Problem description
I have an ADFS trust between ADFS and "Entrust GetAccess" and need to grant external users access to a SharePoint portal. The SAML token contains two claims, "email" and "groups". The "email" claim is working fine; the "groups" claim submits all groups in distinguished name format, separated by a ";" (e.g. "cn=ADFS-Test-Group,ou=ADFS-Test,ou=GROUPS,ou=GLOBAL,o=Client-Partners,c=com;cn=Users=GROUPS,ou=GLOBAL,o=EON-Partners,c=de").
I have the following claim rule:
Question: Have I written my claim rule correctly, so that it checks whether the name "ADFS-Test-Group" exists in the received claim and transforms it into a role claim with the value "adfs-getaccess-inbound"? I keep getting "access denied" and am unsure what the root cause might be.
Mark
Recommended answer
Reference:
ADFS: Sending groups as claims.
That way you get each group as a separate role.
You can then manipulate as appropriate.
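As an added example (not part of the original question or answer), the transform the question describes, written in ADFS claim rule language and applied with the ADFS PowerShell cmdlets. It assumes the incoming "groups" claim arrives under the standard Group claim type and the trusts are named "Entrust GetAccess" and "SharePoint" (all placeholders); it matches the complete distinguished name rather than the bare CN, so a similarly named group in another ou= or o= branch cannot satisfy the rule.

```powershell
# Added example, not from the original post. Claim types and trust names below are assumptions.
$groupType = "http://schemas.xmlsoap.org/claims/Group"                       # assumed type of the incoming "groups" claim
$emailType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"  # assumed type of the "email" claim
$roleType  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# The incoming value is one string holding every DN joined by ';'. Anchoring on the separators
# accepts "ADFS-Test-Group" only as a complete DN, never as a substring of another group's DN
# (e.g. "ADFS-Test-Group2", or the same cn= under a different ou= / o= branch).
# If the provider is changed to send one claim per group, as the answer suggests, the same
# pattern still works: (^|;) and (;|$) then simply match the start and end of the single value.
$expectedDn = "cn=ADFS-Test-Group,ou=ADFS-Test,ou=GROUPS,ou=GLOBAL,o=Client-Partners,c=com"
$pattern    = '(?i)(^|;)' + [regex]::Escape($expectedDn) + '(;|$)'

# Acceptance transform rules run on the claims provider trust (the Entrust GetAccess side).
$acceptanceRules = @"
@RuleName = "Map ADFS-Test-Group to the adfs-getaccess-inbound role"
c:[Type == "$groupType", Value =~ "$pattern"]
 => issue(Type = "$roleType", Value = "adfs-getaccess-inbound");

@RuleName = "Pass through e-mail"
c:[Type == "$emailType"]
 => issue(claim = c);
"@

# The role claim issued above must also be passed through on the relying party trust
# (SharePoint); a role that is created but not forwarded never reaches the portal.
$issuanceRules = @"
@RuleName = "Pass through role"
c:[Type == "$roleType"]
 => issue(claim = c);

@RuleName = "Pass through e-mail"
c:[Type == "$emailType"]
 => issue(claim = c);
"@

Set-AdfsClaimsProviderTrust -TargetName "Entrust GetAccess" -AcceptanceTransformRules $acceptanceRules
Set-AdfsRelyingPartyTrust   -TargetName "SharePoint"        -IssuanceTransformRules   $issuanceRules
```

Run on the ADFS server with the ADFS module loaded; the Set-Adfs* cmdlets replace the whole rule set for the named trust, so merge these rules with any existing ones rather than overwriting them.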