Custom MFA ADFS extension does not work with e-mail claim
I have built an MFA extension for ADFS using this guide: https://blogs.msdn.microsoft.com/jenfieldmsft/2014/03/24/build-your-own-external-authentication-provider-for-ad-fs-in-windows-server-2012-r2-walk-through-part-1/

I am trying to get the incoming claim in the IAuthenticationAdapter.BeginAuthentication(Claim claim, ...) to have the e-mail of the user that is authenticating. Based on the guide, I should be able to specify in my metadata the IdentityClaims to return "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" and then I should get the e-mail.

However, my code is never hit. Instead, I get the following error in the Event Viewer logs:

System.IO.InvalidDataException: The identity information provided does not contain a Windows account name.
at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.ProcessContext(ProtocolContext context, IAuthenticationContext authContext, IAccountStoreUserData userData)
at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

I tried specifying the relying party trusts to pass on the LDAP parameters, but I am unable to access those in my code.

Any suggestions?
We ran into this question when trying to debug this exact issue ourselves. We were experimenting with IAuthenticationAdapterMetadata.IdentityClaims. When our adapter requested emailaddress as our input claim, ADFS threw the above exception immediately before calling BeginAuthentication.

The main issue was that our Claims Provider (Active Directory, in this case) was not configured to provide the user's email address. We discovered this with help from Microsoft's (free) Claims X-Ray service, which I highly recommend for those debugging ADFS claims issues.

Secondarily, ADFS was giving a misleading error. ADFS does not actually seem to validate the Claim value passed to BeginAuthentication. Once we resolved the main issue, there were no restrictions on the user's email address, so long as it was defined.

Note: if you have multiple Claims Provider Trusts, you may need to do this with each of them.

1. Navigate to the AD FS Management app on the relevant machine.
2. Select Claims Provider Trusts.
3. Right-click the provider you want to "fix" and select Edit Claim rules...
4. Select Add Rule... and then select Send LDAP Attributes as Claims.
5. I assume you should select the provider you are working on as the Attribute store for this rule. You may need to experiment if you can't.
6. Map the LDAP attribute E-Mail-Addresses to the claim type E-Mail Address.

Additional note: Only the first value in the E-Mail-Addresses array will be sent to BeginAuthentication. This seems to be a quirk of the interface, not a quirk of this solution.
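The same claim rule that the "Send LDAP Attributes as Claims" wizard produces can be applied from PowerShell on the AD FS server, which is useful when several claims provider trusts need the fix or when the change must be scripted. This is an added example, not code from the answer above or from Microsoft's walk-through; it assumes the claims provider trust is named "Active Directory" (the default) and the rule name is an arbitrary label.

```powershell
# Added example: add a "Send LDAP Attributes as Claims" acceptance transform rule to a
# claims provider trust from PowerShell instead of the AD FS Management GUI.
# Assumption: run on the AD FS server as an administrator; trust name is the default.
Import-Module ADFS

$trustName  = "Active Directory"   # assumption: change if your provider trust is named differently
$emailClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Claim rule language equivalent of the wizard steps: take the Windows account name issued
# by the AD authority, query the "mail" LDAP attribute (displayed as "E-Mail-Addresses" in the
# wizard) from the Active Directory attribute store, and issue it as an emailaddress claim.
# As the answer notes, only the first value of a multi-valued attribute reaches the adapter.
$emailRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Send E-Mail-Addresses as E-Mail Address claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$emailClaim"), query = ";mail;{0}", param = c.Value);
"@

$trust = Get-AdfsClaimsProviderTrust -Name $trustName
if (-not $trust) { throw "Claims provider trust '$trustName' not found" }

# -AcceptanceTransformRules replaces the entire rule set, so append to the existing rules
# rather than overwrite them; dropping them would silently remove claims other relying
# parties depend on.
$existing = $trust.AcceptanceTransformRules
if ($existing -and $existing.Contains($emailClaim)) {
    Write-Host "An emailaddress rule already exists on '$trustName'; nothing changed."
} else {
    $newRules = if ($existing) { $existing.TrimEnd() + "`r`n" + $emailRule } else { $emailRule }
    Set-AdfsClaimsProviderTrust -TargetName $trustName -AcceptanceTransformRules $newRules
    Write-Host "Added emailaddress rule to '$trustName'."
}

# Check the result: the rule set should now contain the emailaddress claim type.
(Get-AdfsClaimsProviderTrust -Name $trustName).AcceptanceTransformRules
```

After the rule is in place, signing in through Claims X-Ray shows whether the emailaddress claim is actually issued for the test user before the adapter's BeginAuthentication is exercised.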
Is it possible to parse all the available claims for the current user? In my case, I need to figure out what primary authentication method the user used before showing specific options in the custom MFA page.