Define a phone factor technical profile in an Azure Active Directory B2C custom policy

Note

In Azure Active Directory B2C, custom policies are designed primarily to address complex scenarios. For most scenarios, we recommend that you use built-in user flows.

Azure Active Directory B2C (Azure AD B2C) provides support for enrolling and verifying phone numbers. This technical profile:

  • Provides a user interface to interact with the user to verify or enroll a phone number.
  • Supports phone calls and text messages to validate the phone number.
  • Supports multiple phone numbers. The user can select one of the phone numbers to verify.
  • Returns a claim indicating whether the user provided a new phone number. You can use this claim to decide whether the phone number should be persisted to the Azure AD B2C user profile.
  • Uses a content definition to control the look and feel.

Protocol

The Name attribute of the Protocol element must be set to Proprietary. The Handler attribute must contain the fully qualified name of the protocol handler assembly that Azure AD B2C uses for phone factor: Web.TPEngine.Providers.PhoneFactorProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null

The following example shows a phone factor technical profile for enrollment and validation:

<TechnicalProfile Id="PhoneFactor-InputOrVerify">
  <DisplayName>PhoneFactor</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.PhoneFactorProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
</TechnicalProfile>

Input claims transformations

The InputClaimsTransformations element may contain a collection of input claims transformations that are used to modify the input claims or generate new ones. The following input claims transformation generates a UserId claim that is used later in the input claims collection.

<InputClaimsTransformations>
  <InputClaimsTransformation ReferenceId="CreateUserIdForMFA" />
</InputClaimsTransformations>

Input claims

The InputClaims element must contain the following claims. You can also map the name of your claim to the name defined in the phone factor technical profile.

Data type | Required | Description
string | Yes | A unique identifier for the user. The claim name, or PartnerClaimType, must be set to UserId. This claim should not contain personally identifiable information.
string | Yes | List of claim types. Each claim contains one phone number. If any of the input claims does not contain a phone number, the user is asked to enroll and verify a new phone number. The validated phone number is returned as an output claim. If one of the input claims contains a phone number, the user is asked to verify it. If multiple input claims contain a phone number, the user is asked to choose and verify one of the phone numbers.

The following example demonstrates using multiple phone numbers. For more information, see the sample policy.

<InputClaims>
  <InputClaim ClaimTypeReferenceId="userIdForMFA" PartnerClaimType="UserId" />
  <InputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" />
  <InputClaim ClaimTypeReferenceId="secondaryStrongAuthenticationPhoneNumber" />
</InputClaims>

Output claims

The OutputClaims element contains a list of claims returned by the phone factor technical profile.

Data type | Required | Description
boolean | Yes | Indicates whether a new phone number was entered by the user. The claim name, or PartnerClaimType, must be set to newPhoneNumberEntered.
string | Yes | The verified phone number. The claim name, or PartnerClaimType, must be set to Verified.OfficePhone.

The OutputClaimsTransformations element may contain a collection of OutputClaimsTransformation elements that are used to modify the output claims or generate new ones.

Cryptographic keys

The CryptographicKeys element is not used.

Metadata

Attribute | Required | Description
ContentDefinitionReferenceId | Yes | The identifier of the content definition associated with this technical profile.
ManualPhoneNumberEntryAllowed | No | Specifies whether a user is allowed to manually enter a phone number. Possible values: true or false (default).
setting.authenticationMode | No | The method used to validate the phone number. Possible values: sms, phone, or mixed (default).
setting.autodial | No | Specifies whether the technical profile should auto dial or auto send an SMS. Possible values: true or false (default). Auto dial requires the setting.authenticationMode metadata to be set to sms or phone, and the input claims collection must contain a single phone number.
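As an added example (not code from the original page or from the Azure AD B2C starter pack), the following assembles the elements described above into one complete phone factor technical profile. It assumes that the content definition api.phonefactor and the claim types newPhoneNumberEntered, userIdForMFA, strongAuthenticationPhoneNumber and secondaryStrongAuthenticationPhoneNumber are declared elsewhere in the policy's building blocks.

```xml
<!-- Added example: a complete phone factor technical profile built from the
     Protocol, Metadata, InputClaimsTransformations, InputClaims and OutputClaims
     sections of this page. The content definition id "api.phonefactor" and the
     claim types referenced here are assumed to be declared elsewhere in the policy. -->
<TechnicalProfile Id="PhoneFactor-InputOrVerify">
  <DisplayName>PhoneFactor</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.PhoneFactorProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <!-- Content definition that renders the phone factor page (assumed id). -->
    <Item Key="ContentDefinitionReferenceId">api.phonefactor</Item>
    <!-- Allow the user to type a number when no input claim carries one. -->
    <Item Key="ManualPhoneNumberEntryAllowed">true</Item>
    <!-- Verify by SMS or voice call; "mixed" is also the default. -->
    <Item Key="setting.authenticationMode">mixed</Item>
    <!-- setting.autodial is deliberately left at its default (false): it would
         require authenticationMode "sms" or "phone" AND exactly one phone number
         in the input claims, which the two-number collection below does not satisfy. -->
  </Metadata>
  <InputClaimsTransformations>
    <!-- Produces the UserId claim consumed below; it must not contain PII. -->
    <InputClaimsTransformation ReferenceId="CreateUserIdForMFA" />
  </InputClaimsTransformations>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="userIdForMFA" PartnerClaimType="UserId" />
    <!-- Two candidate numbers: if both are empty the user enrolls a new one;
         if both are set the user chooses which one to verify. -->
    <InputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" />
    <InputClaim ClaimTypeReferenceId="secondaryStrongAuthenticationPhoneNumber" />
  </InputClaims>
  <OutputClaims>
    <!-- true when the user entered a number that was not in the input claims;
         a later orchestration step can use it to decide whether to persist the number. -->
    <OutputClaim ClaimTypeReferenceId="newPhoneNumberEntered" />
    <!-- The verified number, mapped from the required partner claim name. -->
    <OutputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" PartnerClaimType="Verified.OfficePhone" />
  </OutputClaims>
</TechnicalProfile>
```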

UI elements

The user interface elements of the phone factor authentication page can be localized.

Next steps