问题描述
我正在尝试将自定义策略中的用户电子邮件更改为NameID,但不知道如何操作。我们从Microsoft的SAML tutorial开始。
用TrustFrameworkBase.xml发送电子邮件:
<ClaimType Id="email">
<displayName>Email Address</displayName>
<DataType>string</DataType>
<DefaultPartnerClaimTypes>
<Protocol Name="OpenIdConnect" PartnerClaimType="email" />
<Protocol Name="SAML2" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email" />
</DefaultPartnerClaimTypes>
<UserHelpText>Email address that can be used to contact you.</UserHelpText>
<UserInputType>TextBox</UserInputType>
<Restriction>
<Pattern RegularExpression="^[a-zA-Z0-9.!#$%&'^_`{}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$" HelpText="Please enter a valid email address." />
</Restriction>
</ClaimType>
TrustFrameworkExtensions.xml(仅技术资料):
<TechnicalProfile Id="AAD-UserReadUsingObjectId">
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" />
<OutputClaim ClaimTypeReferenceId="extension_company" />
<OutputClaim ClaimTypeReferenceId="extension_altitude3Id" />
<OutputClaim ClaimTypeReferenceId="extension_isAvivabroker" />
<OutputClaim ClaimTypeReferenceId="extension_avivaAvantageId" />
<OutputClaim ClaimTypeReferenceId="extension_isApproved" />
<OutputClaim ClaimTypeReferenceId="extension_phoneExtension" />
<OutputClaim ClaimTypeReferenceId="mobile" />
<OutputClaim ClaimTypeReferenceId="streetAddress" />
<OutputClaim ClaimTypeReferenceId="city" />
<OutputClaim ClaimTypeReferenceId="state" />
<OutputClaim ClaimTypeReferenceId="country" />
<OutputClaim ClaimTypeReferenceId="postalcode" />
</OutputClaims>
</TechnicalProfile>
SignUpOrSigninSAML.xml的一部分:
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="displayName" />
<OutputClaim ClaimTypeReferenceId="givenname" />
<OutputClaim ClaimTypeReferenceId="surname" />
<OutputClaim ClaimTypeReferenceId="email" DefaultValue=""/>
<OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="" />
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="objectId"/>
</OutputClaims>
<SubjectNamingInfo ClaimType="objectId" ExcludeAsClaim="true"/>
</TechnicalProfile>
在元数据中,我有(SignUpOrSigninSAML.xm l)
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
解决方法
如果将RelyingParty定义更新为以下内容,则应在email中以NameId的格式输出urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress:
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="sub" />
<OutputClaim ClaimTypeReferenceId="displayName" />
<OutputClaim ClaimTypeReferenceId="givenName" />
<OutputClaim ClaimTypeReferenceId="surname" />
<OutputClaim ClaimTypeReferenceId="email" DefaultValue=""/>
<OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="" />
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="objectId"/>
</OutputClaims>
<SubjectNamingInfo ClaimType="sub" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" ExcludeAsClaim="true"/>
</TechnicalProfile>
我将email作为附加属性保留在断言中,但是如果您只对NameId中的内容感兴趣,则可以删除{{1 }}行。