ADFS + OpenID Connect email claim and external ADFS


Question

I'm having difficulties setting up ADFS with OpenID Connect on Windows Server 2016.

I've set up AD for testing and I can successfully authenticate, however the email claim is not in the id token.

Additionally, I've set up an external ADFS in the Claims Provider trust. It is displayed as an option, however upon logging in I get the error:

    MSIS9642: The request cannot be completed because an id token is required but the server was unable to construct an id token for the current user.

Anybody have suggestions on how to fix this?

Answer

The root cause of MSIS9642 is that the new OpenID Connect Application Group features in ADFS 2016 need to issue an access token to your application. This token must include the user's identity. In order to issue the token, the subsystem must understand which claim in the inbound claims is used to uniquely identify the user.

A new property called AnchorClaimType has been added to the Claim Provider Trust model.

When ADFS is first installed it registers a built-in Claim Provider Trust for AD AUTHORITY and sets the value for AnchorClaimType to

    http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname

You can see this by using the powershell command get-adfsclaimsprovidertrust.

This is why OpenID works when authenticating against Active Directory.

When you create a new Claim Provider Trust the system does not set an AnchorClaimType. The OpenID system can't issue a token because it does not know which inbound claim constitutes the unique user identity. This is why OpenID does not work when authenticating against an external Claim Provider trust.

In order to resolve this problem you need to take a few actions:

a) Verify that you are running Windows Server 2016 RTM. Unfortunately the powershell attribute to set AnchorClaimType does not exist in the CTP, and the property cannot be set using the UI.

b) Choose a claim from the inbound token that represents the user's identity and identify the claim type. In our case we were federating with an Azure Active Directory and chose name, and the type is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

c) Set the AnchorClaimType for the Claim Provider Trust to the type selected by using powershell:

    set-adfsclaimsprovidertrust -targetidentifier identifier -AnchorClaimType http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

(get identifier from powershell get-adfsclaimsprovidertrust)

d) Create at least one inbound rule that passes through the value for the primary input claim, in our case Name.

Hope this helps
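The four steps of the answer above as one PowerShell script. This is an added example, not code from the answer or from Microsoft; it assumes an elevated session on a Windows Server 2016 RTM federation server with the ADFS module installed, and `$TrustIdentifier` is a placeholder for the identifier of the external ADFS claims provider trust (take the real value from `Get-AdfsClaimsProviderTrust`). The version check, the guard against overwriting existing acceptance rules, and the final verification are additions beyond what the answer spells out.

```powershell
# Added example (not the original answer's code). Assumes the ADFS module and a
# Windows Server 2016 RTM federation server; $TrustIdentifier is a placeholder.
Import-Module ADFS

$TrustIdentifier = 'http://sts.partner.example/adfs/services/trust'   # placeholder identifier
$AnchorClaim     = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'

# Step a) The -AnchorClaimType parameter exists on RTM only, not on the CTP builds,
# so check for it before doing anything else.
$setCmd = Get-Command Set-AdfsClaimsProviderTrust
if (-not $setCmd.Parameters.ContainsKey('AnchorClaimType')) {
    throw 'Set-AdfsClaimsProviderTrust has no -AnchorClaimType parameter; this is not Windows Server 2016 RTM.'
}

# Show which trusts carry an anchor: AD AUTHORITY is pre-populated with
# windowsaccountname, while a trust you created yourself shows an empty value.
Get-AdfsClaimsProviderTrust |
    Select-Object Name, Identifier, AnchorClaimType |
    Format-Table -AutoSize

$trust = Get-AdfsClaimsProviderTrust -Identifier $TrustIdentifier
if ($null -eq $trust) { throw "No claims provider trust with identifier $TrustIdentifier" }

# Steps b) and c) Set the anchor to the inbound claim that uniquely identifies the user.
# Pick a claim the external IdP guarantees to be unique and stable per user.
if ([string]::IsNullOrEmpty($trust.AnchorClaimType)) {
    Set-AdfsClaimsProviderTrust -TargetIdentifier $TrustIdentifier -AnchorClaimType $AnchorClaim
}

# Step d) Add an acceptance transform rule that passes the anchor claim through.
# -AcceptanceTransformRules replaces the whole rule set, so append to the
# existing rules instead of overwriting them.
$passThrough = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through the anchor claim (Name)"
c:[Type == "$AnchorClaim"]
 => issue(claim = c);
"@

if ($trust.AcceptanceTransformRules -notmatch [regex]::Escape($AnchorClaim)) {
    $rules = ($trust.AcceptanceTransformRules, $passThrough) -join "`r`n"
    Set-AdfsClaimsProviderTrust -TargetIdentifier $TrustIdentifier -AcceptanceTransformRules $rules
}

# Verify that both settings landed on the trust.
Get-AdfsClaimsProviderTrust -Identifier $TrustIdentifier |
    Select-Object Name, AnchorClaimType, AcceptanceTransformRules |
    Format-List
```

Run it once per external claims provider trust. The pass-through rule is written in the ADFS claim rule language; if the trust already has a rule emitting the anchor claim type under a different template, the `-notmatch` guard skips the append, so inspect the printed `AcceptanceTransformRules` afterwards to confirm exactly one rule issues it.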
