TechnicalProfiles

Note

In Azure Active Directory B2C, custom policies are designed primarily to address complex scenarios. For most scenarios, we recommend that you use built-in user flows.

A TechnicalProfiles element contains a set of technical profiles supported by the claims provider. Every claims provider must have one or more technical profiles that determine the endpoints and the protocols needed to communicate with the claims provider. A claims provider can have multiple technical profiles.

<ClaimsProvider>
  <DisplayName>Display name</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="Technical profile identifier">
      <DisplayName>Display name of technical profile</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="ServiceUrl">URL of service</Item>
        <Item Key="AuthenticationType">None</Item>
        <Item Key="SendClaimsIn">Body</Item>
      </Metadata>
      <InputTokenFormat>JWT</InputTokenFormat>
      <OutputTokenFormat>JWT</OutputTokenFormat>
      <CryptographicKeys>
        <Key ID="Key identifier" StorageReferenceId="Storage key container identifier"/>
        ...
      </CryptographicKeys>
      <InputClaimsTransformations>
        <InputClaimsTransformation ReferenceId="Claims transformation identifier" />
        ...
      </InputClaimsTransformations>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="givenName" DefaultValue="givenName" PartnerClaimType="firstName" />
        ...
      </InputClaims>
      <PersistedClaims>
        <PersistedClaim ClaimTypeReferenceId="givenName" DefaultValue="givenName" PartnerClaimType="firstName" />
        ...
      </PersistedClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="loyaltyNumber" DefaultValue="loyaltyNumber" PartnerClaimType="loyaltyNumber" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="Claims transformation identifier" />
        ...
      </OutputClaimsTransformations>
      <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="Technical profile identifier" />
        ...
      </ValidationTechnicalProfiles>
      <SubjectNamingInfo ClaimType="Claim type identifier" />
      <IncludeTechnicalProfile ReferenceId="Technical profile identifier" />
      <UseTechnicalProfileForSessionManagement ReferenceId="Technical profile identifier" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

The TechnicalProfile element contains the following attribute:

| Attribute | Required | Description |
| --- | --- | --- |
| Id | Yes | A unique identifier of the technical profile. The technical profile can be referenced using this identifier from other elements in the policy file, for example OrchestrationSteps and ValidationTechnicalProfile. |

The TechnicalProfile element contains the following elements:

| Element | Occurrences | Description |
| --- | --- | --- |
| Domain | 0:1 | The domain name for the technical profile. |
| DisplayName | 1:1 | The name of the technical profile that can be displayed to users. |
| Description | 0:1 | The description of the technical profile that can be displayed to users. |
| Protocol | 0:1 | The protocol used for the communication with the other party. |
| Metadata | 0:1 | A collection of key/value pairs that are used by the protocol for communicating with the endpoint in the course of a transaction. |
| InputTokenFormat | 0:1 | The format of the input token. Possible values: JSON, JWT, SAML11, or SAML2. The JWT value represents a JSON Web Token as per the IETF specification. The SAML11 value represents a SAML 1.1 security token as per the OASIS specification. The SAML2 value represents a SAML 2.0 security token as per the OASIS specification. |
| OutputTokenFormat | 0:1 | The format of the output token. Possible values: JSON, JWT, SAML11, or SAML2. |
| CryptographicKeys | 0:1 | A list of cryptographic keys that are used in the technical profile. |
| InputClaimsTransformations | 0:1 | A list of previously defined references to claims transformations that should be executed before any claims are sent to the claims provider or the relying party. |
| InputClaims | 0:1 | A list of previously defined references to claim types that are taken as input in the technical profile. |
| PersistedClaims | 0:1 | A list of previously defined references to claim types that are persisted by the claims provider that relates to the technical profile. |
| DisplayClaims | 0:1 | A list of previously defined references to claim types that are presented by the claims provider that relates to the self-asserted technical profile. The DisplayClaims feature is currently in preview. |
| OutputClaims | 0:1 | A list of previously defined references to claim types that are taken as output in the technical profile. |
| OutputClaimsTransformations | 0:1 | A list of previously defined references to claims transformations that should be executed after the claims are received from the claims provider. |
| ValidationTechnicalProfiles | 0:n | A list of references to other technical profiles that the technical profile uses for validation purposes. For more information, see validation technical profile. |
| SubjectNamingInfo | 0:1 | Controls the production of the subject name in tokens where the subject name is specified separately from claims, for example OAuth or SAML. |
| IncludeInSso | 0:1 | Whether usage of this technical profile should apply single sign-on (SSO) behavior for the session, or instead require explicit interaction. This element is valid only in SelfAsserted profiles used within a validation technical profile. Possible values: true (default) or false. |
| IncludeClaimsFromTechnicalProfile | 0:1 | An identifier of a technical profile from which you want all of the input and output claims to be added to this technical profile. The referenced technical profile must be defined in the same policy file. |
| IncludeTechnicalProfile | 0:1 | An identifier of a technical profile from which you want all data to be added to this technical profile. |
| UseTechnicalProfileForSessionManagement | 0:1 | A different technical profile to be used for session management. |
| EnabledForUserJourneys | 0:1 | Controls whether the technical profile is executed in a user journey. |

Protocol

The Protocol element contains the following attributes:

| Attribute | Required | Description |
| --- | --- | --- |
| Name | Yes | The name of a valid protocol supported by Azure AD B2C that is used as part of the technical profile. Possible values: OAuth1, OAuth2, SAML2, OpenIdConnect, Proprietary, or None. |
| Handler | No | When the protocol name is set to Proprietary, specify the fully qualified name of the assembly that is used by Azure AD B2C to determine the protocol handler. |

Metadata

A Metadata element contains the following element:

| Element | Occurrences | Description |
| --- | --- | --- |
| Item | 0:n | The metadata that relates to the technical profile. Each type of technical profile has a different set of metadata items. See the technical profile types section for more information. |

Item

The Item element of the Metadata element contains the following attribute:

| Attribute | Required | Description |
| --- | --- | --- |
| Key | Yes | The metadata key. See each technical profile type for the list of metadata items. |

CryptographicKeys

The CryptographicKeys element contains the following element:

| Element | Occurrences | Description |
| --- | --- | --- |
| Key | 1:n | A cryptographic key used in this technical profile. |

Key

The Key element contains the following attributes:

| Attribute | Required | Description |
| --- | --- | --- |
| Id | No | A unique identifier of a particular key pair referenced from other elements in the policy file. |
| StorageReferenceId | Yes | An identifier of a storage key container referenced from other elements in the policy file. |

InputClaimsTransformations

The InputClaimsTransformations element contains the following element:

| Element | Occurrences | Description |
| --- | --- | --- |
| InputClaimsTransformation | 1:n | The identifier of a claims transformation that should be executed before any claims are sent to the claims provider or the relying party. A claims transformation can be used to modify existing ClaimsSchema claims or generate new ones. |

InputClaimsTransformation

The InputClaimsTransformation element contains the following attribute:

| Attribute | Required | Description |
| --- | --- | --- |
| ReferenceId | Yes | An identifier of a claims transformation already defined in the policy file or parent policy file. |

InputClaims

The InputClaims element contains the following element:

| Element | Occurrences | Description |
| --- | --- | --- |
| InputClaim | 1:n | An expected input claim type. |

InputClaim

The InputClaim element contains the following attributes:

| Attribute | Required | Description |
| --- | --- | --- |
| ClaimTypeReferenceId | Yes | The identifier of a claim type already defined in the ClaimsSchema section in the policy file or parent policy file. |
| DefaultValue | No | A default value to use to create a claim if the claim indicated by ClaimTypeReferenceId does not exist, so that the resulting claim can be used as an InputClaim by the technical profile. |
| PartnerClaimType | No | The identifier of the claim type of the external partner that the specified policy claim type maps to. If the PartnerClaimType attribute is not specified, the specified policy claim type is mapped to the partner claim type of the same name. Use this property when your claim type name is different from the other party's. For example, the first claim name is 'givenName', while the partner uses a claim named 'first_name'. |

DisplayClaims

The DisplayClaims element contains the following element:

| Element | Occurrences | Description |
| --- | --- | --- |
| DisplayClaim | 1:n | An expected input claim type. |

The DisplayClaims feature is currently in preview.

DisplayClaim

The DisplayClaim element contains the following attributes:

| Attribute | Required | Description |
| --- | --- | --- |
| ClaimTypeReferenceId | No | The identifier of a claim type already defined in the ClaimsSchema section in the policy file or parent policy file. |
| DisplayControlReferenceId | No | The identifier of a display control already defined in the ClaimsSchema section in the policy file or parent policy file. |
| Required | No | Indicates whether the display claim is required. |

The DisplayClaim requires that you specify either a ClaimTypeReferenceId or a DisplayControlReferenceId.

PersistedClaims

The PersistedClaims element contains the following element:

| Element | Occurrences | Description |
| --- | --- | --- |
| PersistedClaim | 1:n | The claim type to persist. |

PersistedClaim

The PersistedClaim element contains the following attributes:

| Attribute | Required | Description |
| --- | --- | --- |
| ClaimTypeReferenceId | Yes | The identifier of a claim type already defined in the ClaimsSchema section in the policy file or parent policy file. |
| DefaultValue | No | A default value to use to create a claim if the claim indicated by ClaimTypeReferenceId does not exist, so that the resulting claim can be used as an InputClaim by the technical profile. |
| PartnerClaimType | No | The identifier of the claim type of the external partner that the specified policy claim type maps to. If the PartnerClaimType attribute is not specified, the specified policy claim type is mapped to the partner claim type of the same name. Use this property when your claim type name is different from the other party's. For example, the first claim name is 'givenName', while the partner uses a claim named 'first_name'. |

OutputClaims

The OutputClaims element contains the following element:

| Element | Occurrences | Description |
| --- | --- | --- |
| OutputClaim | 1:n | An expected output claim type. |

OutputClaim

The OutputClaim element contains the following attributes:

| Attribute | Required | Description |
| --- | --- | --- |
| ClaimTypeReferenceId | Yes | The identifier of a claim type already defined in the ClaimsSchema section in the policy file or parent policy file. |
| DefaultValue | No | A default value to use to create a claim if the claim indicated by ClaimTypeReferenceId does not exist, so that the resulting claim can be used as an InputClaim by the technical profile. |
| AlwaysUseDefaultValue | No | Forces the use of the default value. |
| PartnerClaimType | No | The identifier of the claim type of the external partner that the specified policy claim type maps to. If the PartnerClaimType attribute is not specified, the specified policy claim type is mapped to the partner claim type of the same name. Use this property when your claim type name is different from the other party's. For example, the first claim name is 'givenName', while the partner uses a claim named 'first_name'. |

OutputClaimsTransformations

The OutputClaimsTransformations element contains the following element:

| Element | Occurrences | Description |
| --- | --- | --- |
| OutputClaimsTransformation | 1:n | The identifier of a claims transformation that should be executed after the claims are received from the claims provider. A claims transformation can be used to modify existing ClaimsSchema claims or generate new ones. |

OutputClaimsTransformation

The OutputClaimsTransformation element contains the following attribute:

| Attribute | Required | Description |
| --- | --- | --- |
| ReferenceId | Yes | An identifier of a claims transformation already defined in the policy file or parent policy file. |

ValidationTechnicalProfiles

The ValidationTechnicalProfiles element contains the following element:

| Element | Occurrences | Description |
| --- | --- | --- |
| ValidationTechnicalProfile | 1:n | The identifier of a technical profile that is used to validate some or all of the output claims of the referencing technical profile. All of the input claims of the referenced technical profile must appear in the output claims of the referencing technical profile. |

ValidationTechnicalProfile

The ValidationTechnicalProfile element contains the following attribute:

| Attribute | Required | Description |
| --- | --- | --- |
| ReferenceId | Yes | An identifier of a technical profile already defined in the policy file or parent policy file. |

SubjectNamingInfo

The SubjectNamingInfo element contains the following attribute:

| Attribute | Required | Description |
| --- | --- | --- |
| ClaimType | Yes | An identifier of a claim type already defined in the ClaimsSchema section in the policy file. |

IncludeTechnicalProfile

The IncludeTechnicalProfile element contains the following attribute:

| Attribute | Required | Description |
| --- | --- | --- |
| ReferenceId | Yes | An identifier of a technical profile already defined in the policy file or parent policy file. |

UseTechnicalProfileForSessionManagement

The UseTechnicalProfileForSessionManagement element contains the following attribute:

| Attribute | Required | Description |
| --- | --- | --- |
| ReferenceId | Yes | An identifier of a technical profile already defined in the policy file or parent policy file. |

EnabledForUserJourneys

The ClaimsProviderSelections element in a user journey defines the list of claims provider selection options and their order. With the EnabledForUserJourneys element you filter which claims providers are available to the user. The EnabledForUserJourneys element contains one of the following values:

  • Always: execute the technical profile.
  • Never: skip the technical profile.
  • OnClaimsExistence: execute only when a certain claim, specified in the technical profile, exists.
  • OnItemExistenceInStringCollectionClaim: execute only when an item exists in a string collection claim.
  • OnItemAbsenceInStringCollectionClaim: execute only when an item does not exist in a string collection claim.

Using OnClaimsExistence, OnItemExistenceInStringCollectionClaim or OnItemAbsenceInStringCollectionClaim requires you to provide the following metadata: ClaimTypeOnWhichToEnable specifies the claim type that is to be evaluated, and ClaimValueOnWhichToEnable specifies the value that is to be compared.
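Three of the rules above are easy to get wrong by hand and are not caught until the policy is uploaded: a DisplayClaim must name a ClaimTypeReferenceId or a DisplayControlReferenceId, every input claim of a ValidationTechnicalProfile must appear in the referencing profile's output claims, and a conditional EnabledForUserJourneys value needs the ClaimTypeOnWhichToEnable and ClaimValueOnWhichToEnable metadata items. The linter below checks a policy fragment for all three; it is an added example, not code from the Azure AD B2C documentation, and the sample policy (profile Ids, claim names, the example.invalid URL) is constructed so that it deliberately breaks each rule.

```python
"""Lint a TechnicalProfiles fragment against the rules stated on this page (added example,
not Azure AD B2C documentation code); SAMPLE_POLICY is constructed and deliberately breaks rules."""
import xml.etree.ElementTree as ET

SAMPLE_POLICY = """<ClaimsProvider>
  <TechnicalProfiles>
    <TechnicalProfile Id="SelfAsserted-Signup">
      <DisplayClaims>
        <DisplayClaim ClaimTypeReferenceId="email" Required="true" />
        <DisplayClaim Required="true" />
      </DisplayClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="email" />
        <OutputClaim ClaimTypeReferenceId="givenName" />
      </OutputClaims>
      <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="REST-CheckLoyalty" />
      </ValidationTechnicalProfiles>
    </TechnicalProfile>
    <TechnicalProfile Id="REST-CheckLoyalty">
      <Metadata>
        <Item Key="ServiceUrl">https://example.invalid/check</Item>
      </Metadata>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="email" />
        <InputClaim ClaimTypeReferenceId="loyaltyNumber" />
      </InputClaims>
      <EnabledForUserJourneys>OnClaimsExistence</EnabledForUserJourneys>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>"""

# EnabledForUserJourneys values that require ClaimTypeOnWhichToEnable and ClaimValueOnWhichToEnable.
CONDITIONAL_MODES = {"OnClaimsExistence", "OnItemExistenceInStringCollectionClaim",
                     "OnItemAbsenceInStringCollectionClaim"}


def lint_policy(xml_text):
    """Return (technical profile Id, message) findings; an empty list means no rule was broken."""
    root = ET.fromstring(xml_text)
    profiles = {tp.get("Id"): tp for tp in root.iter("TechnicalProfile")}
    findings = []
    for tp_id, tp in profiles.items():
        # Rule 1: a DisplayClaim must carry ClaimTypeReferenceId or DisplayControlReferenceId.
        for dc in tp.iter("DisplayClaim"):
            if not (dc.get("ClaimTypeReferenceId") or dc.get("DisplayControlReferenceId")):
                findings.append((tp_id, "DisplayClaim lacks ClaimTypeReferenceId/DisplayControlReferenceId"))
        # Rule 2: every InputClaim of a validation profile must be an OutputClaim of the referencing profile.
        outputs = {oc.get("ClaimTypeReferenceId") for oc in tp.iter("OutputClaim")}
        for vtp in tp.iter("ValidationTechnicalProfile"):
            target = profiles.get(vtp.get("ReferenceId"))
            if target is None:
                findings.append((tp_id, f"unknown ValidationTechnicalProfile {vtp.get('ReferenceId')}"))
                continue
            needed = {ic.get("ClaimTypeReferenceId") for ic in target.iter("InputClaim")}
            for missing in sorted(needed - outputs):
                findings.append((tp_id, f"validation profile input claim '{missing}' not in OutputClaims"))
        # Rule 3: a conditional EnabledForUserJourneys value needs both Metadata items.
        mode = tp.findtext("EnabledForUserJourneys")
        if mode in CONDITIONAL_MODES:
            keys = {item.get("Key") for item in tp.iter("Item")}
            for key in ("ClaimTypeOnWhichToEnable", "ClaimValueOnWhichToEnable"):
                if key not in keys:
                    findings.append((tp_id, f"{mode} requires Metadata item {key}"))
    return findings
```

Running `lint_policy(SAMPLE_POLICY)` reports four findings: the DisplayClaim without an identifier, the `loyaltyNumber` input claim that the signup profile never outputs, and the two missing metadata items on the conditional REST profile.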