
我想把 saml:Issuer 和 saml:NameID 组合起来发出一个新的声明（claim），这可以通过自定义转换规则实现吗？（标题：ADFS 自定义转换规则：saml:Issuer 与 saml:NameID）

起初我以为可以使用 .Issuer 或 .OriginalIssuer，但在转换过程中 ADFS 似乎会把这些值改成受众（Audience）URL（http://adfstest.tst.adfstst.gov/adfs/services/trust）。

下面是一个 SAML 请求示例（即下面的 samlp:Response 消息）：

<!-- Example SAML 2.0 Response as posted in the question. The SignatureValue and
     X509Certificate contents are elided ("..."), so the signature cannot be
     verified from this listing alone. -->
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="s224131481a93459a57f69c1bfef9fb86874568dc6" InResponseTo="id-50fbee27-151a-40dd-99fb-2e67678084a1" Version="2.0" IssueInstant="2011-04-21T15:26:12Z" Destination="https://adfstest.tst.adfstst.gov/adfs/ls/">
    <!-- Issuer of the Response: the IdP entity ID, i.e. the value the question wants
         to combine with the NameID. NOTE(review): a relying party should compare this
         against the IdP it is configured to trust, not take it at face value. -->
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://test.tst.tst.gov:443/openam_s951</saml:Issuer>
    <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Value="urn:oasis:names:tc:SAML:2.0:status:Success">
    </samlp:StatusCode>
    </samlp:Status>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="s2b721b9b7f85b007211e249a3d270391ad5b3f730" IssueInstant="2011-04-21T15:26:03Z" Version="2.0">
    <!-- Assertion Issuer: repeats the same IdP entity ID as the Response Issuer. -->
    <saml:Issuer>https://test.tst.tst.gov:443/openam_s951</saml:Issuer>
    <!-- Enveloped signature over the Assertion (the Reference URI points at the
         Assertion ID) with exclusive C14N. rsa-sha1 / sha1 are legacy algorithms;
         prefer rsa-sha256 / sha256 where both peers support them. -->
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
     <ds:SignedInfo>
     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
     <ds:Reference URI="#s2b721b9b7f85b007211e249a3d270391ad5b3f730">
      <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>mXUwZ/Qmbv06LXkglEabDnB3dug=</ds:DigestValue>
     </ds:Reference>
     </ds:SignedInfo>
     <ds:SignatureValue>...
     </ds:SignatureValue>
     <ds:KeyInfo>
     <ds:X509Data>
      <ds:X509Certificate>...
      </ds:X509Certificate>
     </ds:X509Data>
     </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
     <!-- NameID is the user's directory DN; NameQualifier repeats the IdP entity ID. -->
     <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="https://test.tst.tst.gov:443/openam_s951">CN=Mike.Saunders,OU=Users,OU=EXTERNAL,DC=test,DC=test,DC=test,DC=gov</saml:NameID>
     <!-- Bearer confirmation: InResponseTo matches the Response's InResponseTo and
          Recipient matches the Response Destination; usable until NotOnOrAfter. -->
     <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
     <saml:SubjectConfirmationData InResponseTo="id-50fbee27-151a-40dd-99fb-2e67678084a1" NotOnOrAfter="2011-04-21T15:36:10Z" Recipient="https://adfstest.tst.adfstst.gov/adfs/ls/"/>
     </saml:SubjectConfirmation>
    </saml:Subject>
    <!-- 20-minute validity window. Audience is the ADFS trust identifier, i.e. the
         URL the question reports ADFS substituting for .Issuer / .OriginalIssuer. -->
    <saml:Conditions NotBefore="2011-04-21T15:16:12Z" NotOnOrAfter="2011-04-21T15:36:12Z">
     <saml:AudienceRestriction>
     <saml:Audience>http://adfstest.tst.adfstst.gov/adfs/services/trust</saml:Audience>
     </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2011-04-21T15:25:51Z" SessionIndex="s2e5f72dce1e769b18410b4f0f3818ad1070453801">
     <saml:AuthnContext>
     <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
     </saml:AuthnContext>
    </saml:AuthnStatement>
    <!-- IdP session attributes, all typed xs:string. NOTE(review): ssoTokenId looks
         like a URL-encoded IdP session token; if so it is a secret and should be
         kept out of logs and of any claim that is re-issued downstream (confirm). -->
    <saml:AttributeStatement>
     <saml:Attribute Name="ssoTokenId">
     <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">AQIC5wM2LY4SfcygZIrQ4xys%2FBGj9X8JIj7hPR%2BMt7v8%2FMA%3D%40AAJTSQACMDE%3D%23</saml:AttributeValue>
     </saml:Attribute>
     <saml:Attribute Name="maxSessionTime">
     <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">120</saml:AttributeValue>
     </saml:Attribute>
     <saml:Attribute Name="timeLeft">
     <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">7167</saml:AttributeValue>
     </saml:Attribute>
     <saml:Attribute Name="maxIdleTime">
     <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">30</saml:AttributeValue>
     </saml:Attribute>
     <saml:Attribute Name="idleTime">
     <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">5</saml:AttributeValue>
     </saml:Attribute>
     <saml:Attribute Name="authLevel">
     <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">0</saml:AttributeValue>
     </saml:Attribute>
    </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>

回答


大致可以这样写（在自定义规则中引用传入声明的 Issuer 属性并与其值拼接）：

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
  => issue(Type = "_zort", Value = c.Issuer + ":" + c.Value);

HTH!