How do I iterate an AD attribute as a claims rule in ADFS?
More specifically, I'd like to check whether the user's proxyAddresses contains a predetermined domain, and if so, return that email as Name ID, else the the user's main email.
问问题
104 次
2 回答
0
您将在声明规则上使用正则表达式来检查域,如果存在,则发出 NameID 声明。
然后使用“不存在”规则。
所以像:
NOT EXISTS([Type == "http://contoso.com/NAMID"])
=> add(Type = "http://contoso.com/hasNAMEID", Value = "No");
Sample Rule 2:
c1:[Type == "http://contoso.com/hasNameID"] &&
c2:[Type == "http://contoso.com/email"]
=> issue(Type="http://contoso.com/email", Value=c2.value);
使用正常的电子邮件声明类型等。
写完这篇文章大约 10 分钟后,我发现这个例子更详细地显示了解决方案。
于 2020-10-12T19:35:01.013 回答
0
我昨天玩了一下,最后得到了以下,这似乎有效,但也许不是最干净的方式?
规则1:
Proxy-Addresses 和 User-Principal-Name 的常规属性声明
规则#2:
c:[Type == "fake/proxyAddresses", Value =~ "subdomain.example.com$"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = RegExReplace(c.Value, "smtp:", ""));
规则#3:
NOT EXISTS([Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"])
=> add(Type = "fake/UseUPN", Value = "Yes");
规则#4:
c1:[Type == "fake/UseUPN"]
&& c2:[Type == "fake/UPN"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c2.Value);
于 2020-10-13T10:06:56.953 回答