Configure ADFS Relying Party SAML response to include "NameFormat" in Attributes
I have an older ADFS system running on Server 2012 R2. We are trying to configure an IdP-initiated relying party trust according to the service provider's specification, so that the outgoing SAML response looks like this:
<Attribute Name="Company" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<AttributeValue>ABCD1234</AttributeValue>
</Attribute>
<Attribute Name="Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<AttributeValue>Basic</AttributeValue>
</Attribute>
<Attribute Name="UserName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<AttributeValue>employee@company.com</AttributeValue>
</Attribute>
</AttributeStatement>
However, after configuring the relying party trust and the associated claim rules in ADFS, our outgoing SAML response is missing the "NameFormat" part, as shown here:
<Attribute Name="Company">
<AttributeValue>ABCD1234</AttributeValue>
</Attribute>
<Attribute Name="Group">
<AttributeValue>Basic</AttributeValue>
</Attribute>
<Attribute Name="UserName">
<AttributeValue>employee@company.com</AttributeValue>
</Attribute>
</AttributeStatement>
The three claim rules that produce the response are:
=> issue(Type = "Company", Value = "ABCD1234");
=> issue(Type = "Group", Value = "Basic");
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("UserName"), query = ";mail;{0}", param = c.Value);
How can this be configured so that the outgoing attributes include the "NameFormat" part? The SP states that they must include it.
You may be able to do this with "Properties".
For example:
c:[Type == "http://mycompany/internal/sessionid"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://xxx/adfs/services/trust", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "sp_test");
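Whatever claim-rule configuration ends up emitting the attributes, the practical check is to inspect the assertion ADFS actually sends rather than trust the rule set. The following is an added example, not code from the question or the answer: it parses a SAML 2.0 assertion with Python's standard library, reports the NameFormat on every Attribute in the AttributeStatement, compares that against the SP's stated requirement, and also reads the NameID Format that the answer's Properties rule controls. The two assertions embedded in it are constructed from the snippets in the question; the Assertion wrapper and the Subject/NameID element are assumptions, since the question shows only the AttributeStatement.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ATTRNAME_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Constructed from the question's "actual" output: no NameFormat on any Attribute.
# The Assertion/Subject wrapper is assumed; the question only shows the AttributeStatement.
ACTUAL_ASSERTION = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>employee@company.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Company"><saml:AttributeValue>ABCD1234</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Group"><saml:AttributeValue>Basic</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="UserName"><saml:AttributeValue>employee@company.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed from the SP's "wanted" shape in the question, plus a transient NameID
# of the kind the answer's Properties rule produces (assumed, not shown in the question).
WANTED_ASSERTION = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_abc123</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Company" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>ABCD1234</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>Basic</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="UserName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>employee@company.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# What the SP in the question insists on: every attribute carries the "basic" NameFormat.
SP_REQUIRED = {"Company": ATTRNAME_BASIC, "Group": ATTRNAME_BASIC, "UserName": ATTRNAME_BASIC}


def attribute_name_formats(assertion_xml):
    """Map each Attribute Name in the AttributeStatement to its NameFormat (None if absent)."""
    root = ET.fromstring(assertion_xml.strip())
    return {
        attr.get("Name"): attr.get("NameFormat")
        for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS)
    }


def name_id_format(assertion_xml):
    """Return the Format of Subject/NameID, or None if the element or the attribute is absent."""
    root = ET.fromstring(assertion_xml.strip())
    name_id = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    return None if name_id is None else name_id.get("Format")


def check_against_sp(assertion_xml, required):
    """Compare the assertion's attributes with what the SP requires.

    `required` maps attribute Name -> NameFormat the SP insists on. Returns a list of
    human-readable problems; an empty list means the assertion satisfies the SP.
    """
    found = attribute_name_formats(assertion_xml)
    problems = []
    for name, wanted in required.items():
        if name not in found:
            problems.append(f"{name}: attribute not present in AttributeStatement")
        elif found[name] is None:
            problems.append(f"{name}: NameFormat missing (SP requires {wanted})")
        elif found[name] != wanted:
            problems.append(f"{name}: NameFormat is {found[name]}, SP requires {wanted}")
    return problems


if __name__ == "__main__":
    for label, xml in (("actual", ACTUAL_ASSERTION), ("wanted", WANTED_ASSERTION)):
        print(f"[{label}] NameID Format: {name_id_format(xml)}")
        for line in check_against_sp(xml, SP_REQUIRED) or ["OK: every attribute carries the required NameFormat"]:
            print("   ", line)
```

Run it against a real assertion by base64-decoding the SAMLResponse captured from a test login (for example from the browser's network tab or a SAML tracer) and passing the Assertion element's XML to `check_against_sp`; an empty list is the condition the SP is asking for, and each non-empty entry names the exact attribute that still needs attention in the claim rules.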