Question
We are using a custom SignIn/SignUp policy, with Facebook, LinkedIn, Twitter, and Google+ configured as social IDPs.
We have built a custom page where we ask the user for their email and then redirect them to the particular IDP page (we have logic built around this) using domain_hint, for example: domain_hint=facebook.com.
I want to pass the email address entered by the user in the first step in login_hint along with domain_hint, so that the user doesn't have to enter the email once again when redirected to the IDP page (Facebook.com).
I took the code from the AD B2C documentation for IDPs and added it as below in the claims provider for Facebook, LinkedIn, Twitter, etc., but it is not working:
```xml
<!-- Input claim: read the request's login_hint via the {OIDC:LoginHint} claim resolver
     and send it to the IDP as the login_hint parameter -->
<InputClaims>
  <InputClaim ClaimTypeReferenceId="logonIdentifier" PartnerClaimType="login_hint" DefaultValue="{OIDC:LoginHint}" />
</InputClaims>
<!-- Output claim: the identifier returned by the IDP -->
<OutputClaims>
  <OutputClaim ClaimTypeReferenceId="logonIdentifier" Required="true" />
</OutputClaims>
```
Is there a way/option to achieve this?
Answer 1:
For the above identity providers, Google is the only one that supports a login hint, so if you add the domain_hint and login_hint parameters to the Azure AD B2C request:

https://login.microsoftonline.com/te/<tenant>/<policy>/oauth2/v2.0/authorize?...&domain_hint=google.com&login_hint=someone@somewhere.com

then you can pass the "login_hint" parameter through from Azure AD B2C to the Google endpoint as follows:
1) Create a "loginHint" claim type:
```xml
<ClaimType Id="loginHint">
  <DisplayName>Login Hint</DisplayName>
  <DataType>string</DataType>
</ClaimType>
```
2) Add the "loginHint" input claim to the Google technical profile:
```xml
<ClaimsProvider>
  <Domain>google.com</Domain>
  <DisplayName>Google Account</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="GoogleAccount-OAuth2">
      <DisplayName>Google Account</DisplayName>
      <Protocol Name="OAuth2" />
      ...
      <InputClaims>
        <!-- {OIDC:LoginHint} resolves to the login_hint query parameter of the B2C request -->
        <InputClaim ClaimTypeReferenceId="loginHint" PartnerClaimType="login_hint" DefaultValue="{OIDC:LoginHint}" />
      </InputClaims>
      ...
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```
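The two pieces of the answer above that are easy to get wrong are the request side (the email the user typed is untrusted input that ends up in a redirect URL, so it must be validated and URL-encoded, and only the domain hints you actually configured should be accepted) and the policy side (the input claim must reference a declared ClaimType and use the {OIDC:LoginHint} resolver). The following Python is an added example, not code from the answer or from Microsoft; the tenant name, policy name, client_id and redirect_uri are placeholders, and the policy XML it checks is a constructed minimal fragment modelled on the snippet above. The linter only checks the wiring; it cannot tell you whether a given IDP honours login_hint, which per the answer only Google does among those listed.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Placeholder values, chosen for this example only.
TENANT = "contoso.onmicrosoft.com"
POLICY = "B2C_1A_signup_signin"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://app.example.com/auth/callback"

# Only the Domain values of ClaimsProviders that exist in the policy may be used
# as domain_hint; anything else from the client is rejected outright.
KNOWN_DOMAIN_HINTS = {"google.com", "facebook.com", "linkedin.com", "twitter.com"}

# Conservative e-mail shape: no whitespace, quotes or control characters, so a
# crafted value cannot smuggle extra parameters or header-like text into the URL.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$")


def valid_login_hint(value: str) -> bool:
    """True if value is a plausible e-mail address safe to forward as login_hint."""
    return len(value) <= 254 and bool(_EMAIL_RE.fullmatch(value))


def build_authorize_url(domain_hint: str, login_hint: str, state: str, nonce: str) -> str:
    """Build the B2C authorize request that carries domain_hint and login_hint.

    urlencode() percent-encodes '@' and '+' so the hint survives the round trip intact.
    login_hint is only a UX hint: the IDP still authenticates the user, and the
    relying party must never treat the hint itself as an identity.
    """
    if domain_hint not in KNOWN_DOMAIN_HINTS:
        raise ValueError(f"unknown domain_hint: {domain_hint!r}")
    if not valid_login_hint(login_hint):
        raise ValueError("login_hint is not a well-formed e-mail address")
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid offline_access",
        "state": state,
        "nonce": nonce,
        "domain_hint": domain_hint,
        "login_hint": login_hint,
    }
    base = f"https://login.microsoftonline.com/te/{TENANT}/{POLICY}/oauth2/v2.0/authorize"
    return f"{base}?{urlencode(params)}"


# Namespace used by Azure AD B2C TrustFrameworkPolicy documents.
NS = {"cpim": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}


def login_hint_wiring_errors(policy_xml: str, domain: str) -> list[str]:
    """Check that the ClaimsProvider with the given Domain forwards login_hint correctly.

    Returns a list of problems; an empty list means the wiring matches the answer:
    an InputClaim with PartnerClaimType="login_hint", DefaultValue="{OIDC:LoginHint}",
    referencing a ClaimType that is declared in the ClaimsSchema.
    """
    root = ET.fromstring(policy_xml)
    declared = {ct.get("Id") for ct in root.iterfind(".//cpim:ClaimType", NS)}
    providers = [
        cp for cp in root.iterfind(".//cpim:ClaimsProvider", NS)
        if cp.findtext("cpim:Domain", default="", namespaces=NS) == domain
    ]
    if not providers:
        return [f"no ClaimsProvider with Domain {domain}"]
    errors: list[str] = []
    for cp in providers:
        for tp in cp.iterfind(".//cpim:TechnicalProfile", NS):
            tp_id = tp.get("Id")
            hints = [ic for ic in tp.iterfind("cpim:InputClaims/cpim:InputClaim", NS)
                     if ic.get("PartnerClaimType") == "login_hint"]
            if not hints:
                errors.append(f"{tp_id}: no InputClaim with PartnerClaimType=login_hint")
                continue
            for ic in hints:
                ref = ic.get("ClaimTypeReferenceId")
                if ref not in declared:
                    errors.append(f"{tp_id}: ClaimType {ref!r} is not declared in the policy")
                if ic.get("DefaultValue") != "{OIDC:LoginHint}":
                    errors.append(f"{tp_id}: DefaultValue must be {{OIDC:LoginHint}} to read the request's login_hint")
    return errors


# Constructed minimal policy fragment (example data, not a real policy file).
GOOD_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <BuildingBlocks><ClaimsSchema>
    <ClaimType Id="loginHint"><DisplayName>Login Hint</DisplayName><DataType>string</DataType></ClaimType>
  </ClaimsSchema></BuildingBlocks>
  <ClaimsProviders><ClaimsProvider>
    <Domain>google.com</Domain><DisplayName>Google Account</DisplayName>
    <TechnicalProfiles><TechnicalProfile Id="GoogleAccount-OAuth2">
      <DisplayName>Google Account</DisplayName><Protocol Name="OAuth2" />
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="loginHint" PartnerClaimType="login_hint" DefaultValue="{OIDC:LoginHint}" />
      </InputClaims>
    </TechnicalProfile></TechnicalProfiles>
  </ClaimsProvider></ClaimsProviders>
</TrustFrameworkPolicy>"""

# Same fragment with the ClaimType declaration renamed: the InputClaim now dangles.
BAD_POLICY = GOOD_POLICY.replace('<ClaimType Id="loginHint">', '<ClaimType Id="somethingElse">')

if __name__ == "__main__":
    print(build_authorize_url("google.com", "someone@somewhere.com", "state123", "nonce456"))
    print("good policy:", login_hint_wiring_errors(GOOD_POLICY, "google.com"))
    print("bad policy: ", login_hint_wiring_errors(BAD_POLICY, "google.com"))
```

Run the linter against your real TrustFrameworkExtensions.xml for each Domain you pass as domain_hint; a dangling ClaimTypeReferenceId or a missing {OIDC:LoginHint} DefaultValue silently drops the hint rather than failing the policy upload.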
Answer 2:
See this PDF: Targeting a sign-in user or domain name using login and domain hint.
Using login hint in a custom policy:
To prepopulate the sign-in name, in your custom policy, override the SelfAsserted-LocalAccountSignin-Email technical profile. In the <InputClaims> section, you set the signInName claim's DefaultValue to {OIDC:LoginHint}. The {OIDC:LoginHint} variable contains the value of the login_hint parameter. Azure AD B2C reads the signInName input claim's value and pre-populates the signInName textbox.
Source: https://stackoverflow.com/questions/49456133/how-to-get-login-hint-working-with-social-idp-using-custom-policy