问题
This question is related to this one.
What we'd like to do is: at the moment the user clicks the button like Facebook OR Microsoft account OR Corporate AD in the Sign in page, call a validation technical profile to validate the email address the user is using to sign in.
I tried adding an OrchestrationStep like this:
<OrchestrationStep Order="4"
Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimEquals"
ExecuteActionsIf="false">
<Value>idp</Value>
<Value>CorporateAD</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="FetchMoreClaimsExchange"
TechnicalProfileReferenceId="REST-ValidateSignInEmail" />
</ClaimsExchanges>
</OrchestrationStep>
This is actually calling REST-ValidateSignInEmail because I see an error returned in the URL like this:
https://mywebsite.azurewebsites.net/#error=server_error&error_description=AADB2C%3a++is+disabled.%0d%0aCorrelation+ID%3a+bce3fd82-1111-4f17-ad99-ef7770ed8dda%0d%0aTimestamp%3a+2019-11-08+20%3a34%3a51Z%0d%0a&state=7b7c70e7-7a77-77d7-7d7e-7dd0e7b707e7
The message is+disabled is coming from the REST API I put together but this obviously tells me that the email\signInEmail claim it expects as a parameter is not being sent\passed.
This is the Technical Profile:
<TechnicalProfile Id="REST-ValidateSignInEmail">
<DisplayName>Validate Email</DisplayName>
<Protocol Name="Proprietary"
Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="ServiceUrl">{Settings:AzureAppServiceUrl}/api/B2C/ValidateSignInEmail</Item>
<Item Key="AuthenticationType">None</Item>
<Item Key="SendClaimsIn">Body</Item>
</Metadata>
<InputClaims>
<InputClaim ClaimTypeReferenceId="signInName"
PartnerClaimType="UserEmail" />
</InputClaims>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
Can you shed some light on how to approach this?
回答1:
Generally after I post the question I keep fiddling with the code.
Got it working like this:
<TechnicalProfile Id="REST-ValidateSignInEmail">
<DisplayName>Validate Email</DisplayName>
<Protocol Name="Proprietary"
Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="ServiceUrl">{Settings:AzureAppServiceUrl}/api/B2C/ValidateSignInEmail</Item>
<Item Key="AuthenticationType">None</Item>
<Item Key="SendClaimsIn">Body</Item>
</Metadata>
<InputClaims>
<InputClaim ClaimTypeReferenceId="signInName"
PartnerClaimType="UserEmail" />
</InputClaims>
<InputClaim ClaimTypeReferenceId="email"
PartnerClaimType="UserEmail" />
</InputClaims>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
Note that I added a new InputClaim with ClaimTypeReferenceId="email". email is the claim value that is passed when using an external IDP.
This sample policy showed me that I could add the OrchestrationStep right before the JwtIssuer one. We can also have it without any preconditions like this:
<OrchestrationStep Order="7"
Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="REST-ValidateSignInEmail"
TechnicalProfileReferenceId="REST-ValidateSignInEmail" />
</ClaimsExchanges>
</OrchestrationStep>
Doing so it'll get called for all IDPs.
Azure Active Directory B2C: Custom CIAM User Journeys
来源:https://stackoverflow.com/questions/58773626/how-to-pass-and-validate-the-signinemail-claim-during-external-idp-login-using-a