SAML2

SAML2

关注
发信
关注(28)粉丝(399)

ADFS / SAML2.0-如何通过联合身份验证元数据设置声明规则?

本文介绍了ADFS / SAML2.0-如何通过联合身份验证元数据设置声明规则?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在尝试针对Web应用程序针对Windows ADFS实施SAML 2.0身份验证。到目前为止,我已经通过手动配置依赖方信任和分配的索赔规则成功地从ADFS进行身份验证并获得了我所需要的东西。

I'm trying to implement a SAML 2.0 authentication against Windows ADFS for a web application. So far I succeeded in authenticating and getting what I need from ADFS by manually configuring the Relying Party Trust and the assigned Claim Rules.

现在,我想为我的联盟提供元数据应用程序,以便更轻松地在ADFS中设置所需的内容。但是我无法弄清楚如何在该元数据中传递所需的索赔规则。

Now I want to provide federation metadata for my application to make it easier to set up the required stuff in ADFS. However I can't figure out how to pass the required Claim Rules in that metadata.

到目前为止,这是我所拥有的:

Here's what I have so far:

<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="dokuwiki-entity" validUntil="2015-03-24T20:30:16Z">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAssertionsSigned="true">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://perd.cosmo/dw-2014-01-13/doku.php?id=start"/>

    <AttributeConsumingService index="1">
      <ServiceName xml:lang="en">DokuWiki</ServiceName>
      <RequestedAttribute isRequired="true" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="E-Mail-Adresse" />
    </AttributeConsumingService>
  </SPSSODescriptor>
  <Organization>
    <OrganizationName xml:lang="en">DokuWiki</OrganizationName>
    <OrganizationDisplayName xml:lang="en">DokuWiki</OrganizationDisplayName>
    <OrganizationURL xml:lang="en">https://www.dokuwiki.org</OrganizationURL>
  </Organization>
</EntityDescriptor>

据我了解, RequestedAttribute 应该说明ADFS通过身份验证向我发送用户的电子邮件地址。不幸的是,在使用此元数据设置依赖方信任之后,未设置任何索赔规则。

From what I understand the RequestedAttribute should tell the ADFS to send me the user's E-Mail address upon authentication. Unfortunately after using this metadata to set up the Relying Party Trust no Claim Rules are set up.

问题:是否可以通过元数据来设置索赔规则,或者总是这样手动完成?如果可以在哪里找到合适的文档?

Question: Is it possible to set up Claim Rules through metadata or has this always to be done manually? If it is possible where do I find the appropriate documentation?

推荐答案

您必须手动(或通过Powershell)设置声明规则。 ADFS不会查看元数据的那部分。

You have to setup the claimsrules manually (or through powershell). ADFS does not look at that part of the metadata.

这篇关于ADFS / SAML2.0-如何通过联合身份验证元数据设置声明规则?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

08-12 21:48
Powered by LMLPHP ©2024 SAML2 0.041897