Azure Active Directory - Custom Policy Error

筅森魡賤 submitted on 2019-12-12 04:04:27

Question


I've set up a Custom Policy in Azure AD B2C following the guide provided here:

https://docs.microsoft.com/azure/active-directory-b2c/active-directory-b2c-setup-sf-app-custom

I've actually set up the IdP as SSOCircle instead of SalesForce, and this seems to work until the redirection to the Service Provider Assertion Consumer Url of

https://login.microsoftonline.com/te/TENANT.onmicrosoft.com/B2C_1A_TrustFrameworkBase/samlp/sso/assertionconsumer

I've added Application Insights in order to troubleshoot and the exception details are:

A Claim of ClaimType with id "socialIdpUserId" was not found, which is required by the ClaimsTransformationImpl of Type "Microsoft.Cpim.Data.Transformations.CreateAlternativeSecurityIdTransformation" for TransformationMethod "CreateAlternativeSecurityId" referenced by the ClaimsTransformation with id "CreateAlternativeSecurityId" in policy "B2C_1A_TrustFrameworkBase" of tenant "TENANT.onmicrosoft.com".

Any help would be appreciated.


Answer 1:


As per the error, your <ClaimsProvider> is missing the socialIdpUserId claim. This is because either the <OutputClaim> entry which has a ClaimTypeReferenceId="socialIdpUserId" is missing or it's mapped to a PartnerClaimType that SSOCircle isn't providing.

From the "Create the Salesforce SAML claims provider in your base policy" section in that doc you referenced:

<ClaimsProvider>
  <Domain>salesforce</Domain>
  <DisplayName>Salesforce</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="salesforce">
      <DisplayName>Salesforce</DisplayName>
      <Description>Login with your Salesforce account</Description>
      <Protocol Name="SAML2"/>
      <Metadata>
        <Item Key="RequestsSigned">false</Item>
        <Item Key="WantsEncryptedAssertions">false</Item>
        <Item Key="WantsSignedAssertions">false</Item>
        <Item Key="PartnerEntity">https://contoso-dev-ed.my.salesforce.com/.well-known/samlidp.xml</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_SAMLSigningCert"/>
        <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SAMLSigningCert"/>
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="userId"/>
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name"/>
        <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name"/>
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email"/>
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="username"/>
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="externalIdp"/>
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="SAMLIdp"/>
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>



Answer 2:


If you need the user id as a claim from SSOCircle, please check "UserID" during import of the SAML Service Provider data at the SSOCircle Admin UI. SSOCircle IDP will then add the user name as "UserID" attribute into the SAML assertion.

Referring to the policy Saca mentioned, change the line:

<OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="userId"/> 

to

<OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="UserID"/>

Do the same for the other attributes like givenname, surname and email.
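As an added example (not code from the question, either answer, or Microsoft's documentation), the following Python pre-flight check compares a technical profile's OutputClaims against the AttributeStatement an IdP actually returned and reports every PartnerClaimType the assertion does not carry, pointing out case-only mismatches such as userId versus UserID. The policy fragment and the SAML assertion embedded in it are constructed samples; the attribute names FirstName and EmailAddress are assumptions, only UserID comes from the answer above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: OutputClaims of the "salesforce" technical profile above,
# still carrying the pre-fix mapping PartnerClaimType="userId".
POLICY_XML = """<TechnicalProfile Id="salesforce">
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="userId"/>
    <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name"/>
    <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email"/>
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="externalIdp"/>
  </OutputClaims>
</TechnicalProfile>"""

# Constructed sample of the AttributeStatement the IdP sent; names other than
# "UserID" and all values are made up for this example.
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="UserID"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="EmailAddress"><saml:AttributeValue>a@example.test</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]

def missing_partner_claims(policy_xml, assertion_xml):
    """Return (ClaimTypeReferenceId, PartnerClaimType, case_variant_sent) for each
    OutputClaim whose PartnerClaimType is absent from the assertion. Matching is
    case-sensitive, as the UserID fix implies; claims with a DefaultValue are skipped."""
    sent = {el.get("Name") for el in ET.fromstring(assertion_xml).iter()
            if _local(el.tag) == "Attribute" and el.get("Name")}
    by_lower = {name.lower(): name for name in sent}
    problems = []
    for el in ET.fromstring(policy_xml).iter():
        if _local(el.tag) != "OutputClaim" or el.get("DefaultValue") is not None:
            continue
        partner = el.get("PartnerClaimType")
        if partner is None or partner in sent:
            continue
        problems.append((el.get("ClaimTypeReferenceId"), partner, by_lower.get(partner.lower())))
    return problems

if __name__ == "__main__":
    for claim_id, partner, variant in missing_partner_claims(POLICY_XML, ASSERTION_XML):
        hint = f" (IdP sent {variant!r} instead)" if variant else ""
        print(f"{claim_id}: PartnerClaimType {partner!r} not in assertion{hint}")
```

Run it against a decoded assertion captured from the browser's SAMLResponse and the TechnicalProfile from your extension policy to see which mappings will trip the missing-claim error before the transformation stage does.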



Source: https://stackoverflow.com/questions/45553943/azure-active-directory-custom-policy-error
