName" />
</ClaimsExchanges>
</OrchestrationStep>
SignUpTarget
元数据引用的是SignUpWithLogonUsernameExchange
,其技术配置文件为LocalAccountSignUpWithLogonName
,如UserTravel
的步骤二所示
<TechnicalProfile Id="LocalAccountSignUpWithLogonName">
<DisplayName>Username signup</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="IpAddressClaimReferenceId">IpAddress</Item>
<Item Key="ContentDefinitionReferenceId">api.localaccountsignup</Item>
<Item Key="LocalAccountType">Username</Item>
<Item Key="LocalAccountProfile">true</Item>
<Item Key="language.button_continue">Create</Item>
</Metadata>
<CryptographicKeys>
<Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
</CryptographicKeys>
<InputClaims>
<InputClaim ClaimTypeReferenceId="signInName" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="objectId" />
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true" />
<OutputClaim ClaimTypeReferenceId="newPassword" Required="true" />
<OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true" />
<OutputClaim ClaimTypeReferenceId="executed-SelfAsserted-Input" DefaultValue="true" />
<OutputClaim ClaimTypeReferenceId="authenticationSource" />
<OutputClaim ClaimTypeReferenceId="newUser" />
<!-- Optional claims, to be collected from the user -->
<OutputClaim ClaimTypeReferenceId="displayName" />
<OutputClaim ClaimTypeReferenceId="givenName" />
<OutputClaim ClaimTypeReferenceId="surName" />
</OutputClaims>
<ValidationTechnicalProfiles>
<ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingLogonName" />
</ValidationTechnicalProfiles>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>
以下是每个用户的身份:
用户1
"identities":[
{
"signInType":"emailAddress",
"issuer":"{tenant}.onmicrosoft.com",
"issuerAssignedId":"userOne@yahoo.com"
},
{
"signInType":"userPrincipalName",
"issuer":"{tenant}.onmicrosoft.com",
"issuerAssignedId":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX@{tenant}.onmicrosoft.com"
}
]
用户2:
"identities":[
{
"signInType":"userName",
"issuer":"{tenant}.onmicrosoft.com",
"issuerAssignedId":"userTwo"
},
{
"signInType":"userPrincipalName",
"issuer":"{tenant}.onmicrosoft.com",
"issuerAssignedId":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX@{tenant}.onmicrosoft.com"
}
]
感谢您的帮助。在登录技术配置文件中,使用signInNames.username添加验证技术配置文件以读取帐户。配置其元数据以在用户不存在时引发错误。在登录非交互验证技术配置文件之前插入此项
<TechnicalProfile Id="AAD-UserWriteUsingLogonName">
<Metadata>
<Item Key="Operation">Write</Item>
<Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">true</Item>
</Metadata>
<IncludeInSso>false</IncludeInSso>
<InputClaims>
<InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.userName" Required="true" />
</InputClaims>
<PersistedClaims>
<!-- Required claims -->
<PersistedClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.userName" />
<PersistedClaim ClaimTypeReferenceId="email" PartnerClaimType="strongAuthenticationEmailAddress" />
<PersistedClaim ClaimTypeReferenceId="newPassword" PartnerClaimType="password" />
<PersistedClaim ClaimTypeReferenceId="displayName" DefaultValue="unknown" />
<PersistedClaim ClaimTypeReferenceId="passwordPolicies" DefaultValue="DisablePasswordExpiration" />
<!-- Optional claims. -->
<PersistedClaim ClaimTypeReferenceId="givenName" />
<PersistedClaim ClaimTypeReferenceId="surname" />
</PersistedClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="objectId" />
<OutputClaim ClaimTypeReferenceId="newUser" PartnerClaimType="newClaimsPrincipalCreated" />
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
<OutputClaim ClaimTypeReferenceId="userPrincipalName" />
<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" />
</OutputClaims>
<IncludeTechnicalProfile ReferenceId="AAD-Common" />
<UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>
解决方案:
阅读
真的
剪
剪
参考文献:我不熟悉如何执行此操作。我知道如何创建验证技术配置文件,但不知道如何使用元数据键抛出错误。我在我的AAD UserWriteUsingLogonName中有signInNames.username作为输入声明,但我不确定这是否就是你所要求的“使用signInNames.username读取帐户”。我对此有点陌生。添加了完整的解决方案。您的问题与
AAD UserWriteUsingLogonName
没有多大关系,只是它解释了您在注册时在何处写入用户名标识符(signInNames.username
)。默认登录技术配置文件与所有签名匹配。在登录前插入一个读取操作,该操作是非交互式的,通过signInNames.username
显式读取用户更显式。啊!我现在明白了。很高兴知道,如果输入声明不存在,您可以设置读取,然后使用raise error键抛出错误。谢谢你的帮助。
"identities":[
{
"signInType":"userName",
"issuer":"{tenant}.onmicrosoft.com",
"issuerAssignedId":"userTwo"
},
{
"signInType":"userPrincipalName",
"issuer":"{tenant}.onmicrosoft.com",
"issuerAssignedId":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX@{tenant}.onmicrosoft.com"
}
]