獲取使用ADFS 2.0實現SSO的NameIDPolicyError

Question

我正嘗試使用SSO將ADFS 2.0與第三方系統連接。我創建信賴方信任，以及兩個聲明規則

規則＃1

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] 
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"); 

規則＃2

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] 
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value); 

我能打到ADFS服務器，但得到這個錯誤

MSIS1000: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: False Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier: https://xxx.xxx.com/sso. Actual NameID properties: null. 

有什麼想法？

Answer 1

這一塊是線索：

SPNameQualifier：https://xxx.xxx.com/sso。實際NameID屬性： null。

所以SP具有「https://xxx.xxx.com/sso」 NameID的（實體ID），但有在ADFS側沒有配置這樣的名稱。

您需要使用Properties []構造將其添加到聲明中。

請參閱：ADFS – SAML 2.0 Identity Provider and SaaS Service Providers。