Fatal编程技术网
  • azure-ad-b2c/
  • Azure ad b2c 在Azure B2C自定义策略中,持久化strongAuthenticationEmailAddress将重置strongAuthenticationPhoneNumber,反之亦然

Azure ad b2c 在Azure B2C自定义策略中,持久化strongAuthenticationEmailAddress将重置strongAuthenticationPhoneNumber,反之亦然

azure-ad-b2c

Azure ad b2c 在Azure B2C自定义策略中,持久化strongAuthenticationEmailAddress将重置strongAuthenticationPhoneNumber,反之亦然,azure-ad-b2c,azure-ad-b2c-custom-policy,Azure Ad B2c,Azure Ad B2c Custom Policy,通过修改策略()扩展文件中定义的“ProfileEditWithUsername”用户旅程,我可以编辑“strongAuthenticationEmailAddress”。我将strongAuthenticationEmailAddress保留在“AAD UserWriteProfileUsingObjectId”技术配置文件中,该技术配置文件被上述用户旅程用作编排步骤4中的验证配置文件 但是,我注意到,如果我运行更改strongAuthenticationEmailAddress的策略,电子邮

通过修改策略()扩展文件中定义的“ProfileEditWithUsername”用户旅程,我可以编辑“strongAuthenticationEmailAddress”。我将strongAuthenticationEmailAddress保留在“AAD UserWriteProfileUsingObjectId”技术配置文件中,该技术配置文件被上述用户旅程用作编排步骤4中的验证配置文件

但是,我注意到,如果我运行更改strongAuthenticationEmailAddress的策略,电子邮件将成功更改,但strongAuthenticationPhoneNumber&Alternate phone(用于身份验证)将设置为空。 类似地,我实现了编辑MFA电话号码策略(),使用该策略我可以编辑strongAuthenticationPhoneNumber,但它会将strongAuthenticationEmailAddress设置为空

<UserJourney Id="ProfileEditWithUsername">
    <OrchestrationSteps>
        <OrchestrationStep Order="1" Type="ClaimsProviderSelection" ContentDefinitionReferenceId="api.idpselections">
            <ClaimsProviderSelections>
                <ClaimsProviderSelection TargetClaimsExchangeId="LocalAccountSigninUsernameExchange" />
            </ClaimsProviderSelections>
        </OrchestrationStep>
        <OrchestrationStep Order="2" Type="ClaimsExchange">
            <ClaimsExchanges>
                <ClaimsExchange Id="LocalAccountSigninUsernameExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Username" />
            </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="3" Type="ClaimsExchange">
            <ClaimsExchanges>
                <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
            </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="4" Type="ClaimsExchange">
            <ClaimsExchanges>
                <ClaimsExchange Id="B2CUserProfileUpdateExchange" TechnicalProfileReferenceId="SelfAsserted-ProfileUpdate" />
            </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="5" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
    </OrchestrationSteps>
    <ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>

--------------------------------------------------
<TechnicalProfile Id="AAD-UserReadUsingObjectId">
    <Metadata>
        <Item Key="Operation">Read</Item>
        <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
    </Metadata>
    <IncludeInSso>false</IncludeInSso>
    <InputClaims>
        <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
    </InputClaims>
    <OutputClaims>
        <!-- Required claims -->
        <OutputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" />
        <OutputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress" />

        <!-- Optional claims -->
        <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" />
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="otherMails" />
        <OutputClaim ClaimTypeReferenceId="givenName" />
        <OutputClaim ClaimTypeReferenceId="surname" />

    </OutputClaims>
    <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>
-------------------------------------------------
<TechnicalProfile Id="SelfAsserted-ProfileUpdate">
    <DisplayName>User ID signup</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <Metadata>
        <Item Key="ContentDefinitionReferenceId">api.selfasserted.profileupdate</Item>
    </Metadata>
    <IncludeInSso>false</IncludeInSso>
    <InputClaims>
        <InputClaim ClaimTypeReferenceId="alternativeSecurityId" />
        <InputClaim ClaimTypeReferenceId="userPrincipalName" />
        <!-- Optional claims. These claims are collected from the user and can be modified. Any claim added here should be updated in the
                 ValidationTechnicalProfile referenced below so it can be written to directory after being updateed by the user, i.e. AAD-UserWriteProfileUsingObjectId. -->
        <InputClaim ClaimTypeReferenceId="givenName" />
        <InputClaim ClaimTypeReferenceId="surname" />
        <InputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress" />


    </InputClaims>
    <OutputClaims>
        <!-- Required claims -->
        <OutputClaim ClaimTypeReferenceId="executed-SelfAsserted-Input" DefaultValue="true" />
        <!-- Optional claims. These claims are collected from the user and can be modified. Any claim added here should be updated in the
                 ValidationTechnicalProfile referenced below so it can be written to directory after being updateed by the user, i.e. AAD-UserWriteProfileUsingObjectId. -->
        <OutputClaim ClaimTypeReferenceId="givenName" />
        <OutputClaim ClaimTypeReferenceId="surname" />
        <OutputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress" />


    </OutputClaims>
    <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="AAD-UserWriteProfileUsingObjectId" />
    </ValidationTechnicalProfiles>
</TechnicalProfile>
---------------------------------------------------------------------------
<TechnicalProfile Id="AAD-UserWriteProfileUsingObjectId">
    <Metadata>
        <Item Key="Operation">Write</Item>
        <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">false</Item>
        <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
    </Metadata>
    <IncludeInSso>false</IncludeInSso>
    <InputClaims>
        <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
    </InputClaims>
    <PersistedClaims>
        <!-- Required claims -->
        <PersistedClaim ClaimTypeReferenceId="objectId" />

        <!-- Optional claims -->
        <PersistedClaim ClaimTypeReferenceId="givenName" />
        <PersistedClaim ClaimTypeReferenceId="surname" />
        <PersistedClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress" />

    </PersistedClaims>
    <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>


--------------------------------------------------
阅读
真的
假的
-------------------------------------------------
用户ID注册
api.selfasserted.profileupdate
假的
---------------------------------------------------------------------------
写
假的
真的
假的
我记得我也遇到过同样令人沮丧的问题

如果您在TechnicalProfile中保留其中一个strong身份验证字段,它将清除任何其他strong身份验证字段,除非您也保留这些字段

因此,无论您在哪里持久化一个strong身份验证字段,都要将它们全部持久化。在您的示例中,您的技术配置文件“AAD UserWriteProfileUsingObjectId”应该如下所示:

<TechnicalProfile Id="AAD-UserWriteProfileUsingObjectId">
<Metadata>
    <Item Key="Operation">Write</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">false</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
</Metadata>
<IncludeInSso>false</IncludeInSso>
<InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
</InputClaims>
<PersistedClaims>
    <!-- Required claims -->
    <PersistedClaim ClaimTypeReferenceId="objectId" />

    <!-- Optional claims -->
    <PersistedClaim ClaimTypeReferenceId="givenName" />
    <PersistedClaim ClaimTypeReferenceId="surname" />
    <PersistedClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress" />
    
    <!-- *** NEW LINE *** -->
    <PersistedClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" />
</PersistedClaims>
<IncludeTechnicalProfile ReferenceId="AAD-Common" />


写
假的
真的
假的
请注意,在strongAuthenticationPhoneNumber的PersistedClaims中添加了新行

在模式中还有另一个地方发生了这种情况,它与signInNames集合在一起。如果您坚持使用signInNames.username之类的内容,那么它将清除任何其他signInNames(如signInNames.emailaddress),除非您也坚持使用signInNames.emailaddress,所以请注意这一点