azure-ad-b2c - Azure B2C SAML 自定义策略断言电子邮件

问题描述

我已成功通过 SAML 将 Azure B2C 设置为 IDP，并且我正确地取回了 givenName、objectId、surname、userPrincipalName 的断言。

当用户通过电子邮件地址 jdoe@company.com 完成注册过程时，会在 B2C 中自动生成格式为 guid@b2ctenant.onmicrosoft.com 的 upn。

我想获得实际的登录电子邮件地址，在本例中为 SAML 断言中的 jdoe@company.com。

我已经尝试了以下所有选项，但 SAML 断言没有电子邮件地址。

<OutputClaim ClaimTypeReferenceId="givenName" />
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
<OutputClaim ClaimTypeReferenceId="surname" />
<OutputClaim ClaimTypeReferenceId="email"/>
<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress"/>
<OutputClaim ClaimTypeReferenceId="otherMails"/>

在 Chris Padgett 的回应后改变了。但仍然没有电子邮件。

<ClaimType Id="email">
 <DisplayName>Email Address</DisplayName>
 <DataType>string</DataType>
 <DefaultPartnerClaimTypes>
   <Protocol Name="OAuth2" PartnerClaimType="email" />
   <Protocol Name="OpenIdConnect" PartnerClaimType="email" />
   <Protocol Name="SAML2" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email" />
  </DefaultPartnerClaimTypes>


<TechnicalProfile Id="AAD-UserReadUsingObjectId">
 ...
 <OutputClaims>
 <OutputClaim ClaimTypeReferenceId="displayName" />
 <OutputClaim ClaimTypeReferenceId="otherMails" />
 <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" />
 <OutputClaim ClaimTypeReferenceId="givenName" />
 <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
 <OutputClaim ClaimTypeReferenceId="surname" />


<UserJourney Id="SignInSaml">
    <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="ClaimsExchange">
        <ClaimsExchanges>
        <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
        </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
        <Preconditions>
        <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
            <Value>authenticationSource</Value>
            <Value>socialIdpAuthentication</Value>
            <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
        </Preconditions>
        <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
        </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="Saml2AssertionIssuer" />
    </OrchestrationSteps>
    <ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>


<RelyingParty>
<DefaultUserJourney ReferenceId="SignInSaml" />
<UserJourneyBehaviors>
    <JourneyInsights TelemetryEngine="ApplicationInsights" InstrumentationKey="key" DeveloperMode="true" ClientEnabled="true" ServerEnabled="true" TelemetryVersion="1.0.0" />
</UserJourneyBehaviors>
<TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="SAML2" />
    <SubjectAuthenticationRequirements TimeToLive="40000" ResetExpiryWhenTokenIssued="false" />
    <Metadata>
    <Item Key="PartnerEntity"><![CDATA[<md:EntityDescriptor 
        xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2026-12-27T23:42:22.079Z" entityID="someentityid" 
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><md:SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sptest.iamshowcase.com/acs" index="0" isDefault="true"/></md:SPSSODescriptor></md:EntityDescriptor>]]></Item>
    </Metadata>
    <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="givenName" />
    <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
    <OutputClaim ClaimTypeReferenceId="surname" />
    <OutputClaim ClaimTypeReferenceId="email" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
</TechnicalProfile>
</RelyingParty>

标签： azure-ad-b2c