How to prompt for new claims for a new application

Published 2019-06-11 05:42

Question:

I have an existing application "A" using an Azure AD B2C tenant. During registration users have been asked to enter a number (specific for this application "A") that is stored in a Claim with the name "NumberA".

Now I want to create an new application "B" and I want the existing users of my tenant to be able to log into the application "B". But before they can use it they have to be prompted to enter a new number (specific for application "B") that is stored in a Claim with the name "NumberB".

When new users of application "B" register themselves they only have to enter the number for "B".

I think this must be possible but I am not sure how to do this.

Create a new Custom Policy "B2C_AppB_signup_signin"? And then add a new Claim "NumberB" in a new "Extensions" file and "override" the technical profiles (AAD-UserWriteUsingLogonEmail, AAD-UserReadUsingEmailAddress etc.)?

Or is this the wrong path?

Answer 1:

You are on the right track.

This can be implemented by creating two user journeys -- one for Application A and another for Application B -- and then adding a ClaimsExist precondition to an orchestration step in both user journeys that prompts for the application-specific claim.

For example: For Application B's sign-up or sign-in user journey, you can add the following orchestration step after the user object is read from Azure Active Directory (after either the end user has signed in with an existing account or signed up with a new account), which checks whether the "extension_NumberB" claim exists for this user object and if not then prompts for it:

<OrchestrationStep Order="4" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>extension_NumberB</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="SelfAssertedApplicationBRegistrationExchange" TechnicalProfileReferenceId="SelfAsserted-ApplicationB-Registration" />
  </ClaimsExchanges>
</OrchestrationStep>

Then add the "SelfAsserted-ApplicationB-Registration" technical profile:

<TechnicalProfile Id="SelfAsserted-ApplicationB-Registration">
  <DisplayName>Application B Registration</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ContentDefinitionReferenceId">api.selfasserted.applicationb.registration</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
  </CryptographicKeys>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="extension_NumberB" Required="true" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="AAD-UserWriteProfileUsingObjectId" />
  </ValidationTechnicalProfiles>
</TechnicalProfile>

You will then have to add the "extension_NumberB" claim as an <OutputClaim /> for the "AAD-UserReadUsingObjectId" technical profile and add it as a <PersistedClaim /> for the "AAD-UserWriteProfileUsingObjectId" technical profile.
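The claim declaration and the two technical-profile overrides that the last paragraph describes, written out as an added example (not part of the answer above). It assumes the extensions file already contains the "Azure Active Directory" claims provider and that the b2c-extensions-app is configured in AAD-Common, which the "extension_" prefix relies on; the digits-only pattern and its length are assumptions about what the number looks like, added so the value is validated before it is written to the directory.

```xml
<!-- ClaimsSchema: declare the extension attribute so both the self-asserted
     profile and the ClaimsExist precondition can reference it. -->
<BuildingBlocks>
  <ClaimsSchema>
    <ClaimType Id="extension_NumberB">
      <DisplayName>Application B number</DisplayName>
      <DataType>string</DataType>
      <UserHelpText>The number you were given for Application B.</UserHelpText>
      <UserInputType>TextBox</UserInputType>
      <!-- Assumed format: digits only, at most 20. Rejecting anything else here
           keeps arbitrary user-supplied text out of the stored attribute. -->
      <Restriction>
        <Pattern RegularExpression="^[0-9]{1,20}$" HelpText="Enter digits only." />
      </Restriction>
    </ClaimType>
  </ClaimsSchema>
</BuildingBlocks>

<!-- Overrides in the extensions file merge into the base profiles with the same Id. -->
<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Azure Active Directory</DisplayName>
    <TechnicalProfiles>
      <!-- Read the attribute back on sign-in; without this the ClaimsExist
           precondition never sees it and the user is prompted on every login. -->
      <TechnicalProfile Id="AAD-UserReadUsingObjectId">
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="extension_NumberB" />
        </OutputClaims>
      </TechnicalProfile>
      <!-- Persist the value collected by SelfAsserted-ApplicationB-Registration. -->
      <TechnicalProfile Id="AAD-UserWriteProfileUsingObjectId">
        <PersistedClaims>
          <PersistedClaim ClaimTypeReferenceId="extension_NumberB" />
        </PersistedClaims>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
```

Application A's journey does not reference extension_NumberB, so its users are never prompted for it and the two applications' numbers stay in separate attributes.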



Answer 2:

The option outlined is good, although you have to manage 2 policies, and if you decide to have a 3rd or a 4th client, the more policies you will have to manage.

I would suggest you create a rest call to a function app that accepts the client_id of the app {OIDC:ClientId} and then returns the value of a claim based on it.

That way you only ever have one policy, and then you can modify the function app rather than a policy.

I have detailed this approach here:

Get the Azure AD B2C Application client id in the custom policy