声明:UPN,名称与Azure AD之间的区别 [英] Claims: difference between UPN, Name with Azure AD
问题描述
在System.IdentityModel.Claims中,有三个条目:UPN,Name和NameIdentifier " http://schemas.xmlsoap.org/ws/2005/05/身份/声明/名称" " http://schemas.xmlsoap.org/ws/2005/05/身份/声明/UPN " " http://schemas.xmlsoap.org/ws/2005/05/身份/声明/名称标识符"
In System.IdentityModel.Claims there are three entries: UPN, Name and NameIdentifier "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
在使用AzureAD,OpenIdConnect和Office365进行身份验证后进行调试时.我看到名称和upn始终相同,就像给定用户的电子邮件": johndoe@contoso.com或johdoe@contoso.onmicrosoft.com 而nameidentifier是非人类可读的标识符.
While debugging after authentication with AzureAD, OpenIdConnect and Office365. I see that name and upn are always the same, something that looks like the 'email' of a given user: e.g. johndoe@contoso.com or johdoe@contoso.onmicrosoft.com while the nameidentifier is a non human readable identifier.
然后,我确实有几个问题:
Then, I do have a couple of questions:
1)在我的上下文中,名称"和"upn"是否总是相同?
1) Does 'name' and 'upn' will always be the same in my context?
2)它们是可变的吗?我们看到域名(或upn)中存在域名,这是否意味着如果rototo.com收购了contoso.com,则可以修改名称和upn吗?还是类似地,如果公司在没有自定义域名的情况下开始其Office365订阅,但后来他们决定由一个人决定呢?这些声明的值可能会更改?
2) Are they mutable? We see that the domain name is present in the name (or upn) does it means that if contoso.com is acquired by rototo.com the name and upn could be modified? Or similarly, if the company started its Office365 subscription without a custom domain name but later they decide to by one? The values of those claims may change?
3)与2)有关,但是NameIdentifier是获取对特定用户的引用的唯一安全方法吗?例如要作为外键存储在数据库中?
3) It is related to 2) but does NameIdentifier the only safe way to get a reference to a particular user? For example to store as a foreign key in the database?
推荐答案
- UPN是用户主体名称.它始终采用看起来像电子邮件地址的格式.从本质上讲,它分为三个部分.用户帐户名称,分隔符(即@符号)和UPN后缀或域名.其主要目的是在身份验证期间使用.而名称应该是出于显示目的.名称和UPN可以相同或不同.根据您的目标,您应该使用一个还是另一个.
- UPN is the User Principal Name. It is always in the format which looks like an email address. Essentially it has 3 parts. User account name, the separator (i.e. @ symbol) and UPN suffix or Domain name. Its primary purpose is to use during the authentication. Whereas the Name is supposed to be for display purposes. The Name and UPN can be same or different. Depending upon your objective you should use one vs the other.
引用用户名格式
-
第一个部分回答了第二个问题. UPN将根据域而变化.域是UPN后缀.名称是显示名称,除非您在将AD用户从一个域迁移到另一个域时指定规则,否则它不会更改.
The first answers the second question to some part. UPN will change based on the domain. Domain is the UPN suffix. The Name is the display name and may not change unless you specify the rules when migrating AD users from one domain to another.
NameIdentifier 是唯一的用户的SAML名称标识符".换句话说,它只是用户对象的ID. 目的:当尝试唯一标识用户时,这是您的首选.
NameIdentifier is the unique "SAML name identifier of the user". In other terms its just the ID of the user object. Purpose: When trying to identify a user uniquely this should be your go-to choice.
引用:
- The Role of Claims
- Ealier question on Stackoverflow regarding purpose of NameIdentifier
这篇关于声明:UPN,名称与Azure AD之间的区别的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
