How to get user groups from on-premise ADFS claims
Question
I have followed this article to build a demo app with on-premise ADFS federation.
I am able to get the needed information for a user using simple code:
Dim UserEmail = System.Security.Claims.ClaimsPrincipal.Current.FindFirst(System.IdentityModel.Claims.ClaimTypes.Email).Value
But how can I get the user groups that the username belongs to, and check whether the user account is a member of a Windows group in Active Directory?
I have tried to use System.Security.Claims.ClaimsPrincipal.Current.IsInRole
to check if the user is in a group, but it won't work.
In ADFS claims rules, you need to configure a rule "Send LDAP Attributes as Claims" / "Token Groups - Unqualified Names" and map to "Role" as the "Outgoing Claim Type".
ADFS then provides all the security groups the user is memberOf in Role format and WIF maps them to the IsInRole construct.
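As an added illustration (not part of the original answer), this is what the GUI template "Send LDAP Attributes as Claims" with "Token-Groups - Unqualified Names" mapped to "Role" produces in ADFS claim rule language, appended to an existing relying party trust from the ADFS server's PowerShell. The relying party trust name "DemoApp" is an assumption.

```powershell
# Added example, not from the original post. Assumes a relying party trust named
# "DemoApp" already exists (the one the article had you create for the demo app).
$rpName = "DemoApp"

# The AD attribute "tokenGroups" is what the GUI calls "Token-Groups - Unqualified Names".
# The outgoing type is the standard role claim type that ClaimsIdentity/IsInRole
# checks by default, so no extra mapping is needed in the WIF application.
$groupRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD security groups as roles"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);
'@

# -IssuanceTransformRules replaces the whole rule set, so read the existing rules
# (e.g. the e-mail claim rule) and append rather than overwrite them.
$existing = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules ($existing + "`r`n" + $groupRule)

# Verify: the group rule should now be listed alongside the original rules.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

tokenGroups returns transitive (nested) membership as bare group names, so a group with the same name in two domains produces identical role claims; IsInRole then matches on that exact group name string.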