Get email address from SAML Response using Single Sign On and ADFS


Question

I am in the process of setting up a single sign on (SSO) system using ADFS and SAML 2.0. I have the following scenario that I am stuck on:

1) User attempts to access web resource, is not logged in so is directed to ADFS SSO service.

2) User successfully authenticates against ADFS.

3) ADFS passes SAML Response back to web resource.

4) The web resource itself has a user database but the user does not exist here.

5) So, the web resource must create the user account silently. To do this I need the email address.

So, is it possible to configure ADFS to return the email address of the user in a successful SAML response message?

Answer

You can configure ADFS to return an Email claim, provided ADFS has some way of getting this (Active Directory or some other attribute store, maybe a database it can access?) and provided your application is set up to decrypt the returned token to read the claims inside.

Assuming this is ADFS 2.0:

  1. Set up your web resource as a Relying Party Trust (it sounds like you have done this)
  2. Right-click the RP and choose Edit Claim Rules...
  3. On the "Issuance Transform Rules" tab, add a new rule for the email address

If you can get the email from Active Directory because your users are authenticating through a domain, then you can choose the "Send LDAP Attributes as Claims" rule template.

Otherwise, you'll have to pick "Send Claims Using a Custom Rule" and set up a custom attribute store (to the database or whatever it is) and go through the motions of writing a claim rule to do it.

Once you have that set up, in your ASP.NET app you'll need to configure it to use ADFS as your token issuer. This is accomplished with the Windows Identity Framework Microsoft.IdentityModel.dll and associated configuration. If you've installed the WIF SDK, you should have some extra options in Visual Studio, namely if you right-click your web project there should be an "Add STS Reference" option. This will run FedUtil which is a wizard that will automatically set up your web.config appropriately. Google around for how to set things up.

Now that your site is using ADFS for claims, you'll need to make a few changes. Under the <microsoft.identityModel> section in your web.config, ensure that you have set it to save the bootstrap token (<service saveBootstrapTokens="true">). In your code, you can now access the email claim whenever you need it by doing:

// Microsoft.IdentityModel (WIF 3.5); needs using System.Linq; and using Microsoft.IdentityModel.Claims;
// FirstOrDefault() returns null when ADFS did not issue an email claim, so do not dereference .Value blindly
var emailClaim = ((IClaimsIdentity)User.Identity).Claims.FirstOrDefault(c => c.ClaimType == ClaimTypes.Email);
string email = emailClaim != null ? emailClaim.Value : null;

If you don't set it to save the bootstrap token, then the Claims collection there will be empty.

There's potentially a lot of other factors that can mess things up along the way, though. Hopefully this will get you on the right track.
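The ADFS side of the procedure in the answer above (relying party trust, issuance transform rules, and both the "Send LDAP Attributes as Claims" and custom-attribute-store variants), scripted as an added example. This is not code from the answerer or from Microsoft; the relying party name and identifier, the metadata URL, the SQL attribute store name "UserDb", its connection string and the table and column names are placeholders assumed for this example. The rule text is what the ADFS claim rule language looks like when the wizard templates named in the answer generate it, so running the GUI steps and this script leads to the same trust configuration.

```powershell
# Added example (not from the original answer): scripted equivalent of the ADFS 2.0 steps above.
# ADFS 2.0 ships its cmdlets as a PowerShell snap-in; on Windows Server 2012 R2 and later use
# "Import-Module ADFS" instead and the same cmdlets are available.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Placeholders assumed for this example.
$rpName       = "Example Web App"
$rpIdentifier = "https://app.example.com/"   # must equal an <audienceUris> entry in the RP's web.config
$rpMetadata   = "https://app.example.com/FederationMetadata/2007-06/FederationMetadata.xml"

# Step 1: register the web resource as a Relying Party Trust. Pulling the RP's federation metadata
# imports its identifier, endpoints and (if published) its token-encryption certificate, which is why
# the application later has to be able to decrypt the token to read the claims.
Add-ADFSRelyingPartyTrust -Name $rpName -Identifier $rpIdentifier -MetadataUrl $rpMetadata

# Steps 2-3, variant A: the rule the "Send LDAP Attributes as Claims" template generates.
# The authenticated Windows account name (issued by AD AUTHORITY) is used as the lookup key and
# the "mail" attribute from Active Directory is issued as the emailaddress claim.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email address from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
'@

# For a SAML relying party it is common to also carry the email address as the SAML NameID
# (the "Transform an Incoming Claim" template), so the RP gets a stable subject to key its user table on.
$nameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "Email address as NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules ($ldapRule + "`n" + $nameIdRule)

# A relying party trust with no issuance authorization rule issues no token at all. "Permit all"
# lets every user who authenticated against ADFS through; tighten this to a group claim if the
# application should not silently create accounts for every domain user.
Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Steps 2-3, variant B: the email address lives in a database, not in AD. Register a SQL attribute
# store and use "Send Claims Using a Custom Rule"; ADFS substitutes the value bound to param for {0}.
Add-ADFSAttributeStore -Name "UserDb" -StoreType SQL -Configuration @{ "Connection" = "Server=sql01;Database=Users;Integrated Security=SSPI" }
$sqlRule = @'
@RuleName = "Email address from the user database"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "UserDb", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = "SELECT mail FROM dbo.Users WHERE sAMAccountName = {0}", param = c.Value);
'@
# Use this in place of $ldapRule when Active Directory does not hold the address:
# Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules ($sqlRule + "`n" + $nameIdRule)

# Verify what the trust will issue before pointing the application at it.
Get-ADFSRelyingPartyTrust -Name $rpName | Select-Object Identifier, IssuanceTransformRules, IssuanceAuthorizationRules
```

Only claims that appear in the issuance transform rules reach the relying party, so if the email claim is missing from the token the first place to look is the output of the final Get-ADFSRelyingPartyTrust call, not the application code.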

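The relying-party side of the same setup, as an added example rather than the answerer's configuration: a trimmed <microsoft.identityModel> section of the kind FedUtil writes into web.config, showing the saveBootstrapTokens switch from the answer next to the settings that decide whether a token from ADFS is accepted at all. Host names and the two thumbprints are placeholders. One caveat: Microsoft.IdentityModel (WIF 3.5) consumes SAML 1.1 and 2.0 tokens delivered through WS-Federation passive sign-in, not the SAML 2.0 protocol itself, so the relying party trust in ADFS must use a WS-Federation passive endpoint for this configuration to apply.

```xml
<!-- Added example; placeholders: app.example.com, adfs.example.com and the two thumbprints. -->
<microsoft.identityModel>
  <service saveBootstrapTokens="true">
    <!-- The token's Audience must match one of these, otherwise a token issued for another RP is rejected. -->
    <audienceUris>
      <add value="https://app.example.com/" />
    </audienceUris>
    <federatedAuthentication>
      <!-- realm is sent to ADFS as wtrealm and must equal the RP identifier configured in the trust. -->
      <wsFederation passiveRedirectEnabled="true"
                    issuer="https://adfs.example.com/adfs/ls/"
                    realm="https://app.example.com/"
                    requireHttps="true" />
      <!-- The WIF session cookie carries the claims; never let it travel over plain HTTP. -->
      <cookieHandler requireSsl="true" />
    </federatedAuthentication>
    <!-- Only tokens signed by the ADFS token-signing certificate with this thumbprint are trusted.
         The name is the ADFS federation service identifier and becomes the claims' Issuer. -->
    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <trustedIssuers>
        <add thumbprint="ADFS_TOKEN_SIGNING_THUMBPRINT" name="http://adfs.example.com/adfs/services/trust" />
      </trustedIssuers>
    </issuerNameRegistry>
    <!-- FedUtil often emits certificateValidationMode="None"; PeerOrChainTrust keeps chain checks on the signing cert. -->
    <certificateValidation certificateValidationMode="PeerOrChainTrust" />
    <!-- Private key used to decrypt the token when ADFS encrypts it for this RP (the "decrypt" step in the answer). -->
    <serviceCertificate>
      <certificateReference x509FindType="FindByThumbprint"
                            findValue="RP_ENCRYPTION_CERT_THUMBPRINT"
                            storeLocation="LocalMachine"
                            storeName="My" />
    </serviceCertificate>
  </service>
</microsoft.identityModel>
```

FedUtil also registers WSFederationAuthenticationModule and SessionAuthenticationModule under <system.webServer>/<modules>; without those the section above is never consulted and User.Identity is a plain Windows or anonymous identity with no claims.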
