Is there a way to change NameId in SAML custom policies?
I am trying to change the NameID to the user's email in custom policies, but I don't know how to do it. We started from the SAML tutorial on Microsoft.
Email in TrustFrameworkBase.xml:
<ClaimType Id="email">
<DisplayName>Email Address</DisplayName>
<DataType>string</DataType>
<DefaultPartnerClaimTypes>
<Protocol Name="OpenIdConnect" PartnerClaimType="email" />
<Protocol Name="SAML2" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email" />
</DefaultPartnerClaimTypes>
<UserHelpText>Email address that can be used to contact you.</UserHelpText>
<UserInputType>TextBox</UserInputType>
<Restriction>
<Pattern RegularExpression="^[a-zA-Z0-9.!#$%&'^_`{}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$" HelpText="Please enter a valid email address." />
</Restriction>
</ClaimType>
TrustFrameworkExtensions.xml (technical profile only):
<TechnicalProfile Id="AAD-UserReadUsingObjectId">
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" />
<OutputClaim ClaimTypeReferenceId="extension_company" />
<OutputClaim ClaimTypeReferenceId="extension_altitude3Id" />
<OutputClaim ClaimTypeReferenceId="extension_isAvivaBroker" />
<OutputClaim ClaimTypeReferenceId="extension_avivaAvantageId" />
<OutputClaim ClaimTypeReferenceId="extension_isApproved" />
<OutputClaim ClaimTypeReferenceId="extension_phoneExtension" />
<OutputClaim ClaimTypeReferenceId="mobile" />
<OutputClaim ClaimTypeReferenceId="streetAddress" />
<OutputClaim ClaimTypeReferenceId="city" />
<OutputClaim ClaimTypeReferenceId="state" />
<OutputClaim ClaimTypeReferenceId="country" />
<OutputClaim ClaimTypeReferenceId="postalcode" />
</OutputClaims>
</TechnicalProfile>
Part of SignUpOrSigninSAML.xml:
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="displayName" />
<OutputClaim ClaimTypeReferenceId="givenName" />
<OutputClaim ClaimTypeReferenceId="surname" />
<OutputClaim ClaimTypeReferenceId="email" DefaultValue=""/>
<OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="" />
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="objectId"/>
</OutputClaims>
<SubjectNamingInfo ClaimType="objectId" ExcludeAsClaim="true"/>
</TechnicalProfile>
In the metadata I have (SignUpOrSigninSAML.xml):
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
If you update the RelyingParty definition to the following, it should output email in the NameId in the format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress:
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="sub" />
<OutputClaim ClaimTypeReferenceId="displayName" />
<OutputClaim ClaimTypeReferenceId="givenName" />
<OutputClaim ClaimTypeReferenceId="surname" />
<OutputClaim ClaimTypeReferenceId="email" DefaultValue=""/>
<OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="" />
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="objectId"/>
</OutputClaims>
<SubjectNamingInfo ClaimType="sub" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" ExcludeAsClaim="true"/>
</TechnicalProfile>
I have included email as an additional attribute in your assertion, but if you are only interested in it in the NameId, then you can remove the <OutputClaim ClaimTypeReferenceId="email" DefaultValue=""/> line.
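A small lint over the RelyingParty profile, added here as an example and not part of the question or answer: it checks the coupling the answer relies on, namely that SubjectNamingInfo's ClaimType names an emitted OutputClaim (by PartnerClaimType, falling back to the claim id, which is a simplification since DefaultPartnerClaimTypes are not consulted) and that its Format is one of the NameIDFormat values the metadata advertises. The wrapper element and fragments are constructed from the post's snippets.

```python
import xml.etree.ElementTree as ET

# NameIDFormat values copied from the question's SignUpOrSigninSAML.xml metadata.
ADVERTISED_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}

def _local(tag):
    # Drop any namespace prefix so the check works with or without the B2C xmlns.
    return tag.rsplit("}", 1)[-1]

def check_subject_naming(fragment, advertised=ADVERTISED_NAMEID_FORMATS):
    """Lint one <TechnicalProfile>; returns a list of problems (empty means OK)."""
    root = ET.fromstring(fragment)
    # Names the OutputClaims are emitted under. Simplifying assumption: when no
    # PartnerClaimType is set we use the claim id; DefaultPartnerClaimTypes are ignored.
    emitted = {el.get("PartnerClaimType") or el.get("ClaimTypeReferenceId")
               for el in root.iter() if _local(el.tag) == "OutputClaim"}
    sni = next((el for el in root.iter() if _local(el.tag) == "SubjectNamingInfo"), None)
    if sni is None:
        return ["no SubjectNamingInfo element in this TechnicalProfile"]
    problems = []
    claim, fmt = sni.get("ClaimType"), sni.get("Format")
    if claim not in emitted:
        problems.append(f"SubjectNamingInfo ClaimType '{claim}' names no emitted OutputClaim")
    if fmt is None:
        problems.append("SubjectNamingInfo sets no Format; NameID format is not pinned")
    elif fmt not in advertised:
        problems.append(f"Format '{fmt}' is not in the metadata NameIDFormat list")
    return problems

def rp_profile(output_claims, subject_naming):
    # Constructed wrapper: the post's snippets are partial, so give them one root element.
    return f'<TechnicalProfile Id="PolicyProfile">{output_claims}{subject_naming}</TechnicalProfile>'

EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Shape of the question's RelyingParty profile (objectId as NameID, no Format).
BEFORE = rp_profile(
    '<OutputClaims><OutputClaim ClaimTypeReferenceId="email" DefaultValue=""/>'
    '<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="objectId"/></OutputClaims>',
    '<SubjectNamingInfo ClaimType="objectId" ExcludeAsClaim="true"/>')
# Shape of the answer's profile: email mapped to "sub" and named as the subject.
AFTER = rp_profile(
    '<OutputClaims><OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="sub"/>'
    '<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="objectId"/></OutputClaims>',
    f'<SubjectNamingInfo ClaimType="sub" Format="{EMAIL_FMT}" ExcludeAsClaim="true"/>')

if __name__ == "__main__":
    for name, frag in ("before", BEFORE), ("after", AFTER):
        print(name, check_subject_naming(frag) or "OK")
```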