azure-ad-b2c - Azure AD B2C - 具有 HRD、域提示和 MFA 的自定义策略
问题描述
我正在尝试构建一个使用家庭领域发现和域提示的 B2C 自定义策略。
我们有 2 个角色。
- 在 B2C 中使用 MFA 进行身份验证的本地用户
- 必须重定向到其公司登录页面的外部用户。
用例:
用户被重定向到
https://customdomain.b2clogin.com
(没有域提示)。用户会看到一个登录页面,询问email
地址并取决于用户类型:B2C 的本地用户在我们的 B2C 页面 (customdomain.b2clogin.com) 中进行身份验证。首先,用户输入电子邮件地址,然后
Next
用户输入密码,最后输入 MFA 的代码(在手机上收到)。外部用户首先输入他们的电子邮件,然后 B2C 必须自动将用户重定向到联合身份提供商以登录。
用户被重定向到
https://customdomain.b2clogin.com/?domain_hint=xyz.com
(带有域提示)- 在这种情况下,我们希望用户被自动重定向到
xyz.com
身份提供者。用户不应该看到我们的登录页面customdomain.b2clogin.com
- 在这种情况下,我们希望用户被自动重定向到
我试过的:
通过home-realm-discovery-modern
取样(https://github.com/azure-ad-b2c/samples/tree/master/policies/home-realm-discovery-modern)我让 HRD 正常工作(第 1 点)
通过获取SocialAndLocalAccountsWithMfa
B2C 入门包中的示例,我可以domain_hint
免费获得重定向(上面的第 2 点)。
但是,我未能将两者结合在一起以使两者都能正常工作(domain_hint 和 HRD)。
这是用户旅程:
<UserJourneys>
<UserJourney Id="SignIn">
<OrchestrationSteps>
<OrchestrationStep Order="1" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="ParseDomainHint" TechnicalProfileReferenceId="ParseDomainHint" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="2" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimEquals" ExecuteActionsIf="true">
<Value>isKnownCustomer</Value>
<Value>True</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="SigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-Signin-Email" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="3" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimEquals" ExecuteActionsIf="true">
<Value>isKnownCustomer</Value>
<Value>True</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="ParseDomainHintLogic" TechnicalProfileReferenceId="HRDLogic" />
</ClaimsExchanges>
</OrchestrationStep>
<!-- If the domain_hint did not match any known domain, then redirect to a default local account sign in-->
<OrchestrationStep Order="4" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
<Preconditions>
<Precondition Type="ClaimEquals" ExecuteActionsIf="true">
<Value>isKnownCustomer</Value>
<Value>True</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsProviderSelections>
<ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
</ClaimsProviderSelections>
<ClaimsExchanges>
<ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
</ClaimsExchanges>
</OrchestrationStep>
<!-- dont run this step if the domain was known, or we have an objectid (local account sign in)-->
<OrchestrationStep Order="5" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimsExist" ExecuteActionsIf="true">
<Value>objectId</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
<Precondition Type="ClaimEquals" ExecuteActionsIf="true">
<Value>isKnownCustomer</Value>
<Value>true</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
</ClaimsExchanges>
</OrchestrationStep>
<!-- If the domain matched any known domain, then this step will have a single IdP
enabled due to each known IdP TP having an enablement flag via identityProviders claim -->
<OrchestrationStep Order="6" Type="ClaimsProviderSelection" ContentDefinitionReferenceId="api.idpselections">
<Preconditions>
<Precondition Type="ClaimEquals" ExecuteActionsIf="false">
<Value>isKnownCustomer</Value>
<Value>True</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsProviderSelections>
<ClaimsProviderSelection TargetClaimsExchangeId="AADOIDC" />
<ClaimsProviderSelection TargetClaimsExchangeId="MSAOIDC" />
</ClaimsProviderSelections>
</OrchestrationStep>
<OrchestrationStep Order="7" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimsExist" ExecuteActionsIf="true">
<Value>objectId</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
<Precondition Type="ClaimEquals" ExecuteActionsIf="false">
<Value>isKnownCustomer</Value>
<Value>true</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="AADOIDC" TechnicalProfileReferenceId="AAD-OIDC" />
<ClaimsExchange Id="MSAOIDC" TechnicalProfileReferenceId="MSA-OIDC" />
</ClaimsExchanges>
</OrchestrationStep>
<!-- For social IDP authentication, attempt to find the user account in the directory. -->
<OrchestrationStep Order="8" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimEquals" ExecuteActionsIf="false">
<Value>isKnownCustomer</Value>
<Value>True</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />
</ClaimsExchanges>
</OrchestrationStep>
<!-- Still dont have objectId (social idp user that doesnt yet exist) - write the account -->
<OrchestrationStep Order="9" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimsExist" ExecuteActionsIf="true">
<Value>objectId</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="10" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimEquals" ExecuteActionsIf="true">
<Value>isKnownCustomer</Value>
<Value>True</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
</ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="11" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
</OrchestrationSteps>
<ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>
</UserJourneys>
我错过了什么?
解决方案
我们设法让 Home Realm Discovery (HRD) 和 Domain Hints 在自定义策略中协同工作。它基于HomeRealmDiscoveryModern
样本。
这是解决方案/示例: https ://github.com/AlbozDroid/b2c-hrd-domainhint-sample/blob/main/Alboz_susi_public.xml
LocalAndSocialWithMFA
MFA 部分不存在,但按照Microsoft 提供的示例应该很容易添加。
推荐阅读
- bash - 通过 bash 脚本对 Postgres docker 容器执行查询
- javascript - URLSearchParams 的笑话测试用例
- php - 如何使用 symfony 在树枝内设置 knp_paginator '每页限制'
- unity3d - SIGSEGV 与 Unity 和 ARFoundation
- curl - 使用 curl 和 accestoken 从 Azure AD 中获取信息
- reactjs - 将道具传递给孩子不会让他更新 - React Native
- c++ - 类模板:为特定类型名添加额外的变量/方法
- c# - 我想在所有线程完成执行后显示我的程序的执行时间
- javascript - 有没有办法根据用户角色为一条路线加载不同的视图?
- android - 如何让我的数据库信息出现在我的应用程序上