进行主动身份验证时，转换ADFS中的传入用户名声明

Question

I'm attempting to authenticate to an ADFS server via active federation, but need to transform the incoming username via an AD/LDAP query before attempting to authenticate the user.

I'm using the UsernameMixed endpoint with a UserNameWSTrustBinding:

WSTrustChannelFactory factory = new WSTrustChannelFactory(new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential), "https://nobody.com/adfs/services/trust/13/UsernameMixed");          

factory.TrustVersion = TrustVersion.WSTrust13;
factory.Credentials.UserName.UserName = userName;
factory.Credentials.UserName.Password = password;

IWSTrustChannelContract channel = factory.CreateChannel();
RequestSecurityToken rst = new RequestSecurityToken(RequestTypes.Issue, WSTrust13Constants.KeyTypes.Bearer);
SecurityToken token = channel.Issue(rst);

My problem is, I want to transform the "username" passed to the endpoing to the user's email address (via AD or LDAP) on the ADFS server before running authentication. Is this possible to do?

Answer 1

As far as I know, there's no simple way on the AD FS server to transform the incoming username before doing authentication. The transformations are done on outgoing claims after authentication has already happened.

You'll probably need to query AD/LDAP in your relying party application to get this information. Do something like this (taken from here ):

string domain = "YourDomain";

List<string> emailAddresses = new List<string>();

PrincipalContext domainContext = new PrincipalContext(ContextType.Domain, domain);
UserPrincipal user = UserPrincipal.FindByIdentity(domainContext, userName);

// Add the "mail" entry
emailAddresses.Add(user.EmailAddress);

// Add the "proxyaddresses" entries.
PropertyCollection properties = ((DirectoryEntry)user.GetUnderlyingObject()).Properties;
foreach (object property in properties["proxyaddresses"])
{
   emailAddresses.Add(property.ToString());
}