Using third party Claims Provider Trust - not sending expected claims

Views: 68

Problem description



I configured a 3rd party claims provider in ADFS on 2012 R2. It is using the Safenet SAML cloud service (on-prem version).

I am confused by how claims are generated and passed in the token in this scenario. I have full auditing turned on, so I see the whole string of 500/501 events in the security log. When I select AD as the authentication source, I see a plethora of claim values in those events. However, when I use the Safenet provider I see hardly any, just the username and a couple of unresolved OIDs.

I've tried testing adding claim rules to both the provider and to the RP I'm testing with to add LDAP claims, pass through name claims, etc., but they never show up when I authenticate.

For example, I added a rule to send a couple of values from AD like "department" to "surname" for the RP. When I use AD to authenticate, that comes through in the 500 event, but when using the other CP, it does not. It's always the same. How do I send the same variety of claims to the RPs I have when using this 3rd party auth provider?

Solution

Hi,

On the Safenet side you have to configure federation to your ADFS. Probably you need to enable ADFS authentication, user authentication and configure attribute mapping (e.g. AccountName). On the ADFS side you have to edit the Claim Rules for the Safenet claims provider and create a Transform rule (Transform an Incoming Claim) - Name ID (Unspecified) to Windows account name - and Pass through all claim values.
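The ADFS side of that answer, written out as an added example (not from the original thread) using the ADFS PowerShell module and claim rule language. The trust names are placeholders, and the relying-party rule goes one step beyond the answer: it shows why the windowsaccountname claim matters, since AD attribute-store lookups on the RP key off that claim type.

```powershell
# Added example, not from the original thread. Trust display names are placeholders.
$cpName = "Safenet"   # placeholder: claims provider trust for the Safenet IdP
$rpName = "Test RP"   # placeholder: relying party trust being tested

# 1. Acceptance transform rules on the claims provider trust.
#    First rule: Transform an Incoming Claim - Name ID (Unspecified) -> Windows account name.
#    Second rule: pass every other incoming claim through unchanged.
#    Caveat: a blanket pass-through lets the external IdP assert any claim type; once you know
#    which claims the RPs need, narrow "c:[]" to those Type values.
$cpRules = @'
@RuleTemplate = "MapClaims"
@RuleName = "Name ID (Unspecified) to Windows account name"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
   Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through all claim values"
c:[]
 => issue(claim = c);
'@
Set-AdfsClaimsProviderTrust -TargetName $cpName -AcceptanceTransformRules $cpRules

# 2. Issuance transform rule on the relying party trust.
#    Rules generated by the "Send LDAP Attributes as Claims" template carry the condition
#    Issuer == "AD AUTHORITY", which never matches a windowsaccountname that arrived via an
#    external claims provider, so the LDAP lookup silently never fires. A custom rule without
#    that condition queries AD for any windowsaccountname claim. The value must be DOMAIN\user,
#    which is what the AccountName attribute mapping on the Safenet side has to supply.
#    Note: -IssuanceTransformRules replaces the RP's whole rule set; merge with existing rules.
$rpRules = @'
@RuleName = "AD attributes for users authenticated by any claims provider"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"),
          query = ";department;{0}", param = c.Value);
'@
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rpRules

# Verify what was applied before testing a sign-in and re-reading the 500/501 audit events.
(Get-AdfsClaimsProviderTrust -Name $cpName).AcceptanceTransformRules
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```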

