Claim rule not working, what is wrong?


Question


I have an ADFS trust between ADFS and "Entrust GetAccess" and need to grant external users access to a SharePoint portal. The SAML token contains two claims, "email" and "groups". The "email" claim is working fine; the "groups" claim submits all groups in distinguished-name format, separated by a ";" (e.g. "cn=ADFS-Test-Group,ou=ADFS-Test,ou=GROUPS,ou=GLOBAL,o=Client-Partners,c=com;cn=Users=GROUPS,ou=GLOBAL,o=EON-Partners,c=de").

I have the following claim rule:


Question: Have I written my claim rule correctly, so that it checks whether the name "ADFS-Test-Group" exists in the received claim and transforms it into a role claim with the value "adfs-getaccess-inbound"? I keep getting access denied and am unsure what the root cause might be.

Mark

Answer


Why don't you go with the standard, out of the box group claim behavior?

Reference:
ADFS: Sending groups as claims


That way you get each group as a separate role.


You can then manipulate as appropriate.
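The question's own rule is not reproduced on this page, so the following is an added example written for this editing pass; it is not the poster's rule, and not code from Microsoft, Entrust or the linked reference. It shows the shape an acceptance transform rule on the claims provider trust would take when the whole ";"-separated DN list arrives as one claim value, as the question describes, and it exercises the regular expression offline against constructed sample values so the match semantics can be checked without an ADFS server. Assumptions, stated in the code as well: the incoming group claim type is http://schemas.xmlsoap.org/claims/Group, the claims provider trust is named "Entrust GetAccess", and the role claim type is the standard http://schemas.microsoft.com/ws/2008/06/identity/claims/role.

```powershell
# Added example, not the poster's rule and not ADFS/Entrust product code.
# Assumptions: the claim type Entrust GetAccess uses for "groups", the trust
# name, and that all DNs arrive in ONE claim value separated by ';'.
$IncomingGroupType = 'http://schemas.xmlsoap.org/claims/Group'                 # assumption
$RoleType          = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
$TrustName         = 'Entrust GetAccess'                                       # assumption

# Match "cn=ADFS-Test-Group" only as the leading RDN of one DN in the list:
# anchored at the start of the value or right after a ';' separator, and
# terminated by the ',' that closes the cn RDN. A bare substring test would
# also accept "cn=ADFS-Test-Group-Admins" or an OU named ADFS-Test-Group and
# hand out the role to the wrong people. (?i) makes the compare case-insensitive,
# which is how LDAP treats attribute values. If your directory allows an
# escaped "\;" inside a DN value, change "(^|;)" to "(^|(?<!\\);)".
$GroupPattern = '(?i)(^|;)cn=ADFS-Test-Group,'

# Acceptance transform rule in ADFS claim rule language. "=~" is the
# regular-expression operator; issue() emits the role claim into the pipeline.
$AcceptanceRules = @"
@RuleName = "Map ADFS-Test-Group DN to role"
c:[Type == "$IncomingGroupType", Value =~ "$GroupPattern"]
 => issue(Type = "$RoleType", Value = "adfs-getaccess-inbound");
"@

# Constructed sample claim values (not real data) to exercise the regex locally.
$samples = [ordered]@{
    'exact group, first in list'  = 'cn=ADFS-Test-Group,ou=ADFS-Test,ou=GROUPS,ou=GLOBAL,o=Client-Partners,c=com;cn=Users,ou=GROUPS,ou=GLOBAL,o=EON-Partners,c=de'
    'exact group, later in list'  = 'cn=Users,ou=GROUPS,o=EON-Partners,c=de;CN=adfs-test-group,ou=ADFS-Test,o=Client-Partners,c=com'
    'similarly named group'       = 'cn=ADFS-Test-Group-Admins,ou=ADFS-Test,o=Client-Partners,c=com'
    'name only inside an OU'      = 'cn=Users,ou=ADFS-Test-Group,o=Client-Partners,c=com'
}
foreach ($name in $samples.Keys) {
    $hit = [regex]::IsMatch($samples[$name], $GroupPattern)
    '{0,-28} -> {1}' -f $name, $(if ($hit) { 'role issued' } else { 'no role' })
}

# Only the first two samples should report "role issued".

# Apply on the ADFS server only; the cmdlet needs the ADFS module and admin rights.
if (Get-Command Set-AdfsClaimsProviderTrust -ErrorAction SilentlyContinue) {
    Set-AdfsClaimsProviderTrust -TargetName $TrustName -AcceptanceTransformRules $AcceptanceRules
}
```

Two checks worth making before blaming the rule itself: first, confirm the exact incoming claim type with a trace of the token (the value in $IncomingGroupType above is an assumption, and a rule whose Type does not match never fires); second, remember that a claim produced by an acceptance rule on the claims provider trust is not automatically in the token that SharePoint receives. The issuance transform rules on the SharePoint relying party trust must pass the role claim through, otherwise SharePoint never sees it and "access denied" is the expected result even when the acceptance rule is correct.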

