作为我们从 VS 2010 迁移到 VS 2012 的一部分,我们已经开始在开发阶段使用 Identity and Access Tools 中的 LocalSTS 作为 STS。它很容易设置,但是我们确实遇到了一个问题,这就是将其配置为在生成的令牌中为每种声明类型包含多个声明值。典型的配置可能如下所示:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<configSections>
<section name="localSTSConfiguration" type="System.IdentityModel.Tools.LocalSTS.LocalSTSConfiguration, LocalSTS, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</configSections>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
</startup>
<localSTSConfiguration port="13248" signingCertificate="LocalSTS.pfx" signingCertificatePassword="LocalSTS" issuerName="LocalSTS" tokenFormat="Saml11">
<claims>
<add type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" displayName="Name" value="Terry" />
<add type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" displayName="Surname" value="Adams" />
<add type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" displayName="Role" value="Member" />
<add type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" displayName="Email" value="terry@contoso.com" />
<add type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" displayName="Name Identifier" value="terry@contoso.com" />
</claims>
</localSTSConfiguration>
</configuration>
以上将毫无问题,但如果我希望用户同时成为成员角色和管理员角色的成员,我该如何表达。我尝试了以下方法,但它只包含给定声明类型的最后一个指定声明值。因此,结果是给定下面的配置,用户将只是管理员角色的成员,而不是成员角色。
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<configSections>
...
</configSections>
<startup>
...
</startup>
<localSTSConfiguration port="13248" signingCertificate="LocalSTS.pfx" signingCertificatePassword="LocalSTS" issuerName="LocalSTS" tokenFormat="Saml11">
<claims>
...
<add type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" displayName="Role" value="Member" />
<add type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" displayName="Role" value="Administrator" />
...
</claims>
</localSTSConfiguration>
</configuration>