About technical profiles in Azure Active Directory B2C custom policies

Note

In Azure Active Directory B2C, custom policies are designed primarily to address complex scenarios. For most scenarios, we recommend that you use built-in user flows.

A technical profile provides a framework with a built-in mechanism to communicate with different types of parties using a custom policy in Azure Active Directory B2C (Azure AD B2C). Technical profiles are used to communicate with your Azure AD B2C tenant, to create a user, or to read a user profile. A technical profile can be self-asserted to enable interaction with the user. For example, collect the user's credential to sign in, and then render the sign-up page or password reset page.

Types of technical profiles

A technical profile enables these types of scenarios:

  • Application Insights - Sending event data to Application Insights.
  • Azure Active Directory - Provides support for Azure Active Directory B2C user management.
  • Azure Multi-Factor Authentication - Provides support for verifying a phone number by using Azure Multi-Factor Authentication (MFA).
  • Claims transformation - Call output claims transformations to manipulate claims values, validate claims, or set default values for a set of output claims.
  • JWT token issuer - Emits a JWT token that is returned to the relying party application.
  • OAuth1 - Federation with any OAuth 1.0 protocol identity provider.
  • OAuth2 - Federation with any OAuth 2.0 protocol identity provider.
  • One-time password - Provides support for managing the generation and verification of a one-time password.
  • OpenID Connect - Federation with any OpenID Connect protocol identity provider.
  • Phone factor - Support for enrolling and verifying phone numbers.
  • RESTful provider - Call REST API services, for example to validate user input, enrich user data, or integrate with line-of-business applications.
  • SAML identity provider - Federation with any SAML protocol identity provider.
  • SAML token issuer - Emits a SAML token that is returned to the relying party application.
  • Self-asserted - Interact with the user. For example, collect the user's credential to sign in, render the sign-up page, or reset a password.
  • Session management - Handle different types of sessions.

Technical profile flow

All types of technical profiles share the same concept. You send input claims, run claims transformations, and communicate with the configured party, such as an identity provider, REST API, or Azure AD directory services. After the process is completed, the technical profile returns the output claims and may run output claims transformations. The following diagram shows how the transformations and mappings referenced in the technical profile are processed. Regardless of the party the technical profile interacts with, after any claims transformation is executed, the output claims from the technical profile are immediately stored in the claims bag.

Diagram that illustrates the technical profile flow

  1. Single sign-on (SSO) session management - Restores the technical profile's session state, using SSO session management.
  2. Input claims transformation - Input claims of every input claims transformation are picked up from the claims bag. The output claims of an input claims transformation can be input claims of a subsequent input claims transformation.
  3. Input claims - Claims are picked up from the claims bag and are used for the technical profile. For example, a self-asserted technical profile uses the input claims to prepopulate the output claims that the user provides. A REST API technical profile uses the input claims to send input parameters to the REST API endpoint. Azure Active Directory uses an input claim as the unique identifier to read, update, or delete an account.
  4. Technical profile execution - The technical profile exchanges the claims with the configured party. For example:
    • Redirect the user to the identity provider to complete the sign-in. After successful sign-in, the user returns and the technical profile execution continues.
    • Call a REST API while sending parameters as InputClaims and getting information back as OutputClaims.
    • Create or update the user account.
    • Send and verify the MFA text message.
  5. Validation technical profiles - A self-asserted technical profile can call validation technical profiles. The validation technical profile validates the data provided by the user and returns an error message or Ok, with or without output claims. For example, before Azure AD B2C creates a new account, it checks whether the user already exists in the directory services. You can call a REST API technical profile to add your own business logic.

    The scope of the output claims of a validation technical profile is limited to the technical profile that invokes the validation technical profile and to other validation technical profiles under the same technical profile. If you want to use the output claims in the next orchestration step, you need to add the output claims to the technical profile that invokes the validation technical profile.

  6. Output claims - Claims are returned to the claims bag. You can use those claims in the next orchestration step, or in output claims transformations.
  7. Output claims transformations - Input claims of every output claims transformation are picked up from the claims bag. The output claims of the technical profile from the previous steps can be input claims of an output claims transformation. After execution, the output claims are put back in the claims bag. The output claims of an output claims transformation can also be input claims of a subsequent output claims transformation.
  8. Single sign-on (SSO) session management - Persists the technical profile's data to the session, using SSO session management.

Technical profile inclusion

A technical profile can include another technical profile to change settings or add new functionality. The IncludeTechnicalProfile element is a reference to the base technical profile from which a technical profile is derived. There is no limit on the number of inclusion levels.

For example, the AAD-UserReadUsingAlternativeSecurityId-NoError technical profile includes AAD-UserReadUsingAlternativeSecurityId. That technical profile sets the RaiseErrorIfClaimsPrincipalDoesNotExist metadata item to true, and raises an error if a social account does not exist in the directory. AAD-UserReadUsingAlternativeSecurityId-NoError overrides this behavior, and disables that error message.

<TechnicalProfile Id="AAD-UserReadUsingAlternativeSecurityId-NoError">
  <Metadata>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">false</Item>
  </Metadata>
  <IncludeTechnicalProfile ReferenceId="AAD-UserReadUsingAlternativeSecurityId" />
</TechnicalProfile>

AAD-UserReadUsingAlternativeSecurityId includes the AAD-Common technical profile.

<TechnicalProfile Id="AAD-UserReadUsingAlternativeSecurityId">
  <Metadata>
    <Item Key="Operation">Read</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
    <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">User does not exist. Please sign up before you can sign in.</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="AlternativeSecurityId" PartnerClaimType="alternativeSecurityId" Required="true" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
    <OutputClaim ClaimTypeReferenceId="displayName" />
    <OutputClaim ClaimTypeReferenceId="otherMails" />
    <OutputClaim ClaimTypeReferenceId="givenName" />
    <OutputClaim ClaimTypeReferenceId="surname" />
  </OutputClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>

Both AAD-UserReadUsingAlternativeSecurityId-NoError and AAD-UserReadUsingAlternativeSecurityId don't specify the required Protocol element, because it's specified in the AAD-Common technical profile.

<TechnicalProfile Id="AAD-Common">
  <DisplayName>Azure Active Directory</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.AzureActiveDirectoryProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  ...
</TechnicalProfile>
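As an added example (not Microsoft's code and not part of the original article), the following Python script resolves the effective settings of a technical profile by walking its IncludeTechnicalProfile chain, layering AAD-UserReadUsingAlternativeSecurityId-NoError over AAD-UserReadUsingAlternativeSecurityId over AAD-Common. The policy sample is constructed from the three profiles above, with the policy XML namespace and the elided body of AAD-Common left out; reviewing a policy this way shows which derived profiles override a base profile's checks, such as RaiseErrorIfClaimsPrincipalDoesNotExist.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the three profiles from this page under one parent element (namespace omitted).
POLICY_XML = """<TechnicalProfiles>
  <TechnicalProfile Id="AAD-UserReadUsingAlternativeSecurityId-NoError">
    <Metadata><Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">false</Item></Metadata>
    <IncludeTechnicalProfile ReferenceId="AAD-UserReadUsingAlternativeSecurityId" />
  </TechnicalProfile>
  <TechnicalProfile Id="AAD-UserReadUsingAlternativeSecurityId">
    <Metadata>
      <Item Key="Operation">Read</Item>
      <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
    </Metadata>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="objectId" />
      <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
    </OutputClaims>
    <IncludeTechnicalProfile ReferenceId="AAD-Common" />
  </TechnicalProfile>
  <TechnicalProfile Id="AAD-Common">
    <DisplayName>Azure Active Directory</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.AzureActiveDirectoryProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  </TechnicalProfile>
</TechnicalProfiles>"""

def load_profiles(xml_text):
    root = ET.fromstring(xml_text)
    return {tp.get("Id"): tp for tp in root.findall("TechnicalProfile")}  # index by Id

def resolve(profiles, profile_id, _seen=()):
    """Effective settings: resolve the included base first, then let the derived profile override."""
    if profile_id in _seen:                      # guard against include cycles
        raise ValueError("IncludeTechnicalProfile cycle at " + profile_id)
    tp = profiles[profile_id]
    inc = tp.find("IncludeTechnicalProfile")
    eff = (resolve(profiles, inc.get("ReferenceId"), _seen + (profile_id,))
           if inc is not None else {"metadata": {}, "protocol": None, "output_claims": []})
    for item in tp.findall("Metadata/Item"):
        eff["metadata"][item.get("Key")] = item.text   # derived value wins over the base
    proto = tp.find("Protocol")
    if proto is not None:
        eff["protocol"] = proto.get("Name")          # inherited from AAD-Common if absent here
    eff["output_claims"] += [c.get("ClaimTypeReferenceId")
                             for c in tp.findall("OutputClaims/OutputClaim")]
    return eff
```

A real policy file declares the TrustFrameworkPolicy namespace, so the tag lookups would need the namespace prefix or a namespace-stripping step before this resolver applies.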