RelyingParty

Note

In Azure Active Directory B2C, custom policies are designed primarily to address complex scenarios. For most scenarios, we recommend that you use built-in user flows.

The RelyingParty element specifies the user journey to enforce for the current request to Azure Active Directory B2C (Azure AD B2C). It also specifies the list of claims that the relying party (RP) application needs as part of the issued token. An RP application, such as a web, mobile, or desktop application, calls the RP policy file. The RP policy file executes a specific task, such as signing in, resetting a password, or editing a profile. Multiple applications can use the same RP policy, and a single application can use multiple policies. All RP applications receive the same token with claims, and the user goes through the same user journey.

The following example shows a RelyingParty element in the B2C_1A_signup_signin policy file:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TrustFrameworkPolicy
  xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="https://www.w3.org/2001/XMLSchema"
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0"
  TenantId="your-tenant.partner.onmschina.cn"
  PolicyId="B2C_1A_signup_signin"
  PublicPolicyUri="http://your-tenant.partner.onmschina.cn/B2C_1A_signup_signin">

  <BasePolicy>
    <TenantId>your-tenant.partner.onmschina.cn</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
  </BasePolicy>

  <RelyingParty>
    <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
    <UserJourneyBehaviors>
      <SingleSignOn Scope="Tenant" KeepAliveInDays="7"/>
      <SessionExpiryType>Rolling</SessionExpiryType>
      <SessionExpiryInSeconds>300</SessionExpiryInSeconds>
      <JourneyInsights TelemetryEngine="ApplicationInsights" InstrumentationKey="your-application-insights-key" DeveloperMode="true" ClientEnabled="false" ServerEnabled="true" TelemetryVersion="1.0.0" />
      <ContentDefinitionParameters>
        <Parameter Name="campaignId">{OAUTH-KV:campaignId}</Parameter>
      </ContentDefinitionParameters>
    </UserJourneyBehaviors>
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Description>The policy profile</Description>
      <Protocol Name="OpenIdConnect" />
      <Metadata>collection of key/value pairs of data</Metadata>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="givenName" />
        <OutputClaim ClaimTypeReferenceId="surname" />
        <OutputClaim ClaimTypeReferenceId="email" />
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
        <OutputClaim ClaimTypeReferenceId="identityProvider" />
        <OutputClaim ClaimTypeReferenceId="loyaltyNumber" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>
  ...

The optional RelyingParty element contains the following elements:

Element | Occurrences | Description
DefaultUserJourney | 1:1 | The default user journey for the RP application.
UserJourneyBehaviors | 0:1 | The scope of the user journey behaviors.
TechnicalProfile | 1:1 | A technical profile that's supported by the RP application. The technical profile provides a contract for the RP application to contact Azure AD B2C.

DefaultUserJourney

The DefaultUserJourney element specifies a reference to the identifier of the user journey that is usually defined in the Base or Extensions policy. The following examples show the sign-up or sign-in user journey specified in the RelyingParty element:

B2C_1A_signup_signin policy:

<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn">
  ...

B2C_1A_TrustFrameWorkBase or B2C_1A_TrustFrameworkExtensionPolicy:

<UserJourneys>
  <UserJourney Id="SignUpOrSignIn">
  ...

The DefaultUserJourney element contains the following attribute:

Attribute | Required | Description
ReferenceId | Yes | An identifier of the user journey in the policy. For more information, see user journeys.

UserJourneyBehaviors

The UserJourneyBehaviors element contains the following elements:

Element | Occurrences | Description
SingleSignOn | 0:1 | The scope of the single sign-on (SSO) session behavior of a user journey.
SessionExpiryType | 0:1 | The authentication behavior of the session. Possible values: Rolling or Absolute. The Rolling value (default) indicates that the user remains signed in as long as the user is continually active in the application. The Absolute value indicates that the user is forced to reauthenticate after the time period specified by the application session lifetime.
SessionExpiryInSeconds | 0:1 | The lifetime of the Azure AD B2C session cookie, specified as an integer, stored in the user's browser upon successful authentication.
JourneyInsights | 0:1 | The Azure Application Insights instrumentation key to be used.
ContentDefinitionParameters | 0:1 | The list of key value pairs to be appended to the content definition load URI.
ScriptExecution | 0:1 | The supported JavaScript execution modes. Possible values: Allow or Disallow (default).

SingleSignOn

The SingleSignOn element contains the following attributes:

Attribute | Required | Description
Scope | Yes | The scope of the single sign-on behavior. Possible values: Suppressed, Tenant, Application, or Policy. The Suppressed value indicates that the behavior is suppressed, and the user is always prompted for an identity provider selection. The Tenant value indicates that the behavior is applied to all policies in the tenant. For example, a user navigating through two policy journeys for a tenant is not prompted for an identity provider selection. The Application value indicates that the behavior is applied to all policies for the application making the request. For example, a user navigating through two policy journeys for an application is not prompted for an identity provider selection. The Policy value indicates that the behavior only applies to a policy. For example, a user navigating through two policy journeys for a trust framework is prompted for an identity provider selection when switching between policies.
KeepAliveInDays | Yes | Controls how long the user remains signed in. Setting the value to 0 turns off KMSI functionality.
EnforceIdTokenHintOnLogout | No | Forces a previously issued ID token to be passed to the logout endpoint as a hint about the end user's current authenticated session with the client. Possible values: false (default) or true. For more information, see Web sign-in with OpenID Connect.

JourneyInsights

The JourneyInsights element contains the following attributes:

Attribute | Required | Description
TelemetryEngine | Yes | The value must be ApplicationInsights.
InstrumentationKey | Yes | The string that contains the instrumentation key for the Application Insights element.
DeveloperMode | Yes | Possible values: true or false. If true, Application Insights expedites the telemetry through the processing pipeline. This setting is good for development, but constrained at high volumes. The detailed activity logs are designed only to aid in development of custom policies. Do not use development mode in production. Logs collect all claims sent to and from the identity providers during development. If used in production, the developer assumes responsibility for PII (Privately Identifiable Information) collected in the App Insights log that they own. These detailed logs are only collected when this value is set to true.
ClientEnabled | Yes | Possible values: true or false. If true, sends the Application Insights client-side script for tracking page views and client-side errors.
ServerEnabled | Yes | Possible values: true or false. If true, sends the existing UserJourneyRecorder JSON as a custom event to Application Insights.
TelemetryVersion | Yes | The value must be 1.0.0.

ContentDefinitionParameters

By using custom policies in Azure AD B2C, you can send a parameter in a query string. By passing the parameter to your HTML endpoint, you can dynamically change the page content. For example, you can change the background image on the Azure AD B2C sign-up or sign-in page based on a parameter that you pass from your web or mobile application. Azure AD B2C passes the query string parameters to your dynamic HTML file, such as an aspx file.

The following example passes a parameter named campaignId with a value of hawaii in the query string:

https://login.microsoft.com/contoso.partner.onmschina.cn/oauth2/v2.0/authorize?p=B2C_1A_signup_signin&client_id=a415078a-0402-4ce3-a9c6-ec1947fcfb3f&nonce=defaultNonce&redirect_uri=http%3A%2F%2Fjwt.io%2F&scope=openid&response_type=id_token&prompt=login&campaignId=hawaii
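As an added example (not code from the Azure AD B2C docs), the Python below shows how a custom content-definition page should handle the campaignId that the policy forwards through {OAUTH-KV:campaignId}: the value originates in the caller's authorize request, so it is treated as untrusted input. The load URI host, the allowlist and the image paths are assumptions.

```python
# Added example (not Azure AD B2C code): a custom content-definition page handling the
# campaignId forwarded through {OAUTH-KV:campaignId}. The value comes from the caller's
# authorize request query string, so the page must treat it as attacker-controlled.
import html
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist: the only campaign ids this page can render, and their images.
KNOWN_CAMPAIGNS = {"hawaii": "/img/bg-hawaii.jpg", "winter": "/img/bg-winter.jpg"}
DEFAULT_BACKGROUND = "/img/bg-default.jpg"
# Shape check before the lookup: short tokens only, nothing that looks like a path or markup.
CAMPAIGN_ID_PATTERN = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def campaign_id_from_load_uri(load_uri: str) -> Optional[str]:
    """Extract campaignId from the content definition load URI's query string."""
    values = parse_qs(urlsplit(load_uri).query).get("campaignId", [])
    # A missing or repeated parameter is rejected rather than guessing which copy to honour.
    return values[0] if len(values) == 1 else None


def background_for(load_uri: str) -> str:
    """Map the untrusted campaignId to an allowlisted image path, defaulting safely."""
    campaign_id = campaign_id_from_load_uri(load_uri)
    if campaign_id is None or not CAMPAIGN_ID_PATTERN.match(campaign_id):
        return DEFAULT_BACKGROUND
    return KNOWN_CAMPAIGNS.get(campaign_id, DEFAULT_BACKGROUND)


def render_style_tag(load_uri: str) -> str:
    """Build the inline CSS the page injects; the path is allowlisted, then escaped."""
    return f'<style>body {{ background-image: url("{html.escape(background_for(load_uri))}"); }}</style>'


if __name__ == "__main__":
    # Constructed load URI in the shape produced by the policy above (host is a placeholder).
    print(render_style_tag("https://contoso.example/b2c/unified.html?campaignId=hawaii"))
```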

The ContentDefinitionParameters element contains the following element:

Element | Occurrences | Description
ContentDefinitionParameter | 0:n | A string that contains the key value pair that's appended to the query string of a content definition load URI.

The ContentDefinitionParameter element contains the following attribute:

Attribute | Required | Description
Name | Yes | The name of the key value pair.

TechnicalProfile

The TechnicalProfile element contains the following attribute:

Attribute | Required | Description
Id | Yes | The value must be PolicyProfile.

The TechnicalProfile contains the following elements:

Element | Occurrences | Description
DisplayName | 1:1 | The string that contains the name of the technical profile.
Description | 0:1 | The string that contains the description of the technical profile.
Protocol | 1:1 | The protocol used for the federation.
Metadata | 0:1 | The collection of Item key/value pairs utilized by the protocol for communicating with the endpoint in the course of a transaction, to configure the interaction between the relying party and other community participants.
OutputClaims | 1:1 | A list of claim types that are taken as output in the technical profile. Each of these elements contains a reference to a ClaimType already defined in the ClaimsSchema section or in a policy from which this policy file inherits.
SubjectNamingInfo | 1:1 | The subject name used in tokens.

The Protocol element contains the following attribute:

Attribute | Required | Description
Name | Yes | The name of a valid protocol supported by Azure AD B2C that is used as part of the technical profile. Possible values: OpenIdConnect or SAML2. The OpenIdConnect value represents the OpenID Connect 1.0 protocol standard as per the OpenID Foundation specification. The SAML2 value represents the SAML 2.0 protocol standard as per the OASIS specification.

Metadata

When the protocol is SAML, the Metadata element contains the following elements.

Attribute | Required | Description
IdpInitiatedProfileEnabled | No | Indicates whether the IDP-initiated flow is supported. Possible values: true or false (default).
XmlSignatureAlgorithm | No | The method that Azure AD B2C uses to sign the SAML Response. Possible values: Sha256, Sha384, Sha512, or Sha1. Make sure you configure the signature algorithm on both sides with the same value. Use only an algorithm that your certificate supports. To configure the SAML Assertion, see SAML issuer technical profile metadata.
DataEncryptionMethod | No | Indicates the method that Azure AD B2C uses to encrypt the data, using the Advanced Encryption Standard (AES) algorithm. The metadata controls the value of the <EncryptedData> element in the SAML response. Possible values: Aes256 (default), Aes192, Sha512, or Aes128.
KeyEncryptionMethod | No | Indicates the method that Azure AD B2C uses to encrypt the copy of the key that was used to encrypt the data. The metadata controls the value of the <EncryptedKey> element in the SAML response. Possible values: Rsa15 (default) - RSA Public Key Cryptography Standard (PKCS) Version 1.5 algorithm; RsaOaep - RSA Optimal Asymmetric Encryption Padding (OAEP) encryption algorithm.
UseDetachedKeys | No | Possible values: true or false (default). When the value is set to true, Azure AD B2C changes the format of the encrypted assertions. Using detached keys adds the encrypted key as a child of the EncryptedAssertion element instead of the EncryptedData element.
WantsSignedResponses | No | Indicates whether Azure AD B2C signs the Response section of the SAML response. Possible values: true (default) or false.
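An added example, not the page's own code: a Python check that a SAML Response actually carries the algorithms the RelyingParty Metadata block configures (signature method, data and key encryption, detached-key placement, signed Response section). The mapping from the metadata values (Sha256, Aes256, Rsa15, ...) to XML-DSig and XML-Enc algorithm URIs is the standard one and is assumed here, not stated by the page; the response is constructed and carries no real signature or ciphertext.

```python
# Added example (not Azure AD B2C code): compare a SAML Response with the RelyingParty
# Metadata values. The value-to-URI mapping below is the standard XML-DSig/XML-Enc one (assumed).
import xml.etree.ElementTree as ET

DS, XENC = "{http://www.w3.org/2000/09/xmldsig#}", "{http://www.w3.org/2001/04/xmlenc#}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
SIGNATURE_URIS = {"Sha1": "http://www.w3.org/2000/09/xmldsig#rsa-sha1", **{
    f"Sha{n}": f"http://www.w3.org/2001/04/xmldsig-more#rsa-sha{n}" for n in (256, 384, 512)}}
DATA_URIS = {f"Aes{n}": f"http://www.w3.org/2001/04/xmlenc#aes{n}-cbc" for n in (128, 192, 256)}
KEY_URIS = {"Rsa15": "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
            "RsaOaep": "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"}


def _algorithm(element, path):
    """Algorithm attribute of the node at path under element, or None when absent."""
    node = element.find(path) if element is not None else None
    return node.get("Algorithm") if node is not None else None


def check_saml_response(response_xml, metadata):
    """Compare a SAML Response with RelyingParty Metadata values; returns a list of findings."""
    # Defaults are the ones the Metadata table states.
    cfg = {"DataEncryptionMethod": "Aes256", "KeyEncryptionMethod": "Rsa15",
           "UseDetachedKeys": "false", "WantsSignedResponses": "true", **metadata}
    root = ET.fromstring(response_xml)
    findings = []
    sig_alg = _algorithm(root, f"{DS}Signature/{DS}SignedInfo/{DS}SignatureMethod")
    if cfg["WantsSignedResponses"] == "true" and sig_alg is None:
        findings.append("Response section is unsigned although WantsSignedResponses is true")
    if "XmlSignatureAlgorithm" in cfg and sig_alg != SIGNATURE_URIS.get(cfg["XmlSignatureAlgorithm"]):
        findings.append(f"signature algorithm {sig_alg} differs from configured {cfg['XmlSignatureAlgorithm']}")
    if sig_alg == SIGNATURE_URIS["Sha1"]:
        findings.append("SHA-1 signature: deprecated, configure Sha256 or stronger on both sides")
    assertion = root.find(f"{SAML}EncryptedAssertion")
    data = assertion.find(f"{XENC}EncryptedData") if assertion is not None else None
    data_alg = _algorithm(data, f"{XENC}EncryptionMethod")
    if data_alg != DATA_URIS.get(cfg["DataEncryptionMethod"]):
        findings.append(f"data encryption {data_alg} differs from configured {cfg['DataEncryptionMethod']}")
    # With UseDetachedKeys the EncryptedKey is a child of EncryptedAssertion, not of EncryptedData.
    detached = cfg["UseDetachedKeys"] == "true"
    key_parent = assertion if detached else data
    key_path = f"{XENC}EncryptedKey" if detached else f"{DS}KeyInfo/{XENC}EncryptedKey"
    key_alg = _algorithm(key_parent, f"{key_path}/{XENC}EncryptionMethod")
    if key_alg != KEY_URIS.get(cfg["KeyEncryptionMethod"]):
        findings.append(f"key encryption {key_alg} differs from configured {cfg['KeyEncryptionMethod']} or sits in the wrong place")
    return findings


# Constructed response (no real signature or ciphertext), signed with rsa-sha1.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="_constructed">
 <ds:Signature><ds:SignedInfo>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/></ds:SignedInfo></ds:Signature>
 <saml:EncryptedAssertion><xenc:EncryptedData>
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
  <ds:KeyInfo><xenc:EncryptedKey>
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/></xenc:EncryptedKey></ds:KeyInfo>
 </xenc:EncryptedData></saml:EncryptedAssertion>
</samlp:Response>"""
```

Running `check_saml_response(SAMPLE_RESPONSE, {"XmlSignatureAlgorithm": "Sha256"})` reports the signature mismatch and the SHA-1 use while the AES and RSA settings pass.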

OutputClaims

The OutputClaims element contains the following element:

Element | Occurrences | Description
OutputClaim | 0:n | The name of an expected claim type in the supported list for the policy to which the relying party subscribes. This claim serves as an output for the technical profile.

The OutputClaim element contains the following attributes:

Attribute | Required | Description
ClaimTypeReferenceId | Yes | A reference to a ClaimType already defined in the ClaimsSchema section in the policy file.
DefaultValue | No | A default value that can be used if the claim value is empty.
PartnerClaimType | No | Sends the claim under a different name than the one configured in the ClaimType definition.

SubjectNamingInfo

With the SubjectNamingInfo element, you control the value of the token subject:

  • JWT token - the sub claim. This is the principal about which the token asserts information, such as the user of an application. This value is immutable and cannot be reassigned or reused. It can be used to perform safe authorization checks, such as when the token is used to access a resource. By default, the subject claim is populated with the object ID of the user in the directory. For more information, see Token, session and single sign-on configuration.
  • SAML token - the <Subject><NameID> element, which identifies the subject. The NameId format can be modified.

The SubjectNamingInfo element contains the following attributes:

Attribute | Required | Description
ClaimType | Yes | A reference to an output claim's PartnerClaimType. The output claim must be defined in the relying party policy's OutputClaims collection.
Format | No | Used for SAML relying parties to set the NameId format returned in the SAML Assertion.

The following example shows how to define an OpenID Connect relying party. The subject name info is configured as the objectId:

<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="displayName" />
      <OutputClaim ClaimTypeReferenceId="givenName" />
      <OutputClaim ClaimTypeReferenceId="surname" />
      <OutputClaim ClaimTypeReferenceId="email" />
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
      <OutputClaim ClaimTypeReferenceId="identityProvider" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>

The JWT token includes the sub claim with the user's objectId:

{
  ...
  "sub": "6fbbd70d-262b-4b50-804c-257ae1706ef2",
  ...
}

The following example shows how to define a SAML relying party. The subject name info is configured as the objectId, and the NameId format has been provided:

<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="SAML2" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="displayName" />
      <OutputClaim ClaimTypeReferenceId="givenName" />
      <OutputClaim ClaimTypeReferenceId="surname" />
      <OutputClaim ClaimTypeReferenceId="email" />
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
      <OutputClaim ClaimTypeReferenceId="identityProvider" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
  </TechnicalProfile>
</RelyingParty>
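An added example, not from the page: a Python lint for the RelyingParty element that applies the rules stated in the JourneyInsights and SubjectNamingInfo sections above (DeveloperMode must not be used in production, TechnicalProfile Id must be PolicyProfile, Protocol Name must be OpenIdConnect or SAML2, SubjectNamingInfo ClaimType must reference an emitted output claim, SAML relying parties set Format). The sample policy is constructed from the page's own example with a placeholder instrumentation key; treating a claim without PartnerClaimType as emitted under its ClaimTypeReferenceId is an assumption.

```python
# Added example (not Azure AD B2C code): lint the RelyingParty element of a policy file
# against the rules this page states. Assumed: an OutputClaim without PartnerClaimType is
# emitted under its ClaimTypeReferenceId, so that name counts as an emitted claim.
import xml.etree.ElementTree as ET

CPIM = "{http://schemas.microsoft.com/online/cpim/schemas/2013/06}"
PROTOCOLS = {"OpenIdConnect", "SAML2"}


def lint_relying_party(policy_xml):
    """Return a list of findings for the RelyingParty element; empty means no issue found."""
    root = ET.fromstring(policy_xml)
    rp = root.find(f"{CPIM}RelyingParty")
    if rp is None:
        return ["no RelyingParty element: expected in an RP policy, not in Base/Extensions"]
    findings = []
    insights = rp.find(f"{CPIM}UserJourneyBehaviors/{CPIM}JourneyInsights")
    if insights is not None and insights.get("DeveloperMode") == "true":
        findings.append("JourneyInsights DeveloperMode=true logs every claim exchanged with identity providers; not for production")
    profile = rp.find(f"{CPIM}TechnicalProfile")
    if profile is None:
        return findings + ["TechnicalProfile Id=PolicyProfile is required"]
    if profile.get("Id") != "PolicyProfile":
        findings.append(f"TechnicalProfile Id must be PolicyProfile, got {profile.get('Id')}")
    protocol = profile.find(f"{CPIM}Protocol")
    name = protocol.get("Name") if protocol is not None else None
    if name not in PROTOCOLS:
        findings.append(f"Protocol Name must be OpenIdConnect or SAML2, got {name}")
    emitted = {c.get("PartnerClaimType") or c.get("ClaimTypeReferenceId")
               for c in profile.findall(f"{CPIM}OutputClaims/{CPIM}OutputClaim")}
    subject = profile.find(f"{CPIM}SubjectNamingInfo")
    if subject is None:
        findings.append("SubjectNamingInfo is required")
    elif subject.get("ClaimType") not in emitted:
        findings.append(f"SubjectNamingInfo ClaimType {subject.get('ClaimType')} is not an emitted output claim")
    elif name == "SAML2" and not subject.get("Format"):
        findings.append("SAML2 relying party without SubjectNamingInfo Format: NameId format not set explicitly")
    return findings


# Constructed from the page's example; the instrumentation key is a placeholder.
SAMPLE_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
 <RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn"/>
  <UserJourneyBehaviors>
   <JourneyInsights TelemetryEngine="ApplicationInsights" InstrumentationKey="placeholder-key"
    DeveloperMode="true" ClientEnabled="false" ServerEnabled="true" TelemetryVersion="1.0.0"/>
  </UserJourneyBehaviors>
  <TechnicalProfile Id="PolicyProfile">
   <DisplayName>PolicyProfile</DisplayName>
   <Protocol Name="OpenIdConnect"/>
   <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="email"/>
    <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
   </OutputClaims>
   <SubjectNamingInfo ClaimType="sub"/>
  </TechnicalProfile>
 </RelyingParty>
</TrustFrameworkPolicy>"""
```

`lint_relying_party(SAMPLE_POLICY)` returns only the DeveloperMode finding; switching the Protocol to SAML2 without a Format, or pointing SubjectNamingInfo at a claim that is not emitted, adds the corresponding finding.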