问题
From testing, it appears Validation Technical Profiles are only used when added to SelfAssserted Technical Profiles
E.g the following:
<TechnicalProfile Id="ExternalIDP">
<DisplayName>Some External IdP</DisplayName>
<Protocol Name="OpenIdConnect" />
<Metadata>
<!-- ... -->
</Metadata>
<OutputClaims>
<!-- ... -->
</OutputClaims>
<ValidationTechnicalProfiles>
<ValidationTechnicalProfile ReferenceId="FETCH-MORE-CLAIMS" />
</ValidationTechnicalProfiles>
</TechnicalProfile>
does not appear to call the FETCH-MORE-CLAIMS profile after authenticating to the external identity provider.
Is this correct, and if so, is there another way to always force a second technical profile to be called whenever a particular technical profile is called?
回答1:
One possible way would be to set an output claim that indicates that was done, and then have an orchestration step after that with a condition on that claim, which then runs your TP as a claims exchange.
So an output claim like:
<OutputClaim ClaimTypeReferenceId="idp" DefaultValue="ThisIdp" AlwaysUseDefaultValue="true" />
You'd need to define that claim if it isn't already defined, or you can use another one you already have.
<OrchestrationStep Order="2" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimEquals" ExecuteActionsIf="false">
<Value>idp</Value>
<Value>ThisIdp</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="FetchMoreClaimsExchange" TechnicalProfileReferenceId="FETCH-MORE-CLAIMS" />
</ClaimsExchanges>
</OrchestrationStep>
This orchestration step is skipped if idp != ThisIdp, so it would only run if your external idp was used.
来源:https://stackoverflow.com/questions/57891462/azure-ad-b2c-validation-profile-for-non-selfasserted-technical-profiles