
How do I iterate an AD attribute as a claims rule in ADFS?

More specifically, I'd like to check whether the user's proxyAddresses contains a predetermined domain, and if so, return that email as the Name ID, else the user's main email.


2 Answers


You would use a regex in the claims rule to check for the domain and, if it is present, issue the NameID claim.

Then use an "exists" rule.

So something like:

Sample Rule 1:

NOT EXISTS([Type == "http://contoso.com/NameID"])
=> add(Type = "http://contoso.com/hasNameID", Value = "No");

Sample Rule 2:

c1:[Type == "http://contoso.com/hasNameID"] &&
c2:[Type == "http://contoso.com/email"]
=> issue(Type = "http://contoso.com/email", Value = c2.Value);

Use the normal email claim types, etc.

About 10 minutes after writing this, I found this example, which shows the solution in more detail.

Answered 2020-10-12T19:35:01.013

I played around with it yesterday and ended up with the following, which seems to work, but perhaps isn't the cleanest way?

Rule 1:

The usual attribute claims for Proxy-Addresses and User-Principal-Name

Rule 2:

c:[Type == "fake/proxyAddresses", Value =~ "(?i)@subdomain\.example\.com$"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = RegExReplace(c.Value, "(?i)^smtp:", ""));

Rule 3:

NOT EXISTS([Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"])
 => add(Type = "fake/UseUPN", Value = "Yes");

Rule 4:

c1:[Type == "fake/UseUPN"]
 && c2:[Type == "fake/UPN"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c2.Value);

Answered 2020-10-13T10:06:56.953
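Both answers rely on the same two AD FS pipeline behaviours: a regex match on a proxyAddresses claim issues the NameID, and a later NOT EXISTS rule falls back to another claim only when nothing was issued. The following Python model is an added example, not code from either answer or from AD FS; it uses the placeholder claim type names from the second answer and assumes two things about the engine that the rules depend on (issue() adds a claim to both the output set and the input set, add() only to the input set, rules run in order). The sample users are constructed. It also shows why the pattern must anchor on "@" and escape the dots: the original "subdomain.example.com$" is a suffix match in which "." matches any character, so a lookalike domain such as notsubdomain.example.com also matches and a second NameID is issued.

```python
import re
from typing import Any, Dict, List, Tuple

NAMEID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

# Placeholder claim types from the second answer's rules (not real schemas).
PROXY = "fake/proxyAddresses"
UPN = "fake/UPN"
USE_UPN = "fake/UseUPN"

Claim = Tuple[str, str]

# Constructed sample users (not real accounts).  A "send LDAP attributes as
# claims" rule hands proxyAddresses to the pipeline as one claim per value:
# the primary address carries the upper-case "SMTP:" prefix, secondary ones
# the lower-case prefix, and non-SMTP entries (X500:, sip:) are present too.
ALICE: Dict[str, Any] = {
    PROXY: [
        "SMTP:alice@example.com",
        "smtp:alice@subdomain.example.com",
        "smtp:alice@notsubdomain.example.com",  # lookalike domain
        "X500:/o=ExchangeLabs/ou=Exchange Administrative Group/cn=alice",
    ],
    UPN: "alice@example.com",
}
BOB: Dict[str, Any] = {
    PROXY: ["SMTP:bob@example.com", "sip:bob@example.com"],
    UPN: "bob@example.com",
}


def issued_nameids(user: Dict[str, Any], domain: str, anchored: bool = True) -> List[str]:
    """Run rules 2-4 of the second answer over one user's attribute claims.

    Assumed engine semantics: issue() appends to the output set AND the input
    set (so rule 3's NOT EXISTS sees rule 2's NameID); add() appends to the
    input set only.  Returns the NameID values that reach the output, in order.
    """
    input_claims: List[Claim] = [(PROXY, v) for v in user[PROXY]]
    input_claims.append((UPN, user[UPN]))
    output: List[Claim] = []

    # Rule 2.  anchored=True is the hardened pattern: a leading "@" and literal
    # dots, so only addresses *at* the domain match.  anchored=False reproduces
    # the original "subdomain.example.com$" suffix match.  re.IGNORECASE plays
    # the role of "(?i)" in the .NET regex AD FS evaluates.
    if anchored:
        pattern = re.compile("@" + re.escape(domain) + "$", re.IGNORECASE)
    else:
        pattern = re.compile(domain + "$", re.IGNORECASE)
    for ctype, value in list(input_claims):  # iterate a copy; we append below
        if ctype == PROXY and pattern.search(value):
            # Strip only a leading smtp:/SMTP: prefix (primary address is upper-case).
            nameid = re.sub(r"^smtp:", "", value, flags=re.IGNORECASE)
            output.append((NAMEID, nameid))
            input_claims.append((NAMEID, nameid))

    # Rule 3: no NameID so far -> add() a flag to the input set only.
    if not any(ctype == NAMEID for ctype, _ in input_claims):
        input_claims.append((USE_UPN, "Yes"))

    # Rule 4: the flag plus a UPN claim -> issue the UPN as NameID.
    if any(ctype == USE_UPN for ctype, _ in input_claims):
        for ctype, value in input_claims:
            if ctype == UPN:
                output.append((NAMEID, value))

    return [value for ctype, value in output if ctype == NAMEID]


if __name__ == "__main__":
    for user in (ALICE, BOB):
        print(user[UPN], "->", issued_nameids(user, "subdomain.example.com"))
    print("unanchored:", issued_nameids(ALICE, "subdomain.example.com", anchored=False))
```

Two things the model makes visible that the rules alone do not: the unanchored pattern issues two NameID claims for Alice, and any user with more than one proxy address at the target domain would do the same even with the anchored pattern, which most relying parties reject. If that can happen in your directory, tighten the match (for example to the single primary "SMTP:" entry) rather than relying on the first rule to win.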