堆棧內存溢出
  簡體   English   中英

如何在 Azure B2C 基於請求的輸入查詢參數的自定義策略的用戶旅程中跳過一步

[英]How to Skip a step in user journey of Azure B2C Custom policy based on an input query parameter of the request

 原文  2020-07-22 06:58:35       azure/ azure-ad-b2c

問題描述

我有如下輸入聲明<InputClaim ClaimTypeReferenceId="isAccessFlow" PartnerClaimType="access_flow" DefaultValue="{OAUTH-KV:access_flow}"/>

<TechnicalProfile Id="Google-OAUTH">

基於這個值,我想跳過用戶旅程中的 MFA 編排步驟。為此,我需要從 output 聲明中獲取值。 那么如何將輸入聲明中的值傳遞給 output 聲明,或者我如何直接在 userjourney 中使用輸入聲明來停止該步驟。

我的用戶旅程編排步驟如下

        <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signinandsignupwithpassword">
          <ClaimsProviderSelections>
          <ClaimsProviderSelection TargetClaimsExchangeId="AD" />
          <ClaimsProviderSelection TargetClaimsExchangeId="ADFSExchange" />
          <ClaimsProviderSelection TargetClaimsExchangeId="MicrosoftExchange" />
           <ClaimsProviderSelection TargetClaimsExchangeId="GoogleExchange" />
            <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
          </ClaimsProviderSelections>
          <ClaimsExchanges>
            <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <!-- Check if the user has selected to sign in using one of the social providers -->
        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>objectId</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
          <ClaimsExchange Id="ADFSExchange" TechnicalProfileReferenceId="ADFS-SAML2" />
          <ClaimsExchange Id="MicrosoftExchange" TechnicalProfileReferenceId="MSA-OIDC" />
          <ClaimsExchange Id="AD" TechnicalProfileReferenceId="OIDC-AD" />
            <ClaimsExchange Id="GoogleExchange" TechnicalProfileReferenceId="Google-OAUTH" />
            <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <!-- For social IDP authentication, attempt to find the user account in the directory. -->
        <OrchestrationStep Order="3" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>authenticationSource</Value>
              <Value>localAccountAuthentication</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <!-- Show self-asserted page only if the directory does not have the user account already (i.e. we do not have an objectId). 
          This can only happen when authentication happened using a social IDP. If local account was created or authentication done
          using ESTS in step 2, then an user account must exist in the directory by this time. -->
        <OrchestrationStep Order="4" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>objectId</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent 
          in the token. -->
        <OrchestrationStep Order="5" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>authenticationSource</Value>
              <Value>socialIdpAuthentication</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- The previous step (SelfAsserted-Social) could have been skipped if there were no attributes to collect 
             from the user. So, in that case, create the user in the directory if one does not already exist 
             (verified using objectId which would be set from the last step if account was created in the directory. -->
        <OrchestrationStep Order="6" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>objectId</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
          </ClaimsExchanges>
        </OrchestrationStep>
   <!-- Phone verification: If MFA is not required, the next three steps (#5-#7) should be removed.
             This step checks whether there's a phone number on record,  for the user. If found, then the user is challenged to verify it. -->
        <OrchestrationStep Order="7" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>isActiveMFASession</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
              <Value>requiresMFA</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
           <!--  <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>isAccessFlow</Value>
               <Value>true</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition> -->
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
          </ClaimsExchanges>
        </OrchestrationStep>

編排步驟 6 中的注釋部分是我想要實現的,但失敗了我是自定義策略的新手,所以如果我做錯了,請糾正我。

1 個解決方案

解決方案1
 0 已采納  2020-07-23 06:31:16

自己找到了解決方案。 我們還可以在 Output 聲明中使用聲明解析器,如下所示<OutputClaim ClaimTypeReferenceId="isAccessFlow" DefaultValue="{OAUTH-KV:access_flow}" AlwaysUseDefaultValue="true"/>

設置:

  • IncludeClaimResolvingInClaimsHandling元數據必須設置為 true。
  • 輸入或 output 聲明屬性AlwaysUseDefaultValue必須設置為 true。

我之前錯過了這些設置,不得不掙扎。 添加這些后,以下前提條件按預期工作。

           <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>isAccessFlow</Value>
               <Value>true</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>

暫無
暫無

聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.

相關問題 Azure自定義策略B2C - 業務流程步驟 僅在 Azure B2C 中自定義登錄部分用戶旅程 azure B2c無縫用戶遷移自定義策略錯誤 在 Azure AD B2C 中使用自定義策略在注冊期間驗證和驗證用戶輸入數據 Azure B2C手機之旅 如何在Azure B2c中使用IdentityServer3或4作為自定義策略 如何編寫在添加新用戶時觸發的 Azure B2C 自定義策略 Azure AD B2C 自定義策略繞過或跳過特定電話號碼編排流程 Azure 自定義策略 B2C 如何讀取 Azure AD 用戶的員工 ID 並使用此值填充文本框 Azure B2C 自定義策略,在 Output 聲明中添加自定義用戶屬性
相關標簽
 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM