
User attributes mapping for Azure Active Directory SAML2.0 authenticated web app

I've deployed two app registrations in Azure for external sites that our organisation uses our Azure AD tenant as the identity provider for. I've got the SAML2.0 authentication working fine, but the only user profile attributes it's mapping are UID, UPN, FirstName and LastName. I'd like to try to map some additional AAD profile attributes - specifically jobTitle and physicalDeliveryOfficeName (which in MS Graph is officeLocation).

According to https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims#directory-extension-formatting , I thought I could modify the App manifest by using something similar to my screenshot below, but when I save it I look at the "Token configuration" and see those two claims with a warning "the claim is not supported and will not be returned in the token".

My intention was that I'd then use http://schemas.microsoft.com/identity/claims/extn.officeLocation and http://schemas.microsoft.com/identity/claims/extn.jobTitle in the Attribute mapping settings of the apps we use, but this is not working either.

I need some help as this is out of my area of expertise and the app developers have not been able to assist.

You need to create the custom properties officeLocation and jobTitle in the Azure AD application (app registration) which you are trying to configure "Token configuration" in.

You get the warning "the claim is not supported and will not be returned in the token" because the custom properties are created in another Azure AD application.

You can create the extensionProperty through Microsoft Graph like this:

POST https://graph.microsoft.com/v1.0/applications/{object id of the Azure AD application}/extensionProperties

{"name":"jobTitle","dataType":"string","targetObjects":["User"]}

Then you will see the extn.jobTitle in Token configuration under your Azure AD app. You can directly select it by clicking Add optional claim.

You are also able to edit the manifest to add it now.
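The steps in the answer above, as an added example that is not part of the original post: it builds the Graph request that creates the extension property on the app registration, and derives the manifest claim name from what Graph returns. Graph names a directory extension extension_<appId without dashes>_<name>, while the manifest's optionalClaims refers to it as extn.<name>; the helper refuses a property whose embedded appId belongs to a different application, which is the mismatch that produces the "claim is not supported" warning. The HTTP sender is injectable so the logic can be exercised without network access; object IDs and tokens are placeholders.

```python
import json
import re
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def extension_property_body(name: str, data_type: str = "String") -> dict:
    """Body for POST /applications/{object id}/extensionProperties (user-targeted)."""
    return {"name": name, "dataType": data_type, "targetObjects": ["User"]}


def send_json(url: str, body: dict, token: str) -> dict:
    """Default sender: POST JSON to Graph with a bearer token (needs network)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def create_extension_property(object_id: str, name: str, token: str,
                              sender=send_json) -> dict:
    """Create the property on the app registration identified by its OBJECT id."""
    url = f"{GRAPH}/applications/{object_id}/extensionProperties"
    return sender(url, extension_property_body(name), token)


def claim_name_from_extension(ext_name: str, app_id: str) -> str:
    """Map Graph's extension_<appId>_<name> to the manifest's extn.<name>.

    app_id is the APPLICATION (client) id of the registration whose manifest
    you are editing; a property created on another application is rejected.
    """
    m = re.fullmatch(r"extension_([0-9a-fA-F]{32})_(.+)", ext_name)
    if not m or m.group(1).lower() != app_id.replace("-", "").lower():
        raise ValueError(f"{ext_name} was not created on application {app_id}")
    return f"extn.{m.group(2)}"


def optional_claims_entry(claim_name: str, token_type: str = "saml2Token") -> dict:
    """optionalClaims fragment for the app manifest (directory extension claim)."""
    return {token_type: [{"name": claim_name, "source": "user",
                          "essential": False, "additionalProperties": []}]}
```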
