3

我正在尝试使用 SSO 将第三方系统与 ADFS 2.0 连接起来。我创建了依赖方信任和两个声明规则

规则1

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

规则 #2

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

我能够访问 ADFS 服务器但收到此错误

MSIS1000: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: False Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier: https://xxx.xxx.com/sso. Actual NameID properties: null.

有什么想法吗?

4

1 回答 1

4

这条线索是:

SPNameQualifier:https://xxx.xxx.com/sso。实际 NameID 属性:null。

所以 SP 的 NameID(实体 ID)为“ https://xxx.xxx.com/sso ”,但在 ADFS 端没有配置这样的名称。

您需要使用 Properties [] 构造将此添加到声明中。

请参阅:ADFS – SAML 2.0 身份提供者和 SaaS 服务提供者

于 2013-05-06T19:18:35.227 回答