I am trying to compare two claims (one from id_token_hint and the other from AD B2C). My requirement is to throw an error page if the two do not match and redirect to the login page.
For this I added the following steps:
1. Added a ClaimType (a boolean used for the comparison)
<ClaimType Id="agencyClaimMatch">
<DisplayName>Verify if input Agency and agency in AD B2C match</DisplayName>
<DataType>boolean</DataType>
<UserHelpText>Verify if input Agency and agency in AD B2C match</UserHelpText>
</ClaimType>
2. Created a claims transformation (based on a post) to compare the two claims (extension_agency from AD B2C and the input claim agency from id_token_hint)
<ClaimsTransformation Id="checkSameAgency" TransformationMethod="CompareClaims">
<InputClaims>
<InputClaim ClaimTypeReferenceId="extension_agency" TransformationClaimType="inputClaim1"/>
<InputClaim ClaimTypeReferenceId="agency" TransformationClaimType="inputClaim2"/>
</InputClaims>
<InputParameters>
<InputParameter Id="operator" DataType="string" Value="EQUAL"/>
<InputParameter Id="ignoreCase" DataType="string" Value="true"/>
</InputParameters>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="agencyClaimMatch" TransformationClaimType="outputClaim"/>
</OutputClaims>
</ClaimsTransformation>
3. Added a technical profile to invoke the transformation (I expect the agencyClaimMatch boolean to receive a true or false value from the transformation; if false, the two do not match and an error page needs to be thrown, otherwise allow access)
<TechnicalProfile Id="CheckAgencyMatch">
<DisplayName>Check Agency Match</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
</Metadata>
<IncludeInSso>false</IncludeInSso>
<InputClaims>
<InputClaim ClaimTypeReferenceId="agency" Required="true" />
<InputClaim ClaimTypeReferenceId="extension_agency" Required="true" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="agency"/>
<OutputClaim ClaimTypeReferenceId="extension_agency" />
<OutputClaim ClaimTypeReferenceId="agencyClaimMatch"/>
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="checkSameAgency"/>
</OutputClaimsTransformations>
</TechnicalProfile>
4. In the UserJourney I added a ClaimsExchange to get the value of checkSameAgency.
<!--Verify claims match and get the boolean value-->
<OrchestrationStep Order="6" Type="ClaimsExchange">
<ClaimsExchanges>
<ClaimsExchange Id="CheckAgencyMatch" TechnicalProfileReferenceId="CheckAgencyMatch"/>
</ClaimsExchanges>
</OrchestrationStep>
5. If the boolean output of checkSameAgency is not "True", i.e. the two agencies do not match, throw an error; otherwise go to the next step to issue the JWT token.
<!-- Check if agencyID matches: skip the error page only when agencyClaimMatch equals True.
     ExecuteActionsIf="true" runs the Skip action when the ClaimEquals test holds;
     a missing or false claim leaves the step in place and shows the error page. -->
<OrchestrationStep Order="7" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimEquals" ExecuteActionsIf="true">
<Value>agencyClaimMatch</Value>
<Value>True</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="SelfAssertedAgencyNotMatched" TechnicalProfileReferenceId="SelfAssertedAgencyNotMatched" />
</ClaimsExchanges>
</OrchestrationStep>
But I get the error "The page cannot be displayed because an internal server error has occurred." regardless of whether the agencies match or not.
Any pointers would be very helpful.
=== The following solution suggested by rbrayb helped solve the problem. I noticed:
<TechnicalProfile Id="CheckAgencyMatch">
<DisplayName>Check Agency Match</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
SelfAssertedAttributeProvider is only used to display a screen, but you are just comparing claims.
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
https://learn.microsoft.com/en-us/azure/active-directory-b2c/claims-transformation-technical-profile
1 answer
SelfAssertedAttributeProvider is only used to display a screen, but you are just comparing claims.
Refer to this.
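Putting the answer together, here is an added example (not rbrayb's code and not from the question) of the CheckAgencyMatch profile rewritten on the ClaimsTransformationProtocolProvider handler, followed by the two orchestration steps that consume the boolean. The claim, transformation and profile IDs are the ones from the question; SelfAssertedAgencyNotMatched is assumed to be the error-page profile the question references.

```xml
<!-- Added example: CheckAgencyMatch as a claims-transformation technical profile.
     This handler runs the transformation without rendering a page, which is what
     the comparison needs; SelfAssertedAttributeProvider expects a screen to show. -->
<TechnicalProfile Id="CheckAgencyMatch">
  <DisplayName>Check Agency Match</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="agency" />
    <InputClaim ClaimTypeReferenceId="extension_agency" />
  </InputClaims>
  <OutputClaims>
    <!-- agencyClaimMatch is produced by the checkSameAgency transformation below -->
    <OutputClaim ClaimTypeReferenceId="agencyClaimMatch" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="checkSameAgency" />
  </OutputClaimsTransformations>
</TechnicalProfile>

<!-- In the user journey: run the comparison, then show the error page only when
     the boolean is not True. With ExecuteActionsIf="true" the Skip action fires
     when agencyClaimMatch equals True (agencies match). A missing or false claim
     does not satisfy ClaimEquals, so the step runs and the error page is shown:
     a claim that was never set fails closed rather than open. -->
<OrchestrationStep Order="6" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="CheckAgencyMatch" TechnicalProfileReferenceId="CheckAgencyMatch" />
  </ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="7" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
      <Value>agencyClaimMatch</Value>
      <Value>True</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <!-- Assumed error-page profile from the question; it ends the journey with the mismatch message -->
    <ClaimsExchange Id="SelfAssertedAgencyNotMatched" TechnicalProfileReferenceId="SelfAssertedAgencyNotMatched" />
  </ClaimsExchanges>
</OrchestrationStep>
```

Because the agency from id_token_hint is caller-supplied, the only value that should decide access is the result of the comparison against extension_agency read from the directory, which is why the boolean is emitted by the transformation rather than taken from the input token.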