Why do I get a 401 with OAuth and ADAL.JS when using AD FS 2016

Question  Votes: 0  Answers: 1

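I am following https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/development/single-page-application-with-ad-fs. I cloned the code from GitHub and followed all the steps to create the application group in AD FS and make the changes in the code. It works fine: clicking SignIn or trying to access the Todo List page takes me to the AD FS login page and then redirects me back to the application page, but when I try the "Todo List" page it gives me {"Message":"Authorization has been denied for this request."}. I checked the network traffic in the Chrome developer tools (and in Fiddler), and the request to TodoList (Request URL: https://localhost:44326/api/TodoList) has the Authorization header: Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Inp4anhjL Looking at all the other traffic, everything else is fine.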

https://pdc.mkdomain.com:44326/#/UserData shows the following result:

Id_token content
[email protected]
aud:https://pdc.mkdomain.com:44326/
iss:https://PDC.mkdomain.com/adfs
iat:1551610099
nbf:
exp:1551613699
ver:
tid:
amr:
oid:
upn:[email protected]
unique_name:[email protected]
sub:JIg5DslCMEyKf8AnKpvNg3XQf+KN58tgOzYEjlZ+WZA=
family_name:
given_name:
pwd_exp:
pwd_url:

On the relying party trust, I have:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", 
types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", 
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", 
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", 
"family_name"), 
query = ";displayName,mail,givenName,sn;{0}", param = c.Value);

In the issuance transform rules I have:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", 
Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", 
types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", 
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", 
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", 
"http://schemas.xmlsoap.org/claims/Group", 
"http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"), 
query = ";mail,givenName,sn,tokenGroups(SID),sAMAccountName;{0}", 
param = c.Value);
oauth adfs adal adal.js
1 Answer
0
votes

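I found that the problem was that the ida:Issuer value was lowercase while the machine name was uppercase. Once I changed it from pdc.MKDOMAIN.com/adfs to PDC.MKDOMAIN.com/adfs, everything worked.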
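An added example (not part of the original answer or of the Microsoft sample): a Node.js check that decodes the bearer token's payload and compares its iss claim with the issuer configured for the API, assuming the API compares the two as exact, case-sensitive strings, as the fix above implies. The token and the lowercase configured value are constructed; makeSampleToken, decodeJwtPayload and diagnoseIssuer are hypothetical helper names.

```javascript
// Added diagnostic example; not code from the Microsoft sample or the post.
// Builds a constructed token (fake signature) so the check runs offline.
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ typ: 'JWT', alg: 'RS256' }), enc(claims), 'constructed-signature'].join('.');
}

// Decode the payload WITHOUT verifying the signature: troubleshooting only,
// never a substitute for the validation the API performs.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected a compact JWT with 3 segments');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/'); // base64url -> base64
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Compare the token's iss with the configured issuer as an exact string,
// and say whether a mismatch is only a difference in letter case.
function diagnoseIssuer(token, configuredIssuer) {
  const iss = decodeJwtPayload(token).iss;
  if (typeof iss !== 'string') return { ok: false, reason: 'missing-iss' };
  if (iss === configuredIssuer) return { ok: true, reason: 'match' };
  const reason = iss.toLowerCase() === configuredIssuer.toLowerCase()
    ? 'case-mismatch'
    : 'different-issuer';
  return { ok: false, reason, tokenIssuer: iss, configuredIssuer };
}

const sampleToken = makeSampleToken({
  iss: 'https://PDC.mkdomain.com/adfs',   // iss as shown in the question's id_token
  aud: 'https://pdc.mkdomain.com:44326/', // aud as shown in the question's id_token
});

// Constructed configuration value: same issuer, host part in lowercase.
console.log(diagnoseIssuer(sampleToken, 'https://pdc.mkdomain.com/adfs'));
```

To check a real deployment, pass the access token from the Authorization header and the API's configured ida:Issuer value to diagnoseIssuer instead of the constructed inputs.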
