是否可以使用来自ADFS服务器的自定义c#模块将声明插入SAML令牌中?
[英]Is it possible to inject claims into a SAML token using a custom c# module from an ADFS server?
问题描述
I have an asp.net web app that uses ADFS to authenticate users. 
我有一个使用ADFS验证用户身份的asp.net Web应用程序。 The ADFS server is configured to issue claims to the web app once it determines that the user is a valid member of an AD domain. ADFS服务器配置为一旦确定用户是AD域的有效成员,便向Web应用发布声明。
What I want to do is deploy a module on the ADFS server that is invoked after the basic claims are issued. 我要做的是在发布基本声明之后调用的ADFS服务器上部署一个模块。 The module would then query an alternate DB (say SQL), retrieve some information about the user based on the claims that have already been issued, and inject that information as one or more claims/assertions into the SAML token that is sent back to the web server. 然后,该模块将查询备用数据库(例如SQL),基于已发出的声明检索有关用户的一些信息,并将该信息作为一个或多个声明/声明注入SAML令牌中,并发送回给SAML令牌。网络服务器。
I have tried implementing a custom authentication adapter on the ADFS server, but that is geared towards MFA and will only return a single additional claim that asserts that some form of MFA was used. 我已经尝试在ADFS服务器上实现自定义身份验证适配器,但这是针对MFA的,并且只会返回一个声称使用了某种形式的MFA的附加声明。
1 个解决方案
解决方案1
1 已采纳 2016-06-02 20:20:52
Absolutely. 绝对。
You need a custom attribute store. 您需要一个自定义属性存储。 This runs the SQL and then you add a claims rules deriving from the custom store. 这将运行SQL,然后添加从定制存储派生的声明规则。
Refer: AD FS 2.0 Attribute Store Overview and How to create a Custom Attribute Store for Active Directory Federation Services 3.0 . 请参阅: AD FS 2.0属性存储概述和如何为Active Directory联合身份验证服务3.0创建自定义属性存储 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.