How to get user groups from on-premise ADFS claims

Views: 115
This article describes how to get user groups from on-premise ADFS claims and may serve as a reference for readers facing the same problem.

Problem description


I have followed this article to build demo app with on-premise ADFS federation.

http://www.cloudidentity.com/blog/2014/02/12/use-the-on-premises-organizational-authentication-option-adfs-with-asp-net-in-visual-studio-2013/

I am able to get needed information for user using simple code

Dim UserEmail = System.Security.Claims.ClaimsPrincipal.Current.FindFirst(System.IdentityModel.Claims.ClaimTypes.Email).Value

But how I can get user groups where the username belongs and check if user account is member of Windows group in Active Directory?

I have tried to use System.Security.Claims.ClaimsPrincipal.Current.IsInRole to check if user is in group, but it won't work

Solution

In ADFS claims rules, you need to configure a rule "Send LDAP Attributes as Claims" / "Token Groups - Unqualified Names" and map to "Role" as the "Outgoing Claim Type".

ADFS then provides all the security groups the user is memberOf in Role format and WIF maps them to the IsInRole construct.
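As an added example (not code from the question or the answer above), the following VB.NET module, in the language the question uses, shows the relying-party side once the rule the answer describes is in place: it lists the group names delivered as role claims, checks membership through IsInRole, and falls back to checking the raw claim type when the identity's RoleClaimType does not match the type ADFS issues, which is the usual reason IsInRole returns False even though the rule exists. The sample principal, e-mail address and group names are constructed values; the claim rule reproduced in the leading comment is the claim-rule-language form of the "Token-Groups - Unqualified Names" to "Role" rule and is there for reference only.

```vb
Imports System
Imports System.Collections.Generic
Imports System.Linq
Imports System.Security.Claims
Imports System.Text

' The rule the answer describes, as ADFS stores it in its claim rule language
' (reference only; the VB code below runs against the claims it produces):
'
'   c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
'    => issue(store = "Active Directory",
'             types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
'             query = ";tokenGroups;{0}", param = c.Value);
'
' Each group the user is a member of then arrives as one claim of type
' ClaimTypes.Role, which is also ClaimsIdentity's default RoleClaimType.

Public Module GroupClaims

    ' Returns the group names carried as role claims on the principal.
    ' Returns an empty list (never Nothing); an empty result means ADFS issued
    ' no role claims, which is the usual reason IsInRole always returns False.
    Public Function GetGroups(principal As ClaimsPrincipal) As List(Of String)
        If principal Is Nothing Then Return New List(Of String)()
        Return principal.FindAll(ClaimTypes.Role).Select(Function(c) c.Value).ToList()
    End Function

    ' IsInRole only consults claims whose type equals ClaimsIdentity.RoleClaimType.
    ' If the identity was built with a different role claim type than the one
    ' ADFS issues, IsInRole silently returns False; in that case the check is
    ' made directly against the claim type ADFS uses.
    Public Function IsMemberOf(principal As ClaimsPrincipal, groupName As String) As Boolean
        If principal Is Nothing Then Return False
        Dim identity = TryCast(principal.Identity, ClaimsIdentity)
        If identity Is Nothing OrElse Not identity.IsAuthenticated Then Return False
        If Not String.Equals(identity.RoleClaimType, ClaimTypes.Role, StringComparison.Ordinal) Then
            Return identity.HasClaim(ClaimTypes.Role, groupName)
        End If
        Return principal.IsInRole(groupName)
    End Function

    ' Diagnostic dump of every claim, to confirm what ADFS actually issued
    ' when a group check fails.
    Public Function DescribeClaims(principal As ClaimsPrincipal) As String
        Dim sb As New StringBuilder()
        For Each c As Claim In principal.Claims
            sb.AppendLine(c.Type & " = " & c.Value)
        Next
        Return sb.ToString()
    End Function

    ' Constructed principal mimicking what WIF builds from an ADFS token, so the
    ' functions above can be exercised without a federation round-trip.
    ' The address and group names are sample values, not real accounts.
    Public Function BuildSamplePrincipal() As ClaimsPrincipal
        Dim claims As New List(Of Claim) From {
            New Claim(ClaimTypes.Email, "alice@example.com"),
            New Claim(ClaimTypes.Role, "Domain Users"),
            New Claim(ClaimTypes.Role, "App-Admins")
        }
        ' A non-empty authentication type makes IsAuthenticated return True.
        Dim identity As New ClaimsIdentity(claims, "Federation")
        Return New ClaimsPrincipal(identity)
    End Function

    Sub Main()
        ' In the web app from the question, ClaimsPrincipal.Current is passed instead.
        Dim p = BuildSamplePrincipal()
        Console.WriteLine("Groups: " & String.Join(", ", GetGroups(p)))
        Console.WriteLine("App-Admins? " & IsMemberOf(p, "App-Admins").ToString())
        Console.WriteLine("Finance? " & IsMemberOf(p, "Finance").ToString())
        Console.WriteLine(DescribeClaims(p))
    End Sub

End Module
```

When the check still fails in the real application, the output of DescribeClaims against ClaimsPrincipal.Current shows whether the role claims are missing altogether (the ADFS rule is not in place or not issuing for that relying party) or present under a different claim type than the one IsInRole consults.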
