azure-ad-b2c - Azure B2C SAML custom policy: email in the assertion
Problem description
I have successfully set up Azure B2C as an IdP over SAML, and I correctly get back assertions for givenName, objectId, surname and userPrincipalName.
When a user completes the sign-up process with the email address jdoe@company.com, a UPN of the form guid@b2ctenant.onmicrosoft.com is generated automatically in B2C.
I want the actual sign-in email address, in this case jdoe@company.com, in the SAML assertion.
I have tried all of the following options, but the SAML assertion has no email address.
<OutputClaim ClaimTypeReferenceId="givenName" />
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
<OutputClaim ClaimTypeReferenceId="surname" />
<OutputClaim ClaimTypeReferenceId="email"/>
<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress"/>
<OutputClaim ClaimTypeReferenceId="otherMails"/>
Changed after Chris Padgett's response, but still no email.
<ClaimType Id="email">
<DisplayName>Email Address</DisplayName>
<DataType>string</DataType>
<DefaultPartnerClaimTypes>
<Protocol Name="OAuth2" PartnerClaimType="email" />
<Protocol Name="OpenIdConnect" PartnerClaimType="email" />
<Protocol Name="SAML2" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email" />
</DefaultPartnerClaimTypes>
...
</ClaimType>
<TechnicalProfile Id="AAD-UserReadUsingObjectId">
...
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="displayName" />
<OutputClaim ClaimTypeReferenceId="otherMails" />
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" />
<OutputClaim ClaimTypeReferenceId="givenName" />
<OutputClaim ClaimTypeReferenceId="userPrincipalName" />
<OutputClaim ClaimTypeReferenceId="surname" />
</OutputClaims>
...
</TechnicalProfile>
<UserJourney Id="SignInSaml">
<OrchestrationSteps>
<OrchestrationStep Order="1" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="2" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimEquals" ExecuteActionsIf="true">
<Value>authenticationSource</Value>
<Value>socialIdpAuthentication</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="Saml2AssertionIssuer" />
</OrchestrationSteps>
<ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>
<RelyingParty>
<DefaultUserJourney ReferenceId="SignInSaml" />
<UserJourneyBehaviors>
<JourneyInsights TelemetryEngine="ApplicationInsights" InstrumentationKey="key" DeveloperMode="true" ClientEnabled="true" ServerEnabled="true" TelemetryVersion="1.0.0" />
</UserJourneyBehaviors>
<TechnicalProfile Id="PolicyProfile">
<DisplayName>PolicyProfile</DisplayName>
<Protocol Name="SAML2" />
<SubjectAuthenticationRequirements TimeToLive="40000" ResetExpiryWhenTokenIssued="false" />
<Metadata>
<Item Key="PartnerEntity"><![CDATA[<md:EntityDescriptor
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2026-12-27T23:42:22.079Z" entityID="someentityid"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><md:SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sptest.iamshowcase.com/acs" index="0" isDefault="true"/></md:SPSSODescriptor></md:EntityDescriptor>]]></Item>
</Metadata>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="givenName" />
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
<OutputClaim ClaimTypeReferenceId="surname" />
<OutputClaim ClaimTypeReferenceId="email" />
</OutputClaims>
<SubjectNamingInfo ClaimType="sub" />
</TechnicalProfile>
</RelyingParty>
Solution
1) Make sure the email claim type is declared with a SAML2 protocol partner claim type:
<ClaimType Id="email">
<DisplayName>Email Address</DisplayName>
<DataType>string</DataType>
<DefaultPartnerClaimTypes>
<Protocol Name="OAuth2" PartnerClaimType="email" />
<Protocol Name="OpenIdConnect" PartnerClaimType="email" />
<Protocol Name="SAML2" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email" />
</DefaultPartnerClaimTypes>
...
</ClaimType>
2) Make sure the email claim is read as an output claim by the AAD-UserReadUsingObjectId technical profile:
<TechnicalProfile Id="AAD-UserReadUsingObjectId">
...
<OutputClaims>
...
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" />
</OutputClaims>
...
</TechnicalProfile>
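The answer's two conditions (plus the relying party actually listing the claim) are easy to get wrong when a policy is spread across base, extension and relying-party files, so the following added example (not part of the question or answer, and not Microsoft's tooling) lints a B2C custom policy for exactly those three points. It assumes the policy has been merged into one document; the namespace-agnostic matching means it does not depend on the TrustFrameworkPolicy namespace URI, and the sample policy embedded below is constructed for the demonstration.

```python
"""Lint an Azure AD B2C custom policy for the three settings that put the
sign-in email into a SAML assertion (added example; assumes a merged policy)."""
import xml.etree.ElementTree as ET

SAML_EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email"

# Constructed sample: a trimmed policy carrying only the elements the checks need.
SAMPLE_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <BuildingBlocks>
    <ClaimsSchema>
      <ClaimType Id="email">
        <DisplayName>Email Address</DisplayName>
        <DataType>string</DataType>
        <DefaultPartnerClaimTypes>
          <Protocol Name="OAuth2" PartnerClaimType="email" />
          <Protocol Name="SAML2" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email" />
        </DefaultPartnerClaimTypes>
      </ClaimType>
    </ClaimsSchema>
  </BuildingBlocks>
  <ClaimsProviders>
    <ClaimsProvider>
      <TechnicalProfiles>
        <TechnicalProfile Id="AAD-UserReadUsingObjectId">
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" />
          </OutputClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
  <RelyingParty>
    <TechnicalProfile Id="PolicyProfile">
      <Protocol Name="SAML2" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="email" />
      </OutputClaims>
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>
"""

# Constructed negative case: the SAML2 mapping and the signInNames source are missing.
BROKEN_POLICY = SAMPLE_POLICY.replace(
    '<Protocol Name="SAML2" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email" />', ""
).replace(' PartnerClaimType="signInNames.emailAddress"', "")


def local(tag):
    """Strip the namespace from an ElementTree tag ('{ns}Name' -> 'Name')."""
    return tag.rsplit("}", 1)[-1]


def find_all(root, name):
    """All descendants (including root) whose local tag name is `name`."""
    return [e for e in root.iter() if local(e.tag) == name]


def lint_policy(xml_text):
    """Return a list of findings; an empty list means the email claim should reach the assertion."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1) The 'email' ClaimType must map to the SAML2 email claim URI, otherwise
    #    the issuer has no attribute name under which to emit it.
    claim = next((c for c in find_all(root, "ClaimType") if c.get("Id") == "email"), None)
    if claim is None:
        findings.append("ClaimType 'email' is not declared in the ClaimsSchema")
    else:
        saml = [p for p in find_all(claim, "Protocol") if p.get("Name") == "SAML2"]
        if not saml:
            findings.append("ClaimType 'email': no SAML2 entry in DefaultPartnerClaimTypes")
        elif saml[0].get("PartnerClaimType") != SAML_EMAIL_CLAIM:
            findings.append("ClaimType 'email': SAML2 PartnerClaimType is not the email claim URI")

    # 2) The directory read must fill 'email' from signInNames.emailAddress; without it
    #    the claims bag only holds the synthetic guid@tenant UPN.
    tp = next((t for t in find_all(root, "TechnicalProfile")
               if t.get("Id") == "AAD-UserReadUsingObjectId"), None)
    if tp is None:
        findings.append("TechnicalProfile 'AAD-UserReadUsingObjectId' not found")
    else:
        out = [o for o in find_all(tp, "OutputClaim") if o.get("ClaimTypeReferenceId") == "email"]
        if not out:
            findings.append("AAD-UserReadUsingObjectId: 'email' is not an OutputClaim")
        elif out[0].get("PartnerClaimType") != "signInNames.emailAddress":
            findings.append("AAD-UserReadUsingObjectId: 'email' OutputClaim lacks "
                            'PartnerClaimType="signInNames.emailAddress"')

    # 3) The relying-party profile must list 'email', or the issuer never emits it.
    rp = next(iter(find_all(root, "RelyingParty")), None)
    rp_out = [] if rp is None else [o for o in find_all(rp, "OutputClaim")
                                    if o.get("ClaimTypeReferenceId") == "email"]
    if not rp_out:
        findings.append("RelyingParty: 'email' is not in the PolicyProfile OutputClaims")
    return findings


if __name__ == "__main__":
    for name, policy in (("sample", SAMPLE_POLICY), ("broken", BROKEN_POLICY)):
        print(name, "->", lint_policy(policy) or "OK")
```

Run it against a merged export of your own policy (read the file and pass its text to `lint_policy`); the three findings map one-to-one onto the claim type declaration, the directory read and the relying-party output list, which is the order in which the claim has to flow before it can appear in the assertion.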