How to add a claim of type “StringCollection” in ad b2c custom policies
I want to add two output claims of type "StringCollection": 1. Countries (for example: US, UK, etc.) 2. Groups (for example: XX, XY, XZ)
This data needs to be saved when the user signs up, and it needs to be added to the token.
I created the following claim type:
<ClaimType Id="extension_countries">
<DisplayName>Countries</DisplayName>
<DataType>stringCollection</DataType>
<UserHelpText>Country list</UserHelpText>
</ClaimType>
and the transformation:
<ClaimsTransformation Id="CreateCountriesFromCountry" TransformationMethod="AddItemToStringCollection">
<InputClaims>
<InputClaim ClaimTypeReferenceId="country" TransformationClaimType="item" />
<InputClaim ClaimTypeReferenceId="extension_countries" TransformationClaimType="collection" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="extension_countries" TransformationClaimType="collection" />
</OutputClaims>
</ClaimsTransformation>
When I add it to the "OutputClaims" of the RelyingParty, it shows the error "The extension property 'extension_countries' in the technical profile does not support the data type 'StringCollection'"
The error is probably due to an underlying limitation of AAD Graph API extension properties: https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-directory-schema-extensions#extension-data-types
Available types:
So you cannot create an extension property that is a string collection.
As a workaround, write your own REST function that converts the collection to a string and vice versa, provided your string does not exceed 256 characters (I believe that is the maximum).
Where you went wrong is trying to define a claim that already comes from the call that reads from AAD. Create a new claim, and just don't expose extension_countries as an output claim.
First you create a new ClaimType
<ClaimType Id="Countries">
<DisplayName>Countries</DisplayName>
<DataType>stringCollection</DataType>
<UserHelpText>A list of countries for user</UserHelpText>
<!-- ... removed for brevity -->
</ClaimType>
Then create the claims transformation
<ClaimsTransformation Id="CountriesClaimFromExtensionCountries" TransformationMethod="StringSplit">
<InputClaims>
<InputClaim ClaimTypeReferenceId="extension_countries" TransformationClaimType="inputClaim" />
</InputClaims>
<InputParameters>
<InputParameter DataType="string" Id="delimiter" Value="," />
</InputParameters>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="Countries" TransformationClaimType="outputClaim" />
</OutputClaims>
</ClaimsTransformation>
In your user journey there should be a step where you read from AAD using the user's object id
<!-- NOTE: This is an example step, for your specific use case it maybe different, but whatever the step is that reads from AAD and gets the extension_countries attribute, do it there.
in the token. -->
<OrchestrationStep Order="6" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimEquals" ExecuteActionsIf="true">
<Value>authenticationSource</Value>
<Value>socialIdpAuthentication</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
</ClaimsExchanges>
</OrchestrationStep>
Update that technical profile to use the claims transformation you just created.
<!-- The following technical profile is used to read data after user authenticates. -->
<TechnicalProfile Id="AAD-UserReadUsingObjectId">
<Metadata>
<Item Key="Operation">Read</Item>
<Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
</Metadata>
<IncludeInSso>false</IncludeInSso>
<InputClaims>
<InputClaim ClaimTypeReferenceId="objectId" Required="true" />
</InputClaims>
<OutputClaims>
<!-- Optional claims -->
<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" />
<OutputClaim ClaimTypeReferenceId="displayName" />
<OutputClaim ClaimTypeReferenceId="otherMails" />
<OutputClaim ClaimTypeReferenceId="givenName" />
<OutputClaim ClaimTypeReferenceId="surname" />
<!-- NOTE: assuming you already added this -->
<OutputClaim ClaimTypeReferenceId="extension_countries" />
</OutputClaims>
<!-- NOTE: This is where you add the reference to the claims transformation -->
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="CountriesClaimFromExtensionCountries"/>
</OutputClaimsTransformations>
<IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>
Then in your relying party... make sure to output the claim.
<RelyingParty>
<TechnicalProfile Id="PolicyProfile">
<DisplayName>PolicyProfile</DisplayName>
<Protocol Name="OpenIdConnect" />
<OutputClaims>
<!-- NOTE: new output claim, other output claims are omitted for brevity -->
<OutputClaim ClaimTypeReferenceId="Countries" />
</OutputClaims>
<SubjectNamingInfo ClaimType="sub" />
</TechnicalProfile>
</RelyingParty>
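The answer above covers only the read side (directory string to "Countries" collection). Sign-up also has to persist the list, which is the inverse: collect the user's entries into the collection and flatten it into a single string before the account is written. The following policy fragments are an added example, not code from the question or either answer. They assume the "Countries" claim and the "CountriesClaimFromExtensionCountries" transformation from the answer above, a self-asserted sign-up page that collects a string claim named "country", and the starter-pack write profile "AAD-UserWriteUsingLogonEmail" (shown abbreviated); the transformation Ids "AddCountryToCountries" and "ExtensionCountriesFromCountries" and the restriction pattern are hypothetical choices. The key point the answers leave implicit is in the first fragment: extension_countries must be declared as a string, because that is the only text type an AAD extension property can hold.

```xml
<!-- Added example (not from the original question or answers). Assumes the
     "Countries" claim and read-side transformation defined in the answer
     above; the Ids "AddCountryToCountries", "ExtensionCountriesFromCountries"
     and the regular expression are hypothetical. -->

<!-- 1. The extension attribute itself must be a plain string; an AAD Graph
        extension property cannot hold a collection. -->
<ClaimType Id="extension_countries">
  <DisplayName>Countries (stored)</DisplayName>
  <DataType>string</DataType>
  <UserHelpText>Comma-delimited list of countries, at most 256 characters</UserHelpText>
</ClaimType>

<!-- 2. Keep the delimiter out of individual values. StringSplit does no
        escaping, so a value containing "," would silently become two items
        on the read side. The pattern is enforced by the self-asserted page. -->
<ClaimType Id="country">
  <DisplayName>Country</DisplayName>
  <DataType>string</DataType>
  <UserInputType>TextBox</UserInputType>
  <Restriction>
    <Pattern RegularExpression="^[A-Za-z][A-Za-z .'-]{0,39}$" HelpText="Letters, spaces, dots, apostrophes and hyphens only; no commas." />
  </Restriction>
</ClaimType>

<!-- 3. Add the entered value to the collection, then flatten the collection
        into the string that will be persisted. -->
<ClaimsTransformation Id="AddCountryToCountries" TransformationMethod="AddItemToStringCollection">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="country" TransformationClaimType="item" />
    <InputClaim ClaimTypeReferenceId="Countries" TransformationClaimType="collection" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="Countries" TransformationClaimType="collection" />
  </OutputClaims>
</ClaimsTransformation>

<ClaimsTransformation Id="ExtensionCountriesFromCountries" TransformationMethod="StringJoin">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="Countries" TransformationClaimType="inputClaim" />
  </InputClaims>
  <InputParameters>
    <InputParameter DataType="string" Id="delimiter" Value="," />
  </InputParameters>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="extension_countries" TransformationClaimType="outputClaim" />
  </OutputClaims>
</ClaimsTransformation>

<!-- 4. Run both transformations before the account is created and persist
        the joined string. Starter-pack content not relevant here is omitted. -->
<TechnicalProfile Id="AAD-UserWriteUsingLogonEmail">
  <Metadata>
    <Item Key="Operation">Write</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">true</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaimsTransformations>
    <InputClaimsTransformation ReferenceId="AddCountryToCountries" />
    <InputClaimsTransformation ReferenceId="ExtensionCountriesFromCountries" />
  </InputClaimsTransformations>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" Required="true" />
  </InputClaims>
  <PersistedClaims>
    <PersistedClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" />
    <PersistedClaim ClaimTypeReferenceId="newPassword" PartnerClaimType="password" />
    <PersistedClaim ClaimTypeReferenceId="displayName" DefaultValue="unknown" />
    <PersistedClaim ClaimTypeReferenceId="passwordPolicies" DefaultValue="DisablePasswordExpiration" />
    <!-- the flattened list goes to the directory as a plain string -->
    <PersistedClaim ClaimTypeReferenceId="extension_countries" />
  </PersistedClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectId" />
  </OutputClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>
```

Nothing in these fragments enforces the 256-character ceiling of the extension property: StringJoin will happily produce a longer string and the directory write will then fail. If the list can grow large, the first answer's suggestion of a REST validation step is the place to cap the number of entries before the write profile runs, and the same step can reject delimiter characters for values that arrive from an API rather than from the self-asserted page, where the Restriction pattern above is the only check.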
Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to repost, please cite this site's URL or the original source. For any questions, contact: yoyou2525@163.com.