我们在身份提供者中有一个OpenID连接,用于在UI上对ADB2C域中的AD用户进行身份验证。我们之前使用graph创建了带有临时密码的ADB2C用户。但现在我需要创建一个联合用户,该用户将能够使用AD凭据登录。我们还删除了注册流程,只留下登录,因为我们只想通过图表创建用户。我有以下代码:
var newUser = new User
{
AccountEnabled = true,
DisplayName = user.DisplayName,
GivenName = user.FirstName,
Surname = user.Surname,
Mail = user.Email,
MobilePhone = user.Telephone,
PasswordProfile = new PasswordProfile
{
ForceChangePasswordNextSignIn = true,
Password = PasswordGenerator.GeneratePassword(16),
},
Identities = new List<ObjectIdentity>
{
new ObjectIdentity
{
SignInType = "federated",
Issuer = "https://login.microsoftonline.com/<AD TENANT>/v2.0",
IssuerAssignedId = "<USER'S OBJECT ID FROM AD>",
}
},
AdditionalData = new Dictionary<string, object>
{
{ "IsAdmin", user.IsAdmin },
},
CreationType = null
};
var res = await _graphClient.Users.PostAsync(newUser);
但当我点击“登录与AD”在UI上,并输入AD用户的凭据,我得到了以下错误:AADB2C99002: User does not exist. Please sign up before you can sign in.
1条答案
按热度按时间mznpcxlj1#
基本上,当您在B2C中配置身份提供者时,您指定将用于标识用户的声明。在OpenID Connect中,默认情况下它是“sub”(主题)声明。如果可能的话,您可以将其更改为使用“oid”(对象ID)声明。你可以在这里阅读他们的差异:https://learn.microsoft.com/en-us/azure/active-directory/develop/id-token-claims-reference#payload-claims。