Technical Profile fails to match user account with email (signInNames.emailAddress) claim
Question
Can anyone explain to me (before Azure B2C Custom Policies make me pull what's left of my hair out) why this technical profile fails to ever return an "objectId" when a user account exists in Azure B2C. I am collecting the email claim in a previous screen and calling the technical profile from the orchestration step.
I can see the profile executing in my Application Insights logs and I have confirmed that the email address I use in the claim is in the directory. But every time, no matter which email address I use, I never get an objectId back, which means I can never detect if the user exists or not!
Technical Profile
    <TechnicalProfile Id="UE-AAD-CheckAccountExistsByEmail">
      <Protocol Name="Proprietary"
        Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="Operation">Read</Item>
        <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">false</Item>
        <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">An account could not be found for the provided email address.</Item>
      </Metadata>
      <IncludeInSso>false</IncludeInSso>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" Required="true"/>
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId"/>
      </OutputClaims>
      <IncludeTechnicalProfile ReferenceId="AAD-Common" />
    </TechnicalProfile>
Orchestration Step
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <Preconditions>
        <!-- Skip this if we already have an object id from single signon -->
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>objectIdFromSession</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <!-- Call a technical profile to see if an account can be found with the email supplied in AD -->
        <ClaimsExchange Id="AccountExistsClaim"
          TechnicalProfileReferenceId="UE-AAD-CheckAccountExistsByEmail" />
      </ClaimsExchanges>
    </OrchestrationStep>
Answer 1
Score: 0
You have specified ClaimsTransformationProtocolProvider as the handler.
You need the AAD provider as the handler to make Graph API queries.
Though if AAD-Common already has the Protocol element, you don't need to specify it here again since it'll be included from there.
Like so:
    <TechnicalProfile Id="UE-AAD-CheckAccountExistsByEmail">
      <!-- You don't actually need this though if AAD-Common has it -->
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.AzureActiveDirectoryProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="Operation">Read</Item>
        <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">false</Item>
        <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">An account could not be found for the provided email address.</Item>
      </Metadata>
      <IncludeInSso>false</IncludeInSso>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" Required="true"/>
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId"/>
      </OutputClaims>
      <IncludeTechnicalProfile ReferenceId="AAD-Common" />
    </TechnicalProfile>
ClaimsTransformationProtocolProvider is used for running claims transformations to produce new claims or modify existing claims.
It is not used for querying AAD.
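As an added example that is not part of the question or the answer, here is how the orchestration can act on the objectId the corrected profile returns: step 2 from the question does the lookup, and the steps below branch on whether objectId came back. The profile names LocalAccountSignUpWithLogonEmail and AAD-UserReadUsingObjectId are assumed to be the Azure AD B2C starter-pack profiles (and the sign-up profile is assumed to output objectId, as the starter pack's does); substitute the ones your policy defines.

```xml
<!-- Step 2 is UE-AAD-CheckAccountExistsByEmail from the question, now with the
     AzureActiveDirectoryProvider handler from the answer. Because the profile sets
     RaiseErrorIfClaimsPrincipalDoesNotExist to false, a missing account does not fail
     the journey; it simply leaves objectId unset, and that is what the branch tests. -->

<!-- Step 3: no objectId came back, so the account does not exist yet; create it.
     Assumed starter-pack profile name; replace it with your own sign-up profile. -->
<OrchestrationStep Order="3" Type="ClaimsExchange">
  <Preconditions>
    <!-- objectId present means the lookup found the account: skip sign-up. -->
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>objectId</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="SignUpWithLogonEmailExchange"
      TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
  </ClaimsExchanges>
</OrchestrationStep>

<!-- Step 4: by now objectId exists on both paths (returned by the lookup, or by the
     assumed sign-up profile), so read the rest of the user's attributes by objectId.
     The inverted precondition is a guard: if neither path produced an objectId,
     there is nothing to read, so the step is skipped instead of failing. -->
<OrchestrationStep Order="4" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
      <Value>objectId</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <!-- Assumed starter-pack profile name. -->
    <ClaimsExchange Id="ReadUserByObjectId"
      TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
  </ClaimsExchanges>
</OrchestrationStep>

<!-- The journey now diverges on whether the account exists. If that distinction should
     not be visible to whoever typed the email, keep the user-facing pages and messages
     identical on both paths and branch only on server-side steps like the ones above. -->
```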