规则对于一些背景,那我下面的步骤类似于:https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/development/customize-id-token-ad-fs-2016我怎样才能利用自定义声明与OpenID和ADFS 3.0
当连接到我的应用程序,我可以看到“填充NameID”,“UPN” ,并在ID令牌,但没有在我的自定义声明规则定义的索赔“UNIQUE_NAME”:
c:[Type == "foo://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "Telephone-Number", "Department", "Country", "Description", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";mail,mail,givenName,sn,telephoneNumber,department,c,Description,displayName;{0}", param = c.Value);
虽然用户成功登录,我不能沿着额外索赔传球帮助确定用户的身份。
更改或删除此声明规则似乎没有影响结果,但删除了允许所有人都导致访问被拒绝的消息的颁发授权规则,因此我可以推断Web应用程序属性实际上在播放。有什么建议么?
StackOverflow将它们视为URL,因此我将它们更改为foo://。 我会试试看。感谢您的回应。 –
看起来像是我们的应用程序。此答案提供了一种明确的故障排除方法。谢谢! –