NameIdentifier vs ObjectIdentifier


Question

I have a multitenant ASP.NET application using OpenIdConnect and Azure AD as an Identity provider for Office 365. When the user is authenticated I receive my claims in ClaimsPrincipal.Current.

I wanted to identify a user and store this id reference in my database. I asked this question. It was replied that

When trying to identify a user uniquely [NameIdentifier] should be your go-to choice.

But it seems that the NameIdentifier claim, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier, depends on the application. Precisely, if I create another application in Azure AD then the NameIdentifier will not be the same for the same real Office365 user. Keep in mind that we may have to create another Azure AD manifest (because we could need other scopes) and we should be able to find the same end-users again.

Meanwhile, I remarked another claim: ObjectIdentifier http://schemas.microsoft.com/identity/claims/objectidentifier

It seems that ObjectIdentifier is the same for all Azure AD-secured applications for a given Office 365 user.

Can you explain precisely the difference between those two claims? And more importantly, can you confirm that the ObjectIdentifier can be used as a "universal" identifier for a user in any Office 365 subscription?

Answer

Precisely, if I create another application in Azure AD then the NameIdentifier will not be the same for the same real Office365 user.

I made a quick test as follows:

Register a multi-tenant-webapp and single-tenant-webapp in AD Contoso.

Log in with user1@contoso.onmicrosoft.com and get the name identifier in both web applications; it turns out the name identifier is the same in both applications. So the name identifier should be able to identify users across applications, but it cannot be used to identify the user in Azure AD.

For the object identifier, it is a GUID which you can use to identify a user in Azure AD. For example, you can use the object identifier to query the user in Azure AD.

PowerShell (MSOnline module):

# Prompt for admin credentials and connect to the tenant
$msolcred = Get-Credential
Connect-MsolService -Credential $msolcred
# Look up the user by the GUID carried in the objectidentifier claim
Get-MsolUser -ObjectId "{guid:object_identifier}"

And more importantly, can you confirm that the ObjectIdentifier can be used as a "universal" identifier for a user in any Office 365 subscription?

Based on my understanding, the object identifier is a GUID which can identify a user in Office 365 subscriptions.
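Added example, not code from the question or the answer above: a C# helper for an ASP.NET application that reads the two claims discussed in this thread from ClaimsPrincipal and derives the key to store in the database from the objectidentifier claim rather than from nameidentifier. It also reads the tenant id claim (http://schemas.microsoft.com/identity/claims/tenantid, a standard Azure AD claim type that the thread does not mention), because the object id identifies the user object within its Azure AD tenant and keying on tenant id plus object id keeps the key unambiguous in a multi-tenant application. The class and method names and all sample claim values are constructed for this example.

```csharp
using System;
using System.Security.Claims;

// Added example (not from the original question or answer): derive a stable
// database key for a signed-in Azure AD user from the claims in the token.
static class AzureAdUserKey
{
    // Claim type URIs as they appear in the ClaimsPrincipal produced by the
    // OpenIdConnect middleware. The first two are the URIs quoted in the thread.
    public const string NameIdentifierClaim =
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier";
    public const string ObjectIdentifierClaim =
        "http://schemas.microsoft.com/identity/claims/objectidentifier";
    // Standard Azure AD tenant id claim type (not mentioned on the page).
    public const string TenantIdClaim =
        "http://schemas.microsoft.com/identity/claims/tenantid";

    // Returns "tenantId:objectId" with both GUIDs normalised to lower-case
    // "D" format, so the same user always maps to the same database key
    // regardless of which registered application issued the token.
    // Throws if either claim is missing or is not a well-formed GUID, so a
    // malformed or unexpected token never silently becomes a new user row.
    public static string GetStableUserKey(ClaimsPrincipal principal)
    {
        if (principal == null) throw new ArgumentNullException(nameof(principal));

        string oid = principal.FindFirst(ObjectIdentifierClaim)?.Value;
        if (string.IsNullOrEmpty(oid) || !Guid.TryParse(oid, out Guid oidGuid))
            throw new InvalidOperationException("Token carries no usable objectidentifier claim");

        string tid = principal.FindFirst(TenantIdClaim)?.Value;
        if (string.IsNullOrEmpty(tid) || !Guid.TryParse(tid, out Guid tidGuid))
            throw new InvalidOperationException("Token carries no usable tenantid claim");

        return $"{tidGuid:D}:{oidGuid:D}";
    }

    public static void Main()
    {
        // Constructed sample claims, as the middleware would populate them
        // for one user signing in to two different app registrations.
        // The nameidentifier differs between the two; the oid and tid do not.
        var tokenFromAppA = Build(nameId: "sample-nameid-for-app-A");
        var tokenFromAppB = Build(nameId: "sample-nameid-for-app-B");

        Console.WriteLine("App A nameidentifier: " +
            tokenFromAppA.FindFirst(ClaimTypes.NameIdentifier)?.Value);
        Console.WriteLine("App B nameidentifier: " +
            tokenFromAppB.FindFirst(ClaimTypes.NameIdentifier)?.Value);
        Console.WriteLine("App A stable key:     " + GetStableUserKey(tokenFromAppA));
        Console.WriteLine("App B stable key:     " + GetStableUserKey(tokenFromAppB));
        // Both stable keys print as
        // aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee:11111111-2222-3333-4444-555555555555
    }

    // Builds a constructed ClaimsPrincipal with fixed oid/tid sample GUIDs.
    private static ClaimsPrincipal Build(string nameId)
    {
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(NameIdentifierClaim, nameId),
            new Claim(ObjectIdentifierClaim, "11111111-2222-3333-4444-555555555555"),
            new Claim(TenantIdClaim, "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"),
        }, "OpenIdConnect");
        return new ClaimsPrincipal(identity);
    }
}
```

ClaimTypes.NameIdentifier is the same xmlsoap URI as the NameIdentifierClaim constant, so either spelling finds the claim. The sample deliberately treats nameidentifier as display-only and refuses to produce a key when oid or tid is missing; a lookup against Azure AD with the oid (for example the Get-MsolUser call in the answer) should then succeed for any key the helper returns.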
