Why is ADFS not returning the email claim?

Posted: 2016-10-27 21:02:04

Tags: asp.net single-sign-on claims-based-identity adfs ws-federation

I have set up ADFS on a web server on our local network and created a relying party trust for a brand-new ASP.NET Web Forms application. In the relying party trust, under the "Issuance Transform Rules" tab, I added a claim rule named "Get Attributes", with the attribute store set to Active Directory, and in the table that maps LDAP attributes to outgoing claim types I selected E-Mail-Addresses -> E-Mail Address.

I ran the WIF Federation Utility against the new application and pointed it at the ADFS server. I can run the application, authenticate against my server, and get sent back to my page after authentication. But when I iterate over the claims, none of them contains the email address.

using System.Threading;
using Microsoft.IdentityModel.Claims;   // WIF 3.5 (Microsoft.IdentityModel) claim types

// The WS-Federation module places the claims principal on the current thread after sign-in.
IClaimsPrincipal icp = Thread.CurrentPrincipal as IClaimsPrincipal;

IClaimsIdentity claimsIdentity = (IClaimsIdentity)icp.Identity;

// Dump every claim the STS issued. Subject is the owning identity; claim.ClaimType holds the claim's URI.
foreach (Claim claim in claimsIdentity.Claims)
{
    Response.Write("<b>" + claim.Subject + "</b><br />");
    Response.Write("<b>" + claim.ValueType + "</b><br />");
    Response.Write("<b>" + claim.Value + "</b><br />");
}

The output I get from this code is:

http://www.w3.org/2001/XMLSchema#string
http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows

http://www.w3.org/2001/XMLSchema#dateTime
2016-10-27T15:30:26.412Z

This is my web.config:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>
  <location path="FederationMetadata">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
    <authentication mode="None" />
    <compilation debug="true" targetFramework="4.5">
      <assemblies>
        <add assembly="Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
      </assemblies>
    </compilation>
    <httpRuntime targetFramework="4.5" requestValidationMode="2.0" />
    <pages>
      <namespaces>
        <add namespace="System.Web.Optimization" />
      </namespaces>
      <controls>
        <add assembly="Microsoft.AspNet.Web.Optimization.WebForms" namespace="Microsoft.AspNet.Web.Optimization.WebForms" tagPrefix="webopt" />
      </controls>
    </pages>
    <httpModules>
      <add name="ApplicationInsightsWebTracking" type="Microsoft.ApplicationInsights.Web.ApplicationInsightsHttpModule, Microsoft.AI.Web" />
      <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </httpModules>
  </system.web>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Newtonsoft.Json" culture="neutral" publicKeyToken="30ad4fe6b2a6aeed" />
        <bindingRedirect oldVersion="0.0.0.0-6.0.0.0" newVersion="6.0.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="WebGrease" culture="neutral" publicKeyToken="31bf3856ad364e35" />
        <bindingRedirect oldVersion="0.0.0.0-1.5.2.14234" newVersion="1.5.2.14234" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
  <system.codedom>
    <compilers>
      <compiler language="c#;cs;csharp" extension=".cs" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.CSharpCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:6 /nowarn:1659;1699;1701" />
      <compiler language="vb;vbs;visualbasic;vbscript" extension=".vb" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.VBCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:14 /nowarn:41008 /define:_MYTYPE=\&quot;Web\&quot; /optionInfer+" />
    </compilers>
  </system.codedom>
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false" />
    <modules>
      <remove name="ApplicationInsightsWebTracking" />
      <add name="ApplicationInsightsWebTracking" type="Microsoft.ApplicationInsights.Web.ApplicationInsightsHttpModule, Microsoft.AI.Web" preCondition="managedHandler" />
      <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
      <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
    </modules>
  </system.webServer>
  <appSettings>
    <add key="FederationMetadataLocation" value="https://customsts.dev/FederationMetadata/2007-06/FederationMetadata.xml" />
    <add key="autoFormsAuthentication" value="false" />
    <add key="enableSimpleMembership" value="false" />
  </appSettings>
  <microsoft.identityModel>
    <service>
      <audienceUris>
        <add value="https://dev.XXX.net:44334/" />
      </audienceUris>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true" issuer="https://customsts.dev/adfs/ls/" realm="https://dev.XXX.net:44334/" requireHttps="false" />
        <cookieHandler requireSsl="false" />
      </federatedAuthentication>
      <applicationService>
        <claimTypeRequired>
          <!--Following are the claims offered by STS 'http://customsts.dev/adfs/services/trust'. Add or uncomment claims that you require by your application and then update the federation metadata of this application.-->
          <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="true" />
          <claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" optional="true" />
          <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="false" />
        </claimTypeRequired>
      </applicationService>
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add thumbprint="123456789XXXX....." name="http://customsts.dev/adfs/services/trust" />
        </trustedIssuers>
      </issuerNameRegistry>
      <certificateValidation certificateValidationMode="None" />
    </service>
  </microsoft.identityModel>
</configuration>

2016/10/27 Followup

I noticed that if I change the global authentication policy, remove Windows authentication and keep only forms authentication, I get this as one of the claims:

urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

instead of:

http://www.w3.org/2001/XMLSchema#string
http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows

This doesn't help me at all, but I thought I would provide the information.

2 Answers:

Answer 0 (score: 0)

Are you forwarding/issuing any email claims from the claims provider trust you are using? Try passing the email claim through on the relying party.

As I recall, you can forward all claims from the CP with: c:[] => issue(claim = c);

Make sense?

Answer 1 (score: 0)

I finally found the answer. I didn't know this, but our email is hosted off-site, so our internal Active Directory did not have an email address set for my ID. Our admin put my email address in my Active Directory settings and now it shows up.
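A diagnostic that checks both things the answers point at, the source attribute on the AD account (Answer 1) and whether the relying party trust has a rule that issues the email claim at all (Answer 0). This is an added example, not code from the question or either answer; it assumes the ActiveDirectory and ADFS PowerShell modules (Windows Server 2012 R2 or later) and uses placeholder values for the relying party trust name and the account that signed in.

```powershell
# Added diagnostic for the "no email claim" symptom on this page.
# Assumes: ADFS and ActiveDirectory modules on the ADFS server; placeholder RP name and account.
param(
    [string]$RelyingPartyName = "Dev App",   # placeholder: display name of the relying party trust
    [string]$SamAccountName   = "jdoe"       # placeholder: the account that signed in to the app
)

Import-Module ActiveDirectory
Import-Module ADFS

$emailClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# 1. Is the source attribute populated? Answer 1's root cause was an empty 'mail'
#    attribute: a "Send LDAP Attributes as Claims" rule silently issues nothing then.
$user = Get-ADUser -Identity $SamAccountName -Properties mail
if ([string]::IsNullOrWhiteSpace($user.mail)) {
    Write-Warning "AD attribute 'mail' is empty for $SamAccountName; the LDAP rule has nothing to issue."
} else {
    Write-Host "AD 'mail' for $SamAccountName = $($user.mail)"
}

# 2. Does the relying party trust carry a rule that issues the email claim type?
$rp = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
if (-not $rp) { throw "Relying party trust '$RelyingPartyName' not found." }

$rules = $rp.IssuanceTransformRules
if ($rules -match [regex]::Escape($emailClaimType)) {
    Write-Host "Issuance transform rules on '$RelyingPartyName' reference the email claim type."
} elseif ($rules -match 'issue\(claim = c\)') {
    # Answer 0's pass-through rule only forwards what an upstream claims provider already issued.
    Write-Host "Only a pass-through rule is present; the email claim must come from the claims provider."
} else {
    Write-Warning "No rule on '$RelyingPartyName' issues $emailClaimType."
}

# 3. Print the rule text so the LDAP query (it should name the 'mail' attribute) can be checked by eye.
$rules
```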