Azure B2C: prevent user entries

Stack Overflow user
Asked on 2022-04-26 13:35:34
Answers 1 · Views 93 · Followers 0 · Votes 0

I published an application on an Azure B2C tenant. There are two auth methods: one is a federated SAML provider, the other is a regular Azure AD tenant. I want to avoid users from the external SAML provider being saved in my Azure B2C tenant. For every user who signs in successfully, a user entry is created in my Azure B2C tenant. How do I prevent the user entry in the B2C tenant? This is my user journey:

```xml
<UserJourneys>
  <UserJourney Id="UDIMASignUpOrSignIn">
    <OrchestrationSteps>
      <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
        <ClaimsProviderSelections>
          <!-- <ClaimsProviderSelection TargetClaimsExchangeId="FacebookExchange" /> -->
          <ClaimsProviderSelection TargetClaimsExchangeId="CEF" />
          <ClaimsProviderSelection TargetClaimsExchangeId="UDIMA" />
        </ClaimsProviderSelections>
      </OrchestrationStep>
      <OrchestrationStep Order="2" Type="ClaimsExchange">
        <ClaimsExchanges>
          <!-- <ClaimsExchange Id="FacebookExchange" TechnicalProfileReferenceId="Facebook-OAUTH" /> -->
          <ClaimsExchange Id="CEF" TechnicalProfileReferenceId="AADCEF-OpenIdConnect" />
          <ClaimsExchange Id="UDIMA" TechnicalProfileReferenceId="Saml2AssertionIssuer" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <!-- For social IDP authentication, attempt to find the user account in the directory. -->
      <OrchestrationStep Order="3" Type="ClaimsExchange">
        <ClaimsExchanges>
          <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <!-- The previous step (SelfAsserted-Social) could have been skipped if there were no attributes to collect
           from the user. So, in that case, create the user in the directory if one does not already exist
           (verified using objectId which would be set from the last step if account was created in the directory. -->
      <OrchestrationStep Order="4" Type="ClaimsExchange">
        <Preconditions>
          <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
            <Value>objectId</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
        </Preconditions>
        <ClaimsExchanges>
          <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <!-- Show self-asserted page only if the directory does not have the user account already (i.e. we do not have an objectId). -->
      <OrchestrationStep Order="5" Type="ClaimsExchange">
        <Preconditions>
          <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
            <Value>objectId</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
        </Preconditions>
        <ClaimsExchanges>
          <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <!-- <OrchestrationStep Order="6" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="AADCEF-OpenIdConnect" /> -->
      <OrchestrationStep Order="6" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
    </OrchestrationSteps>
    <ClientDefinition ReferenceId="DefaultWeb" />
  </UserJourney>
</UserJourneys>
```

1 Answer

Stack Overflow user

Posted on 2022-05-01 17:19:33

Please check whether the references provided are usable.

By default, for external identities, Azure AD B2C creates a user object (objectID) in its own directory. So one may be able to store the claims asserted by the external IdP, and can also use the end-user claims created by that external identity or by your own application. The object id is passed on to the next step for processing and use.

The ObjectID attribute in Azure is usually stored in an alternateSecurityID together with the identityProvider.

```xml
<OutputClaims>
  <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid" />
  <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
</OutputClaims>

<OutputClaimsTransformations>
  <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
</OutputClaimsTransformations>
```

Reference: B2C query federated identity (Stack Overflow)

Please check whether the user has been checked against their objectId and issuer (identity provider), in order to unlink, block sign-in, or delete that user identity.

```xml
<ClaimsTransformation Id="RemoveUserIdentityFromCollectionByIssuer" TransformationMethod="RemoveUserIdentityFromCollectionByIssuer">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="issuerToUnlink" TransformationClaimType="issuer" />
    <InputClaim ClaimTypeReferenceId="userIdentities" TransformationClaimType="collection" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="userIdentities" TransformationClaimType="collection" />
  </OutputClaims>
</ClaimsTransformation>
```

For details, please look at active-directory-b2c-advanced-policies/TRUSTFRAMEWORKBASE.xml · GitHub

If needed, also: Azure B2C how to prevent user login until admin approval - Stack Overflow

Reference:

active-directory-b2c-advanced-policies/account-linking at master · Azure-Samples/active-directory-b2c-advanced-policies · GitHub

Votes 0
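The user journey in the question writes a directory object for every identity that arrives without an objectId, because steps 3 to 5 (read by alternativeSecurityId, write by alternativeSecurityId, self-asserted page) are guarded only by a ClaimsExist precondition on objectId. The following is an added example, not code from the question or the answer, showing how those steps can be skipped for the SAML path only by adding a ClaimEquals precondition on the identityProvider claim. It assumes the SAML technical profile referenced by the UDIMA exchange emits identityProvider with the fixed value `udima-saml` (a hypothetical value; set it in that profile with an OutputClaim carrying DefaultValue and AlwaysUseDefaultValue="true"); the exchange and technical profile IDs are kept exactly as in the question.

```xml
<!-- Added example, not part of the original policy. Assumption: the UDIMA SAML
     technical profile emits identityProvider = "udima-saml" (hypothetical value). -->
<UserJourneys>
  <UserJourney Id="UDIMASignUpOrSignIn">
    <OrchestrationSteps>
      <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
        <ClaimsProviderSelections>
          <ClaimsProviderSelection TargetClaimsExchangeId="CEF" />
          <ClaimsProviderSelection TargetClaimsExchangeId="UDIMA" />
        </ClaimsProviderSelections>
      </OrchestrationStep>
      <OrchestrationStep Order="2" Type="ClaimsExchange">
        <ClaimsExchanges>
          <ClaimsExchange Id="CEF" TechnicalProfileReferenceId="AADCEF-OpenIdConnect" />
          <ClaimsExchange Id="UDIMA" TechnicalProfileReferenceId="Saml2AssertionIssuer" />
        </ClaimsExchanges>
      </OrchestrationStep>

      <!-- Steps 3-5 are the directory read/write path. Each carries a ClaimEquals
           precondition: when identityProvider equals "udima-saml" the step is skipped,
           so no user object is ever read or written for the SAML federation.
           Preconditions are evaluated in order; the first one whose condition holds
           executes its action, so the SAML check is listed before the objectId check. -->
      <OrchestrationStep Order="3" Type="ClaimsExchange">
        <Preconditions>
          <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
            <Value>identityProvider</Value>
            <Value>udima-saml</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
        </Preconditions>
        <ClaimsExchanges>
          <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />
        </ClaimsExchanges>
      </OrchestrationStep>

      <!-- Azure AD (CEF) users still get the self-asserted page when they are new. -->
      <OrchestrationStep Order="4" Type="ClaimsExchange">
        <Preconditions>
          <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
            <Value>identityProvider</Value>
            <Value>udima-saml</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
          <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
            <Value>objectId</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
        </Preconditions>
        <ClaimsExchanges>
          <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social" />
        </ClaimsExchanges>
      </OrchestrationStep>

      <!-- The directory write happens only for Azure AD (CEF) users without an objectId. -->
      <OrchestrationStep Order="5" Type="ClaimsExchange">
        <Preconditions>
          <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
            <Value>identityProvider</Value>
            <Value>udima-saml</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
          <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
            <Value>objectId</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
        </Preconditions>
        <ClaimsExchanges>
          <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
        </ClaimsExchanges>
      </OrchestrationStep>

      <OrchestrationStep Order="6" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
    </OrchestrationSteps>
    <ClientDefinition ReferenceId="DefaultWeb" />
  </UserJourney>
</UserJourneys>
```

Two caveats a practitioner should verify before relying on this. First, a SAML user now reaches the JwtIssuer step with no objectId, and the base policy's relying-party output claims map `sub` from objectId; map a stable claim from the SAML assertion (for example issuerUserId) to `sub` in the RelyingParty section instead, otherwise the issued token has an empty subject and any application authorization keyed on it breaks. Second, the ClaimEquals comparison is an exact string match, so the value must be exactly what the SAML technical profile emits; after uploading the policy, run a test sign-in through the SAML provider and confirm in the B2C users blade (or via Microsoft Graph) that no new user object appears, and a sign-in through the Azure AD provider still creates one.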
Page content originally provided by Stack Overflow. Translation supported by the Tencent Cloud Xiaowei IT engine.
Original link:

https://stackoverflow.com/questions/72014936
