Custom policies in Azure Active Directory B2C

Note

In Azure Active Directory B2C, custom policies are designed primarily to address complex scenarios. For most scenarios, we recommend that you use built-in user flows.

Custom policies are configuration files that define the behavior of your Azure Active Directory B2C (Azure AD B2C) tenant. User flows are predefined in the Azure AD B2C portal for the most common identity tasks. Custom policies can be fully edited by an identity developer to complete many different tasks.

Comparing user flows and custom policies

| Context | User flows | Custom policies |
| --- | --- | --- |
| Target users | All application developers with or without identity expertise. | Identity pros, systems integrators, consultants, and in-house identity teams. They are comfortable with OpenID Connect flows and understand identity providers and claims-based authentication. |
| Configuration method | Azure portal with a user-friendly user interface (UI). | Directly editing XML files and then uploading to the Azure portal. |
| UI customization | Full UI customization including HTML, CSS and JavaScript. Multilanguage support with Custom strings. | Same |
| Attribute customization | Standard and custom attributes. | Same |
| Token and session management | Custom token and multiple session options. | Same |
| Identity Providers | Predefined local or social provider and most OIDC identity providers, such as federation with Azure Active Directory tenants. | Standards-based OIDC, OAUTH, and SAML. Authentication is also possible by using integration with REST APIs. |
| Identity Tasks | Sign-up or sign-in with local or many social accounts. Self-service password reset. Profile edit. Multi-Factor Authentication. Customize tokens and sessions. Access token flows. | Complete the same tasks as user flows using custom identity providers or use custom scopes. Provision a user account in another system at the time of registration. Send a welcome email using your own email service provider. Use a user store outside Azure AD B2C. Validate user provided information with a trusted system by using an API. |

Policy files

These three types of policy files are used:

  • Base file - contains most of the definitions. It is recommended that you make a minimum number of changes to this file to help with troubleshooting, and long-term maintenance of your policies.
  • Extensions file - holds the unique configuration changes for your tenant.
  • Relying Party (RP) file - The single task-focused file that is invoked directly by the application or service (also known as a Relying Party). Each unique task requires its own RP and depending on branding requirements, the number might be "total of applications x total number of use cases."

User flows in Azure AD B2C follow the file pattern depicted above, but the developer only sees the RP file, while the Azure portal makes changes in the background to the extensions file.

Although there are three types of policy files, you aren't restricted to only three files. You may have multiple files of each file type. For example, if you don't want to make changes to your Extensions file, you can create an Extensions2 file to further extend the Extensions file.

Custom policy core concepts

The customer identity and access management (CIAM) service in Azure includes:

  • A user directory that is accessible by using Microsoft Graph and which holds user data for both local accounts and federated accounts.
  • Access to the Identity Experience Framework that orchestrates trust between users and entities and passes claims between them to complete an identity or access management task.
  • A security token service (STS) that issues ID tokens, refresh tokens, and access tokens (and equivalent SAML assertions) and validates them to protect resources.

Azure AD B2C interacts with identity providers, users, other systems, and with the local user directory in sequence to achieve an identity task. For example, sign in a user, register a new user, or reset a password. The Identity Experience Framework and a policy (also called a user journey or a trust framework policy) establish multi-party trust and explicitly define the actors, the actions, the protocols, and the sequence of steps to complete.

The Identity Experience Framework is a fully configurable, policy-driven, cloud-based Azure platform that orchestrates trust between entities in standard protocol formats such as OpenID Connect, OAuth, SAML, and a few non-standard ones, for example REST API-based system-to-system claims exchanges. The framework creates user-friendly, white-labeled experiences that support HTML and CSS.

A custom policy is represented as one or several XML-formatted files that refer to each other in a hierarchical chain. The XML elements define the claims schema, claims transformations, content definitions, claims providers, technical profiles, and user journey orchestration steps, among other elements. A custom policy is accessible as one or several XML files that are executed by the Identity Experience Framework when invoked by a relying party. Developers configuring custom policies must define the trusted relationships in careful detail to include metadata endpoints, exact claims exchange definitions, and configure secrets, keys, and certificates as needed by each identity provider.

Inheritance model

When an application calls the RP policy file, the Identity Experience Framework in Azure AD B2C adds all of the elements from the base file, from the extensions file, and then from the RP policy file to assemble the current policy in effect. Elements of the same type and name in the RP file will override those in the extensions file, and the extensions file overrides the base file.
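When reviewing a policy set, it helps to list which file supplies the effective definition of each element and which earlier definitions it shadows. The following is an added example, not Microsoft's code or the framework's actual merge logic: it walks the `BasePolicy` chain and applies the override rule exactly as stated above (same type and name, later file wins). The three policy files are constructed and trimmed to a few elements, and their policy ids and element Ids are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample files; the policy ids and element Ids are placeholders.
BASE = """<TrustFrameworkPolicy PolicyId="B2C_1A_Base">
  <TechnicalProfile Id="LocalLogin"/><TechnicalProfile Id="JwtIssuer"/>
  <UserJourney Id="SignIn"/>
</TrustFrameworkPolicy>"""
EXT = """<TrustFrameworkPolicy PolicyId="B2C_1A_Extensions">
  <BasePolicy><PolicyId>B2C_1A_Base</PolicyId></BasePolicy>
  <TechnicalProfile Id="LocalLogin"/>
</TrustFrameworkPolicy>"""
RP = """<TrustFrameworkPolicy PolicyId="B2C_1A_SignIn">
  <BasePolicy><PolicyId>B2C_1A_Extensions</PolicyId></BasePolicy>
  <UserJourney Id="SignIn"/>
</TrustFrameworkPolicy>"""
POLICIES = {ET.fromstring(x).get("PolicyId"): ET.fromstring(x) for x in (BASE, EXT, RP)}

def chain(policies, policy_id):
    """Policy ids ordered from the base file down to policy_id."""
    order = []
    while policy_id is not None:
        if policy_id in order:
            raise ValueError(f"BasePolicy cycle at {policy_id}")
        if policy_id not in policies:
            raise KeyError(f"missing parent policy {policy_id}")
        order.append(policy_id)
        # {*} matches the element with or without an XML namespace
        parent = policies[policy_id].find("{*}BasePolicy/{*}PolicyId")
        policy_id = parent.text.strip() if parent is not None else None
    return order[::-1]

def definitions(policies, rp_id):
    """Map (element type, Id) -> files defining it, in base-to-RP order."""
    found = {}
    for pid in chain(policies, rp_id):
        for el in policies[pid].iter():
            if "Id" in el.attrib:
                kind = el.tag.rsplit("}", 1)[-1]  # drop XML namespace if present
                found.setdefault((kind, el.get("Id")), []).append(pid)
    return found

def overrides(policies, rp_id):
    """Elements redefined down the chain: key -> (winning file, shadowed files)."""
    return {k: (v[-1], v[:-1]) for k, v in definitions(policies, rp_id).items() if len(v) > 1}

if __name__ == "__main__":
    for key, (winner, shadowed) in overrides(POLICIES, "B2C_1A_SignIn").items():
        print(key, "effective from", winner, "overrides", shadowed)
```

An element that appears in the `overrides` result is one whose base definition is no longer the one in effect, which is the place to look first when a change to the extensions or RP file alters behavior unexpectedly.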