![](/img/trans.png)
[英]Azure AD B2C throwing a 404 when attempting to clicking the link to sign
[英]Azure AD B2C AAD-UserReadUsingAlternativeSecurityId technical profile is throwing error
我有一个具有以下技术配置文件的自定义策略,以启用来自多个 Azure AD 租户的登录。 当我使用有效的工作帐户登录时,技术配置文件 AAD-UserReadUsingAlternativeSecurityId 引发错误。 我在下面包含了应用程序见解 output。 由于我无法控制 Azure AD B2C 如何在技术资料中构建图表 api 查找,我如何才能 go 找到并解决实际问题?
我检查了构建备用安全 ID 的声明转换,但没有发现任何内容,按照入门包进行操作,但没有进行任何更改
<TechnicalProfile Id="Common-AAD">
<DisplayName>Active Directory</DisplayName>
<!-- <DisplayName>Sign In</DisplayName> -->
<Protocol Name="OpenIdConnect" />
<Metadata>
<Item Key="client_id">dcaee4b4-61d6-45e6-88b2-b35a81e93077</Item>
<Item Key="UsePolicyInRedirectUri">0</Item>
<Item Key="METADATA">https://login.microsoftonline.com/common/.well-known/openid-configuration</Item>
<Item Key="response_types">code</Item>
<Item Key="scope">openid</Item>
<Item Key="response_mode">form_post</Item>
<Item Key="HttpBinding">POST</Item>
<Item Key="DiscoverMetadataByTokenIssuer">true</Item>
<!-- The key below allows you to specify each of the Azure AD tenants that can be used to sign in. Update the GUIDs below for each tenant. -->
<Item Key="ValidTokenIssuerPrefixes">
https://sts.windows.net/{GUID1-masked},
https://sts.windows.net/{GUID2-masked},
https://sts.windows.net/{GUID3-masked},
https://sts.windows.net/{GUID4-masked}
</Item>
<!-- The commented key below specifies that users from any tenant can sign-in. Uncomment if you would like anyone with an Azure AD account to be able to sign in. -->
<!-- <Item Key="ValidTokenIssuerPrefixes">https://sts.windows.net/</Item>-->
</Metadata>
<CryptographicKeys>
<Key Id="client_secret" StorageReferenceId="B2C_1A_AZB2CSecret" />
</CryptographicKeys>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
<OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
<!-- <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="sub" /> -->
<!-- Mark: issuerUserId below originally mapped to sub -->
<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid" />
<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
<OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
<OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="unique_name" />
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
<OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
<OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
<!-- <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" /> -->
</OutputClaimsTransformations>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
</TechnicalProfile>
“AAD 请求https://graph.windows.net/34d8169d-0e97-4cc7-a8d0-57c29404f1b1/users?api-version=1.6-integrationOnly&%24filter=alternativeSecurityIds%2fany(x%3ax%2ftype+eq+6+ and+x%2fidentityProvider+eq+%27https%3a%2f%2fsts.windows.net%{GUID-MASKED}%2f%27+and+x%2fkey+eq+X%2738623361343134642D623331622D343638322D396662382D663461376161666164643966%27) using method GET as request body格式错误。\r\n响应:\n{"odata.metadata":"https://graph.windows.net/34d8169d-0e97-4cc7-a8d0-57c29404f1b1/$metadata#directoryObjects","value":[] }\r\n",
在策略运行后,向应用程序/用户显示的错误是:AADB2C99002:找不到提供的用户 ID 的帐户。 我猜这是正常的,因为用户查找失败
“打开浏览器和 go 到租户的 OpenID Connect 元数据 URL。找到颁发者 object并记录其值。它应该类似于https://login.microsoftonline.com/00000000-0000-0000-000000/0000-000 .well-known/openid-configuration” 。
当我这样做时,我得到一个像这样的发行人:
“https://login.microsoftonline.com/GUID/v2.0”
但是你有:
https://sts.windows.net/{GUID1-masked}
(无论如何,文档似乎是错误的 - 他们的发行人是“知名”地址)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.