Question
I have an existing application "A" using an Azure AD B2C tenant. During registration, users have been asked to enter a number (specific to this application "A") that is stored in a claim with the name "NumberA".
Now I want to create a new application "B", and I want the existing users of my tenant to be able to log into application "B". But before they can use it, they have to be prompted to enter a new number (specific to application "B") that is stored in a claim with the name "NumberB".
When new users of application "B" register themselves, they only have to enter the number for "B".
I think this must be possible, but I am not sure how to do this.
Create a new custom policy "B2C_AppB_signup_signin"? And then add a new claim "NumberB" in a new "Extensions" file and "override" the technical profiles (AAD-UserWriteUsingLogonEmail, AAD-UserReadUsingEmailAddress etc.)?
Or is this the wrong path?
Recommended answer
You are on the right track.
This can be implemented by creating two user journeys -- one for Application A and another for Application B -- and then adding a ClaimsExist precondition to an orchestration step in both user journeys that prompts for the application-specific claim.
For example: for Application B's sign-up or sign-in user journey, you can add the following orchestration step after the user object is read from Azure Active Directory (after either the end user has signed in with an existing account or signed up with a new account). It checks whether the "extension_NumberB" claim exists for this user object and, if not, prompts for it:

    <OrchestrationStep Order="4" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>extension_NumberB</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="SelfAssertedApplicationBRegistrationExchange" TechnicalProfileReferenceId="SelfAsserted-ApplicationB-Registration" />
      </ClaimsExchanges>
    </OrchestrationStep>
Then add the "SelfAsserted-ApplicationB-Registration" technical profile:

    <TechnicalProfile Id="SelfAsserted-ApplicationB-Registration">
      <DisplayName>Application B Registration</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="ContentDefinitionReferenceId">api.selfasserted.applicationb.registration</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
      </CryptographicKeys>
      <IncludeInSso>false</IncludeInSso>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="extension_NumberB" Required="true" />
      </OutputClaims>
      <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="AAD-UserWriteProfileUsingObjectId" />
      </ValidationTechnicalProfiles>
    </TechnicalProfile>
You will then have to add the "extension_NumberB" claim as an <OutputClaim /> for the "AAD-UserReadUsingObjectId" technical profile and as a <PersistedClaim /> for the "AAD-UserWriteProfileUsingObjectId" technical profile.
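The last step above, written out as an added example (not part of the original answer): the fragments that go into the TrustFrameworkExtensions file to declare the extension_NumberB claim type and to extend the two built-in Azure AD technical profiles so the claim is read on sign-in and persisted after the self-asserted page. The DisplayName, UserHelpText and the "Azure Active Directory" claims-provider name follow the B2C starter pack; the content definition api.selfasserted.applicationb.registration is assumed to be declared elsewhere in the same file.

```xml
<!-- Added example: fragments for TrustFrameworkExtensions.xml -->
<BuildingBlocks>
  <ClaimsSchema>
    <!-- Declare the custom attribute; B2C stores it as an extension attribute
         on the user object, which is why the read/write profiles below must know it. -->
    <ClaimType Id="extension_NumberB">
      <DisplayName>Application B number</DisplayName>
      <DataType>string</DataType>
      <UserHelpText>Your number for application B.</UserHelpText>
      <UserInputType>TextBox</UserInputType>
    </ClaimType>
  </ClaimsSchema>
</BuildingBlocks>

<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Azure Active Directory</DisplayName>
    <TechnicalProfiles>
      <!-- Read the claim from the directory so the ClaimsExist precondition in the
           orchestration step sees it for returning users and skips the prompt. -->
      <TechnicalProfile Id="AAD-UserReadUsingObjectId">
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="extension_NumberB" />
        </OutputClaims>
      </TechnicalProfile>

      <!-- Persist the claim when SelfAsserted-ApplicationB-Registration validates
           against this profile; without PersistedClaim the value is never written. -->
      <TechnicalProfile Id="AAD-UserWriteProfileUsingObjectId">
        <PersistedClaims>
          <PersistedClaim ClaimTypeReferenceId="extension_NumberB" />
        </PersistedClaims>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
```

Because the precondition evaluates the claim as read from the directory rather than anything supplied by the client, a user cannot skip the Application B prompt by presenting a token from Application A.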
This concludes the article on how to prompt for a new claim for a new application using the same Azure AD B2C tenant. We hope the recommended answer is helpful, and we appreciate your continued support.