获取使用ADFS 2.0实现SSO的NameIDPolicyError

我正尝试使用SSO将ADFS 2.0与第三方系统连接。我创建信赖方信任，以及两个声明规则获取使用ADFS 2.0实现SSO的NameIDPolicyError

规则＃1

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] 
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

规则＃2

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] 
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

我能打到ADFS服务器，但得到这个错误

MSIS1000: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: False Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier: https://xxx.xxx.com/sso. Actual NameID properties: null.

有什么想法？

来源

2013-05-06 Nitesh

这一块是线索：

SPNameQualifier：https://xxx.xxx.com/sso。实际NameID属性： null。

所以SP具有“https://xxx.xxx.com/sso” NameID的（实体ID），但有在ADFS侧没有配置这样的名称。

您需要使用Properties []构造将其添加到声明中。

请参阅：ADFS – SAML 2.0 Identity Provider and SaaS Service Providers。

来源

2013-05-06 19:18:35 nzpcmad

获取使用ADFS 2.0实现SSO的NameIDPolicyError

回答

相关问题