时间戳

首页 > 解决方案 > 通过自定义策略 AAD 写入创建 Azure B2C 帐户将用户创建为已锁定

azure-ad-b2c - 通过自定义策略 AAD 写入创建 Azure B2C 帐户将用户创建为已锁定

问题描述

我正在尝试通过即时迁移创建登录流程。通过 REST API 验证用户后,我需要通过 AAD 写入验证技术配置文件将用户写入目录。它工作正常,但它将帐户创建为“锁定” - 当我进入门户时,我看到“阻止登录 = YES”

可能是什么原因?我使用相同的技术配置文件,它在注册流程中运行良好

以下是我在本地登录技术配置文件中执行的技术配置文件

 <TechnicalProfile Id="AAD-UserWriteUsingLogonEmail-Migrate">
      <Metadata>
        <Item Key="Operation">Write</Item>
        <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">true</Item>
      </Metadata>
      <IncludeInSso>false</IncludeInSso>
      <InputClaims>
         <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.emailAddress" Required="true" />  

      </InputClaims>
      <PersistedClaims>
        <!-- Required claims -->

          <PersistedClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.emailAddress" />   

        <PersistedClaim ClaimTypeReferenceId="newPassword" PartnerClaimType="password" />
        <PersistedClaim ClaimTypeReferenceId="displayName" DefaultValue="unknown" />
        <PersistedClaim ClaimTypeReferenceId="passwordPolicies" DefaultValue="DisablePasswordExpiration" />
        <!-- Optional claims. -->
        <PersistedClaim ClaimTypeReferenceId="givenName" />
        <PersistedClaim ClaimTypeReferenceId="surname" />
        <PersistedClaim ClaimTypeReferenceId="jobTitle" />
        <PersistedClaim ClaimTypeReferenceId="extension_Phone" /> 
        <PersistedClaim ClaimTypeReferenceId="extension_companyId" />
        <PersistedClaim ClaimTypeReferenceId="extension_companyName" />
        <PersistedClaim ClaimTypeReferenceId="extension_communicationOptin" /> 
        <PersistedClaim ClaimTypeReferenceId="streetAddress" />
        <PersistedClaim ClaimTypeReferenceId="city" />
        <PersistedClaim ClaimTypeReferenceId="state" />
        <PersistedClaim ClaimTypeReferenceId="postalCode" />
        <PersistedClaim ClaimTypeReferenceId="country" /> 
      </PersistedClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" />
        <OutputClaim ClaimTypeReferenceId="newUser" PartnerClaimType="newClaimsPrincipalCreated" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
        <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
        <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" />
        <OutputClaim ClaimTypeReferenceId="executed-SelfAsserted-Input" DefaultValue="true" />
      </OutputClaims>
      <IncludeTechnicalProfile ReferenceId="AAD-Common" />
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
    </TechnicalProfile>

标签: azure-ad-b2c

解决方案

...

        <PersistedClaim ClaimTypeReferenceId="newPassword" PartnerClaimType="password" />

...

事实证明,“newpassword”声明不可用,因为我在自我断言登录步骤中收集的声明是“password”。添加“PartnerClaimType=password”并没有将“password”复制到“newpassword”声明中。

解决方案是简单地将“newpassword”重命名为“password”并且流程运行良好

        <PersistedClaim ClaimTypeReferenceId="password" />

正如克里斯评论的那样,当密码不存在时,AAD Write 仍然创建用户,但将其创建为禁用 - 我认为这不应该发生,B2C 应该给出有意义的错误消息

推荐阅读