Basic info for ADFS - Custom claims rule, Claim description, login pages...


Problem description



Hi all,

I'm new to ADFS & SAML and trying to work my way through an implementation. I know that my organisation will be the IdP and have some info about the SP's endpoint and claim requirements.

What I'm struggling with is creating a custom claim rule. I don't really want to learn another Microsoft language just for this so I'm hoping someone can steer me in the right direction.

My questions are:

-  Creating a Claim description, does the URI do anything? I believe I need to create a claim description for AD attribute EmployeeID but what do I use for the schema? I've seen references to http://.../test etc, but is this valid?

-  Creating a custom claims rule: I've tried custom rules I've found searching:

Link1 - http://social.msdn.microsoft.com/Forums/vstudio/en-US/cc7c5271-a23d-4afb-a083-79fb07841cd9/some-help-with-using-employee-id-as-a-claim?forum=Geneva

Link2 - http://social.msdn.microsoft.com/Forums/vstudio/en-US/74e8a7bf-d659-4c83-b079-0cefceb7f538/adfs-custom-claim?forum=Geneva

...but they aren't accepted when I copy and modify for EmployeeID. What I need is a rule that accepts any authenticated user (hoping for intranet integrated authentication), pulls their AD employeeID attribute, prepends the employeeID with a value (for this example, let's call it "abcd") and sends that as the "Name" entity in the claim.

-  What URL do we give users to connect to, that initiates the IdP claim to the SP? I've seen the URL https://adfs.server/adfs/ls/IdpInitiatedSignon.aspx ...and that my Relying Trust entity is in there... but is there a way to make this automated when the user selects an entry? Is this the RelayState feature I've seen referenced?

Thanks in advance!

Solution

The claims names are loosely typed - you can use anything you want.

However, there are some "standards":

ClaimTypes Members

Name is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name.

So:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://example.com/claims/employeeID"), query = ";employeeID;{0}", param = c.Value);
c:[Type == "http://example.com/claims/employeeID"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Value = "abcd" + c.Value);
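As an added example, not part of the original thread, the same setup scripted with the standard ADFS PowerShell cmdlets: a claim description for the employee ID (any unique URI works, which answers the schema question; the URI used here is a placeholder), the claim rules split into an `add` rule that looks up `employeeID` into an intermediate claim and an `issue` rule that prepends "abcd" and emits it as Name, and a permit-all authorization rule so every authenticated user is accepted. The relying party display name and the intermediate claim type are placeholders I chose; the cmdlets and the claim-rule syntax are standard ADFS.

```powershell
# Added example, not from the original thread. Assumes the ADFS cmdlets
# (Import-Module ADFS on ADFS 2.0; built in on Windows Server 2012 R2 and later)
# and an existing relying party trust. Placeholders: the relying party name and
# the intermediate claim type URI.
Import-Module ADFS

$rpName          = "<relying party display name>"           # placeholder
$employeeIdClaim = "http://example.com/claims/employeeID"   # placeholder; any unique URI works
$nameClaim       = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
$windowsAccount  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"

# 1. Claim description: the URI is only an identifier; registering it just
#    makes the type selectable in the management console pickers.
$existing = Get-AdfsClaimDescription | Where-Object { $_.ClaimType -eq $employeeIdClaim }
if (-not $existing) {
    Add-AdfsClaimDescription -Name "Employee ID" -ClaimType $employeeIdClaim -IsOffered $true -IsAccepted $true
}

# 2. Issuance transform rules. The Active Directory attribute store uses param
#    as the lookup key ({0} in the query, matched against the Windows account
#    name), so the "abcd" prefix is applied in a second rule after the lookup,
#    never to the key itself.
$transformRules = @"
@RuleName = "Look up employeeID for the authenticated Windows account"
c:[Type == "$windowsAccount", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("$employeeIdClaim"), query = ";employeeID;{0}", param = c.Value);

@RuleName = "Issue Name as abcd + employeeID"
c:[Type == "$employeeIdClaim"]
 => issue(Type = "$nameClaim", Value = "abcd" + c.Value);
"@

# 3. Issuance authorization rule: permit every authenticated user.
$authorizationRules = @"
@RuleName = "Permit all users"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authorizationRules

# Read back what ADFS stored, to confirm the rule text parsed.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

The split into two rules is the point to check when a rule "isn't accepted" or issues an empty Name: `param` feeds the store query's `{0}` and must be the bare account name from the windowsaccountname claim, while string concatenation with `+` belongs in the `Value` of the final `issue` statement.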

