ADFS V1配置文件与V2兼容 [英] ADFS V1 profile compatibility with V2

问题描述

我有一个带有ADFS V1声明代理的简单.net应用程序（UPN是唯一的声明）。我有一个POC ADFS V2服务器，在这种情况下是IDP。登录后，我从服务器看到一个成功的身份验证令牌，但是应用程序给了我一个403，应用服务器上的事件日志显示了"客户端提供了一个无效的入站令牌作为证据。 令牌包含无效的XML或不符合受支持的ADFS令牌配置文件。  "
错误是安全事件日志。

我通过将服务器切换到新的V2来尝试在其他正在运行的ADFS V1代理上进行相同的设置，我得到了相同的所有情况都有错误。

这里是否存在兼容性问题？有没有人用V2服务器成功完成了V1代理应用程序？

这似乎是MS在检查向后兼容性时会测试的第一个用例......

I have a simple .net application with ADFS V1 Claims agent (UPN is the only claim). I have a POC ADFS V2 server which is the IDP in this scenario. And after the login i see a successful authentication token from the server, but the application gives me a 403 and the event log on the application server shows a
"The client presented an invalid inbound token as evidence.  The token contained invalid XML or did not conform to a supported ADFS token profile.  "
error is the security event log.

I tried the same set up on other working ADFS V1 agent with V1 server cases by switching the sever to the new V2 and i get the same error on all the cases.

Is there a compatibility issue here? Has any one successfully done a V1 agent application with V2 server ?

Seems like this would be the first use case MS would test when they are checking backward compatibility ......

推荐答案

ADFS 1.x Web代理通常会在调试日志中提供更多详细信息。您可以通过在web.config中添加以下部分来启用Web代理应用程序的调试日志：

ADFS 1.x web agent usually gives more detail in debug logs. You can enable debug logs for web agent apps by adding following section in you web.config:

  < System.Diagnostics程序>
&NBSP;&NBSP;&NBSP; <开关>
&NBSP;&NBSP;&NBSP;&NBSP;&NBSP; < add name =" WebSsoDebugLevel"值= QUOT; 255" />
&NBSP;&NBSP;&NBSP; < /开关>
&NBSP;&NBSP;&NBSP; < trace autoflush =" true" indentsize = QUOT; 3英寸;>
&NBSP;&NBSP;&NBSP;&NBSP;&NBSP; <听众>
&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP; < add name =" ADFSLogListener" type =" System.Web.Security.SingleSignOn.BoundedSizeLogFileTraceListener，System.Web.Security.SingleSignOn，Version = 1.0.0.0，Culture = neutral，PublicKeyToken = 31bf3856ad364e35，Custom = null" initializeData = QUOT; C：\logs\webagent.log" />
&NBSP;&NBSP;&NBSP;&NBSP;&NBSP; < /听众>
&NBSP;&NBSP;&NBSP; < /跟踪>
&NBSP; < /system.diagnostics>

  <system.diagnostics>
    <switches>
      <add name="WebSsoDebugLevel" value="255" />
    </switches>
    <trace autoflush="true" indentsize="3">
      <listeners>
        <add name="ADFSLogListener" type="System.Web.Security.SingleSignOn.BoundedSizeLogFileTraceListener, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" initializeData="C:\logs\webagent.log" />
      </listeners>
    </trace>
  </system.diagnostics>

确保网络代理应用程序可以写入c：\ ass（可能需要将网络服务写入ACL添加到文件夹权限 - 这取决于应用程序池帐户）。

Make sure c:\logs is writeable by web agent app (likely you need to add Network Service write ACL to folder permissions - that depends on app pool account).

如果没有调试日志我可以猜测，名称标识符声明不是来自ADFS 2.0索赔发布政策。如果是这种情况，您可以设置声明转换规则 - 输入声明是ADFS UPN，输出声明应该是"名称ID"。和传出的名称标识符格式是UPN。

Without debug logs I can guess that name identifier claim is not emited from ADFS 2.0 claim issuance policy. If that's the case you can setup claim transform rule - input claim is ADFS UPN and outgoing claim should be "Name ID" and outgoing name identifier format is UPN.

这篇关于ADFS V1配置文件与V2兼容的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！