This is what I get when I try to test it in the lab before going to production:
Microsoft.IdentityServer.ClaimsPolicy.Language.PolicyEvaluationException: POLICY0018: Query ';sAMAccountName;{0}' to attribute store 'Active Directory' failed: 'POLICY3826: User name 'jdoe' in LDAP query ';sAMAccountName;jdoe' is not in the required 'domain\user' format.
Note: my requirement for this setup comes from the fact that I need to authenticate users from two domains with no trust between them, but my SP (Cisco CallManager) only supports a single IdP. I set up DOMAINA following the instructions below and then tried to modify them for DOMAINB:

Here are my issuance claim rules:
#DOMAINA
@RuleName = "NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("uid"), query = ";sAMAccountName;{0}", param = c.Value);
#DOMAINB
@RuleName = "NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "LOCAL AUTHORITY"]
=> issue(store = "Active Directory", types = ("uid"), query = ";sAMAccountName;{0}", param = c.Value);
@RuleName = "CUCM Claims Rule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://fs.domaina.com/adfs/com/adfs/service/trust", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "callmanager.domaina.com");
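A small model of the check that the error message describes, added here as an illustration and not part of the original post or of AD FS itself: the Active Directory attribute store only accepts a query parameter of the form `domain\user`, so a bare `sAMAccountName` such as `jdoe` is rejected with POLICY3826 before any LDAP query is made. The regex and the claim-pipeline simulation are assumptions for the demonstration; the claim type and issuer strings are the ones used in the rules above.

```python
import re
from dataclasses import dataclass

# Assumed approximation of the 'domain\user' format AD FS requires for the
# Active Directory attribute store; the exact validation is not shown on the page.
DOMAIN_USER_RE = re.compile(r"^(?P<domain>[^\\/\s]+)\\(?P<user>[^\\/\s]+)$")

WINDOWS_ACCOUNT_NAME = (
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
)


@dataclass
class Claim:
    type: str
    value: str
    issuer: str


def check_ad_query_param(value: str):
    """Return (ok, message) for a value passed as param to ';sAMAccountName;{0}'.

    Mirrors the POLICY3826 condition: the parameter must be 'domain\\user'.
    """
    m = DOMAIN_USER_RE.match(value)
    if not m:
        return False, (
            f"POLICY3826: User name '{value}' in LDAP query "
            f"';sAMAccountName;{value}' is not in the required 'domain\\user' format."
        )
    # With a well-formed value the store would look up sAMAccountName=<user>
    # in the domain named on the left of the backslash.
    return True, f"lookup sAMAccountName={m.group('user')} in domain {m.group('domain')}"


def evaluate_uid_rules(claims):
    """Simulate the two 'NameID' rules above: each matches windowsaccountname
    claims from one issuer and hands c.Value to the Active Directory store."""
    results = []
    for c in claims:
        if c.type != WINDOWS_ACCOUNT_NAME:
            continue
        if c.issuer in ("AD AUTHORITY", "LOCAL AUTHORITY"):
            ok, msg = check_ad_query_param(c.value)
            results.append((c.issuer, c.value, ok, msg))
    return results


if __name__ == "__main__":
    # Constructed sample claims: DOMAINA's comes from AD in domain\user form,
    # DOMAINB's comes from LOCAL AUTHORITY as a bare user name.
    sample = [
        Claim(WINDOWS_ACCOUNT_NAME, "DOMAINA\\jdoe", "AD AUTHORITY"),
        Claim(WINDOWS_ACCOUNT_NAME, "jdoe", "LOCAL AUTHORITY"),
    ]
    for issuer, value, ok, msg in evaluate_uid_rules(sample):
        print(f"{issuer:16} {value:16} {'OK ' if ok else 'ERR'} {msg}")
```

Running it shows the DOMAINA claim passing the format check and the DOMAINB claim producing the same POLICY3826 text as the log above, which is a quick way to confirm which incoming claim value is the one the attribute store is rejecting.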