有没有办法在 SAML 自定义策略中更改 NameId？

Question

我正在尝试将自定义策略中的用户电子邮件更改为 NameID，但不知道如何操作。我们从 Microsoft 上的 SAML tutorial 开始。

邮箱TrustFrameworkBase.xml:

<ClaimType Id="email">
    <DisplayName>Email Address</DisplayName>
    <DataType>string</DataType>
    <DefaultPartnerClaimTypes>
      <Protocol Name="OpenIdConnect" PartnerClaimType="email" />
      <Protocol Name="SAML2" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email" />
    </DefaultPartnerClaimTypes>
    <UserHelpText>Email address that can be used to contact you.</UserHelpText>
    <UserInputType>TextBox</UserInputType>
    <Restriction>
      <Pattern RegularExpression="^[a-zA-Z0-9.!#$%&amp;'^_`{}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$" HelpText="Please enter a valid email address." />
    </Restriction>
  </ClaimType>

TrustFrameworkExtensions.xml（仅技术简介）：

 <TechnicalProfile Id="AAD-UserReadUsingObjectId">
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" />
        <OutputClaim ClaimTypeReferenceId="extension_company" />
        <OutputClaim ClaimTypeReferenceId="extension_altitude3Id" />
        <OutputClaim ClaimTypeReferenceId="extension_isAvivaBroker" />
        <OutputClaim ClaimTypeReferenceId="extension_avivaAvantageId" />
        <OutputClaim ClaimTypeReferenceId="extension_isApproved" />
        <OutputClaim ClaimTypeReferenceId="extension_phoneExtension" />
        <OutputClaim ClaimTypeReferenceId="mobile" />
        <OutputClaim ClaimTypeReferenceId="streetAddress" />
        <OutputClaim ClaimTypeReferenceId="city" />
        <OutputClaim ClaimTypeReferenceId="state" />
        <OutputClaim ClaimTypeReferenceId="country" />
        <OutputClaim ClaimTypeReferenceId="postalcode" />
      </OutputClaims>
    </TechnicalProfile>

SignUpOrSigninSAML.xml的一部分：

<OutputClaims>
    <OutputClaim ClaimTypeReferenceId="displayName" />
    <OutputClaim ClaimTypeReferenceId="givenName" />
    <OutputClaim ClaimTypeReferenceId="surname" />
    <OutputClaim ClaimTypeReferenceId="email" DefaultValue=""/>
    <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="" />
    <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="objectId"/>
  </OutputClaims>
  <SubjectNamingInfo ClaimType="objectId" ExcludeAsClaim="true"/>
</TechnicalProfile>

在元数据中，我有 (SignUpOrSigninSAML.xml)：

<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>

Answer 1

如果您将RelyingParty 定义更新为以下内容，则应在NameId 中以urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress 的格式输出email：

<OutputClaims>
    <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="sub" />
    <OutputClaim ClaimTypeReferenceId="displayName" />
    <OutputClaim ClaimTypeReferenceId="givenName" />
    <OutputClaim ClaimTypeReferenceId="surname" />
    <OutputClaim ClaimTypeReferenceId="email" DefaultValue=""/>
    <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="" />
    <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="objectId"/>
  </OutputClaims>
  <SubjectNamingInfo ClaimType="sub" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" ExcludeAsClaim="true"/>
</TechnicalProfile>

我已将 email 作为附加属性保留在您的断言中，但如果您只对 NameId 中的它感兴趣，那么您可以删除 <OutputClaim ClaimTypeReferenceId="email" DefaultValue=""/> 行。