【发布时间】:2017-04-11 16:55:12
【问题描述】:
对于某些背景,我遵循的步骤类似于:https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/development/customize-id-token-ad-fs-2016
连接到我的应用程序时,我可以在 id 令牌中看到“nameid”、“upn”和“unique_name”,但没有看到我的自定义声明规则中定义的声明:
c:[Type == "foo://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "Telephone-Number", "Department", "Country", "Description", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";mail,mail,givenName,sn,telephoneNumber,department,c,Description,displayName;{0}", param = c.Value);
虽然用户已成功登录,但我无法传递其他声明来帮助定义用户的身份。
更改或删除此声明规则似乎不会影响结果,但删除允许所有人的颁发授权规则会导致访问被拒绝消息,因此我可以推断 Web 应用程序属性实际上在起作用。有什么建议吗?
【问题讨论】:
标签: openid adfs claims-based-identity windows-server-2016