ValidationTechnicalProfile 未执行 - B2C 自定义策略


我尝试通过 ValidationTechnicalProfile 调用一个 RESTful 技术配置文件。在 Application Insights 中可以看到 OutputClaimsTransformations 已经执行,但 ValidationTechnicalProfile 被跳过,引擎直接进入下一个编排步骤。如果改为把这个 RESTful 技术配置文件添加为单独的编排步骤,则可以正常调用,没有任何问题。

任何人都可以看到我做错了什么吗?

SignInWithIdProvider.xml

<TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0" TenantId="__TenantId__" PolicyId="B2C_1A_SignInWithIdProvider" PublicPolicyUri="http://__TenantId__/B2C_1A_signin_idprovider">
<BasePolicy>
    <TenantId>__TenantId__</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
</BasePolicy>
<!-- Relying-party section: selects the user journey this policy runs and defines the claims
     placed in the token issued to the application. -->
<RelyingParty>
    <DefaultUserJourney ReferenceId="SignInWithIdProvider"/>
    <UserJourneyBehaviors>
        <SingleSignOn Scope="Policy"/>
        <!-- Rolling expiry, 1800 s (30 min). Presumably the window renews on activity; confirm
             against the B2C session-behaviour docs before relying on it as an idle timeout. -->
        <SessionExpiryType>Rolling</SessionExpiryType>
        <SessionExpiryInSeconds>1800</SessionExpiryInSeconds>
        <!-- NOTE(review): framing is enabled. Every origin listed in Sources may embed the sign-in
             page, so keep the list to the exact origins that need it (clickjacking surface). -->
        <JourneyFraming Enabled="true" Sources="__JourneyFramingSource__"/>
        <!-- NOTE(review): Allow permits JavaScript in custom page layouts; confirm the custom UI
             actually needs it, otherwise leave it disallowed. -->
        <ScriptExecution>Allow</ScriptExecution>
    </UserJourneyBehaviors>
    <!-- Token issuance profile: claim-to-token mappings for the OpenID Connect relying party. -->
    <TechnicalProfile Id="PolicyProfile">
        <DisplayName>PolicyProfile</DisplayName>
        <Protocol Name="OpenIdConnect"/>
        <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="sessionId" PartnerClaimType="sid"/>
            <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
            <OutputClaim ClaimTypeReferenceId="securityLevel" PartnerClaimType="acr"/>
            <!-- NOTE(review): a personal identification number is issued to the application in
                 the token; confirm the relying party really needs it (claims minimisation). -->
            <OutputClaim ClaimTypeReferenceId="personalIdentificationNumber" PartnerClaimType="pid"/>
            <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email"/>
        </OutputClaims>
        <!-- The token subject is the objectId mapped to "sub" above. -->
        <SubjectNamingInfo ClaimType="sub"/>
    </TechnicalProfile>
</RelyingParty>

来自 TrustFrameworkExtensions.xml 的片段

<ClaimsProvider>
<Domain>Signin</Domain>
<DisplayName>Signin using provider</DisplayName>
<TechnicalProfiles>
    <!-- OpenID Connect federation with the external identity provider: authorization-code flow
         (response_types=code) with the response delivered by form_post. -->
    <TechnicalProfile Id="OIDC-SignIn">
        <DisplayName>Sign-in</DisplayName>
        <Description>Login with provider</Description>
        <Protocol Name="OpenIdConnect"/>
        <Metadata>
            <Item Key="METADATA">__WellKnown__</Item>
            <Item Key="client_id">__SignInClientId__</Item>
            <Item Key="response_types">code</Item>
            <!-- NOTE(review): "openid" is not among the requested scopes. Most OIDC providers
                 require it to issue an id_token; confirm this provider accepts "id profile" alone. -->
            <Item Key="scope">id profile</Item>
            <Item Key="response_mode">form_post</Item>
            <Item Key="HttpBinding">POST</Item>
            <!-- The policy name is not appended to redirect_uri, so the redirect URI registered at
                 the provider must match the plain B2C endpoint. -->
            <Item Key="UsePolicyInRedirectUri">false</Item>
            <Item Key="SingleLogoutEnabled">false</Item>
        </Metadata>
        <CryptographicKeys>
            <!-- Client secret is read from the policy key store, never inlined in the policy. -->
            <Key Id="client_secret" StorageReferenceId="__SignInSecret__"/>
        </CryptographicKeys>
        <InputClaims>
            <InputClaim ClaimTypeReferenceId="ui_locales" DefaultValue="{Culture:RFC5646}"/>
        </InputClaims>
        <OutputClaims>
            <!-- The provider's session id ("sid") is kept as sessionId and later handed to the
                 session-recording REST API. -->
            <OutputClaim ClaimTypeReferenceId="sessionId" PartnerClaimType="sid"/>
            <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub"/>
            <OutputClaim ClaimTypeReferenceId="securityLevel" PartnerClaimType="acr"/>
            <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true"/>
            <OutputClaim ClaimTypeReferenceId="personalIdentificationNumber" PartnerClaimType="pid"/>
            <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss"/>
        </OutputClaims>
        <OutputClaimsTransformations>
            <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
            <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
            <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
            <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
        </OutputClaimsTransformations>
        <!-- NOTE(review): validation technical profiles only run inside self-asserted technical
             profiles. On an OpenIdConnect profile this element is ignored, so REST-PostNewSession is
             never invoked from here (matches the behaviour observed in Application Insights).
             Call it from its own ClaimsExchange orchestration step instead; note that
             ContinueOnError="true" has no equivalent there, so an API error would then fail the
             journey rather than be swallowed. -->
        <ValidationTechnicalProfiles>
            <ValidationTechnicalProfile ReferenceId="REST-PostNewSession" ContinueOnError="true"/>
        </ValidationTechnicalProfiles>
        <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin"/>
    </TechnicalProfile>
</TechnicalProfiles>
<ClaimsProvider>
<DisplayName>REST APIs</DisplayName>
<TechnicalProfiles>
    <!-- Posts the sign-in session to an external API. Credentials come from the policy key store
         (B2C_1A_UserName / B2C_1A_Password); the endpoint is HTTPS and the claims go in the body. -->
    <TechnicalProfile Id="REST-PostNewSession">
        <DisplayName>Post new session</DisplayName>
        <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
        <Metadata>
            <Item Key="ServiceUrl">https://some.apim.url/post-method</Item>
            <Item Key="SendClaimsIn">Body</Item>
            <!-- NOTE(review): HTTP Basic auth over TLS. Acceptable, but the username/password pair
                 is a long-lived shared secret; rotate it via the key store and consider a
                 certificate or bearer-token scheme if the API supports one. -->
            <Item Key="AuthenticationType">Basic</Item>
        </Metadata>
        <CryptographicKeys>
            <Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_UserName"/>
            <Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_Password"/>
        </CryptographicKeys>
        <!-- Only the provider's session id is sent; no OutputClaims are declared, so nothing from
             the response is read back into the claims bag. -->
        <InputClaims>
            <InputClaim ClaimTypeReferenceId="sessionId"/>
        </InputClaims>
        <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/>
    </TechnicalProfile>
</TechnicalProfiles>
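<!-- Sign-in journey: federate to the external IdP, normalise the social identity, then record the
     session via the REST API as its own orchestration step (validation technical profiles are not
     executed on an OpenIdConnect profile, so the call has to live here). -->
<UserJourney Id="SignInWithIdProvider">
<OrchestrationSteps>
    <!-- Step 1: skipped when an SSO session already supplied objectId. -->
    <OrchestrationStep Order="1" Type="ClaimsExchange">
        <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
                <Value>objectId</Value>
                <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
        </Preconditions>
        <ClaimsExchanges>
            <ClaimsExchange Id="idSignInExchange" TechnicalProfileReferenceId="OIDC-SignIn"/>
        </ClaimsExchanges>
    </OrchestrationStep>
    <!-- Step 2: build the alternative security id; not needed for local-account authentication. -->
    <OrchestrationStep Order="2" Type="ClaimsExchange">
        <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
                <Value>authenticationSource</Value>
                <Value>localAccountAuthentication</Value>
                <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
        </Preconditions>
        <ClaimsExchanges>
            <ClaimsExchange Id="AlternativeSecurityId" TechnicalProfileReferenceId="AlternativeSecurityId-NoError"/>
        </ClaimsExchanges>
    </OrchestrationStep>
    <!-- Step 3: call REST-PostNewSession directly. Skipped when no sessionId was produced (for
         example when step 1 was skipped by the SSO precondition). Unlike the original
         ValidationTechnicalProfile with ContinueOnError="true", an API error here fails the journey;
         decide whether a failed session record should block sign-in and handle it accordingly.
         NOTE(review): the original listing also lacked the closing OrchestrationSteps tag and a final
         SendClaims step (JwtIssuer); both are presumably trimmed from the paste, so verify the
         ordering of this step against the full journey. -->
    <OrchestrationStep Order="3" Type="ClaimsExchange">
        <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
                <Value>sessionId</Value>
                <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
        </Preconditions>
        <ClaimsExchanges>
            <ClaimsExchange Id="PostNewSessionExchange" TechnicalProfileReferenceId="REST-PostNewSession"/>
        </ClaimsExchanges>
    </OrchestrationStep>
</OrchestrationSteps>
</UserJourney>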
azure-active-directory azure-ad-b2c azure-ad-b2c-custom-policy

ValidationTechnicalProfiles 只会在自断言(SelfAsserted)技术配置文件中执行;放在 OpenIdConnect 技术配置文件里会被引擎直接忽略,这正是你在 Application Insights 中看到它被跳过的原因。

只有自我断言的技术配置文件才能使用验证技术配置文件。如果您需要验证非自断言技术配置文件的输出声明,请考虑在用户旅程中使用额外的编排步骤来适应负责验证的技术配置文件。

https://learn.microsoft.com/en-us/azure/active-directory-b2c/validation-technical-profile

把 REST-PostNewSession 改为用户旅程中单独的 ClaimsExchange 编排步骤即可正常调用。注意:ClaimsExchange 没有 ContinueOnError 属性,作为编排步骤调用时 REST API 返回的错误不再被忽略,而会中断整个旅程;请确认"记录会话失败"时是否应当阻止登录,并据此设计 API 的错误响应。
