I'm trying to force a password reset after the first login (in Azure AD B2C) using the custom policies described in the "reset password" repo.
I'm using custom policies, and I get a validation error when I try to upload the "SignUpOrSignin.xml" custom policy. The message is:
Required metadata item with key "ApplicationObjectId" not found in TechnicalProfile with Id "AAD-UserRemoveMustResetPasswordUsingObjectId" in policy "B2C_1A_signup_signin" of tenant "resetpasswordtest.onmicrosoft.com"
These are the steps I followed (files uploaded in this order):
TrustFrameworkBase.xml
TrustFrameworkExtensions.xml
PasswordReset.xml
ProfileEdit.xml
SignUpOrSignin.xml
The problem appears when I try to upload the last one (SignUpOrSignin.xml). What is wrong here? Here you can find the full implementation of the first 5 xml files.
Please see the following sections of the "TrustFrameworkExtensions.xml" and "SignUpOrSignin.xml" custom policies, which I have pasted below.
Thanks for reading
<!-- TrustFrameworkExtensions.xml -->
<TrustFrameworkPolicy
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0"
  TenantId="resetpasswordtest.onmicrosoft.com"
  PolicyId="B2C_1A_TrustFrameworkExtensions"
  PublicPolicyUri="http://resetpasswordtest.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions">
  <BasePolicy>
    <TenantId>resetpasswordtest.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>
  </BasePolicy>
  <BuildingBlocks>
    <ClaimsSchema>
      <!-- Demo: specifies whether the user must reset the password -->
      <ClaimType Id="extension_mustResetPassword">
        <DisplayName>Must reset password</DisplayName>
        <DataType>boolean</DataType>
        <UserHelpText>Specifies whether the user must reset the password</UserHelpText>
      </ClaimType>
    </ClaimsSchema>
  </BuildingBlocks>
  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Azure Active Directory</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="AAD-UserReadUsingObjectId">
          <OutputClaims>
            <!-- Demo: read the 'must reset password' extension attribute -->
            <OutputClaim ClaimTypeReferenceId="extension_mustResetPassword" />
          </OutputClaims>
        </TechnicalProfile>
        <!-- Demo: removes the extension attribute from the user object once the password has been reset.
             This profile includes AAD-Common, so AAD-Common must carry the extensions-app metadata. -->
        <TechnicalProfile Id="AAD-UserRemoveMustResetPasswordUsingObjectId">
          <Metadata>
            <Item Key="Operation">DeleteClaims</Item>
          </Metadata>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
          </InputClaims>
          <PersistedClaims>
            <PersistedClaim ClaimTypeReferenceId="objectId" />
            <PersistedClaim ClaimTypeReferenceId="extension_mustResetPassword" />
          </PersistedClaims>
          <IncludeTechnicalProfile ReferenceId="AAD-Common" />
        </TechnicalProfile>
        <!-- Demo: to create the extension attribute extension_mustResetPassword, upload the policy
             and create one account. Then ***comment out this technical profile***. -->
        <TechnicalProfile Id="AAD-UserWriteUsingLogonEmail">
          <PersistedClaims>
            <PersistedClaim ClaimTypeReferenceId="extension_mustResetPassword" DefaultValue="true" />
          </PersistedClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
    <!-- Facebook claims provider -->
    <ClaimsProvider>
      <DisplayName>Facebook</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="Facebook-OAUTH">
          <Metadata>
            <!-- Demo action required: change to your Facebook App ID -->
            <Item Key="client_id">313412440187068</Item>
            <Item Key="scope">email public_profile</Item>
            <Item Key="ClaimsEndpoint">https://graph.facebook.com/me?fields=id,first_name,last_name,name,email</Item>
          </Metadata>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
    <ClaimsProvider>
      <DisplayName>Local Account SignIn</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="login-NonInteractive">
          <Metadata>
            <Item Key="client_id">44444444-2222-2222-2222-555555555555</Item>
            <Item Key="IdTokenAudience">44444444-2222-2222-2222-555555555555</Item>
          </Metadata>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="44444444-2222-2222-2222-555555555555" />
            <InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="44444444-2222-2222-2222-555555555555" />
          </InputClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
  <UserJourneys>
    <UserJourney Id="SignUpOrSignInWithForcePasswordReset">
      <OrchestrationSteps>
        <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
          <ClaimsProviderSelections>
            <ClaimsProviderSelection TargetClaimsExchangeId="FacebookExchange" />
            <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
          </ClaimsProviderSelections>
          <ClaimsExchanges>
            <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- Check if the user has selected to sign in using one of the social providers -->
        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>objectId</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="FacebookExchange" TechnicalProfileReferenceId="Facebook-OAUTH" />
            <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- For social IDP authentication, attempt to find the user account in the directory. -->
        <OrchestrationStep Order="3" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>authenticationSource</Value>
              <Value>localAccountAuthentication</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- Show the self-asserted page only if the directory does not have the user account already (i.e. we do not have an objectId).
             This can only happen when authentication happened using a social IDP. If a local account was created or authentication was done
             using ESTS in step 2, then a user account must exist in the directory by this time. -->
        <OrchestrationStep Order="4" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>objectId</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent
             in the token. -->
        <OrchestrationStep Order="5" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>authenticationSource</Value>
              <Value>socialIdpAuthentication</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- Demo: check if a password change is required. If yes, ask the user to reset the password -->
        <OrchestrationStep Order="6" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>authenticationSource</Value>
              <Value>socialIdpAuthentication</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
              <Value>extension_mustResetPassword</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
              <Value>extension_mustResetPassword</Value>
              <Value>True</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- Demo: check if a password change is required. If yes, remove the value of the extension attribute,
             so the user doesn't need to update the password next time -->
        <OrchestrationStep Order="7" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>authenticationSource</Value>
              <Value>socialIdpAuthentication</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
              <Value>extension_mustResetPassword</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
              <Value>extension_mustResetPassword</Value>
              <Value>True</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserRemoveMustResetPasswordUsingObjectId" TechnicalProfileReferenceId="AAD-UserRemoveMustResetPasswordUsingObjectId" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- The previous step (SelfAsserted-Social) could have been skipped if there were no attributes to collect
             from the user. So, in that case, create the user in the directory if one does not already exist
             (verified using objectId, which would be set from the last step if the account was created in the directory). -->
        <OrchestrationStep Order="8" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>objectId</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="9" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
      </OrchestrationSteps>
      <ClientDefinition ReferenceId="DefaultWeb" />
    </UserJourney>
  </UserJourneys>
</TrustFrameworkPolicy>
<!-- SignUpOrSignin.xml (relying party policy) -->
<TrustFrameworkPolicy
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0"
  TenantId="resetpasswordtest.onmicrosoft.com"
  PolicyId="B2C_1A_signup_signin"
  PublicPolicyUri="http://resetpasswordtest.onmicrosoft.com/B2C_1A_signup_signin">
  <BasePolicy>
    <TenantId>resetpasswordtest.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
  </BasePolicy>
  <RelyingParty>
    <!-- Runs the journey defined in TrustFrameworkExtensions.xml -->
    <DefaultUserJourney ReferenceId="SignUpOrSignInWithForcePasswordReset" />
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="givenName" />
        <OutputClaim ClaimTypeReferenceId="surname" />
        <OutputClaim ClaimTypeReferenceId="email" />
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" />
        <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>
You missed the policy that configures extension attribute support: https://docs.microsoft.com/en-us/azure/active-directory-b2c/user-flow-custom-attributes?pivots=b2c-custom-policy#azure-ad-b2c-extensions-app
Before you start with the samples, you can use my tool to automate the whole process: https://aka.ms/iefsetup.
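The metadata the validator complains about belongs to the AAD-Common technical profile, which AAD-UserRemoveMustResetPasswordUsingObjectId pulls in through its IncludeTechnicalProfile element; every technical profile that reads, writes or deletes an extension_ attribute needs it, because those attributes are stored on the tenant's b2c-extensions-app. The fragment below is added here as an illustration of that fix and is not part of the original question or answer; the two GUIDs are placeholders for the object ID and application (client) ID of the b2c-extensions-app in the tenant.

```xml
<!-- Goes inside <ClaimsProviders> of TrustFrameworkExtensions.xml.
     Both values are placeholders: copy the real ones from
     App registrations > b2c-extensions-app in the B2C tenant.
     Only identifiers are involved, no secret; the app itself must not be
     deleted or re-registered, or existing extension attributes are lost. -->
<ClaimsProvider>
  <DisplayName>Azure Active Directory</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="AAD-Common">
      <DisplayName>Azure Active Directory</DisplayName>
      <Metadata>
        <!-- Object ID of the b2c-extensions-app (placeholder) -->
        <Item Key="ApplicationObjectId">00000000-0000-0000-0000-000000000000</Item>
        <!-- Application (client) ID of the b2c-extensions-app (placeholder) -->
        <Item Key="ClientId">00000000-0000-0000-0000-000000000000</Item>
      </Metadata>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

Since the posted TrustFrameworkExtensions.xml already declares an "Azure Active Directory" claims provider, the AAD-Common technical profile can be added to that provider's existing TechnicalProfiles list instead of as a separate ClaimsProvider element.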