Define a validation technical profile in an Azure Active Directory B2C custom policy

Note

In Azure Active Directory B2C, custom policies are designed primarily to address complex scenarios. For most scenarios, we recommend that you use built-in user flows.

A validation technical profile is an ordinary technical profile from any protocol, such as Azure Active Directory or a REST API. The validation technical profile either returns output claims, or returns a 4xx HTTP status code with the following data. For more information, see Returning error message.

{
    "version": "1.0.0",
    "status": 409,
    "userMessage": "Your error message"
}
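The endpoint below is an added example, not code from the page or from Microsoft. It shows the contract a REST validation technical profile relies on: the endpoint answers 200 with a JSON object whose properties become output claims, or a 4xx (409 Conflict for a business-rule failure, 400 for malformed input) with the version/status/userMessage body shown above. It assumes B2C posts the profile's input claims as a flat JSON object; the claim names loyaltyNumber and loyaltyTier, the regular expression, and the in-memory lookup table are made up for this example.

```python
"""Minimal REST validation endpoint for a B2C validation technical profile.

Added example (not from the page or from Microsoft). Assumption: B2C sends
the input claims as a JSON object such as {"loyaltyNumber": "AB123456"}.
The claim names and the loyalty database below are constructed for the demo.
"""
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

LOYALTY_RE = re.compile(r"^[A-Z]{2}\d{6}$")  # constructed format rule
# Constructed stand-in for the customer database lookup.
KNOWN_LOYALTY = {"AB123456": {"loyaltyTier": "gold"}}


def error_response(status, message):
    """Build the 4xx body B2C expects; userMessage is shown to the end user."""
    return status, {"version": "1.0.0", "status": status, "userMessage": message}


def validate_claims(body):
    """Return (http_status, json_body). Pure function so it is easy to test."""
    number = body.get("loyaltyNumber")
    if not isinstance(number, str) or not LOYALTY_RE.fullmatch(number):
        # Malformed input: reject without touching the backing store.
        return error_response(400, "Loyalty number must be two letters followed by six digits.")
    record = KNOWN_LOYALTY.get(number)
    if record is None:
        # Business-rule failure: generic message, no internal detail leaks to the page.
        return error_response(409, "We could not find a loyalty account with that number.")
    # Success: the properties become output claims (only those the policy
    # declares as OutputClaims are picked up by B2C).
    return 200, {"loyaltyTier": record["loyaltyTier"], "loyaltyNumber": number}


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        try:
            body = json.loads(self.rfile.read(length) or b"{}")
        except ValueError:
            status, payload = error_response(400, "Request body must be JSON.")
        else:
            status, payload = validate_claims(body if isinstance(body, dict) else {})
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Local demo only; B2C requires an HTTPS endpoint in practice.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

The userMessage string is rendered verbatim on the sign-up or sign-in page, so it must stay free of stack traces, record identifiers, or anything else that tells an attacker how the lookup failed. A real deployment would also require the endpoint to authenticate the caller; that is configured on the RESTful technical profile and is outside what this page covers.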

The scope of the output claims of a validation technical profile is limited to the self-asserted technical profile that invokes it, and to that profile's other validation technical profiles. If you want to use the output claims in the next orchestration step, add them to the output claims of the self-asserted technical profile that invokes the validation technical profile.

Validation technical profiles are executed in the sequence in which they appear in the ValidationTechnicalProfiles element. On each validation technical profile you can configure whether any subsequent validation technical profiles should still run when that profile raises an error, and whether they should still run when it succeeds.

A validation technical profile can be conditionally executed based on preconditions defined in the ValidationTechnicalProfile element. For example, you can check whether a specific claim exists, or whether a claim is equal to a specified value.

A self-asserted technical profile may define a validation technical profile to be used for validating some or all of its output claims. All of the input claims of the referenced validation technical profile must appear in the output claims of the self-asserted technical profile that references it.

Note

Only self-asserted technical profiles can use validation technical profiles. If you need to validate the output claims of a non-self-asserted technical profile, consider adding an orchestration step to your user journey to accommodate the technical profile in charge of the validation.

ValidationTechnicalProfiles

The ValidationTechnicalProfiles element contains the following element:

Element | Occurrences | Description
ValidationTechnicalProfile | 1:n | A technical profile to be used for validating some or all of the output claims of the referencing technical profile.

The ValidationTechnicalProfile element contains the following attributes:

Attribute | Required | Description
ReferenceId | Yes | An identifier of a technical profile already defined in the policy or parent policy.
ContinueOnError | No | Indicates whether validation of any subsequent validation technical profiles should continue if this validation technical profile raises an error. Possible values: true or false (default; processing of further validation profiles stops and the error is returned).
ContinueOnSuccess | No | Indicates whether validation of any subsequent validation technical profiles should continue if this validation technical profile succeeds. Possible values: true or false. The default is true, meaning that the processing of further validation profiles continues.

The ValidationTechnicalProfile element contains the following element:

Element | Occurrences | Description
Preconditions | 0:1 | A list of preconditions that must be satisfied for the validation technical profile to execute.

The Precondition element contains the following attributes:

Attribute | Required | Description
Type | Yes | The type of check or query to perform for the precondition. ClaimsExist tests whether the specified claims exist in the user's current claim set; ClaimEquals tests whether the specified claim exists and its value is equal to the specified value.
ExecuteActionsIf | Yes | Indicates whether the actions in the precondition should be performed when the test evaluates to true, or when it evaluates to false.

The Precondition element contains the following elements:

Element | Occurrences | Description
Value | 1:n | The data that is used by the check. If the type of the check is ClaimsExist, this element specifies a ClaimTypeReferenceId to query for. If the type of the check is ClaimEquals, the first Value element specifies the ClaimTypeReferenceId to query for, and a second Value element contains the value to compare against.
Action | 1:1 | The action that should be taken if the precondition check is satisfied. The value of Action is SkipThisValidationTechnicalProfile, which specifies that the associated validation technical profile should not be executed.

Example

The following example uses these validation technical profiles:

  1. The first validation technical profile checks the user's credentials and does not continue if an error occurs, such as an invalid username or a bad password.
  2. The next validation technical profile does not execute if the userType claim does not exist, or if the value of userType is Partner. The validation technical profile tries to read the user profile from the internal customer database and continues even if an error occurs, such as the REST API service being unavailable or any internal error.
  3. The last validation technical profile does not execute if the userType claim does not exist, or if the value of userType is Customer. The validation technical profile tries to read the user profile from the internal partner database and continues even if an error occurs, such as the REST API service being unavailable or any internal error.
<ValidationTechnicalProfiles>
  <ValidationTechnicalProfile ReferenceId="login-NonInteractive" ContinueOnError="false" />
  <ValidationTechnicalProfile ReferenceId="REST-ReadProfileFromCustomertsDatabase" ContinueOnError="true" >
    <Preconditions>
      <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
        <Value>userType</Value>
        <Action>SkipThisValidationTechnicalProfile</Action>
      </Precondition>
      <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
        <Value>userType</Value>
        <Value>Partner</Value>
        <Action>SkipThisValidationTechnicalProfile</Action>
      </Precondition>
    </Preconditions>
  </ValidationTechnicalProfile>
  <ValidationTechnicalProfile ReferenceId="REST-ReadProfileFromPartnersDatabase" ContinueOnError="true" >
    <Preconditions>
      <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
        <Value>userType</Value>
        <Action>SkipThisValidationTechnicalProfile</Action>
      </Precondition>
      <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
        <Value>userType</Value>
        <Value>Customer</Value>
        <Action>SkipThisValidationTechnicalProfile</Action>
      </Precondition>
    </Preconditions>
  </ValidationTechnicalProfile>
</ValidationTechnicalProfiles>
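The simulator below is an added example, not code from the page or from Microsoft. It parses a constructed copy of the fragment above and replays the rules this page describes, so you can see which profiles run for a given claim set: document order, ClaimsExist and ClaimEquals preconditions combined with ExecuteActionsIf, and ContinueOnError / ContinueOnSuccess. The real call to Azure AD or the REST API is replaced by a caller-supplied function per ReferenceId, and an error swallowed by ContinueOnError="true" is assumed not to surface to the user; both are assumptions of the simulation, not documented behaviour.

```python
"""Replay how B2C walks a ValidationTechnicalProfiles element.

Added example (not from the page or from Microsoft). Backends are supplied
by the caller per ReferenceId; this stands in for the actual protocol call.
"""
import xml.etree.ElementTree as ET

# Constructed copy of the page's fragment (same ReferenceIds and preconditions).
POLICY_XML = """
<ValidationTechnicalProfiles>
  <ValidationTechnicalProfile ReferenceId="login-NonInteractive" ContinueOnError="false" />
  <ValidationTechnicalProfile ReferenceId="REST-ReadProfileFromCustomertsDatabase" ContinueOnError="true">
    <Preconditions>
      <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
        <Value>userType</Value>
        <Action>SkipThisValidationTechnicalProfile</Action>
      </Precondition>
      <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
        <Value>userType</Value>
        <Value>Partner</Value>
        <Action>SkipThisValidationTechnicalProfile</Action>
      </Precondition>
    </Preconditions>
  </ValidationTechnicalProfile>
  <ValidationTechnicalProfile ReferenceId="REST-ReadProfileFromPartnersDatabase" ContinueOnError="true">
    <Preconditions>
      <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
        <Value>userType</Value>
        <Action>SkipThisValidationTechnicalProfile</Action>
      </Precondition>
      <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
        <Value>userType</Value>
        <Value>Customer</Value>
        <Action>SkipThisValidationTechnicalProfile</Action>
      </Precondition>
    </Preconditions>
  </ValidationTechnicalProfile>
</ValidationTechnicalProfiles>
"""


class ValidationError(Exception):
    """Stands in for a 4xx response; str(err) plays the role of userMessage."""


def _bool(attr, default):
    return (attr if attr is not None else default).lower() == "true"


def precondition_fires(pre, claims):
    """True when the test result equals ExecuteActionsIf, i.e. the Action runs."""
    values = [v.text.strip() for v in pre.findall("Value")]
    ptype = pre.get("Type")
    if ptype == "ClaimsExist":
        result = all(name in claims for name in values)
    elif ptype == "ClaimEquals":
        name, expected = values[0], values[1]
        result = name in claims and claims[name] == expected
    else:
        raise ValueError(f"unsupported precondition type {ptype!r}")
    return result == _bool(pre.get("ExecuteActionsIf"), "true")


def should_skip(vtp, claims):
    """Skip the profile as soon as one precondition fires (evaluated in order)."""
    pres = vtp.find("Preconditions")
    if pres is None:
        return False
    for pre in pres.findall("Precondition"):
        if pre.findtext("Action", "").strip() != "SkipThisValidationTechnicalProfile":
            raise ValueError("only SkipThisValidationTechnicalProfile is valid here")
        if precondition_fires(pre, claims):
            return True
    return False


def run_validation(xml_text, claims, backends):
    """Walk the profiles; return (trace, merged claims, user-facing error or None)."""
    claims = dict(claims)
    trace = []
    for vtp in ET.fromstring(xml_text).findall("ValidationTechnicalProfile"):
        ref = vtp.get("ReferenceId")
        if should_skip(vtp, claims):
            trace.append((ref, "skipped"))
            continue
        try:
            claims.update(backends[ref](claims))  # output claims merge into the bag
        except ValidationError as err:
            trace.append((ref, "error"))
            if not _bool(vtp.get("ContinueOnError"), "false"):
                return trace, claims, str(err)  # stop and surface the error
            continue  # assumed: swallowed, later profiles still run
        trace.append((ref, "ok"))
        if not _bool(vtp.get("ContinueOnSuccess"), "true"):
            break
    return trace, claims, None
```

Feed it a backend map such as {"login-NonInteractive": ok_login, ...} where each callable returns a dict of output claims or raises ValidationError, and compare traces for a claim bag with userType set to Customer, to Partner, and absent: the third case skips both REST profiles, which is the behaviour the ExecuteActionsIf="false" preconditions above are there to produce.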