Transforming incoming username claim in ADFS when doing active authentication
I'm attempting to authenticate to an ADFS server via active federation, but need to transform the incoming username via an AD/LDAP query before attempting to authenticate the user.
I'm using the UsernameMixed endpoint with a UserNameWSTrustBinding:
using System.IdentityModel.Protocols.WSTrust;   // RequestSecurityToken, RequestTypes, WSTrust13Constants
using System.IdentityModel.Tokens;              // SecurityToken
using System.ServiceModel;                      // SecurityMode
using System.ServiceModel.Security;             // WSTrustChannelFactory, IWSTrustChannelContract, TrustVersion
// The namespaces above are the .NET 4.5 (System.IdentityModel) ones; UserNameWSTrustBinding itself ships with the WIF 3.5 SDK (Microsoft.IdentityModel.Protocols.WSTrust.Bindings).
WSTrustChannelFactory factory = new WSTrustChannelFactory(new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential), "https://nobody.com/adfs/services/trust/13/UsernameMixed");
factory.TrustVersion = TrustVersion.WSTrust13;
// Username/password travel inside the SOAP message, protected by TLS (TransportWithMessageCredential).
factory.Credentials.UserName.UserName = userName;
factory.Credentials.UserName.Password = password;
IWSTrustChannelContract channel = factory.CreateChannel();
// Ask the STS to issue a bearer token (no proof key).
RequestSecurityToken rst = new RequestSecurityToken(RequestTypes.Issue, WSTrust13Constants.KeyTypes.Bearer);
SecurityToken token = channel.Issue(rst);
My problem is, I want to transform the "username" passed to the endpoint to the user's email address (via AD or LDAP) on the ADFS server before running authentication. Is this possible to do?
As far as I know, there's no simple way on the AD FS server to transform the incoming username before doing authentication. The transformations are done on outgoing claims after authentication has already happened.
You'll probably need to query AD/LDAP in your relying party application to get this information. Do something like this (taken from here):
using System;                                     // ArgumentException
using System.Collections.Generic;                 // List<T>
using System.DirectoryServices;                   // DirectoryEntry, PropertyCollection
using System.DirectoryServices.AccountManagement; // PrincipalContext, UserPrincipal, ContextType
string domain = "YourDomain";
List<string> emailAddresses = new List<string>();
// Binds to the domain with the relying party's own process identity, not the user's password.
PrincipalContext domainContext = new PrincipalContext(ContextType.Domain, domain);
// FindByIdentity accepts a sAMAccountName, UPN, SID or distinguished name and returns null when nothing matches.
UserPrincipal user = UserPrincipal.FindByIdentity(domainContext, userName);
if (user == null)
{
    throw new ArgumentException("No account found for " + userName);
}
// Add the "mail" entry
emailAddresses.Add(user.EmailAddress);
// Add the "proxyaddresses" entries (each value carries a type prefix such as "SMTP:" or "smtp:").
PropertyCollection properties = ((DirectoryEntry)user.GetUnderlyingObject()).Properties;
foreach (object property in properties["proxyaddresses"])
{
    emailAddresses.Add(property.ToString());
}
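Putting the answer's two steps together, as an added example (my code, not the question's or the answer's): the relying party resolves the typed name to the account's primary SMTP address under its own service identity, then presents that address as the UserName credential to the UsernameMixed endpoint. The STS URL, domain name and the WIF 3.5 UserNameWSTrustBinding are assumed to be the same as in the question.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;

static class AdfsEmailLogin
{
    // Resolve whatever identity was typed (sAMAccountName, UPN, ...) to the primary SMTP
    // address. Returns null when the account or its address cannot be determined.
    public static string ResolvePrimarySmtp(string domain, string typedName)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, typedName))
        {
            if (user == null) return null; // unknown account: do not guess an address
            var props = ((DirectoryEntry)user.GetUnderlyingObject()).Properties;
            foreach (object entry in props["proxyAddresses"])
            {
                string value = entry.ToString();
                // Exchange marks the primary address with an upper-case "SMTP:" prefix;
                // secondary aliases use lower-case "smtp:".
                if (value.StartsWith("SMTP:", StringComparison.Ordinal))
                    return value.Substring("SMTP:".Length);
            }
            // Fall back to the "mail" attribute when no primary proxy address is set.
            return string.IsNullOrEmpty(user.EmailAddress) ? null : user.EmailAddress;
        }
    }

    public static SecurityToken IssueToken(string stsUrl, string domain, string typedName, string password)
    {
        string email = ResolvePrimarySmtp(domain, typedName);
        if (email == null)
            throw new InvalidOperationException("No mail address found for " + typedName);

        var factory = new WSTrustChannelFactory(
            new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential), stsUrl);
        factory.TrustVersion = TrustVersion.WSTrust13;
        // Only the name presented to AD FS changes; the password is still the user's own,
        // so AD FS performs the real credential check as before.
        factory.Credentials.UserName.UserName = email;
        factory.Credentials.UserName.Password = password;
        var rst = new RequestSecurityToken(RequestTypes.Issue, WSTrust13Constants.KeyTypes.Bearer);
        return factory.CreateChannel().Issue(rst);
    }
}
```

AD FS validates the presented name against AD as a logon name (UPN or DOMAIN\user), so this only succeeds when the resolved mail address is also the account's UPN; otherwise the lookup should return the UPN instead.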