如何利用OpenID和ADFS 3.0的自定义索赔规则

对于某些背景，我下面的步骤类似于：

连接到我的应用程序时，我可以在id令牌中看到'nameid'、'upn'和'unique_name'，但没有自定义声明规则中定义的声明：

c:[Type == "foo://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "Telephone-Number", "Department", "Country", "Description", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";mail,mail,givenName,sn,telephoneNumber,department,c,Description,displayName;{0}", param = c.Value);

虽然用户已成功登录，但我无法传递其他声明来帮助定义用户的身份

---

更改或删除此声明规则似乎不会影响结果，但删除permit everyone的颁发授权规则会导致一条拒绝访问的消息，因此我可以推断web应用程序属性实际上在起作用。有什么建议吗？

您真的打算将所有这些声明类型的URI都设置为“foo://”吗

根据你写的

c:[Type == "foo://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "Telephone-Number", "Department", "Country", "Description", "foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";mail,mail,givenName,sn,telephoneNumber,department,c,Description,displayName;{0}", param = c.Value);

只有当您满足以下条件时，才会发出所有索赔：foo://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname 索赔正在酝酿中

我建议做一些简单的事情，比如添加下面的自定义规则

=> issue(type = "http://contoso.com/partner", value = "Adatum");

然后查看已颁发的id_令牌。您应该看到这样的自定义声明以及其他声明

然后，您可以根据需要使用索赔规则语法

http://contoso.com/partner: "Adatum",

---

StackOverflow将它们视为URL，因此我将它们更改为foo://。我试试看。感谢您的回复。看起来这是我们的应用程序。这个答案为故障排除提供了一个清晰的方法。谢谢