是否可以将组从联合AD传递到B2C到Azure AD B2C
[英]Is it possible to pass groups to B2C from federated AD to Azure AD B2C
问题描述
I have an application running on B2C as part of customer deployment we federate with the customers AD so they can log in with their own corporate identity. 
我有一个在B2C上运行的应用程序,作为我们与客户广告联盟的客户部署的一部分,以便他们可以使用自己的公司身份登录。
We then create matching groups in the B2C to control behaviors in the app. 然后,我们在B2C中创建匹配组以控制应用程序中的行为。
We have a request that a customer wants to create the groups in their AD and then pass it across so that they can manage their users and access in one place. 我们要求客户希望在其广告中创建组,然后将其传递出去,以便他们可以在一个位置管理用户和访问。
I can see how I can add the claims I want when setting up a user flow but I cant see any option for groups. 我可以看到如何在设置用户流时添加所需的声明,但是看不到组的任何选项。 Is it possible to do or do i have to query the external AD (matching the way I query for groups in the B2C directory) 是否可以做或必须查询外部AD(与查询B2C目录中的组的方式匹配)
Thanks 谢谢
1 个解决方案
解决方案1
1 已采纳 2019-07-29 14:50:35
While technically possible, I Also question the benefit of doing this. 尽管在技术上可行,但我也质疑这样做的好处。 I will try to briefly describe how this would technically work. 我将尝试简要描述这在技术上将如何工作。 If not clear - I will have to summ-it on Github. 如果不清楚-我将不得不在Github上进行总结。 This is only possible using custom policy. 这只能使用自定义策略来实现。 So you have to follow: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-technical-profile 因此,您必须遵循: https : //docs.microsoft.com/zh-cn/azure/active-directory-b2c/active-directory-technical-profile
Edit the Menifest of the application registration in federated AAD.
在联合AAD中编辑应用程序注册的清单。 There you have to indicate that you require group membership claim: 在这里,您必须指出您需要组成员身份声明: "groupMembershipClaims": "All",Extend the claims schema in your custom policy extensions by adding a new claim:
通过添加新的声明来扩展自定义策略扩展中的声明架构:
<ClaimsSchema> <ClaimType Id="idpGroupMemberships"> <DisplayName>Group Memberships in the IdP</DisplayName> <DataType>stringCollection</DataType> <UserHelpText>This is read only for the user</UserHelpText> </ClaimType> </ClaimsSchema>
- Later in the technical profile, copy the incoming groups claim into your outputclaims: 在技术资料的后面,将传入的组声明复制到输出声明中:
<OutputClaims> ... <OutputClaim ClaimTypeReferenceId="idpGroupMemberships" PartnerClaimType="groups" /> </OutputClaims>
- Finally, you have to include that new claim in your relying party policy: 最后,您必须将该新要求包括在您的依赖方政策中:
<RelyingParty> <DefaultUserJourney ReferenceId="SuSiLocalFbStaykovNet" /> <TechnicalProfile Id="PolicyProfile"> <DisplayName>PolicyProfile</DisplayName> <Protocol Name="OpenIdConnect" /> <OutputClaims> ... <OutputClaim ClaimTypeReferenceId="idpGroupMemberships" /> </OutputClaims> <SubjectNamingInfo ClaimType="sub" /> </TechnicalProfile> </RelyingParty>
Using this approach you will get the Groups as GUIDs (these will be the objec IDs of the groups in federated AAD). 使用这种方法,您将获得作为GUID的组(这些将是联合AAD中组的对象ID)。 If you want to get the Groups as names and not GUIDs, it is only partially supported and more complicated. 如果要获取组的名称而不是GUID,则仅部分支持它,而且更复杂。 Check out this doc here: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims#configure-the-azure-ad-application-registration-for-group-attributes 在此处查看此文档: https : //docs.microsoft.com/zh-cn/azure/active-directory/hybrid/how-to-connect-fed-group-claims#configure-the-azure-ad-application-登记换基团的属性
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.