SSO 不适用于使用自定义策略进行 MFA 的多个应用程序-解网

问：

我们在 B2C 中使用相同的应用程序（客户端 ID）有多个 Angular SPA。我们已为每个应用程序独立调用的电话或电子邮件选项为用户流 - MFA 实施了自定义策略。

我们希望在应用程序之间实现 SSO，即如果应用程序 A 成功登录并且用户尝试打开应用程序 B，则它应该自动登录。

通过自定义策略中的以下 SSO 配置，当在浏览器中访问应用程序 B 但用户无法通过 MFA 并且始终显示 MFA 屏幕时，即使用户已经使用应用程序 A 登录，我们也能够绕过登录屏幕。

<UserJourneyBehaviors> 
     <SingleSignOn Scope="Tenant" KeepAliveInDays="7" /> 
     <SessionExpiryType>Rolling</SessionExpiryType> 
     <SessionExpiryInSeconds>86400</SessionExpiryInSeconds> 
</UserJourneyBehaviors>

不确定是否需要任何其他设置才能绕过 MFA。

我还尝试使用前提条件来检查“isActiveMFASession”并跳过 MFA 旅程，但无法使其工作。我们有以下业务流程步骤。

<UserJourneys>
    <UserJourney Id="SignUpOrSignInMFAOption" DefaultCpimIssuerTechnicalProfileReferenceId="JwtIssuer">
      <OrchestrationSteps>
        <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
          <ClaimsProviderSelections>
            <!-- <ClaimsProviderSelection TargetClaimsExchangeId="FacebookExchange"/> -->
            <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
          </ClaimsProviderSelections>
          <ClaimsExchanges>
            <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- Check if the user has selected to sign in using one of the social providers -->
        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>objectId</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <!-- <ClaimsExchange Id="FacebookExchange" TechnicalProfileReferenceId="Facebook-OAUTH"/> -->
            <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="3" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>authenticationSource</Value>
              <Value>socialIdpAuthentication</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!--Sample: If uses is enrolled for MFA, ask the user to select the preferred method-->
        <OrchestrationStep Order="4" Type="ClaimsExchange">
         <Preconditions>
           <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>isActiveMFASession</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
        </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="SelfAsserted-Select-MFA-Method" TechnicalProfileReferenceId="SelfAsserted-Select-MFA-Method" />
          </ClaimsExchanges>
        </OrchestrationStep>
        
         <!-- Throw error if control was bypassed -->
        <OrchestrationStep Order="5" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="Return-MFA-Method-Incorrect-Error">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>extension_mfaByPhoneOrEmail</Value>
              <Value>email</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>extension_mfaByPhoneOrEmail</Value>
              <Value>phone</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
        </OrchestrationStep>
        <!-- Phone verification: If MFA is not required, the next three steps (#5-#7) should be removed.
             This step checks whether there's a phone number on record,  for the user. If found, then the user is challenged to verify it. -->
        <OrchestrationStep Order="6" Type="ClaimsExchange">
          <Preconditions>
           <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>isActiveMFASession</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
            <!--Sample: If the preferred MFA method is not 'phone' skip this orchestration step-->
            <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
              <Value>extension_mfaByPhoneOrEmail</Value>
              <Value>phone</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>        
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- Save MFA phone number: The precondition verifies whether the user provided a new number in the 
             previous step. If so, then the phone number is stored in the directory for future authentication 
             requests. -->
        <OrchestrationStep Order="7" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
              <Value>newPhoneNumberEntered</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserWriteWithObjectId" TechnicalProfileReferenceId="AAD-UserWritePhoneNumberUsingObjectId" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!--Sample: MFA with email-->
        <OrchestrationStep Order="8" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
              <Value>extension_mfaByPhoneOrEmail</Value>
              <Value>email</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="Email-Verify" TechnicalProfileReferenceId="EmailVerifyOnSignIn" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="9" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
      </OrchestrationSteps>
      <ClientDefinition ReferenceId="DefaultWeb" />
    </UserJourney>
  </UserJourneys>

我还尝试阅读了 SM-AAD 和 SM-MFA 的文档，但在如何与我的策略集成方面没有太多运气。

非常感谢任何关于为这项工作提供正确方向的帮助。

更新 1 ：

我能够使 SSO 工作，但是如果我注销任何应用程序，它不会要求我选择“电话”或“电子邮件”选项进行 MFA，而是在用户尝试登录时默认为最后选择的选项。

是因为我对extension_mfaByPhoneOrEmail的要求吗？

我有一个编排步骤，首先要跳过它来实现 SSO


 <!--Sample: If uses is enrolled for MFA, ask the user to select the preferred method-->
        <OrchestrationStep Order="5" Type="ClaimsExchange">
         <Preconditions> 
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>extension_mfaByPhoneOrEmail</Value> 
               <Action>SkipThisOrchestrationStep</Action> 
            </Precondition> 
         </Preconditions> 
          <ClaimsExchanges>
            <ClaimsExchange Id="SelfAsserted-Select-MFA-Method" TechnicalProfileReferenceId="SelfAsserted-Select-MFA-Method" />
          </ClaimsExchanges>
        </OrchestrationStep>

甚至单点注销也不起作用，即如果我注销一个应用程序，则另一个应用程序有一个活动会话。

你能帮我解决这个问题吗，我尝试使用前提条件，但如果我删除上述声明，我的 SSO 首先不起作用。

azure-ad-b2c azure-ad-b2c-custom-policy 多重身份验证

SSO 不适用于使用自定义策略进行 MFA 的多个应用程序

SSO not working for multiple applications with MFA using custom polices

评论

评论