I have integrated a SAML2 IdP with Azure AD B2C. I am able to perform OAuth2 authentication and successfully obtain an id_token and access_token.
I need to extract the SSO sessionIndex or session ID from the SAML assertion into the id_token/access_token. I noticed that the sessionIndex/ID is not provided as a <saml:Attribute>, but it is available in <saml:AuthnStatement>:
<saml:AuthnStatement AuthnInstant="2018-10-30T18:28:42Z"
                     SessionIndex="A659D5A1B123456BA0EA744B80CB1AFA2EB6BBD14"
                     SessionNotOnOrAfter="2018-10-31T02:30:42Z">
  <saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password
    </saml:AuthnContextClassRef>
  </saml:AuthnContext>
</saml:AuthnStatement>
Here is my custom policy setup:
<ClaimsProvider>
  <Domain>samlIdp</Domain>
  <DisplayName>samlIdp</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="samlIdpProfile">
      <DisplayName>samlIdpProfile</DisplayName>
      <Description>Login with your account</Description>
      <Protocol Name="SAML2" />
      <Metadata>
        <Item Key="RequestsSigned">false</Item>
        <Item Key="WantsEncryptedAssertions">false</Item>
        <Item Key="WantsSignedAssertions">false</Item>
        <Item Key="PartnerEntity">https://samlIdp.com/.well-known/samlidp.xml</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_SAMLSigningCert" />
        <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SAMLSigningCert" />
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="userId" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
        <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="username" />
        <!-- newly added claims -->
        <OutputClaim ClaimTypeReferenceId="sessionId" DefaultValue="na" PartnerClaimType="ID" />
        <OutputClaim ClaimTypeReferenceId="sessionIndex" DefaultValue="na" PartnerClaimType="sessionIndex" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <!--<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" /> -->
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
I need this sessionIndex to be part of my OAuth2 JWT. Any help would be greatly appreciated.
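As an added example (not the asker's policy, and not anything Azure AD B2C itself runs), the following Python shows where these session identifiers sit in a SAML 2.0 assertion and how to read and validate them. It assumes the assertion XML has already been signature-checked, and its sample assertion is constructed around the AuthnStatement quoted in the question.

```python
"""Pull the SSO session identifiers out of a SAML 2.0 AuthnStatement."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # fine for trusted input; use defusedxml for untrusted assertions

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion; the AuthnStatement mirrors the one in the question.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example" Version="2.0"
    IssueInstant="2018-10-30T18:28:42Z">
  <saml:AuthnStatement AuthnInstant="2018-10-30T18:28:42Z"
      SessionIndex="A659D5A1B123456BA0EA744B80CB1AFA2EB6BBD14"
      SessionNotOnOrAfter="2018-10-31T02:30:42Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password
      </saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def parse_saml_instant(value):
    """Parse a SAML xs:dateTime in UTC form (e.g. 2018-10-31T02:30:42Z) into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_session(xml_text):
    """Return the session fields of the first AuthnStatement, or None if there is none.

    The session identifiers are XML attributes of <saml:AuthnStatement>, not
    <saml:Attribute> values, which is why an attribute-based claim mapping misses them.
    """
    root = ET.fromstring(xml_text)
    # iter() also matches the root, so a bare <saml:AuthnStatement> document works too.
    stmt = next(root.iter(f"{{{SAML_NS}}}AuthnStatement"), None)
    if stmt is None or "SessionIndex" not in stmt.attrib:
        return None
    expiry = stmt.attrib.get("SessionNotOnOrAfter")  # optional per the SAML core spec
    ctx = stmt.find(f"{{{SAML_NS}}}AuthnContext/{{{SAML_NS}}}AuthnContextClassRef")
    return {
        "session_index": stmt.attrib["SessionIndex"],
        "authn_instant": parse_saml_instant(stmt.attrib["AuthnInstant"]),
        "not_on_or_after": parse_saml_instant(expiry) if expiry else None,
        "authn_context": ctx.text.strip() if ctx is not None and ctx.text else None,
    }


def session_is_current(session, now):
    """True while `now` is before SessionNotOnOrAfter; at the bound itself the session is expired."""
    expiry = session["not_on_or_after"]
    return expiry is None or now < expiry
```

Whatever copies the value into a token should also carry SessionNotOnOrAfter (or bound the token lifetime by it), otherwise the JWT can outlive the IdP session it names.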