NameIdentifier vs ObjectIdentifier

Views: 120

Question

I have a multitenant ASP.NET application using OpenIdConnect and Azure AD as an identity provider for Office 365. When the user is authenticated I receive my claims in ClaimsPrincipal.Current.

I wanted to identify a user and store this id reference in my database. I asked this question. It was replied that

When trying to identify a user uniquely [NameIdentifier] should be your go-to choice.

But it seems that the NameIdentifier claim, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier, depends on the application. Precisely, if I create another application in Azure AD, then the NameIdentifier will not be the same for the same real Office365 user. Keep in mind that we may have to create another Azure AD manifest (because we could need other scopes) and we should be able to find back the same end-users.

Meanwhile, I remarked another claim: ObjectIdentifier http://schemas.microsoft.com/identity/claims/objectidentifier

It seems that ObjectIdentifier is the same for all Azure AD-secured applications for a given Office 365 user.

Can you explain precisely the difference between those two claims? And more importantly, can you confirm that the ObjectIdentifier can be used as a "universal" identifier for a user in any Office 365 subscription?

Answer

Precisely, if I create another application in Azure AD, then the NameIdentifier will not be the same for the same real Office365 user.

I did a quick test as follows:

Register a multi-tenant web app and a single-tenant web app in AD Contoso.

Log in with user1@contoso.onmicrosoft.com and get the name identifier in both web applications; it turns out the name identifier is the same in both applications. So the name identifier should be able to identify users across applications, but it cannot be used to identify the user in Azure AD.

For the object identifier, it is a GUID which you can use to identify a user in Azure AD. For example, you can use the object identifier to query the user in Azure AD.

PowerShell:

# Prompt for the admin credential used to connect to the MSOnline service
$msolcred = get-credential
connect-msolservice -credential $msolcred
# Look up the user by the GUID carried in the objectidentifier claim
get-msoluser -ObjectId "{guid:object_identifier}"

And more importantly, can you confirm that the ObjectIdentifier can be used as a "universal" identifier for a user in any Office 365 subscription?

Based on my understanding, the object identifier is a GUID which can identify a user in Office 365 subscriptions.
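Added example (not code from the question or the answer): a helper for an ASP.NET app that keys its user table on the objectidentifier claim instead of the application-scoped NameIdentifier, with constructed claims from two app registrations to show that the key matches. Pairing the object id with the tenantid claim is this example's own choice, so that one stored key stays unambiguous in a multitenant app; the sample GUIDs are constructed.

```csharp
using System;
using System.Security.Claims;

public static class AzureAdUserKey
{
    // Claim types as issued by Azure AD; the tenantid pairing is this example's assumption.
    public const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    public const string TenantIdClaim = "http://schemas.microsoft.com/identity/claims/tenantid";

    // Returns "<tenantId>:<objectId>", stable across app registrations, or null
    // when the principal is unauthenticated or the claims are missing/not GUIDs.
    public static string TryGetStableKey(ClaimsPrincipal principal)
    {
        if (principal?.Identity == null || !principal.Identity.IsAuthenticated) return null;

        string oid = principal.FindFirst(ObjectIdClaim)?.Value;
        string tid = principal.FindFirst(TenantIdClaim)?.Value;

        // Store nothing unless both values parse as GUIDs; never fall back to NameIdentifier.
        if (!Guid.TryParse(oid, out Guid objectId) || !Guid.TryParse(tid, out Guid tenantId))
            return null;

        return $"{tenantId:D}:{objectId:D}";
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample claims: two app registrations, the same real user.
        const string oid = "11111111-2222-3333-4444-555555555555";
        const string tid = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee";

        ClaimsPrincipal FromApp(string nameId) => new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.NameIdentifier, nameId),   // differs per application
            new Claim(AzureAdUserKey.ObjectIdClaim, oid),   // same for the user everywhere
            new Claim(AzureAdUserKey.TenantIdClaim, tid),
        }, "Federation"));

        string keyA = AzureAdUserKey.TryGetStableKey(FromApp("nameid-issued-to-app-A"));
        string keyB = AzureAdUserKey.TryGetStableKey(FromApp("nameid-issued-to-app-B"));
        Console.WriteLine(keyA == keyB ? "same user: " + keyA : "different keys");
    }
}
```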
