[Title]: Azure AD B2C custom policy set extension attribute value
【发布时间】:2019-04-13 17:03:15
[Question]:

I have a B2C custom policy sign-in UserJourney that checks whether the user needs to reset their password on first login. We are using an extension attribute to do this because B2C has a bug where the "forceChangePasswordNextLogin" value blocks the user from signing in.

Here is the sign-in user journey.

<UserJourney Id="SignUpOrSignInSaml">
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
      <ClaimsProviderSelections>
        <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninUsernameExchange" />
      </ClaimsProviderSelections>
      <ClaimsExchanges>
        <ClaimsExchange Id="LocalAccountSigninUsernameExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Username" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>objectId</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="SignUpWithLogonUsernameExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonName" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- This step reads any user attributes that we may not have received when in the token. -->
    <OrchestrationStep Order="3" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="4" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
          <Value>extension_ChangePasswordRequired</Value>
          <Value>true</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="LocalAccountWritePasswordChangeUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="5" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="UpdatePasswordResetValue" TechnicalProfileReferenceId="LocalAccountUpdatePasswordResetStateValue" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="6" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="Saml2AssertionIssuer" />
  </OrchestrationSteps>
  <ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>

Step 4 in the UserJourney evaluates whether the extension attribute "extension_ChangePasswordRequired" is set to "true"; if it is "true", the user is prompted to change their password. This works fine.

Step 5 is then used to update the extension attribute to a value other than "true" so the user is not prompted again on their next login, but it does not seem to work.

Here is my "LocalAccountUpdatePasswordResetStateValue" technical profile

<TechnicalProfile Id="LocalAccountUpdatePasswordResetStateValue">
  <DisplayName>Update Password Set Value</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="extension_ChangePasswordRequired" Required="true" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="SetPasswordResetStatus" />
  </OutputClaimsTransformations>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>

Here is the output claims transformation it is calling

<ClaimsTransformation Id="SetPasswordResetStatus" TransformationMethod="FormatStringClaim">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="extension_ChangePasswordRequired" TransformationClaimType="inputClaim" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="stringFormat" DataType="string" Value="abc123" />
  </InputParameters>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="extension_ChangePasswordRequired" TransformationClaimType="outputClaim" />
  </OutputClaims>
</ClaimsTransformation>

The policy passes validation on upload, but the extension attribute is not set for the user after the password reset.

Does anyone know what I am doing wrong here, or whether there is a better way to achieve this?

-----Update-----

I was able to successfully write a value to a different extension attribute via a persisted claim, as seen here

<TechnicalProfile Id="AAD-UserUpdateStateValue">
  <Metadata>
    <Item Key="Operation">Write</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">false</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
  </InputClaims>
  <PersistedClaims>
    <!-- Required claims -->
    <PersistedClaim ClaimTypeReferenceId="objectId" />
    <!-- Optional claims -->
    <PersistedClaim ClaimTypeReferenceId="extension_Flag" DefaultValue="abc1234567"/>
  </PersistedClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>

However, as Chris mentioned in the post, this does not work if I have read the claim in a previous step.

[Discussion]:

    Tags: azure-ad-b2c


    [Solution 1]:

    The DefaultValue attribute takes effect if, and only if, the claim value is not already set.

    To force the default value, set the AlwaysUseDefaultValue attribute to true:

    <PersistedClaim ClaimTypeReferenceId="extension_ChangePasswordRequired" DefaultValue="false" AlwaysUseDefaultValue="true" />
    

    In your particular case, you should set the extension_ChangePasswordRequired claim to this default value in the AAD-UserWritePasswordUsingObjectId technical profile, at the moment the new password is written:

    <TechnicalProfile Id="AAD-UserWritePasswordUsingObjectId">
      <Metadata>
        <Item Key="Operation">Write</Item>
        <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
      </Metadata>
      <IncludeInSso>false</IncludeInSso>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
      </InputClaims>
      <PersistedClaims>
        <PersistedClaim ClaimTypeReferenceId="objectId" />
        <PersistedClaim ClaimTypeReferenceId="newPassword" PartnerClaimType="password" />
        <!-- Clear the flag in the same write as the new password; step 4 runs only while it equals "true" -->
        <PersistedClaim ClaimTypeReferenceId="extension_ChangePasswordRequired" DefaultValue="false" AlwaysUseDefaultValue="true" />
      </PersistedClaims>
      <IncludeTechnicalProfile ReferenceId="AAD-Common" />
    </TechnicalProfile>
    

    Then you can remove orchestration step 5 from the user journey.

    [Comments]:

    • You have solved my B2C policy problem once again. Thank you very much!
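The pitfall behind both the question's update (a persisted claim that "does not work if I have read the claim in a previous step") and the answer (DefaultValue applies only when the claim is unset; AlwaysUseDefaultValue forces it) is easy to miss in a large policy, because the upload validator accepts it and the write silently leaves the directory unchanged, so a forced-password-change control can fail to stick. The script below is an added example, not code from the question, the answer or Microsoft: it parses a TrustFrameworkPolicy fragment with the standard library and flags every PersistedClaim whose DefaultValue will be ignored because a Read technical profile already populates that claim type and AlwaysUseDefaultValue is not "true", then applies the answer's fix. The policy text is a constructed fragment modelled on the profiles in this thread, and the check is a static over-approximation across the whole file (it does not trace which profiles a given user journey actually executes). Function names are my own.

```python
"""Lint a B2C custom policy for PersistedClaim DefaultValue that is never applied.

A DefaultValue is used only when the claim is absent from the claims bag, so a
claim output by a Read profile (AAD-UserReadUsingObjectId in the question) is
not overwritten unless AlwaysUseDefaultValue="true" is also set.
Added example; the policy below is a constructed fragment, not the poster's.
"""
import xml.etree.ElementTree as ET

# Namespace used by TrustFrameworkPolicy files.
NS = {"tf": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}

SAMPLE_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <ClaimsProviders>
    <ClaimsProvider>
      <TechnicalProfiles>
        <TechnicalProfile Id="AAD-UserReadUsingObjectId">
          <Metadata><Item Key="Operation">Read</Item></Metadata>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="extension_ChangePasswordRequired" />
          </OutputClaims>
        </TechnicalProfile>
        <TechnicalProfile Id="AAD-UserWritePasswordUsingObjectId">
          <Metadata><Item Key="Operation">Write</Item></Metadata>
          <PersistedClaims>
            <PersistedClaim ClaimTypeReferenceId="objectId" />
            <PersistedClaim ClaimTypeReferenceId="newPassword" PartnerClaimType="password" />
            <PersistedClaim ClaimTypeReferenceId="extension_ChangePasswordRequired" DefaultValue="false" />
          </PersistedClaims>
        </TechnicalProfile>
        <TechnicalProfile Id="AAD-UserUpdateStateValue">
          <Metadata><Item Key="Operation">Write</Item></Metadata>
          <PersistedClaims>
            <PersistedClaim ClaimTypeReferenceId="objectId" />
            <PersistedClaim ClaimTypeReferenceId="extension_Flag" DefaultValue="abc1234567" />
            <PersistedClaim ClaimTypeReferenceId="extension_ChangePasswordRequired" DefaultValue="false" AlwaysUseDefaultValue="true" />
          </PersistedClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
</TrustFrameworkPolicy>
"""


def technical_profiles(root):
    """Yield (profile_id, operation, element) for every TechnicalProfile."""
    for tp in root.iterfind(".//tf:TechnicalProfile", NS):
        op = tp.findtext("tf:Metadata/tf:Item[@Key='Operation']", default="", namespaces=NS)
        yield tp.get("Id"), op, tp


def claims_read(root):
    """Claim types that Read profiles put into the claims bag."""
    read = set()
    for _pid, op, tp in technical_profiles(root):
        if op == "Read":
            for oc in tp.iterfind("tf:OutputClaims/tf:OutputClaim", NS):
                read.add(oc.get("ClaimTypeReferenceId"))
    return read


def find_ineffective_defaults(policy_xml):
    """Return [(profile_id, claim_type, default_value)] for PersistedClaims whose
    DefaultValue is ignored: the claim is already read and not forced."""
    root = ET.fromstring(policy_xml)
    already_set = claims_read(root)
    findings = []
    for pid, op, tp in technical_profiles(root):
        if op != "Write":
            continue
        for pc in tp.iterfind("tf:PersistedClaims/tf:PersistedClaim", NS):
            claim = pc.get("ClaimTypeReferenceId")
            default = pc.get("DefaultValue")
            forced = pc.get("AlwaysUseDefaultValue", "false").lower() == "true"
            if default is not None and claim in already_set and not forced:
                findings.append((pid, claim, default))
    return findings


def force_defaults(policy_xml):
    """Apply the answer's fix: add AlwaysUseDefaultValue="true" to each flagged
    PersistedClaim and return the rewritten policy XML."""
    ET.register_namespace("", NS["tf"])  # keep the default namespace on output
    root = ET.fromstring(policy_xml)
    flagged = {(pid, claim) for pid, claim, _ in find_ineffective_defaults(policy_xml)}
    for pid, _op, tp in technical_profiles(root):
        for pc in tp.iterfind("tf:PersistedClaims/tf:PersistedClaim", NS):
            if (pid, pc.get("ClaimTypeReferenceId")) in flagged:
                pc.set("AlwaysUseDefaultValue", "true")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for pid, claim, default in find_ineffective_defaults(SAMPLE_POLICY):
        print(f'{pid}: DefaultValue="{default}" on {claim} is ignored; add AlwaysUseDefaultValue="true"')
```

Run against the constructed fragment it reports only the password-write profile: extension_Flag is never read, so its DefaultValue is honoured (matching the poster's working AAD-UserUpdateStateValue), and the forced claim in the last profile is already correct. Point it at a real TrustFrameworkExtensions.xml before upload, since the B2C validator will not catch this.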