# ClaimsSchema

> **Note:** In Azure Active Directory B2C, custom policies are designed primarily to address complex scenarios. For most scenarios, we recommend that you use built-in user flows.

The ClaimsSchema element defines the claim types that can be referenced as part of the policy. The claims schema is the place where you declare your claims. A claim can be a first name, last name, display name, phone number, and more. The ClaimsSchema element contains a list of ClaimType elements. Each ClaimType element has an Id attribute, which is the claim name.

```xml
<BuildingBlocks>
  <ClaimsSchema>
    <ClaimType Id="Id">
      <DisplayName>Surname</DisplayName>
      <DataType>string</DataType>
      <DefaultPartnerClaimTypes>
        <Protocol Name="OAuth2" PartnerClaimType="family_name" />
        <Protocol Name="OpenIdConnect" PartnerClaimType="family_name" />
        <Protocol Name="SAML2" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" />
      </DefaultPartnerClaimTypes>
      <UserHelpText>Your surname (also known as family name or last name).</UserHelpText>
      <UserInputType>TextBox</UserInputType>
    </ClaimType>
  </ClaimsSchema>
</BuildingBlocks>
```

## ClaimType

The ClaimType element contains the following attribute:

| Attribute | Required | Description |
|---|---|---|
| Id | Yes | An identifier that's used for the claim type. Other elements can use this identifier in the policy. |

The ClaimType element contains the following elements:

| Element | Occurrences | Description |
|---|---|---|
| DisplayName | 1:1 | The title that's displayed to users on various screens. The value can be localized. |
| DataType | 1:1 | The type of the claim. |
| DefaultPartnerClaimTypes | 0:1 | The partner default claim types to use for a specified protocol. The value can be overwritten in the PartnerClaimType specified in the InputClaim or OutputClaim elements. Use this element to specify the default name for a protocol. |
| Mask | 0:1 | An optional string of masking characters that can be applied when displaying the claim. For example, the phone number 324-232-4343 can be masked as XXX-XXX-4343. |
| UserHelpText | 0:1 | A description of the claim type that can be helpful for users to understand its purpose. The value can be localized. |
| UserInputType | 0:1 | The type of input control that should be available to the user when manually entering the claim data for the claim type. See the user input types defined later in this page. |
| AdminHelpText | 0:1 | A description of the claim type that can be helpful for administrators to understand its purpose. |
| Restriction | 0:1 | The value restrictions for this claim, such as a regular expression (Regex) or a list of acceptable values. The value can be localized. |
| PredicateValidationReference | 0:1 | A reference to a PredicateValidationsInput element. The PredicateValidationReference elements enable you to perform a validation process to ensure that only properly formed data is entered. For more information, see Predicates. |

### DataType

The DataType element supports the following values:

| Type | Description |
|---|---|
| boolean | Represents a Boolean (true or false) value. |
| date | Represents an instant in time, typically expressed as a date of a day. The value of the date follows the ISO 8601 convention. |
| dateTime | Represents an instant in time, typically expressed as a date and time of day. The value of the date follows the ISO 8601 convention. |
| duration | Represents a time interval in years, months, days, hours, minutes, and seconds. The format is PnYnMnDTnHnMnS, where P indicates a positive value, or N a negative value. nY is the number of years followed by a literal Y. nMo is the number of months followed by a literal Mo. nD is the number of days followed by a literal D. Examples: P21Y represents 21 years. P1Y2Mo represents one year, and two months. P1Y2Mo5D represents one year, two months, and five days. P1Y2M5DT8H5M620S represents one year, two months, five days, eight hours, five minutes, and twenty seconds. |
| phoneNumber | Represents a phone number. |
| int | Represents a number between -2,147,483,648 and 2,147,483,647. |
| long | Represents a number between -9,223,372,036,854,775,808 and 9,223,372,036,854,775,807. |
| string | Represents text as a sequence of UTF-16 code units. |
| stringCollection | Represents a collection of string. |
| userIdentity | Represents a user identity. |
| userIdentityCollection | Represents a collection of userIdentity. |

### DefaultPartnerClaimTypes

The DefaultPartnerClaimTypes element may contain the following element:

| Element | Occurrences | Description |
|---|---|---|
| Protocol | 1:n | List of protocols with their default partner claim type name. |

The Protocol element contains the following attributes:

| Attribute | Required | Description |
|---|---|---|
| Name | Yes | The name of a valid protocol supported by Azure AD B2C. Possible values are: OAuth1, OAuth2, SAML2, OpenIdConnect. |
| PartnerClaimType | Yes | The claim type name to be used. |

In the following example, when the Identity Experience Framework interacts with a SAML2 identity provider or relying party application, the surname claim is mapped to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname; with OpenIdConnect and OAuth2, the claim is mapped to family_name.

```xml
<ClaimType Id="surname">
  <DisplayName>Surname</DisplayName>
  <DataType>string</DataType>
  <DefaultPartnerClaimTypes>
    <Protocol Name="OAuth2" PartnerClaimType="family_name" />
    <Protocol Name="OpenIdConnect" PartnerClaimType="family_name" />
    <Protocol Name="SAML2" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" />
  </DefaultPartnerClaimTypes>
</ClaimType>
```

As a result, the JWT token issued by Azure AD B2C emits family_name instead of the ClaimType name surname:

```json
{
  "sub": "6fbbd70d-262b-4b50-804c-257ae1706ef2",
  "auth_time": 1535013501,
  "given_name": "David",
  "family_name": "Williams",
  "name": "David Williams"
}
```

### Mask

The Mask element contains the following attributes:

| Attribute | Required | Description |
|---|---|---|
| Type | Yes | The type of the claim mask. Possible values: Simple or Regex. The Simple value indicates that a simple text mask is applied to the leading portion of a string claim. The Regex value indicates that a regular expression is applied to the string claim as a whole. If the Regex value is specified, the Regex attribute must also be defined with the regular expression to use. |
| Regex | No | If Type is set to Regex, specify the regular expression to use. |

The following example configures a PhoneNumber claim with the Simple mask:

```xml
<ClaimType Id="PhoneNumber">
  <DisplayName>Phone Number</DisplayName>
  <DataType>string</DataType>
  <Mask Type="Simple">XXX-XXX-</Mask>
  <UserHelpText>Your telephone number.</UserHelpText>
</ClaimType>
```

The Identity Experience Framework renders the phone number while hiding the first six digits:

(Image: phone number claim shown in the browser with the first six digits masked by X)

The following example configures an AlternateEmail claim with the Regex mask:

```xml
<ClaimType Id="AlternateEmail">
  <DisplayName>Please verify the secondary email linked to your account</DisplayName>
  <DataType>string</DataType>
  <Mask Type="Regex" Regex="(?&lt;=.).(?=.*@)">*</Mask>
  <UserInputType>Readonly</UserInputType>
</ClaimType>
```

The Identity Experience Framework renders only the first letter of the email address and the email domain name:

(Image: email claim shown in the browser with characters masked by asterisks)
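To check what a Mask will actually show before a policy is uploaded, it helps to run the two masks above over sample values. The following Python script is an added example, not code from this page or from Azure AD B2C; it parses the two ClaimType snippets above (copied here as a constructed schema), pulls out each Mask element, and emulates the rendering rule the table describes (an assumption about the Identity Experience Framework's behaviour, not its code). Note that the Regex attribute is XML-escaped in the policy file (`&lt;`), so the pattern only becomes `(?<=.).(?=.*@)` after the XML parser unescapes it; Python's `re` accepts this pattern, but .NET-specific regex syntax would need checking in the real engine.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

# Constructed schema: the two Mask examples from this page, side by side.
# The Regex attribute is XML-escaped ("&lt;"); ElementTree unescapes it on parse.
CLAIM_TYPES_XML = """
<ClaimsSchema>
  <ClaimType Id="PhoneNumber">
    <DisplayName>Phone Number</DisplayName>
    <DataType>string</DataType>
    <Mask Type="Simple">XXX-XXX-</Mask>
  </ClaimType>
  <ClaimType Id="AlternateEmail">
    <DisplayName>Please verify the secondary email linked to your account</DisplayName>
    <DataType>string</DataType>
    <Mask Type="Regex" Regex="(?&lt;=.).(?=.*@)">*</Mask>
    <UserInputType>Readonly</UserInputType>
  </ClaimType>
</ClaimsSchema>
"""


def load_masks(xml_text: str) -> Dict[str, Tuple[str, Optional[str], str]]:
    """Return {claim_id: (mask_type, regex_or_None, mask_text)} for every
    ClaimType in the schema that declares a Mask element."""
    root = ET.fromstring(xml_text)
    masks = {}
    for claim in root.findall("ClaimType"):
        mask = claim.find("Mask")
        if mask is None:
            continue
        masks[claim.get("Id")] = (mask.get("Type"), mask.get("Regex"), mask.text or "")
    return masks


def apply_mask(value: str, mask_type: str, regex: Optional[str], mask_text: str) -> str:
    """Emulate how a Mask renders a claim value (assumption: mirrors IEF's rule).

    Simple: the mask text replaces the leading portion of the value, character
            for character; the rest of the value is shown unchanged.
    Regex:  every match of the pattern is replaced with the mask text."""
    if mask_type == "Simple":
        return mask_text + value[len(mask_text):]
    if mask_type == "Regex":
        if not regex:
            raise ValueError("Mask Type='Regex' requires a Regex attribute")
        return re.sub(regex, mask_text, value)
    raise ValueError(f"unknown mask type {mask_type!r}")


def render_claim(xml_text: str, claim_id: str, value: str) -> str:
    """Look up the Mask declared for claim_id and render value through it."""
    mask_type, regex, mask_text = load_masks(xml_text)[claim_id]
    return apply_mask(value, mask_type, regex, mask_text)


if __name__ == "__main__":
    # Constructed sample values, not real user data.
    print(render_claim(CLAIM_TYPES_XML, "PhoneNumber", "324-232-4343"))       # XXX-XXX-4343
    print(render_claim(CLAIM_TYPES_XML, "AlternateEmail", "david@contoso.com"))  # d****@contoso.com
```

The regex mask replaces every character that has at least one character before it and an `@` somewhere after it, which is why the first letter of the local part and the whole domain survive. Changing the lookahead to `(?=.*\.)`, for instance, would also mask the domain, so it is worth running a candidate pattern against a few realistic values before relying on it to hide data on screen.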

### Restriction

The Restriction element may contain the following attribute:

| Attribute | Required | Description |
|---|---|---|
| MergeBehavior | No | The method used to merge enumeration values with a ClaimType in a parent policy with the same identifier. Use this attribute when you overwrite a claim specified in the base policy. Possible values: Append, Prepend, or ReplaceAll. The Append value is a collection of data that should be appended to the end of the collection specified in the parent policy. The Prepend value is a collection of data that should be added before the collection specified in the parent policy. The ReplaceAll value is a collection of data specified in the parent policy that should be ignored. |

The Restriction element contains the following elements:

| Element | Occurrences | Description |
|---|---|---|
| Enumeration | 1:n | The available options in the user interface for the user to select for a claim, such as a value in a dropdown. |
| Pattern | 1:1 | The regular expression to use. |

#### Enumeration

The Enumeration element defines the available options for the user to select for a claim in the user interface, such as a value in a CheckboxMultiSelect, DropdownSingleSelect, or RadioSingleSelect. Alternatively, you can define and localize the available options with the LocalizedCollections element. To look up an item from a claim's Enumeration collection, use the GetMappedValueFromLocalizedCollection claims transformation.

The Enumeration element contains the following attributes:

| Attribute | Required | Description |
|---|---|---|
| Text | Yes | The display string that is shown to the user in the user interface for this option. |
| Value | Yes | The claim value that is associated with selecting this option. |
| SelectByDefault | No | Indicates whether or not this option should be selected by default in the UI. Possible values: True or False. |

The following example configures a city dropdown list claim with a default value set to New York:

```xml
<ClaimType Id="city">
  <DisplayName>city where you work</DisplayName>
  <DataType>string</DataType>
  <UserInputType>DropdownSingleSelect</UserInputType>
  <Restriction>
    <Enumeration Text="Bellevue" Value="bellevue" SelectByDefault="false" />
    <Enumeration Text="Redmond" Value="redmond" SelectByDefault="false" />
    <Enumeration Text="New York" Value="new-york" SelectByDefault="true" />
  </Restriction>
</ClaimType>
```

Dropdown city list with a default value set to New York:

(Image: dropdown control rendered in the browser showing the default value)

#### Pattern

The Pattern element can contain the following attributes:

| Attribute | Required | Description |
|---|---|---|
| RegularExpression | Yes | The regular expression that claims of this type must match in order to be valid. |
| HelpText | No | An error message for users if the regular expression check fails. |

The following example configures an email claim with regular expression input validation and help text:

```xml
<ClaimType Id="email">
  <DisplayName>Email Address</DisplayName>
  <DataType>string</DataType>
  <DefaultPartnerClaimTypes>
    <Protocol Name="OpenIdConnect" PartnerClaimType="email" />
  </DefaultPartnerClaimTypes>
  <UserHelpText>Email address that can be used to contact you.</UserHelpText>
  <UserInputType>TextBox</UserInputType>
  <Restriction>
    <Pattern RegularExpression="^[a-zA-Z0-9.+!#$%&amp;'^_`{}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$" HelpText="Please enter a valid email address." />
  </Restriction>
</ClaimType>
```

The Identity Experience Framework renders the email address claim with email format input validation:

(Image: TextBox showing the error message triggered by the regular expression restriction)

## UserInputType

Azure AD B2C supports a variety of user input types, such as a textbox, password, and dropdown list, that can be used when manually entering claim data for the claim type. You must specify the UserInputType when you collect information from the user by using a self-asserted technical profile and display controls.

The UserInputType element supports the following user input types:

| UserInputType | Supported ClaimType | Description |
|---|---|---|
| CheckboxMultiSelect | string | Multi-select drop-down box. The claim value is represented as a comma-delimited string of the selected values. |
| DateTimeDropdown | date, dateTime | Drop-downs to select a day, month, and year. |
| DropdownSingleSelect | string | Single-select drop-down box. The claim value is the selected value. |
| EmailBox | string | Email input field. |
| Paragraph | boolean, date, dateTime, duration, int, long, string | A field that shows text only in a paragraph tag. |
| Password | string | Password text box. |
| RadioSingleSelect | string | Collection of radio buttons. The claim value is the selected value. |
| Readonly | boolean, date, dateTime, duration, int, long, string | Read-only text box. |
| TextBox | boolean, int, string | Single-line text box. |
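The DataType table, the UserInputType table above, and the Pattern section before it together describe constraints that are easy to get wrong by hand in a large policy file: an input control paired with a data type it does not support, or a Pattern whose regular expression does not compile or is not anchored. The following Python script is an added example, not code from this page or any Azure AD B2C tool; it lints a ClaimsSchema against those tables and lets you try candidate values against a claim's Pattern before the policy is uploaded. The sample schema is constructed: it contains the email ClaimType from this page plus two deliberately flawed ClaimTypes (dateOfBirth, postalCode) added for illustration. The anchoring rule is the editor's own caveat, not a requirement stated on this page, and `re.search` is an assumption about how the check behaves; Python's `re` accepts the patterns shown here, but .NET-only regex syntax would need checking in the real engine.

```python
import re
import xml.etree.ElementTree as ET
from typing import List

# Allowed DataType values, from the DataType table on this page.
DATA_TYPES = {"boolean", "date", "dateTime", "duration", "phoneNumber", "int", "long",
              "string", "stringCollection", "userIdentity", "userIdentityCollection"}
# DataType values each UserInputType supports, from the UserInputType table on this page.
INPUT_TYPE_SUPPORT = {
    "CheckboxMultiSelect": {"string"},
    "DateTimeDropdown": {"date", "dateTime"},
    "DropdownSingleSelect": {"string"},
    "EmailBox": {"string"},
    "Paragraph": {"boolean", "date", "dateTime", "duration", "int", "long", "string"},
    "Password": {"string"},
    "RadioSingleSelect": {"string"},
    "Readonly": {"boolean", "date", "dateTime", "duration", "int", "long", "string"},
    "TextBox": {"boolean", "int", "string"},
}
SINGLE_SELECT = {"DropdownSingleSelect", "RadioSingleSelect"}

# Constructed sample: the email ClaimType from this page plus two flawed
# ClaimTypes (dateOfBirth, postalCode) added here to show what the linter catches.
SAMPLE_SCHEMA = r"""
<ClaimsSchema>
  <ClaimType Id="email">
    <DataType>string</DataType>
    <UserInputType>TextBox</UserInputType>
    <Restriction>
      <Pattern RegularExpression="^[a-zA-Z0-9.+!#$%&amp;'^_`{}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$" HelpText="Please enter a valid email address." />
    </Restriction>
  </ClaimType>
  <ClaimType Id="dateOfBirth">
    <DataType>date</DataType>
    <UserInputType>TextBox</UserInputType>
  </ClaimType>
  <ClaimType Id="postalCode">
    <DataType>string</DataType>
    <UserInputType>TextBox</UserInputType>
    <Restriction>
      <Pattern RegularExpression="[0-9]{5}" HelpText="Five digits." />
    </Restriction>
  </ClaimType>
</ClaimsSchema>
"""


def lint_claims_schema(xml_text: str) -> List[str]:
    """Return one finding per problem; an empty list means the schema passed."""
    findings = []
    for claim in ET.fromstring(xml_text).iter("ClaimType"):
        cid = claim.get("Id") or "<missing Id>"
        data_type = claim.findtext("DataType")
        input_type = claim.findtext("UserInputType")
        if data_type not in DATA_TYPES:
            findings.append(f"{cid}: unknown DataType {data_type!r}")
        if input_type is not None:
            supported = INPUT_TYPE_SUPPORT.get(input_type)
            if supported is None:
                findings.append(f"{cid}: unknown UserInputType {input_type!r}")
            elif data_type not in supported:
                findings.append(f"{cid}: UserInputType {input_type} does not support DataType {data_type}")
        restriction = claim.find("Restriction")
        if restriction is None:
            continue
        pattern = restriction.find("Pattern")
        if pattern is not None:
            regex = pattern.get("RegularExpression") or ""
            try:
                re.compile(regex)
            except re.error as exc:
                findings.append(f"{cid}: Pattern does not compile: {exc}")
            # Editor's own rule: without ^...$ a pattern only has to match a substring,
            # so unvalidated text can surround the valid part.
            if not (regex.startswith("^") and regex.endswith("$")):
                findings.append(f"{cid}: Pattern is not anchored with ^ and $")
        defaults = [e for e in restriction.findall("Enumeration")
                    if (e.get("SelectByDefault") or "").lower() == "true"]
        if input_type in SINGLE_SELECT and len(defaults) > 1:
            findings.append(f"{cid}: {len(defaults)} options have SelectByDefault=true on a single-select control")
    return findings


def check_value(xml_text: str, claim_id: str, value: str) -> bool:
    """Try a candidate value against the claim's Pattern (assumption: re.search
    approximates the check the Identity Experience Framework performs)."""
    for claim in ET.fromstring(xml_text).iter("ClaimType"):
        if claim.get("Id") == claim_id:
            pattern = claim.find("Restriction/Pattern")
            if pattern is None:
                return True  # no Pattern restriction: every value is accepted
            return re.search(pattern.get("RegularExpression"), value) is not None
    raise KeyError(claim_id)


if __name__ == "__main__":
    for finding in lint_claims_schema(SAMPLE_SCHEMA):
        print(finding)
    print(check_value(SAMPLE_SCHEMA, "email", "david@contoso.com"))  # True
    print(check_value(SAMPLE_SCHEMA, "postalCode", "abc12345xyz"))   # True: unanchored pattern
```

Run against the sample, the linter reports that dateOfBirth pairs a TextBox with a date claim and that postalCode's pattern is unanchored; the second `check_value` call shows why that matters, since `abc12345xyz` passes a five-digit check that was meant to reject it.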

### TextBox

The TextBox user input type is used to provide a single-line text box.

(Image: TextBox showing the properties specified in the claim type)

```xml
<ClaimType Id="displayName">
  <DisplayName>Display Name</DisplayName>
  <DataType>string</DataType>
  <UserHelpText>Your display name.</UserHelpText>
  <UserInputType>TextBox</UserInputType>
</ClaimType>
```

### EmailBox

The EmailBox user input type is used to provide a basic email input field.

(Image: EmailBox showing the properties specified in the claim type)

```xml
<ClaimType Id="email">
  <DisplayName>Email Address</DisplayName>
  <DataType>string</DataType>
  <UserHelpText>Email address that can be used to contact you.</UserHelpText>
  <UserInputType>EmailBox</UserInputType>
  <Restriction>
    <Pattern RegularExpression="^[a-zA-Z0-9.+!#$%&amp;'+^_`{}~-]+(?:\.[a-zA-Z0-9!#$%&amp;'+^_`{}~-]+)*@(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?\.)+[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?$" HelpText="Please enter a valid email address." />
  </Restriction>
</ClaimType>
```

### Password

The Password user input type is used to record a password entered by the user.

(Image: using a claim type with the Password input type)

```xml
<ClaimType Id="password">
  <DisplayName>Password</DisplayName>
  <DataType>string</DataType>
  <UserHelpText>Enter password</UserHelpText>
  <UserInputType>Password</UserInputType>
</ClaimType>
```

### DateTimeDropdown

The DateTimeDropdown user input type is used to provide a set of drop-downs to select a day, month, and year. You can use the Predicates and PredicateValidations elements to control the minimum and maximum date values. For more information, see the Configure a date range section of Predicates and PredicateValidations.

(Image: using a claim type with the DateTimeDropdown input type)

```xml
<ClaimType Id="dateOfBirth">
  <DisplayName>Date Of Birth</DisplayName>
  <DataType>date</DataType>
  <UserHelpText>The date on which you were born.</UserHelpText>
  <UserInputType>DateTimeDropdown</UserInputType>
</ClaimType>
```

### RadioSingleSelect

The RadioSingleSelect user input type is used to provide a collection of radio buttons that allows the user to select one option.

(Image: using a claim type with the RadioSingleSelect input type)

```xml
<ClaimType Id="color">
  <DisplayName>Preferred color</DisplayName>
  <DataType>string</DataType>
  <UserInputType>RadioSingleSelect</UserInputType>
  <Restriction>
    <Enumeration Text="Blue" Value="Blue" SelectByDefault="false" />
    <Enumeration Text="Green" Value="Green" SelectByDefault="false" />
    <Enumeration Text="Orange" Value="Orange" SelectByDefault="true" />
  </Restriction>
</ClaimType>
```

### DropdownSingleSelect

The DropdownSingleSelect user input type is used to provide a drop-down box that allows the user to select one option.

(Image: using a claim type with the DropdownSingleSelect input type)

```xml
<ClaimType Id="city">
  <DisplayName>City where you work</DisplayName>
  <DataType>string</DataType>
  <UserInputType>DropdownSingleSelect</UserInputType>
  <Restriction>
    <Enumeration Text="Bellevue" Value="bellevue" SelectByDefault="false" />
    <Enumeration Text="Redmond" Value="redmond" SelectByDefault="false" />
    <Enumeration Text="New York" Value="new-york" SelectByDefault="true" />
  </Restriction>
</ClaimType>
```

### CheckboxMultiSelect

The CheckboxMultiSelect user input type is used to provide a collection of checkboxes that allows the user to select multiple options.

(Image: using a claim type with the CheckboxMultiSelect input type)

```xml
<ClaimType Id="languages">
  <DisplayName>Languages you speak</DisplayName>
  <DataType>string</DataType>
  <UserInputType>CheckboxMultiSelect</UserInputType>
  <Restriction>
    <Enumeration Text="English" Value="English" SelectByDefault="true" />
    <Enumeration Text="France" Value="France" SelectByDefault="false" />
    <Enumeration Text="Spanish" Value="Spanish" SelectByDefault="false" />
  </Restriction>
</ClaimType>
```

### Readonly

The Readonly user input type is used to provide a read-only field to display the claim and its value.

(Image: using a claim type with the Readonly input type)

```xml
<ClaimType Id="membershipNumber">
  <DisplayName>Membership number</DisplayName>
  <DataType>string</DataType>
  <UserHelpText>Your membership number (read only)</UserHelpText>
  <UserInputType>Readonly</UserInputType>
</ClaimType>
```

### Paragraph

The Paragraph user input type is used to provide a field that shows text only in a paragraph tag. For example, `<p>text</p>`. An OutputClaim with the Paragraph user input type in a self-asserted technical profile must have its Required attribute set to false (the default).

(Image: using a claim type with the Paragraph input type)

```xml
<ClaimType Id="responseMsg">
  <DisplayName>Error message: </DisplayName>
  <DataType>string</DataType>
  <AdminHelpText>A claim responsible for holding response messages to send to the relying party</AdminHelpText>
  <UserHelpText>A claim responsible for holding response messages to send to the relying party</UserHelpText>
  <UserInputType>Paragraph</UserInputType>
  <Restriction>
    <Enumeration Text="B2C_V1_90001" Value="You cannot sign in because you are a minor" />
    <Enumeration Text="B2C_V1_90002" Value="This action can only be performed by gold members" />
    <Enumeration Text="B2C_V1_90003" Value="You have not been enabled for this operation" />
  </Restriction>
</ClaimType>
```