Get started with custom policies in Azure Active Directory B2C

Note

In Azure Active Directory B2C, custom policies are designed primarily to address complex scenarios. For most scenarios, we recommend that you use built-in user flows.

Custom policies are configuration files that define the behavior of your Azure Active Directory (Azure AD) B2C tenant. In this article, you create a custom policy that supports local account sign-up or sign-in by using an email address and password. You also prepare your environment for adding identity providers.

Prerequisites

Add signing and encryption keys

  1. Sign in to the Azure portal as the global administrator of your Azure AD B2C tenant.
  2. Make sure you're using the directory that contains your Azure AD B2C tenant. Click the Directory and subscription filter in the top menu and choose the directory that contains your tenant.
  3. Choose All services in the top-left corner of the Azure portal, then search for and select Azure AD B2C.
  4. On the Overview page, select Identity Experience Framework.

Create the signing key

  1. Select Policy Keys and then select Add.
  2. For Options, choose Generate.
  3. In Name, enter TokenSigningKeyContainer. The prefix B2C_1A_ might be added automatically.
  4. For Key type, select RSA.
  5. For Key usage, select Signature.
  6. Click Create.

Create the encryption key

  1. Select Policy Keys and then select Add.
  2. For Options, choose Generate.
  3. In Name, enter TokenEncryptionKeyContainer. The prefix B2C_1A_ might be added automatically.
  4. For Key type, select RSA.
  5. For Key usage, select Encryption.
  6. Click Create.

Create the Facebook key

If you already have a Facebook application secret, add it as a policy key to your tenant. Otherwise, you must create the key with a placeholder value so that your policies pass validation.

  1. Select Policy Keys and then select Add.
  2. For Options, choose Manual.
  3. For Name, enter FacebookSecret. The prefix B2C_1A_ might be added automatically.
  4. In Secret, enter your Facebook secret from developers.facebook.com, or 0 as a placeholder. This value is the secret, not the application ID.
  5. For Key usage, select Signature.
  6. Click Create.

Register Identity Experience Framework applications

Azure AD B2C requires you to register two applications that are used to sign up and sign in users: IdentityExperienceFramework (a web app), and ProxyIdentityExperienceFramework (a native app) with delegated permission from the IdentityExperienceFramework app. Local accounts exist only in your tenant. Your users sign up with a unique email address/password combination to access your tenant-registered applications.

Register the IdentityExperienceFramework application

  1. Choose All services in the top-left corner of the Azure portal, then search for and select Azure Active Directory.
  2. In the menu, select App registrations (Legacy).
  3. Select New application registration.
  4. For Name, enter IdentityExperienceFramework.
  5. For Application type, choose Web app/API.
  6. For Sign-on URL, enter https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com, where your-tenant-name is your Azure AD B2C tenant domain name. All URLs should now be using b2clogin.com.
  7. Click Create. After it's created, copy the application ID and save it to use later.

Register the ProxyIdentityExperienceFramework application

  1. In App registrations (Legacy), select New application registration.
  2. For Name, enter ProxyIdentityExperienceFramework.
  3. For Application type, choose Native.
  4. For Redirect URI, enter https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com, where your-tenant-name is your Azure AD B2C tenant name.
  5. Click Create. After it's created, copy the application ID and save it to use later.
  6. On the Settings page, select Required permissions, and then select Add.
  7. Choose Select an API, search for and select IdentityExperienceFramework, and then click Select.
  8. Select the check box next to Access IdentityExperienceFramework, click Select, and then click Done.
  9. Select Grant Permissions, and then confirm by selecting Yes.

Download starter pack and modify policies

Custom policies are a set of XML files that need to be uploaded to your Azure AD B2C tenant. Starter packs of files are provided to get you going quickly. Each starter pack in the following list contains the smallest number of technical profiles and user journeys needed to achieve the scenarios described:

  • LocalAccounts - Enables the use of local accounts only.
  • SocialAccounts - Enables the use of social (or federated) accounts only.
  • SocialAndLocalAccounts - Enables the use of both local accounts and social accounts.
  • SocialAndLocalAccountsWithMFA - Enables social, local, and Multi-Factor Authentication options.

Each starter pack contains:

  • The base file. Few modifications are required to the base.
  • The extension file. This file is where most configuration changes are made.
  • The relying party files. Task-specific files called by your application.

Note

If your XML editor supports validation, validate the files against the TrustFrameworkPolicy_0.3.0.0.xsd XML schema that is located in the root directory of the starter pack. XML schema validation identifies errors before uploading.

  1. Download the .zip file or run:

    git clone https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack

  2. In the SocialAndLocalAccounts folder, edit all of the files, replacing yourtenant with the name of your tenant. For example, contosoTenant.onmicrosoft.com. If you need an XML editor, try Visual Studio Code, a lightweight cross-platform editor.

Add application IDs to the custom policy

Add the application IDs to the extensions file TrustFrameworkExtensions.xml.

  1. Open the TrustFrameworkExtensions.xml file and find the element <TechnicalProfile Id="login-NonInteractive">.
  2. Replace both instances of IdentityExperienceFrameworkAppId with the application ID of the Identity Experience Framework application that you created earlier. Replace both instances of ProxyIdentityExperienceFrameworkAppId with the application ID of the Proxy Identity Experience Framework application that you created earlier.
  3. Save your extensions file.
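The tenant-name and application-ID substitutions above are easy to get subtly wrong (a GUID typo, a placeholder left behind, or the plain IdentityExperienceFrameworkAppId token being replaced inside the Proxy one), and the error only surfaces after upload. The following is an added example, not code from the starter pack or from Microsoft: it performs the replacements and then checks the result for leftover placeholders, a consistent TenantId, and GUID-shaped client_id values. SAMPLE_XML is a constructed stand-in for the relevant part of TrustFrameworkExtensions.xml (the real file has more content), and the two application IDs in the demo are constructed values.

```python
"""Fill in starter-pack placeholders in TrustFrameworkExtensions.xml and
sanity-check the result before uploading (added example, not starter-pack
code; the XML below is a constructed stand-in for the real file)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the shape of the login-NonInteractive profile as this
# page describes it, with both instances of each placeholder present.
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<TrustFrameworkPolicy TenantId="yourtenant.onmicrosoft.com"
    PolicyId="B2C_1A_TrustFrameworkExtensions">
  <BasePolicy>
    <TenantId>yourtenant.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>
  </BasePolicy>
  <ClaimsProviders>
    <ClaimsProvider>
      <TechnicalProfiles>
        <TechnicalProfile Id="login-NonInteractive">
          <Metadata>
            <Item Key="client_id">ProxyIdentityExperienceFrameworkAppId</Item>
            <Item Key="IdTokenAudience">IdentityExperienceFrameworkAppId</Item>
          </Metadata>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="client_id"
                        DefaultValue="ProxyIdentityExperienceFrameworkAppId" />
            <InputClaim ClaimTypeReferenceId="resource_id"
                        DefaultValue="IdentityExperienceFrameworkAppId" />
          </InputClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
</TrustFrameworkPolicy>
"""

PLACEHOLDERS = ("ProxyIdentityExperienceFrameworkAppId",
                "IdentityExperienceFrameworkAppId",
                "yourtenant")
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
TENANT_RE = re.compile(r"^[a-z0-9]+$", re.I)


def fill_placeholders(xml_text, tenant, ief_app_id, proxy_ief_app_id):
    """Return xml_text with the three placeholders replaced.

    Inputs are validated first so a mistyped app ID fails here instead of
    as an opaque error after upload.  The Proxy token is replaced before
    the plain one because the plain token is a suffix of the Proxy token."""
    if not TENANT_RE.match(tenant):
        raise ValueError(f"tenant must be the bare tenant name, got {tenant!r}")
    for label, value in (("IdentityExperienceFramework", ief_app_id),
                         ("ProxyIdentityExperienceFramework", proxy_ief_app_id)):
        if not GUID_RE.match(value):
            raise ValueError(f"{label} application ID is not a GUID: {value!r}")
    out = xml_text.replace("ProxyIdentityExperienceFrameworkAppId", proxy_ief_app_id)
    out = out.replace("IdentityExperienceFrameworkAppId", ief_app_id)
    return out.replace("yourtenant", tenant)


def remaining_placeholders(xml_text):
    """List the placeholder tokens still present in the file."""
    return [p for p in PLACEHOLDERS if p in xml_text]


def check_policy(xml_text, tenant):
    """Return a list of problems; an empty list means the file is ready to upload."""
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = [f"placeholder still present: {p}" for p in remaining_placeholders(xml_text)]
    expected = f"{tenant}.onmicrosoft.com"
    if root.get("TenantId") != expected:
        problems.append(f"TenantId attribute is {root.get('TenantId')!r}, expected {expected!r}")
    # Every client_id item in the login-NonInteractive profile must now be a GUID.
    for tp in root.iter("TechnicalProfile"):
        if tp.get("Id") != "login-NonInteractive":
            continue
        for item in tp.iter("Item"):
            if item.get("Key") == "client_id" and not GUID_RE.match(item.text or ""):
                problems.append(f"login-NonInteractive client_id is not a GUID: {item.text!r}")
    return problems


if __name__ == "__main__":
    # Constructed IDs; in practice use the application IDs copied from the portal.
    ief = "11111111-1111-1111-1111-111111111111"
    proxy = "22222222-2222-2222-2222-222222222222"
    filled = fill_placeholders(SAMPLE_XML, "contoso", ief, proxy)
    print("problems before:", check_policy(SAMPLE_XML, "contoso"))
    print("problems after: ", check_policy(filled, "contoso"))
```

The well-formedness check here is not a substitute for the XSD validation the note above recommends; it only catches the mistakes the manual edits in this section are most likely to introduce.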

Upload the policies

  1. On the Custom Policies page of Identity Experience Framework, select Upload Policy.
  2. In this order, upload TrustFrameworkBase.xml, TrustFrameworkExtensions.xml, SignUpOrSignin.xml, ProfileEdit.xml, and PasswordReset.xml. When a file is uploaded, the name of the policy file is prepended with B2C_1A_.

Test the custom policy

  1. On the Custom Policies page, select B2C_1A_signup_signin.
  2. For Select application on the overview page of the custom policy, select the web application named webapp1 that you registered previously. Make sure that the Reply URL is https://jwt.ms.
  3. Select Run now.
  4. You should be able to sign up using an email address.
  5. Sign in with the same account to confirm that you have the correct configuration.
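Run now hands the resulting token to jwt.ms, which decodes it for inspection. The same inspection can be done offline to confirm that the token really came from the tenant, policy and application set up above. The following is an added example, not code from the page or from Microsoft: it decodes a JWT's claims and compares them with the expected issuer host (the b2clogin.com domain used throughout this article), audience (the application ID) and policy name. It assumes the claim layout of Azure AD B2C tokens (an iss beginning with https://<tenant>.b2clogin.com/, the policy name in the tfp claim, and RS256 signatures); the sample token is constructed and carries a dummy signature. The function checks claims only and does not verify the signature, which the relying application must still do against the policy's published signing keys.

```python
"""Offline inspection of the claims in an Azure AD B2C id_token (added
example, not page or Microsoft code).  Checks claims only; it does NOT
verify the signature."""
import base64
import json
import time


def b64url_decode(segment):
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Return (header, payload) of a JWT without checking its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token does not have three dot-separated segments")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def check_b2c_claims(token, tenant, app_id, policy, now=None):
    """Return a list of mismatches between the token and the expected setup.

    An empty list means the claims match; the signature is still unverified.
    Assumed B2C layout: iss starts with https://<tenant>.b2clogin.com/,
    aud is the application ID, tfp carries the policy name."""
    now = time.time() if now is None else now
    header, claims = decode_claims(token)
    problems = []
    if header.get("alg") != "RS256":
        problems.append(f"unexpected alg {header.get('alg')!r}")
    issuer_prefix = f"https://{tenant}.b2clogin.com/"
    if not str(claims.get("iss", "")).startswith(issuer_prefix):
        problems.append(f"iss {claims.get('iss')!r} does not start with {issuer_prefix}")
    if claims.get("aud") != app_id:
        problems.append(f"aud {claims.get('aud')!r} is not the registered application ID")
    if claims.get("tfp") != policy:
        problems.append(f"tfp {claims.get('tfp')!r} is not {policy}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


def make_sample_token(tenant, app_id, policy, exp, **overrides):
    """Build a constructed, unsigned sample token so the check runs offline.
    The tenant GUID in iss and the signature segment are placeholders."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    claims = {
        "iss": f"https://{tenant}.b2clogin.com/00000000-0000-0000-0000-000000000000/v2.0/",
        "aud": app_id,
        "tfp": policy,
        "exp": exp,
        "iat": exp - 3600,
    }
    claims.update(overrides)

    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

    return f"{enc(header)}.{enc(claims)}.constructed-signature"


if __name__ == "__main__":
    app = "33333333-3333-3333-3333-333333333333"  # constructed application ID
    token = make_sample_token("contoso", app, "B2C_1A_signup_signin", exp=int(time.time()) + 3600)
    print("problems:", check_b2c_claims(token, "contoso", app, "B2C_1A_signup_signin"))
```

Pasting a real token from jwt.ms into check_b2c_claims with the tenant name, the application ID and the policy name from this walkthrough gives an empty list when the configuration is right; a non-empty list points at the mismatched piece (for example a token still issued under a login.microsoftonline.com issuer instead of b2clogin.com).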

Add Facebook as an identity provider

  1. Configure a Facebook application.

  2. In the TrustFrameworkExtensions.xml file, replace the value of client_id with the Facebook application ID:

    <TechnicalProfile Id="Facebook-OAUTH">
      <Metadata>
        <!-- Replace the value of client_id in this technical profile with the Facebook app ID -->
        <Item Key="client_id">00000000000000</Item>
      </Metadata>
    </TechnicalProfile>

  3. Upload the TrustFrameworkExtensions.xml file to your tenant.

  4. Test by using Run now or by invoking the policy directly from your registered application.

Next steps