对于某些背景,我所遵循的步骤类似于:https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/development/customize-id-token-ad-fs-2016
连接到我的应用程序时,我可以在ID令牌中看到“nameid”,“upn”和“unique_name”,但我的自定义声明规则中未定义任何声明:
c:[Type == "foo://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "Telephone-Number", "Department", "Country", "Description", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";mail,mail,givenName,sn,telephoneNumber,department,c,Description,displayName;{0}", param = c.Value);
虽然用户已成功登录,但我无法传递其他声明以帮助定义用户的身份。
更改或删除此声明规则似乎不会影响结果,但删除允许每个人的颁发授权规则会导致拒绝访问消息,因此我可以推断出Web应用程序属性实际上正在发挥作用。有什么建议吗?
答案 0 :(得分:0)
您是否真的打算将所有这些声明类型的URI设置为" foo://"?
根据你所写的内容,
c:[Type == "foo://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "Telephone-Number", "Department", "Country", "Description", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";mail,mail,givenName,sn,telephoneNumber,department,c,Description,displayName;{0}", param = c.Value);
只有在满足foo://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname声明的条件时,才会发出所有声明。
我建议做一些更简单的事情,例如添加以下自定义规则。
=> issue(type = "http://contoso.com/partner", value = "Adatum");
然后看到发出的id_token。您应该看到这样的自定义声明以及其他声明。
然后,您可以根据需要使用声明规则语法。
http://contoso.com/partner: "Adatum",