TrustFrameworkPolicy

Note

In Azure Active Directory B2C, custom policies are designed primarily to address complex scenarios. For most scenarios, we recommend that you use built-in user flows.

A custom policy is represented as one or more XML-formatted files, which refer to each other in a hierarchical chain. The XML elements define the parts of the policy, such as the claims schema, claims transformations, content definitions, claims providers, technical profiles, user journeys, and orchestration steps. Each policy file is defined within the top-level TrustFrameworkPolicy element of that file.

<TrustFrameworkPolicy
  xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="https://www.w3.org/2001/XMLSchema"
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0"
  TenantId="mytenant.partner.onmschina.cn"
  PolicyId="B2C_1A_TrustFrameworkBase"
  PublicPolicyUri="http://mytenant.partner.onmschina.cn/B2C_1A_TrustFrameworkBase">
  ...

The TrustFrameworkPolicy element contains the following attributes:

  • PolicySchemaVersion (required): The schema version used to execute the policy. The value must be 0.3.0.0.
  • TenantObjectId (optional): The unique object identifier of the Azure Active Directory B2C (Azure AD B2C) tenant.
  • TenantId (required): The unique identifier of the tenant to which this policy belongs.
  • PolicyId (required): The unique identifier for the policy. This identifier must be prefixed with B2C_1A_.
  • PublicPolicyUri (required): The URI for the policy, which is the combination of the tenant ID and the policy ID.
  • DeploymentMode (optional): Possible values: Production or Development. Production is the default. Use this attribute to debug your policy.
  • UserJourneyRecorderEndpoint (optional): The endpoint that is used when DeploymentMode is set to Development. The value must be urn:journeyrecorder:applicationinsights.

The following example shows how to specify the TrustFrameworkPolicy element:

<TrustFrameworkPolicy
   xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance"
   xmlns:xsd="https://www.w3.org/2001/XMLSchema"
   xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
   PolicySchemaVersion="0.3.0.0"
   TenantId="mytenant.partner.onmschina.cn"
   PolicyId="B2C_1A_TrustFrameworkBase"
   PublicPolicyUri="http://mytenant.partner.onmschina.cn/B2C_1A_TrustFrameworkBase">
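The attribute rules above are easy to get wrong by hand, and a policy left in DeploymentMode="Development" streams journey traces to the recorder endpoint. The following Python linter is an added example, not Microsoft's code and not part of the page: it parses a policy file's root element and reports each rule the attribute list states that is violated. The two policy texts and the assumption that PublicPolicyUri takes the http://<TenantId>/<PolicyId> form shown in the page's examples are constructed for this example.

```python
"""Lint the root attributes of an Azure AD B2C custom policy file (added example)."""
import xml.etree.ElementTree as ET

CPIM_NS = "http://schemas.microsoft.com/online/cpim/schemas/2013/06"
REQUIRED = ("PolicySchemaVersion", "TenantId", "PolicyId", "PublicPolicyUri")
RECORDER = "urn:journeyrecorder:applicationinsights"

# Constructed sample: the attributes shown on the page, self-closed so it parses.
GOOD_POLICY = """<TrustFrameworkPolicy
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0"
  TenantId="mytenant.partner.onmschina.cn"
  PolicyId="B2C_1A_TrustFrameworkBase"
  PublicPolicyUri="http://mytenant.partner.onmschina.cn/B2C_1A_TrustFrameworkBase"/>"""

# Constructed sample with defects: old schema version, missing B2C_1A_ prefix, a
# PublicPolicyUri for another tenant, and Development mode without a recorder endpoint.
BAD_POLICY = """<TrustFrameworkPolicy
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.2.0.0"
  TenantId="mytenant.partner.onmschina.cn"
  PolicyId="TrustFrameworkBase"
  PublicPolicyUri="http://othertenant.partner.onmschina.cn/TrustFrameworkBase"
  DeploymentMode="Development"/>"""


def lint_root(xml_text: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{CPIM_NS}}}TrustFrameworkPolicy":
        return [f"root element is {root.tag}, expected TrustFrameworkPolicy in the cpim namespace"]
    attrs = root.attrib
    findings = [f"missing required attribute {n}" for n in REQUIRED if not attrs.get(n)]

    version = attrs.get("PolicySchemaVersion")
    if version and version != "0.3.0.0":
        findings.append(f"PolicySchemaVersion is {version}, must be 0.3.0.0")

    policy_id = attrs.get("PolicyId", "")
    if policy_id and not policy_id.startswith("B2C_1A_"):
        findings.append(f"PolicyId {policy_id} lacks the B2C_1A_ prefix")

    tenant, uri = attrs.get("TenantId"), attrs.get("PublicPolicyUri")
    if tenant and policy_id and uri:
        # Assumption: the URI follows the http://<TenantId>/<PolicyId> form of the page's examples.
        expected = f"http://{tenant}/{policy_id}"
        if uri != expected:
            findings.append(f"PublicPolicyUri is {uri}, expected {expected}")

    mode = attrs.get("DeploymentMode", "Production")
    endpoint = attrs.get("UserJourneyRecorderEndpoint")
    if mode not in ("Production", "Development"):
        findings.append(f"DeploymentMode {mode} is not Production or Development")
    elif mode == "Development":
        # Development is a debug setting: report it so it is not deployed by accident,
        # and require the only recorder endpoint value the attribute list allows.
        findings.append("DeploymentMode is Development (debug setting; confirm before deployment)")
        if endpoint != RECORDER:
            findings.append(f"UserJourneyRecorderEndpoint must be {RECORDER} when DeploymentMode is Development")
    elif endpoint:
        findings.append("UserJourneyRecorderEndpoint is set but only takes effect when DeploymentMode is Development")
    return findings


if __name__ == "__main__":
    for name, text in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, lint_root(text) or "OK")
```

Run it over every policy file before uploading; the good sample returns no findings, the bad sample returns five (schema version, prefix, URI mismatch, Development mode, and the missing recorder endpoint).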

Inheritance model

The following types of policy files are typically used in a user journey:

  • A Base file that contains most of the definitions. To help with troubleshooting and long-term maintenance of your policies, it is recommended that you make a minimum number of changes to this file.
  • An Extensions file that holds the unique configuration changes for your tenant. This policy file is derived from the Base file. Use this file to add new functionality or override existing functionality. For example, use this file to federate with new identity providers.
  • A Relying Party (RP) file that is the single task-focused file invoked directly by the relying party application, such as your web, mobile, or desktop application. Each unique task, such as sign-up or sign-in, password reset, or profile edit, requires its own RP policy file. This policy file is derived from the Extensions file.

A relying party application calls the RP policy file to execute a specific task, for example to initiate the sign-in flow. The Identity Experience Framework in Azure AD B2C adds all of the elements first from the Base file, then from the Extensions file, and finally from the RP policy file to assemble the policy currently in effect. Elements of the same type and name in the RP file override those elements in the Extensions file, and Extensions overrides Base. The following diagram shows the relationship between the policy files and the relying party applications.

[Diagram: trust framework policy inheritance model]

The inheritance model is as follows:

  • The parent policy and child policy are of the same schema.
  • The child policy at any level can inherit from the parent policy and extend it by adding new elements.
  • There is no limit on the number of levels.

Base policy

To inherit a policy from another policy, a BasePolicy element must be declared under the TrustFrameworkPolicy element of the policy file. The BasePolicy element is a reference to the base policy from which this policy is derived.

The BasePolicy element contains the following elements:

  • TenantId (occurrences 1:1): The identifier of your Azure AD B2C tenant.
  • PolicyId (occurrences 1:1): The identifier of the parent policy.

The following example shows how to specify a base policy. The B2C_1A_TrustFrameworkExtensions policy is derived from the B2C_1A_TrustFrameworkBase policy.

<TrustFrameworkPolicy
   xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance"
   xmlns:xsd="https://www.w3.org/2001/XMLSchema"
   xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
   PolicySchemaVersion="0.3.0.0"
   TenantId="mytenant.partner.onmschina.cn"
   PolicyId="B2C_1A_TrustFrameworkExtensions"
   PublicPolicyUri="http://mytenant.partner.onmschina.cn/B2C_1A_TrustFrameworkExtensions">

  <BasePolicy>
    <TenantId>mytenant.partner.onmschina.cn</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>
  </BasePolicy>
  ...
</TrustFrameworkPolicy>

Policy execution

A relying party application, such as a web, mobile, or desktop application, calls the relying party (RP) policy. The RP policy file executes a specific task, such as signing in, resetting a password, or editing a profile. The RP policy configures the list of claims the relying party application receives as part of the token that is issued. Multiple applications can use the same policy: all of them receive the same token with the same claims, and the user goes through the same user journey. A single application can also use multiple policies.

Inside the RP policy file, you specify the DefaultUserJourney element, which points to the UserJourney. The user journey is usually defined in the Base or Extensions policy.

The B2C_1A_signup_signin policy:

<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn">
  ...

B2C_1A_TrustFrameWorkBase or B2C_1A_TrustFrameworkExtensionPolicy:

<UserJourneys>
  <UserJourney Id="SignUpOrSignIn">
  ...
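The inheritance model, the BasePolicy reference, and the DefaultUserJourney lookup above together decide which UserJourney a relying party actually runs. The following Python script is an added example, not Microsoft's code and not part of the page: it follows BasePolicy references from an RP file up to the Base file, checks that each BasePolicy names the same tenant as the file declaring it, merges UserJourney elements so that the RP overrides Extensions and Extensions overrides Base (matched on Id), and verifies that the RP's DefaultUserJourney ReferenceId resolves to a journey somewhere in the chain. The three policy texts, their journey Ids and the helper names are constructed for this example.

```python
"""Resolve the BasePolicy chain of Azure AD B2C custom policy files (added example)."""
import xml.etree.ElementTree as ET

NS = {"cpim": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}
TENANT = "mytenant.partner.onmschina.cn"


def head(pid):
    """Build the constructed root element for a policy with the given PolicyId."""
    return (f'<TrustFrameworkPolicy xmlns="{NS["cpim"]}" PolicySchemaVersion="0.3.0.0" '
            f'TenantId="{TENANT}" PolicyId="{pid}" PublicPolicyUri="http://{TENANT}/{pid}">')


# Constructed Base file: defines two journeys.
BASE = head("B2C_1A_TrustFrameworkBase") + """
  <UserJourneys>
    <UserJourney Id="SignUpOrSignIn"><OrchestrationSteps/></UserJourney>
    <UserJourney Id="PasswordReset"><OrchestrationSteps/></UserJourney>
  </UserJourneys>
</TrustFrameworkPolicy>"""

# Constructed Extensions file: derives from Base and overrides SignUpOrSignIn.
EXTENSIONS = head("B2C_1A_TrustFrameworkExtensions") + """
  <BasePolicy>
    <TenantId>mytenant.partner.onmschina.cn</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>
  </BasePolicy>
  <UserJourneys>
    <UserJourney Id="SignUpOrSignIn"><OrchestrationSteps/></UserJourney>
  </UserJourneys>
</TrustFrameworkPolicy>"""

# Constructed RP file: derives from Extensions and selects its default journey.
RP = head("B2C_1A_signup_signin") + """
  <BasePolicy>
    <TenantId>mytenant.partner.onmschina.cn</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
  </BasePolicy>
  <RelyingParty>
    <DefaultUserJourney ReferenceId="SignUpOrSignIn"/>
  </RelyingParty>
</TrustFrameworkPolicy>"""


def parse_all(texts):
    """Index each parsed file by its PolicyId attribute."""
    return {root.get("PolicyId"): root for root in map(ET.fromstring, texts)}


def resolve_chain(files, policy_id):
    """Return [child, parent, ...] roots by following BasePolicy references.

    Raises ValueError for a missing base, a BasePolicy/TenantId mismatch, or a cycle.
    """
    chain, seen, current = [], set(), policy_id
    while current is not None:
        if current in seen:
            raise ValueError(f"cycle in BasePolicy chain at {current}")
        if current not in files:
            raise ValueError(f"base policy {current} is not among the loaded files")
        seen.add(current)
        root = files[current]
        chain.append(root)
        base = root.find("cpim:BasePolicy", NS)
        if base is None:
            break  # reached the Base file
        base_tenant = base.findtext("cpim:TenantId", namespaces=NS)
        if base_tenant != root.get("TenantId"):
            raise ValueError(f"{current}: BasePolicy TenantId {base_tenant} != {root.get('TenantId')}")
        current = base.findtext("cpim:PolicyId", namespaces=NS)
    return chain


def effective_user_journeys(chain):
    """Map each UserJourney Id to the PolicyId whose definition wins.

    Files are applied Base first and RP last, so a child's element with the
    same Id replaces the parent's, as the inheritance model describes.
    """
    winners = {}
    for root in reversed(chain):
        for journey in root.findall("cpim:UserJourneys/cpim:UserJourney", NS):
            winners[journey.get("Id")] = root.get("PolicyId")
    return winners


def check_default_journey(files, rp_policy_id):
    """Return (chain of PolicyIds, ReferenceId, PolicyId that defines the journey)."""
    chain = resolve_chain(files, rp_policy_id)
    journeys = effective_user_journeys(chain)
    ref = chain[0].find("cpim:RelyingParty/cpim:DefaultUserJourney", NS)
    if ref is None:
        raise ValueError(f"{rp_policy_id} declares no RelyingParty/DefaultUserJourney")
    ref_id = ref.get("ReferenceId")
    if ref_id not in journeys:
        raise ValueError(f"DefaultUserJourney {ref_id} is not defined anywhere in the chain")
    return [r.get("PolicyId") for r in chain], ref_id, journeys[ref_id]


if __name__ == "__main__":
    print(check_default_journey(parse_all([BASE, EXTENSIONS, RP]), "B2C_1A_signup_signin"))
```

For the constructed files the chain resolves to RP, Extensions, Base; SignUpOrSignIn is taken from the Extensions file because it overrides the Base definition, while PasswordReset still comes from Base. Dropping the Base file from the set makes resolve_chain fail on the dangling BasePolicy reference, which is the same failure the upload would surface.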

A user journey defines the business logic of what a user goes through. Each user journey is a set of orchestration steps that performs a series of actions, in sequence, for authentication and information collection.

The SocialAndLocalAccounts policy file in the starter pack contains the SignUpOrSignIn, ProfileEdit, and PasswordReset user journeys. You can add more user journeys for other scenarios, such as changing an email address or linking and unlinking a social account.

The orchestration steps may call a technical profile. A technical profile provides a framework with a built-in mechanism to communicate with different types of parties. For example, a technical profile can perform these actions, among others:

  • Render a user experience.
  • Allow users to sign in with a social or an enterprise account.
  • Set up phone verification for MFA.
  • Read and write data to and from an Azure AD B2C identity store.
  • Call a custom RESTful API service.

[Diagram: policy execution flow]

The TrustFrameworkPolicy element contains the following elements: