
Is it possible to automatically update B2C user details by using claims from the Issuer, using Identity Experience Framework?

I have created a policy for an application following the B2C tutorial docs. It successfully creates users in a B2C tenant, filling in givenName, email etc. from any/all issuers - currently, any other Azure tenant can sign into this B2C tenant, which is what is required.

But what if details change with the original issuer's object (a name change, for example)? Currently there would be a mismatch, unless the user follows a journey to edit their own profile (manually).

Would it be possible to create a journey which asks for claims from the issuer AFTER the object exists in the B2C tenant, and then updates the local user with the new details?

The result I was looking to achieve was an automatic update to the B2C tenant user, if the original account has been edited in some way, at the point the B2C user authenticates. That way the application linked to the B2C tenant could be sent the updated claims.

I understand the premise, but what I am lacking is the knowledge of what steps in a journey I would need, and what these steps would look like. If anyone could share an example of even just reading a name from the original issuer and copying it to the B2C tenant user, it would be extremely useful to me.

[Edit] Thanks to Jas for the detailed solution! I solved this by simply adding an AAD-UserReadUsingObjectId step and an AAD-UserWriteUsingAlternativeSecurityId step to the end of the sign-up/sign-in journey. This updates the B2C user object with claims from the original object every time they log in, and meets the requirements since it updates the B2C tenant and passes the updated attributes to the application which requires them too.

Output claims in the OpenId technical profile allow you to map claims incoming from the IdP into the AAD B2C claim bag.

Let's use the example of monitoring whether displayName has changed at the IdP.

<OutputClaims>
  <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="live.com" />
  <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
  <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
  <OutputClaim ClaimTypeReferenceId="displayNameFromIdp" PartnerClaimType="name" />
  <OutputClaim ClaimTypeReferenceId="email" />
</OutputClaims>

Then we read the user using AAD-ReadUsingAlternativeSecurityId, by default. See the output claims as follows; this will read the displayName of the user that already exists in the B2C directory.

          <OutputClaims>
            <!-- Required claims -->
            <OutputClaim ClaimTypeReferenceId="objectId" />

            <!-- Optional claims -->
            <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
            <OutputClaim ClaimTypeReferenceId="displayName" />
            <OutputClaim ClaimTypeReferenceId="otherMails" />
            <OutputClaim ClaimTypeReferenceId="givenName" />
            <OutputClaim ClaimTypeReferenceId="surname" />
            <OutputClaim ClaimTypeReferenceId="identityChanged" DefaultValue="false"/>
          </OutputClaims>

Now, we compare the displayName and displayNameFromIdp values using the CompareClaims claim transform.

<ClaimsTransformation Id="CompareDisplayName" TransformationMethod="CompareClaims">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="displayNameFromIdp" TransformationClaimType="inputClaim1" />
    <InputClaim ClaimTypeReferenceId="displayName" TransformationClaimType="inputClaim2" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="operator" DataType="string" Value="NOT EQUAL" />
    <InputParameter Id="ignoreCase" DataType="boolean" Value="true" />
  </InputParameters>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="identityChanged" TransformationClaimType="outputClaim" />
  </OutputClaims>
</ClaimsTransformation>

Make a claim transform like this for each claim you want to check. Only change the inputClaims, so if anything changes, it's always reflected as a boolean in the identityChanged claim.

Add this claimTransform as an output claims transform to AAD-ReadUsingAlternativeSecurityId:

          <OutputClaimsTransformations>
            <OutputClaimsTransformation ReferenceId="CompareDisplayName" />
          </OutputClaimsTransformations>

For each claim transform you create, for each attribute you want to keep synced, add an output claims transform referencing the claim transformation Id.

Now, if identityChanged == true, we know to call the AAD write technical profile. In your journey, add a step at some point after AAD-UserReadUsingAlternativeSecurityId (after reading the user), and after AAD-UserWriteUsingAlternativeSecurityId (after creating the user).

        <OrchestrationStep Order="NUMBER" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>identityChanged</Value>
              <Value>false</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserUpdate" TechnicalProfileReferenceId="AAD-UserUpdateUsingAlternativeSecurityId" />
          </ClaimsExchanges>
        </OrchestrationStep>

Define an Azure AD technical profile to update the user:

        <TechnicalProfile Id="AAD-UserUpdateUsingAlternativeSecurityId">
          <Metadata>
            <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">false</Item>
          </Metadata>
          <PersistedClaims>
            <PersistedClaim ClaimTypeReferenceId="alternativeSecurityId" />
          </PersistedClaims>
          <IncludeTechnicalProfile ReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
        </TechnicalProfile>

Define the claims identityChanged and displayNameFromIdp:

      <ClaimType Id="identityChanged">
        <DisplayName>identityChanged</DisplayName>
        <DataType>boolean</DataType>
      </ClaimType>
      <ClaimType Id="displayNameFromIdp">
        <DisplayName>displayNameFromIdp</DisplayName>
        <DataType>string</DataType>
      </ClaimType>

The flow would be:

  • User logs in
  • Call the original issuer via API and get the user's latest details
  • Compare details and update if required. You can use the string transformations.
  • Write the updated details
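As an added example (not from the answer or the starter pack), here is the same pattern extended to a second attribute: each CompareClaims writes its own flag, OrClaims folds the flags into identityChanged for the orchestration step, and an objectId-keyed write profile persists the IdP values under the directory attribute names. It assumes the answer's CompareDisplayName with its output claim changed to displayNameChanged, an OpenId output claim mapping the IdP's given_name into givenNameFromIdp, the starter pack's AAD-Common profile, and that the answer's orchestration step references AAD-UserUpdateFromIdp; the claim Ids displayNameChanged, givenNameChanged and givenNameFromIdp are assumptions and need ClaimType declarations like identityChanged above.

```xml
<!-- Added example, not from the answer. Assumes the B2C starter pack's AAD-Common profile, the
     answer's CompareDisplayName with its output renamed to displayNameChanged, and an OpenId
     output claim mapping given_name into givenNameFromIdp; the new claim Ids are assumptions. -->
<ClaimsTransformations>
  <!-- Second attribute: its own flag, so this result cannot overwrite displayNameChanged -->
  <ClaimsTransformation Id="CompareGivenName" TransformationMethod="CompareClaims">
    <InputClaims>
      <InputClaim ClaimTypeReferenceId="givenNameFromIdp" TransformationClaimType="inputClaim1" />
      <InputClaim ClaimTypeReferenceId="givenName" TransformationClaimType="inputClaim2" />
    </InputClaims>
    <InputParameters>
      <InputParameter Id="operator" DataType="string" Value="NOT EQUAL" />
      <InputParameter Id="ignoreCase" DataType="boolean" Value="true" />
    </InputParameters>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="givenNameChanged" TransformationClaimType="outputClaim" />
    </OutputClaims>
  </ClaimsTransformation>
  <!-- identityChanged = displayNameChanged OR givenNameChanged; run both compares first,
       then this one, in the read profile's OutputClaimsTransformations -->
  <ClaimsTransformation Id="AnyAttributeChanged" TransformationMethod="OrClaims">
    <InputClaims>
      <InputClaim ClaimTypeReferenceId="displayNameChanged" TransformationClaimType="inputClaim1" />
      <InputClaim ClaimTypeReferenceId="givenNameChanged" TransformationClaimType="inputClaim2" />
    </InputClaims>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="identityChanged" TransformationClaimType="outputClaim" />
    </OutputClaims>
  </ClaimsTransformation>
</ClaimsTransformations>

<!-- Update keyed by objectId. PartnerClaimType writes the value that came from the IdP into
     the directory attribute, rather than the stale displayName/givenName read earlier. -->
<TechnicalProfile Id="AAD-UserUpdateFromIdp">
  <Metadata>
    <Item Key="Operation">Write</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
  </InputClaims>
  <PersistedClaims>
    <PersistedClaim ClaimTypeReferenceId="objectId" />
    <PersistedClaim ClaimTypeReferenceId="displayNameFromIdp" PartnerClaimType="displayName" />
    <PersistedClaim ClaimTypeReferenceId="givenNameFromIdp" PartnerClaimType="givenName" />
  </PersistedClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>
```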
