Why am I getting a 401 with AD FS 2016 on OAuth and ADAL.JS

Time: 2019-03-03 19:52:05

Tags: oauth adfs adal adal.js

I am following https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/development/single-page-application-with-ad-fs: I cloned the code from GitHub and followed all the steps to create the application group in AD FS and make the changes in the code. It works fine: clicking "Login" or trying to open the "Todo List" page takes me to the AD FS login page and then redirects me back to the application page, but when I try the "Todo List" page it gives me a 401.

I checked the network traffic in Chrome developer tools (and in Fiddler), and the request to TodoList (Request URL: https://localhost:44326/api/TodoList) has an Authorization header:

Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Inp4anhjL

Looking at all the other traffic, everything else is fine.

https://pdc.mkdomain.com:44326/#/UserData shows the following result:

{"Message":"Authorization has been denied for this request."}

In the relying party trust, I have:

Id_token content
mohsen@mkdomain.com
aud:https://pdc.mkdomain.com:44326/
iss:https://PDC.mkdomain.com/adfs
iat:1551610099
nbf:
exp:1551613699
ver:
tid:
amr:
oid:
upn:mohsen@mkdomain.com
unique_name:Mohsen@mkdomain.com
sub:JIg5DslCMEyKf8AnKpvNg3XQf+KN58tgOzYEjlZ+WZA=
family_name:
given_name:
pwd_exp:
pwd_url:

In the issuance transform rules, I have:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", 
types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", 
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", 
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", 
"family_name"), 
query = ";displayName,mail,givenName,sn;{0}", param = c.Value);

1 answer:

Answer 0: (score: 0)

I found that the problem was the ida:Issuer value being lowercase while the computer name is uppercase. After I changed it from pdc.MKDOMAIN.com/adfs to PDC.MKDOMAIN.com/adfs, everything worked.