ADFS/SAML2.0 - How to set Claim Rules through Federation Metadata?


Question

I'm trying to implement a SAML 2.0 authentication against Windows ADFS for a web application. So far I succeeded in authenticating and getting what I need from ADFS by manually configuring the Relying Party Trust and the assigned Claim Rules.

Now I want to provide federation metadata for my application to make it easier to set up the required stuff in ADFS. However I can't figure out how to pass the required Claim Rules in that metadata.

Here's what I have so far:

<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="dokuwiki-entity" validUntil="2015-03-24T20:30:16Z">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAssertionsSigned="true">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://perd.cosmo/dw-2014-01-13/doku.php?id=start"/>

    <AttributeConsumingService index="1">
      <ServiceName xml:lang="en">DokuWiki</ServiceName>
      <RequestedAttribute isRequired="true" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="E-Mail-Adresse" />
    </AttributeConsumingService>
  </SPSSODescriptor>
  <Organization>
    <OrganizationName xml:lang="en">DokuWiki</OrganizationName>
    <OrganizationDisplayName xml:lang="en">DokuWiki</OrganizationDisplayName>
    <OrganizationURL xml:lang="en">https://www.dokuwiki.org</OrganizationURL>
  </Organization>
</EntityDescriptor>

From what I understand the RequestedAttribute should tell the ADFS to send me the user's E-Mail address upon authentication. Unfortunately after using this metadata to set up the Relying Party Trust no Claim Rules are set up.

Question: Is it possible to set up Claim Rules through metadata or has this always to be done manually? If it is possible where do I find the appropriate documentation?

Answer

You have to set up the claim rules manually (or through PowerShell). ADFS does not look at that part of the metadata.
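The following is an added example, not code from the question or the answer above. It shows the PowerShell route the answer refers to: the Relying Party Trust is created from the SP metadata shown in the question, the script then confirms that the `RequestedAttribute` in that metadata produced no issuance rules, and finally it sets an issuance transform rule (e-mail address from Active Directory, plus a NameID mapping) and an issuance authorization rule. The metadata file path `C:\temp\dokuwiki-metadata.xml` and the trust name `DokuWiki` are assumptions; the cmdlets `Add-AdfsRelyingPartyTrust`, `Get-AdfsRelyingPartyTrust` and `Set-AdfsRelyingPartyTrust` are the standard ADFS module cmdlets and the rules are written in the ADFS claim rule language.

```powershell
# Added example (not from the original question or answer): ADFS does not
# create claim rules from the SP metadata's <RequestedAttribute>, so after
# importing the metadata the rules are set with the ADFS PowerShell module.
# Assumed: this runs on the ADFS server as an ADFS administrator, and the
# metadata from the question was saved to the hypothetical path below.
Import-Module ADFS

$rpName       = 'DokuWiki'                        # assumed trust name
$metadataFile = 'C:\temp\dokuwiki-metadata.xml'   # assumed path to the SP metadata

# 1. Create the Relying Party Trust from the metadata file (entityID, ACS URL,
#    NameID formats and the WantAssertionsSigned setting are taken from the XML).
Add-AdfsRelyingPartyTrust -Name $rpName -MetadataFile $metadataFile

# 2. Check what the answer states: the trust exists but has no issuance rules.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if ([string]::IsNullOrEmpty($rp.IssuanceTransformRules)) {
    Write-Host "No issuance transform rules were created from the metadata."
}

# 3. Issuance transform rules. The first rule reads the user's 'mail' attribute
#    from Active Directory and issues it as the emailaddress claim the metadata
#    requested; the second maps that e-mail address to a persistent SAML NameID.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send E-Mail Address from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "E-Mail Address as persistent NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
'@

# 4. Issuance authorization rule. Without one, ADFS issues no token for this
#    trust at all. This permits every authenticated user; replace it with a
#    rule keyed on a group claim if only some users should reach the wiki.
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authorizationRules

# 5. Verify the rules that are now in force on the trust.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Running the same `Get-AdfsRelyingPartyTrust` check before and after the `Set-` call makes the behaviour described in the answer visible: the trust imported from metadata carries the endpoints and identifiers, but every claim that reaches the application is decided by the rules assigned here, so the rule text is what should be reviewed and kept under version control, not the metadata.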
