我正在尝试使用SSO将第三方系统与ADFS 2.0连接。我创建了依赖方信任和两个声明规则
规则#1
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
规则#2
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
我能够点击ADFS服务器,但收到此错误
MSIS1000: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: False Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier: https://xxx.xxx.com/sso. Actual NameID properties: null.
有什么想法吗?
答案 0 :(得分:4)
这篇文章是线索:
SPNameQualifier:https://xxx.xxx.com/sso。实际的NameID属性: 空。
因此SP的NameID(实体ID)为“https://xxx.xxx.com/sso”,但ADFS端没有配置此名称。
您需要使用Properties []构造将其添加到声明中。
参考:ADFS – SAML 2.0 Identity Provider and SaaS Service Providers。