I am using ADFS as the IdP for Azure B2C via OpenID Connect. Login works, and B2C sends the UPN from ADFS as the socialIdpUserId claim in the JWT token.
But the group claims from ADFS do not work. How can I receive the group claims in the JWT?
Here is the setup:
ADFS claim rule: domain security groups and UPN
  c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
    => issue(store = "Active Directory",
             types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/claims/Group"),
             query = ";userPrincipalName,tokenGroups(longDomainQualifiedName);{0}",
             param = c.Value);
New group claim type definition in the ClaimsSchema of the TrustFrameworkBase policy:
  <ClaimsSchema>
    <ClaimType Id="group">
      <DisplayName>group</DisplayName>
      <DataType>string</DataType>
      <DefaultPartnerClaimTypes>
        <Protocol Name="OAuth2" PartnerClaimType="group" />
        <Protocol Name="OpenIdConnect" PartnerClaimType="group" />
        <Protocol Name="SAML2" PartnerClaimType="http://schemas.xmlsoap.org/claims/Group" />
      </DefaultPartnerClaimTypes>
    </ClaimType>
  </ClaimsSchema>
Output group claim definition in the TechnicalProfile of the TrustFrameworkExtensions policy:
  <OutputTokenFormat>JWT</OutputTokenFormat>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="UPN" />
    <OutputClaim ClaimTypeReferenceId="group" PartnerClaimType="group" />
  </OutputClaims>
Output group claim definition in the TechnicalProfile of the SignUpOrSignIn policy file:
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="socialIdpUserId" />
      <OutputClaim ClaimTypeReferenceId="group" />
      <OutputClaim ClaimTypeReferenceId="authmethod" />
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      <OutputClaim ClaimTypeReferenceId="identityProvider" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
But the JWT token contains no group claim! Why?

Here is how to issue group claims from B2C:
1. Define a new claim type for the groups in the base policy file. This definition should go at the end of the <ClaimsSchema> element (yes, the one that says stringCollection, and it was written by the same person!)
  <ClaimType Id="IdpUserGroups">
    <DisplayName>Security groups</DisplayName>
    <DataType>stringCollection</DataType>
    <DefaultPartnerClaimTypes>
      <Protocol Name="OAuth2" PartnerClaimType="groups" />
      <Protocol Name="OpenIdConnect" PartnerClaimType="groups" />
      <Protocol Name="SAML2" PartnerClaimType="http://schemas.xmlsoap.org/claims/Group" />
    </DefaultPartnerClaimTypes>
  </ClaimType>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" />
    <OutputClaim ClaimTypeReferenceId="IdpUserGroups" PartnerClaimType="http://schemas.xmlsoap.org/claims/Group" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="SAML fmdadfs4.local" />
    <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="SAML ADFS4 fmdadfs4.local" />
  </OutputClaims>

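An added relying-party check, not part of this answer: once the mapping above is in place, the token carries groups as a JSON array of strings (that is what a stringCollection claim becomes), and the application should refuse to authorize on anything else. The code below is example code with assumed names; it uses a constructed HS256 test token and static key so it runs offline, whereas a real B2C token is RS256-signed and must be validated against the policy's JWKS.

```python
import base64, hashlib, hmac, json, time

# Constructed values for an offline run. A real Azure AD B2C token is RS256-signed
# and must be checked against the policy's JWKS; HS256 with a static key is only
# used here so the example runs without network access.
TEST_KEY = b"constructed-test-key"
EXPECTED_ISS = "https://placeholder-tenant.b2clogin.com/"   # placeholder issuer
EXPECTED_AUD = "00000000-0000-0000-0000-000000000000"       # placeholder client id

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_test_token(claims: dict) -> str:
    """Build a constructed HS256 token carrying the given claims (test input only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(TEST_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_token(token: str) -> dict:
    """Reject the token unless alg, signature, issuer, audience and expiry all check out."""
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":  # never trust alg=none
        raise ValueError("unexpected alg")
    expected = hmac.new(TEST_KEY, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != EXPECTED_ISS or claims.get("aud") != EXPECTED_AUD:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return claims

def groups_from_claims(claims: dict) -> list:
    """A stringCollection claim is issued as a JSON array. A scalar string, or a missing
    claim, means the policy mapping is still wrong, so refuse to authorize on it."""
    groups = claims.get("groups")
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise ValueError("groups claim missing or not a string collection")
    return groups

def is_member(claims: dict, required_group: str) -> bool:
    # Authorization decision taken only on a verified, well-formed groups claim.
    return required_group in groups_from_claims(claims)
```

The group values are constructed in the DOMAIN\group shape that tokenGroups(longDomainQualifiedName) produces; substitute the names your ADFS issues.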
Looks like the OP just has the PartnerClaimType misspelled. Not sure, since you may have mapped something non-standard, but I think you just need to change the PartnerClaimType from group to groups.
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="socialIdpUserId" />
    <OutputClaim ClaimTypeReferenceId="IdpUserGroups" />
    <OutputClaim ClaimTypeReferenceId="identityProvider" />
    <OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="userPrincipalName" />
  </OutputClaims>