如何将自定义声明规则与 OpenID 和 ADFS 3.0 一起使用
How can I utilize Custom Claims rules with OpenID and ADFS 3.0
对于某些背景,我遵循的步骤类似于:https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/development/customize-id-token-ad-fs-2016
连接到我的应用程序时,我可以在 id 令牌中看到 'nameid'、'upn' 和 'unique_name',但在我的自定义中定义了 none 声明声明规则:
c:[Type == "foo://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "Telephone-Number", "Department", "Country", "Description", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";mail,mail,givenName,sn,telephoneNumber,department,c,Description,displayName;{0}", param = c.Value);
虽然用户已成功登录,但我无法传递额外的声明来帮助定义用户的身份。
更改或删除此声明规则似乎不会影响结果,但删除 permit everyone 的颁发授权规则会导致访问被拒绝消息,因此我可以推断出 Web 应用程序属性实际上在起作用。有什么建议吗?
您真的打算将所有这些声明类型的 URI 作为 "foo://" 吗?
根据你写的,
c:[Type == "foo://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "Telephone-Number", "Department", "Country", "Description", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";mail,mail,givenName,sn,telephoneNumber,department,c,Description,displayName;{0}", param = c.Value);
只有当您满足管道中 foo://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname 索赔的条件时,才会发出所有索赔。
我建议做一些更简单的事情,例如添加以下自定义规则。
=> issue(type = "http://contoso.com/partner", value = "Adatum");
然后看id_token发的。您应该会看到像这样的自定义声明以及其他声明。
然后您可以根据需要使用声明规则语法。
http://contoso.com/partner: "Adatum",
对于某些背景,我遵循的步骤类似于:https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/development/customize-id-token-ad-fs-2016
连接到我的应用程序时,我可以在 id 令牌中看到 'nameid'、'upn' 和 'unique_name',但在我的自定义中定义了 none 声明声明规则:
c:[Type == "foo://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "Telephone-Number", "Department", "Country", "Description", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";mail,mail,givenName,sn,telephoneNumber,department,c,Description,displayName;{0}", param = c.Value);
虽然用户已成功登录,但我无法传递额外的声明来帮助定义用户的身份。
更改或删除此声明规则似乎不会影响结果,但删除 permit everyone 的颁发授权规则会导致访问被拒绝消息,因此我可以推断出 Web 应用程序属性实际上在起作用。有什么建议吗?
您真的打算将所有这些声明类型的 URI 作为 "foo://" 吗?
根据你写的,
c:[Type == "foo://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "Telephone-Number", "Department", "Country", "Description", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";mail,mail,givenName,sn,telephoneNumber,department,c,Description,displayName;{0}", param = c.Value);
只有当您满足管道中 foo://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname 索赔的条件时,才会发出所有索赔。
我建议做一些更简单的事情,例如添加以下自定义规则。
=> issue(type = "http://contoso.com/partner", value = "Adatum");
然后看id_token发的。您应该会看到像这样的自定义声明以及其他声明。
然后您可以根据需要使用声明规则语法。
http://contoso.com/partner: "Adatum",