I am trying to authenticate against an AD FS server via active federation, but before attempting to authenticate the user I need to transform the incoming username through an AD / LDAP query.
I am using the UsernameMixed endpoint and UserNameWSTrustBinding:
// WIF 3.5 (Microsoft.IdentityModel) types; TrustVersion/SecurityMode come from System.ServiceModel.
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.Protocols.WSTrust.Bindings;

WSTrustChannelFactory factory = new WSTrustChannelFactory(new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential), "https://nobody.com/adfs/services/trust/13/UsernameMixed");
factory.TrustVersion = TrustVersion.WSTrust13;
factory.Credentials.UserName.UserName = userName;
factory.Credentials.UserName.Password = password;
IWSTrustChannelContract channel = factory.CreateChannel();
RequestSecurityToken rst = new RequestSecurityToken(RequestTypes.Issue, WSTrust13Constants.KeyTypes.Bearer);
rst.AppliesTo = new EndpointAddress("https://relying-party.example/"); // placeholder relying party identifier; AD FS rejects an Issue request without AppliesTo
SecurityToken token = channel.Issue(rst);
My question is that I want to convert the "username" passed to the endpoint into the user's e-mail address on the AD FS server (via AD or LDAP) before running the authentication. Is this possible?
Answer 0 (score: 0)
As far as I know, there is no easy way on the AD FS server to transform the incoming username before authentication takes place. Transformation is done on the outgoing claims after authentication has already happened.
You may need to query AD / LDAP in the relying party application to get this information. Do something like this (taken from here):
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

string domain = "YourDomain";
List<string> emailAddresses = new List<string>();
PrincipalContext domainContext = new PrincipalContext(ContextType.Domain, domain);
UserPrincipal user = UserPrincipal.FindByIdentity(domainContext, userName);
if (user == null)
{
    throw new KeyNotFoundException("No account found for " + userName); // FindByIdentity returns null for an unknown name
}
// Add the "mail" entry
emailAddresses.Add(user.EmailAddress);
// Add the "proxyaddresses" entries (an absent attribute yields an empty collection).
PropertyCollection properties = ((DirectoryEntry)user.GetUnderlyingObject()).Properties;
foreach (object property in properties["proxyaddresses"])
{
    emailAddresses.Add(property.ToString());
}
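The following is an added example that is not part of the question or the answer above. It combines the two steps the thread describes: the relying party first resolves the login name to the account's primary SMTP address in AD, and only then requests a bearer token from the AD FS UsernameMixed endpoint with that address as the WS-Trust username. It assumes the .NET 4.5 integrated WIF namespaces (System.ServiceModel.Security and System.IdentityModel.Protocols.WSTrust, where KeyTypes.Bearer replaces WSTrust13Constants.KeyTypes.Bearer); the domain name, AD FS endpoint, relying party identifier and the "jdoe" account are placeholders.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example (not the question's or the answer's code): resolve a login name
// to the account's primary e-mail address, then authenticate to AD FS with it.
public static class AdfsEmailLogin
{
    // Placeholder values; replace with your own domain, endpoint and relying party identifier.
    private const string Domain = "YourDomain";
    private const string AdfsEndpoint = "https://nobody.com/adfs/services/trust/13/UsernameMixed";
    private const string RelyingPartyId = "https://relying-party.example/";

    // Returns the primary SMTP address for the account, or null if the account does not
    // exist or has no usable address. A null result must be treated as a failed login,
    // never as a reason to guess or construct an address.
    public static string ResolvePrimaryEmail(string userName)
    {
        if (string.IsNullOrWhiteSpace(userName))
            return null;

        using (var context = new PrincipalContext(ContextType.Domain, Domain))
        using (var user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, userName))
        {
            if (user == null)
                return null;                       // unknown account

            if (!string.IsNullOrEmpty(user.EmailAddress))
                return user.EmailAddress;          // the "mail" attribute

            // Fall back to the primary proxy address. Exchange marks the primary address
            // with an upper-case "SMTP:" prefix; lower-case "smtp:" entries are aliases.
            PropertyCollection properties = ((DirectoryEntry)user.GetUnderlyingObject()).Properties;
            foreach (object entry in properties["proxyAddresses"])
            {
                string value = entry.ToString();
                if (value.StartsWith("SMTP:", StringComparison.Ordinal))
                    return value.Substring("SMTP:".Length);
            }
            return null;                           // no primary SMTP address recorded
        }
    }

    // Requests a bearer token from AD FS using the resolved e-mail address as the username.
    public static SecurityToken IssueToken(string email, string password)
    {
        var binding = new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential);
        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(AdfsEndpoint))
        {
            TrustVersion = TrustVersion.WSTrust13
        };
        factory.Credentials.UserName.UserName = email;
        factory.Credentials.UserName.Password = password;

        var rst = new RequestSecurityToken(RequestTypes.Issue, KeyTypes.Bearer)
        {
            AppliesTo = new EndpointReference(RelyingPartyId) // AD FS requires the relying party identifier
        };

        IWSTrustChannelContract channel = factory.CreateChannel();
        try
        {
            return channel.Issue(rst);
        }
        finally
        {
            (channel as ICommunicationObject)?.Abort(); // release the channel whether or not Issue succeeded
            factory.Close();
        }
    }

    public static void Main()
    {
        string email = ResolvePrimaryEmail("jdoe"); // placeholder login name
        if (email == null)
        {
            Console.WriteLine("Account not found or has no e-mail address; refusing to authenticate.");
            return;
        }
        SecurityToken token = IssueToken(email, "password-from-a-secure-prompt");
        Console.WriteLine("Issued token valid until " + token.ValidTo.ToString("u"));
    }
}
```

The lookup deliberately distinguishes "account not found" from "found but no address" only internally and reports both as null, so the caller fails closed and the response does not reveal which usernames exist. The ordinal "SMTP:" comparison matters: a case-insensitive match would also pick up secondary "smtp:" aliases, which may not be the identity AD FS expects.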