Why is ADFS not returning an email claim?
I set up ADFS on a local web server and created a relying party trust for a brand new ASP.NET Web Forms application. In the relying party trust, under the Issuance Transform Rules tab, I added a claim rule named Get Attributes; in its properties the attribute store is set to Active Directory, and in the table that maps LDAP attributes to outgoing claims I selected E-Mail-Addresses -> E-Mail Address.
I ran the WIF federation utility against my new application and pointed it at the ADFS server. I can run the application and authenticate against my server, and after authentication it sends me back to my page. However, when I iterate over the claims, none of them contains an email address.
IClaimsPrincipal icp = Thread.CurrentPrincipal as IClaimsPrincipal;
IClaimsIdentity claimsIdentity = (IClaimsIdentity)icp.Identity;
foreach (Claim claim in claimsIdentity.Claims)
{
    Response.Write("<b>" + claim.Subject + "</b></br>");
    Response.Write("<b>" + claim.ValueType + "</b></br>");
    Response.Write("<b>" + claim.Value + "</b></br>");
}
The response I get from this code is here:
http://www.w3.org/2001/XMLSchema#string
http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows
http://www.w3.org/2001/XMLSchema#dateTime
2016-10-27T15:30:26.412Z
Here is my web.config:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<configSections>
<section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</configSections>
<location path="FederationMetadata">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<system.web>
<authorization>
<deny users="?" />
</authorization>
<authentication mode="None" />
<compilation debug="true" targetFramework="4.5">
<assemblies>
<add assembly="Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
</assemblies>
</compilation>
<httpRuntime targetFramework="4.5" requestValidationMode="2.0" />
<pages>
<namespaces>
<add namespace="System.Web.Optimization" />
</namespaces>
<controls>
<add assembly="Microsoft.AspNet.Web.Optimization.WebForms" namespace="Microsoft.AspNet.Web.Optimization.WebForms" tagPrefix="webopt" />
</controls>
</pages>
<httpModules>
<add name="ApplicationInsightsWebTracking" type="Microsoft.ApplicationInsights.Web.ApplicationInsightsHttpModule, Microsoft.AI.Web" />
<add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
<add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</httpModules>
</system.web>
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="Newtonsoft.Json" culture="neutral" publicKeyToken="30ad4fe6b2a6aeed" />
<bindingRedirect oldVersion="0.0.0.0-6.0.0.0" newVersion="6.0.0.0" />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="WebGrease" culture="neutral" publicKeyToken="31bf3856ad364e35" />
<bindingRedirect oldVersion="0.0.0.0-1.5.2.14234" newVersion="1.5.2.14234" />
</dependentAssembly>
</assemblyBinding>
</runtime>
<system.codedom>
<compilers>
<compiler language="c#;cs;csharp" extension=".cs" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.CSharpCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:6 /nowarn:1659;1699;1701" />
<compiler language="vb;vbs;visualbasic;vbscript" extension=".vb" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.VBCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:14 /nowarn:41008 /define:_MYTYPE=\"Web\" /optionInfer+" />
</compilers>
</system.codedom>
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<modules>
<remove name="ApplicationInsightsWebTracking" />
<add name="ApplicationInsightsWebTracking" type="Microsoft.ApplicationInsights.Web.ApplicationInsightsHttpModule, Microsoft.AI.Web" preCondition="managedHandler" />
<add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
<add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
</modules>
</system.webServer>
<appSettings>
<add key="FederationMetadataLocation" value="https://customsts.dev/FederationMetadata/2007-06/FederationMetadata.xml" />
<add key="autoFormsAuthentication" value="false" />
<add key="enableSimpleMembership" value="false"/>
</appSettings>
<microsoft.identityModel>
<service>
<audienceUris>
<add value="https://dev.XXX.net:44334/" />
</audienceUris>
<federatedAuthentication>
<wsFederation passiveRedirectEnabled="true" issuer="https://customsts.dev/adfs/ls/" realm="https://dev.XXX.net:44334/" requireHttps="false" />
<cookieHandler requireSsl="false" />
</federatedAuthentication>
<applicationService>
<claimTypeRequired>
<!--Following are the claims offered by STS 'http://customsts.dev/adfs/services/trust'. Add or uncomment claims that you require by your application and then update the federation metadata of this application.-->
<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="true" />
<claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" optional="true" />
<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="false" />
</claimTypeRequired>
</applicationService>
<issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<trustedIssuers>
<add thumbprint="123456789XXXX....." name="http://customsts.dev/adfs/services/trust" />
</trustedIssuers>
</issuerNameRegistry>
<certificateValidation certificateValidationMode="None" />
</service>
</microsoft.identityModel>
</configuration>
10/27/2016 follow-up
I noticed that if I change the global authentication policy, remove Windows authentication and keep only Forms authentication, I get this as one of the claims:
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
instead of this:
http://www.w3.org/2001/XMLSchema#string http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows.
This does not help me at all, but I thought I would provide it for reference.
Do you forward/issue any email claims from the claims provider trust that is being used? Try forwarding the email to the relying party.
As far as I know, you can forward all incoming claims from the CP using:
c:[] => issue(claim = c);
Does that make sense?
I finally found the answer. I did not know this, but our email is set up off-site, so our internal Active Directory had no email address set for my ID. Our admin put my email address into my Active Directory settings and now it shows up.
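An added diagnostic, not part of the original question or answers, that checks the two things this thread turns on: whether the relying party trust has an issuance rule that emits the email claim type at all, and whether the user object actually has a value in the LDAP `mail` attribute (an empty attribute produces no claim, which was the root cause here). It assumes the ADFS and ActiveDirectory PowerShell modules are available on the ADFS server; the trust name and account name are placeholders.

```powershell
# Added diagnostic (not the poster's code). Assumes it runs on the ADFS server with the
# ADFS and ActiveDirectory modules installed. Both parameter defaults are placeholders.
param(
    [string]$RelyingPartyName = 'MyApp',   # placeholder: display name of the RP trust
    [string]$SamAccountName   = 'jdoe'     # placeholder: a user who does not get the claim
)

$emailClaim = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'

# 1. Does the RP trust issue the e-mail claim type at all? The LDAP-attribute rule
#    template writes the outgoing claim type URI into the rule text, so a simple
#    substring check is enough to tell whether such a rule exists.
$rp = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
if (-not $rp) { throw "No relying party trust named '$RelyingPartyName'" }
if ($rp.IssuanceTransformRules -notmatch [regex]::Escape($emailClaim)) {
    Write-Warning "RP '$RelyingPartyName' has no issuance rule emitting $emailClaim"
} else {
    Write-Host "RP '$RelyingPartyName' has an issuance rule for $emailClaim"
}

# 2. Does the user object carry a value in 'mail'? An attribute-store rule issues
#    nothing for an empty attribute, so the token simply lacks the claim.
$user = Get-ADUser -Identity $SamAccountName -Properties mail
if ([string]::IsNullOrEmpty($user.mail)) {
    Write-Warning "User '$SamAccountName' has an empty 'mail' attribute; ADFS cannot issue the claim"
} else {
    Write-Host "User '$SamAccountName' mail = $($user.mail)"
}
```

Run it for the affected account before touching the trust configuration; if only the second check warns, the fix is on the directory side, as it was in this thread.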