我们有多个Angular SPA使用相同的应用程序(客户端ID)在B2C。我们已经实现了自定义策略的用户流- MFA使用电话或电子邮件选项,在每个应用程序中独立调用。
我们希望实现应用程序之间的SSO,即如果应用程序A成功登录,用户尝试打开应用程序B,它应该自动登录。
使用自定义策略中的以下SSO配置,当在浏览器中访问应用程序B时,我们能够绕过登录屏幕,但用户无法通过MFA,并且即使在用户已经使用应用程序A登录后,也始终显示MFA屏幕。
<UserJourneyBehaviors><SingleSignOn Scope="Tenant" KeepAliveInDays="7" /><SessionExpiryType>Rolling</SessionExpiryType><SessionExpiryInSeconds>86400</SessionExpiryInSeconds></UserJourneyBehaviors>
字符串
不确定是否需要任何额外的设置来绕过MFA。
我也试过使用Preconditions来检查'isActiveMFASession'并跳过MFA之旅,但无法使其工作。我们有以下演示步骤。
<UserJourneys><UserJourney Id="SignUpOrSignInMFAOption" DefaultCpimIssuerTechnicalProfileReferenceId="JwtIssuer"><OrchestrationSteps><OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin"><ClaimsProviderSelections><!-- <ClaimsProviderSelection TargetClaimsExchangeId="FacebookExchange"/> --><ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" /></ClaimsProviderSelections><ClaimsExchanges><ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" /></ClaimsExchanges></OrchestrationStep><!-- Check if the user has selected to sign in using one of the social providers --><OrchestrationStep Order="2" Type="ClaimsExchange"><Preconditions><Precondition Type="ClaimsExist" ExecuteActionsIf="true"><Value>objectId</Value><Action>SkipThisOrchestrationStep</Action></Precondition></Preconditions><ClaimsExchanges><!-- <ClaimsExchange Id="FacebookExchange" TechnicalProfileReferenceId="Facebook-OAUTH"/> --><ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" /></ClaimsExchanges></OrchestrationStep><OrchestrationStep Order="3" Type="ClaimsExchange"><Preconditions><Precondition Type="ClaimEquals" ExecuteActionsIf="true"><Value>authenticationSource</Value><Value>socialIdpAuthentication</Value><Action>SkipThisOrchestrationStep</Action></Precondition></Preconditions><ClaimsExchanges><ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" /></ClaimsExchanges></OrchestrationStep><!--Sample: If uses is enrolled for MFA, ask the user to select the preferred method--><OrchestrationStep Order="4" Type="ClaimsExchange"><Preconditions><Precondition Type="ClaimsExist" ExecuteActionsIf="true"><Value>isActiveMFASession</Value><Action>SkipThisOrchestrationStep</Action></Precondition></Preconditions><ClaimsExchanges><ClaimsExchange Id="SelfAsserted-Select-MFA-Method" TechnicalProfileReferenceId="SelfAsserted-Select-MFA-Method" /></ClaimsExchanges></OrchestrationStep><!-- Throw error if control was bypassed --><OrchestrationStep Order="5" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="Return-MFA-Method-Incorrect-Error"><Preconditions><Precondition Type="ClaimEquals" ExecuteActionsIf="true"><Value>extension_mfaByPhoneOrEmail</Value><Value>email</Value><Action>SkipThisOrchestrationStep</Action></Precondition><Precondition Type="ClaimEquals" ExecuteActionsIf="true"><Value>extension_mfaByPhoneOrEmail</Value><Value>phone</Value><Action>SkipThisOrchestrationStep</Action></Precondition></Preconditions></OrchestrationStep><!-- Phone verification: If MFA is not required, the next three steps (#5-#7) should be removed.This step checks whether there's a phone number on record, for the user. If found, then the user is challenged to verify it. --><OrchestrationStep Order="6" Type="ClaimsExchange"><Preconditions><Precondition Type="ClaimsExist" ExecuteActionsIf="true"><Value>isActiveMFASession</Value><Action>SkipThisOrchestrationStep</Action></Precondition><!--Sample: If the preferred MFA method is not 'phone' skip this orchestration step--><Precondition Type="ClaimEquals" ExecuteActionsIf="false"><Value>extension_mfaByPhoneOrEmail</Value><Value>phone</Value><Action>SkipThisOrchestrationStep</Action></Precondition></Preconditions><ClaimsExchanges><ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" /></ClaimsExchanges></OrchestrationStep><!-- Save MFA phone number: The precondition verifies whether the user provided a new number in theprevious step. If so, then the phone number is stored in the directory for future authenticationrequests. --><OrchestrationStep Order="7" Type="ClaimsExchange"><Preconditions><Precondition Type="ClaimsExist" ExecuteActionsIf="false"><Value>newPhoneNumberEntered</Value><Action>SkipThisOrchestrationStep</Action></Precondition></Preconditions><ClaimsExchanges><ClaimsExchange Id="AADUserWriteWithObjectId" TechnicalProfileReferenceId="AAD-UserWritePhoneNumberUsingObjectId" /></ClaimsExchanges></OrchestrationStep><!--Sample: MFA with email--><OrchestrationStep Order="8" Type="ClaimsExchange"><Preconditions><Precondition Type="ClaimEquals" ExecuteActionsIf="false"><Value>extension_mfaByPhoneOrEmail</Value><Value>email</Value><Action>SkipThisOrchestrationStep</Action></Precondition></Preconditions><ClaimsExchanges><ClaimsExchange Id="Email-Verify" TechnicalProfileReferenceId="EmailVerifyOnSignIn" /></ClaimsExchanges></OrchestrationStep><OrchestrationStep Order="9" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" /></OrchestrationSteps><ClientDefinition ReferenceId="DefaultWeb" /></UserJourney></UserJourneys>
型
我也试着阅读SM-AAD和SM-MFA的文档,但在如何与我的策略集成方面没有太多的运气。
任何帮助给予正确的方向,使这项工作是高度赞赏。
更新1:
我能够使单点登录的工作,但如果我注销的任何应用程序,它不是要求我选择的选项,无论是电话或电子邮件的MFA和默认我的最后选定的一个,当用户试图登录。
是因为我为extension_mfaByPhoneOrEmail设置的声明吗?
我有一个业务流程步骤,首先跳过它来实现SSO
<!--Sample: If uses is enrolled for MFA, ask the user to select the preferred method--><OrchestrationStep Order="5" Type="ClaimsExchange"><Preconditions><Precondition Type="ClaimsExist" ExecuteActionsIf="true"><Value>extension_mfaByPhoneOrEmail</Value><Action>SkipThisOrchestrationStep</Action></Precondition></Preconditions><ClaimsExchanges><ClaimsExchange Id="SelfAsserted-Select-MFA-Method" TechnicalProfileReferenceId="SelfAsserted-Select-MFA-Method" /></ClaimsExchanges></OrchestrationStep>
型
甚至单点登录也不起作用,即如果我注销一个应用程序,则另一个应用程序会有一个活动会话。
你能帮我解决这个问题吗?我试过使用前提条件,但如果我删除上述声明,我的SSO首先就不工作了。
1条答案
按热度按时间qmb5sa221#
要在整个过程中实现SSO,您需要为每个步骤使用相同的SM。
我通常做一个新的SM,结合SM-AAD和SM-MFA,然后使用它。