ADFS + OpenID Connect email claim and external ADFS

Question

I'm having difficulties setting up ADFS with OpenID Connect on Windows Server 2016.

I've setup AD for testing and I can successfully authenticate, however the email claim is not in the id token.

Additionally I've setup an external ADFS in the Claims Provider trust. It is displayed as an option, however upon logging in I get the error:

    MSIS9642: The request cannot be completed because an id token is required but the server was unable to construct an id token for the current user.

Anybody have suggestions on how to fix this?

Recommended answer

The root cause of MSIS9642 is that the new OpenID Connect Application Group features in ADFS 2016 need to issue an access token to your application. This token must include the user's identity. In order to issue the token the subsystem must understand which claim in the inbound claims is used to uniquely identify the user.

A new property called AnchorClaimType has been added to the Claim Provider Trust model.

When ADFS is first installed it registers a built in Claim Provider Trust for AD AUTHORITY and sets the value for AnchorClaimType to

foo://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname

You can see this by using the powershell command get-adfsclaimsprovidertrust.

This is why OpenID works for when authenticating against Active Directory.

When you create a new Claim Provider Trust the system does not set an AnchorClaimType. The OpenID system can't issue a token because it does not know which inbound claim constitutes the unique user identity. This is why OpenID does not work when authenticating against an external Claim Provider trust.

In order to resolve this problem you need to take a few actions:

a) Verify that you are running Windows Server 2016 RTM. Unfortunately the powershell attribute to set AnchorClaimType does not exist in the CTP, and the property cannot be set using the UI.

b) Choose a claim from the inbound token that represents the user's identity and identify the claim type. In our case we were federating with an Azure Active Directory and chose name, and the type is foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

c) Set the AnchorClaimType for the Claim Provider Trust to the type selected by using powershell:

    set-adfsclaimsprovidertrust -targetidentifier identifier -AnchorClaimType http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

(get identifier from powershell get-adfsclaimsprovidertrust)

d) Create at least one inbound rule that passes through the value for the primary input claim, in our case Name

Hope this helps
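Steps a) to d) of the answer above, carried out end to end with the ADFS PowerShell module, as an added example that is not part of the original answer. The trust name "Contoso AAD" is a placeholder for whatever Get-AdfsClaimsProviderTrust shows in your environment, and the pass-through rule text is my own; the answer itself only names the cmdlets.

```powershell
# Added example, not from the original answer. Runs on the ADFS server (Windows Server 2016 RTM).
# "Contoso AAD" is a placeholder: use the Name of the external claims provider trust
# as listed by Get-AdfsClaimsProviderTrust.
$trustName = 'Contoso AAD'
$anchor    = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'

# a) The -AnchorClaimType parameter only exists from RTM onwards; fail early on older builds.
$cmd = Get-Command Set-AdfsClaimsProviderTrust
if (-not $cmd.Parameters.ContainsKey('AnchorClaimType')) {
    throw 'Set-AdfsClaimsProviderTrust has no -AnchorClaimType parameter; this is not Server 2016 RTM.'
}

# b) Inspect the external trust. Its Identifier is what -TargetIdentifier expects;
#    AnchorClaimType is empty on a trust created after installation, which is what causes MSIS9642.
$trust = Get-AdfsClaimsProviderTrust -Name $trustName
"Identifier:      $($trust.Identifier)"
"AnchorClaimType: '$($trust.AnchorClaimType)'"

# c) Tell the OpenID Connect pipeline which inbound claim is the unique user identity.
Set-AdfsClaimsProviderTrust -TargetIdentifier $trust.Identifier -AnchorClaimType $anchor

# d) The anchor claim must actually reach the pipeline, so an acceptance (inbound) rule
#    has to pass it through. -AcceptanceTransformRules replaces the whole rule set,
#    so append to the existing rules instead of overwriting them.
$passThrough = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through name (anchor claim)"
c:[Type == "$anchor"]
 => issue(claim = c);
"@
if ($trust.AcceptanceTransformRules -notmatch [regex]::Escape($anchor)) {
    $rules = ($trust.AcceptanceTransformRules + "`r`n" + $passThrough).Trim()
    Set-AdfsClaimsProviderTrust -TargetIdentifier $trust.Identifier -AcceptanceTransformRules $rules
}

# Verify both settings before testing the login again.
Get-AdfsClaimsProviderTrust -Name $trustName |
    Select-Object Name, Identifier, AnchorClaimType, AcceptanceTransformRules
```

The -notmatch check only detects whether the anchor claim type appears anywhere in the existing rules; if it is referenced by a rule that does not issue it, add the pass-through rule by hand.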
