协助ADFS 4.0本地声明提供者信任接受转换规则或声明发布规则

Question

这是我在生产之前尝试在实验室中进行测试的情况：

1. 两个单独的域（DOMAINA和DOMAINB）之间不信任-所有2016年服务器。
2. ADFS安装在DOMAINA中的服务器上
3. 我有两个Claims Provider Trust关系-一个内置的AD 通过PowerShell Add-LdfsLocalClaimsProviderTrust将DOMAINA和本地通过LDAP设置为DOMAINB
4. 我有两个问题。
   • 来自本地声明提供者信托的索赔仅以sAMAccountName的形式出现，我需要使用DOMAIN \ sAMAccountName格式（本地广告采用正确的格式）
   • 当我认为我已经解决了上述格式（通过在DOMAINB NameID规则的{0}前面添加DOMAINB \时，我认为声明发布规则的查询部分正在查询AD而不是属性存储）本地声明提供者属性。
5. 我已经通过SampApp和AFDS跟踪日志验证了LDAP的传入声明正在使之包括发行人显示为本地授权
6. 这是有关从ADFS跟踪进行格式化的错误：

Microsoft.IdentityServer.ClaimsPolicy.Language.PolicyEvaluationException: POLICY0018: Query ';sAMAccountName;{0}' to attribute store 'Active Directory' failed: 'POLICY3826: User name 'jdoe' in LDAP query ';sAMAccountName;jdoe' is not in the required 'domain\user' format.

注意：我对此设置的要求是由于以下事实：我需要对两个域中的用户进行身份验证，而无需它们之间的信任，但是我的SP（Cisco CallManager）仅支持单个idP。我正在按照以下说明进行DOMAINA设置，然后尝试为DOMAINB进行修改：

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/uc_system/V10-5-1/config/CSR10-5-SAMLSSO-MicroSoft-ADFS-on-Windows-Configuration.html

这是我的发行声明规则：

#DOMAINA
@RuleName = "NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("uid"), query = ";sAMAccountName;{0}", param = c.Value);

#DOMAINB
@RuleName = "NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "LOCAL AUTHORITY"]
 => issue(store = "Active Directory", types = ("uid"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleName = "CUCM Claims Rule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://fs.domaina.com/adfs/com/adfs/service/trust", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "callmanager.domaina.com");