0

我希望使用声明转换来满足密码复杂性要求。当用户经历密码重置过程时,我想通过将 newPassword 声明与包含用户电子邮件前缀的扩展属性(例如 jdoe@contoso.com 中的 jdoe)进行比较来防止密码类似于用户名。我不想使用 REST 技术配置文件。

索赔转换

  <ClaimsTransformation Id="CheckUserSuppliedPassword" TransformationMethod="CompareClaims">
    <InputClaims>
      <InputClaim ClaimTypeReferenceId="newPassword" TransformationClaimType="inputClaim1" />
      <InputClaim ClaimTypeReferenceId="userEmailPrefix" TransformationClaimType="inputClaim2" />
    </InputClaims>
    <InputParameters>
      <InputParameter Id="operator" DataType="string" Value="NOT EQUAL" />
      <InputParameter Id="ignoreCase" DataType="string" Value="true" />
    </InputParameters>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="SameAsEmailPrefix" TransformationClaimType="outputClaim" />
    </OutputClaims>
  </ClaimsTransformation>

我添加了另一个调用转换的技术配置文件 (MyLocalAccountCheckUserPassword)。此技术配置文件用作验证技术配置文件,在本地帐户声明提供商的“LocalAccountWritePasswordUsingObjectId”技术配置文件中引用。以下是两个技术配置文件。

<TechnicalProfile Id="MyLocalAccountCheckUserPassword">
  <DisplayName>Check User Password</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
  <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="newPassword" Required="true" />
    <InputClaim ClaimTypeReferenceId="reenterPassword" Required="false" />
  </InputClaims>
  
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="newPassword"/>
    <OutputClaim ClaimTypeReferenceId="reenterPassword" />
    <OutputClaim ClaimTypeReferenceId="SameAsEmailPrefix"/>
  </OutputClaims>

  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="CheckUserSuppliedPassword"/>
  </OutputClaimsTransformations>
</TechnicalProfile>


    <TechnicalProfile Id="LocalAccountWritePasswordUsingObjectId">
      <DisplayName>Change password (username)</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="ContentDefinitionReferenceId">api.localaccountpasswordreset</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
      </CryptographicKeys>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="objectId" />

        <InputClaim ClaimTypeReferenceId="Verified.strongAuthenticationPhoneNumber" />

  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="newPassword" Required="true" />
    <OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true" />
    <OutputClaim ClaimTypeReferenceId="sameAsEmailPrefix" Required="true" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="AAD-UserWritePasswordUsingObjectId" />
    <ValidationTechnicalProfile ReferenceId="MyLocalAccountCheckUserPassword" />
  </ValidationTechnicalProfiles>
</TechnicalProfile>

现在,我只想验证 SameAsEmailMessage 声明中的内容(真/假),以查看比较是否按预期进行。因此,我已将其作为输出声明添加到依赖方技术配置文件中。但在密码重置过程完成后,它不会显示为索赔。最终,我想在本地帐户登录屏幕上向用户显示一条错误消息。

请帮忙。

4

1 回答 1

0

在自定义策略文件的依赖方部分中添加 SameAsEmailPrefix 作为输出声明。

于 2020-09-25T22:35:16.507 回答