Help with ADFS 4.0 local claims provider trust acceptance transform rules or claim issuance rules

Time: 2019-09-02 15:04:47

Tags: powershell saml adfs adfs4.0

Here is the setup I am trying to test in a lab before going to production:

  1. Two separate domains (DOMAINA and DOMAINB) with no trust between them; all servers are 2016.
  2. ADFS is installed on a server in DOMAINA.
  3. I have two Claims Provider Trust relationships: the built-in AD one for DOMAINA, and a local one for DOMAINB set up over LDAP with the PowerShell cmdlet Add-AdfsLocalClaimsProviderTrust.
  4. I have two problems.
    • Claims from the local claims provider trust come in only as sAMAccountName, and I need the DOMAIN\sAMAccountName format (local AD comes through in the correct format).
    • Once I thought I had fixed the format above (by adding DOMAINB\ in front of the {0} in the DOMAINB NameID rule), I believe the query part of the claim issuance rule is querying AD rather than the attribute store of the local claims provider.
  5. I have verified via SampApp and the ADFS trace logs that the incoming claims from LDAP are making it through, including the issuer showing as LOCAL AUTHORITY.
  6. Here is the formatting-related error from the ADFS trace:
Microsoft.IdentityServer.ClaimsPolicy.Language.PolicyEvaluationException: POLICY0018: Query ';sAMAccountName;{0}' to attribute store 'Active Directory' failed: 'POLICY3826: User name 'jdoe' in LDAP query ';sAMAccountName;jdoe' is not in the required 'domain\user' format.

Note: my requirement for this setup comes from the fact that I need to authenticate users from both domains without a trust between them, but my SP (Cisco CallManager) only supports a single IdP. I followed the instructions below for the DOMAINA setup and am now trying to modify them for DOMAINB:

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/uc_system/V10-5-1/config/CSR10-5-SAMLSSO-MicroSoft-ADFS-on-Windows-Configuration.html

Here are my issuance claim rules:

#DOMAINA
@RuleName = "NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("uid"), query = ";sAMAccountName;{0}", param = c.Value);

#DOMAINB
@RuleName = "NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "LOCAL AUTHORITY"]
 => issue(store = "Active Directory", types = ("uid"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleName = "CUCM Claims Rule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://fs.domaina.com/adfs/com/adfs/service/trust", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "callmanager.domaina.com");

0 answers
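The post above mixes two ADFS mechanisms: acceptance transform rules on the claims provider trust (which run when the claim enters ADFS from the LDAP provider) and issuance transform rules on the relying party trust (which run afterwards, per SP). The script below is an added example, not code from the original post or from Microsoft, showing how to read back and replace the acceptance transform rules of a local claims provider trust so that a bare sAMAccountName arriving from it is reissued as DOMAINB\sAMAccountName before any relying party rule sees it. The trust name "DOMAINB LDAP" is a placeholder, and the assumption that string concatenation with `+` and a single backslash inside a claim rule string work as written is mine, not stated in the post; run it in a lab first and compare the before/after output.

```powershell
# Added example (not from the original question). Run on the ADFS server in an
# elevated PowerShell session. Assumes the local claims provider trust created
# with Add-AdfsLocalClaimsProviderTrust is named "DOMAINB LDAP" (placeholder).

Import-Module ADFS

$cptName = "DOMAINB LDAP"   # placeholder: name of the local (LDAP) claims provider trust

# 1. Record what the trust currently accepts so the change can be reviewed and
#    reverted if needed.
$before = (Get-AdfsLocalClaimsProviderTrust -Name $cptName).AcceptanceTransformRules
Write-Host "Acceptance transform rules BEFORE:" -ForegroundColor Cyan
$before

# 2. Acceptance transform rules for the local claims provider trust.
#    - Rule 1 reissues the incoming windowsaccountname claim with a DOMAINB\
#      prefix, keeping the original issuer so that later rules can still match
#      on Issuer == "LOCAL AUTHORITY".
#    - Rule 2 passes every other claim through unchanged.
#    Assumption (mine): the claim rule language accepts "DOMAINB\" + c.Value as
#    plain concatenation; the post itself shows a single backslash inside a
#    rule string working in the query part.
$acceptanceRules = @'
@RuleName = "Prefix bare sAMAccountName from DOMAINB with the domain"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = "DOMAINB\" + c.Value, ValueType = c.ValueType);

@RuleName = "Pass through all other claims"
c:[Type != "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(claim = c);
'@

# 3. Apply the new rule set to the local claims provider trust.
Set-AdfsLocalClaimsProviderTrust -TargetName $cptName -AcceptanceTransformRules $acceptanceRules

# 4. Read the rules back and show the difference, so the change is auditable.
$after = (Get-AdfsLocalClaimsProviderTrust -Name $cptName).AcceptanceTransformRules
Write-Host "Acceptance transform rules AFTER:" -ForegroundColor Cyan
$after

if ($before -ne $after) {
    Write-Host "Rule set changed; test a DOMAINB login and check the ADFS trace for the windowsaccountname value." -ForegroundColor Yellow
}
```

Two caveats worth keeping in mind when testing this. First, prefixing the value only normalises the format of the claim; the built-in "Active Directory" attribute store behind `store = "Active Directory"` queries the forest the ADFS service runs in, so a `query = ";sAMAccountName;{0}"` rule on the relying party will still look up DOMAINB\jdoe in DOMAINA's AD. Second, because rule 1 reissues rather than adds, the original bare-sAMAccountName claim is not kept, which avoids two windowsaccountname claims with different values reaching the relying party rules.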