如何在OpenID和ADFS 3.0中使用自定义声明规则

Question

对于某些背景，我所遵循的步骤类似于：https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/development/customize-id-token-ad-fs-2016

连接到我的应用程序时，我可以在ID令牌中看到“nameid”，“upn”和“unique_name”，但我的自定义声明规则中未定义任何声明：

c:[Type == "foo://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "Telephone-Number", "Department", "Country", "Description", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";mail,mail,givenName,sn,telephoneNumber,department,c,Description,displayName;{0}", param = c.Value);

虽然用户已成功登录，但我无法传递其他声明以帮助定义用户的身份。

更改或删除此声明规则似乎不会影响结果，但删除允许每个人的颁发授权规则会导致拒绝访问消息，因此我可以推断出Web应用程序属性实际上正在发挥作用。有什么建议吗？

Answer 1

您是否真的打算将所有这些声明类型的URI设置为＆＃34; foo：//＆＃34;？

根据你所写的内容，

c:[Type == "foo://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "Telephone-Number", "Department", "Country", "Description", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";mail,mail,givenName,sn,telephoneNumber,department,c,Description,displayName;{0}", param = c.Value);

只有在满足foo：//schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname声明的条件时，才会发出所有声明。

我建议做一些更简单的事情，例如添加以下自定义规则。

=> issue(type = "http://contoso.com/partner", value = "Adatum");

然后看到发出的id_token。您应该看到这样的自定义声明以及其他声明。

然后，您可以根据需要使用声明规则语法。

http://contoso.com/partner: "Adatum",