ADFS custom claims with domain local group membership

Posted 2025-01-10 11:29:05


I created a custom ADFS claim rule based on group membership with global security groups.
And it's working smoothly, but we need to add users from a different forest that is trusted by us.
So, I converted the global group to a Domain Local group so that we can add users from a different forest, but somehow it's not working; only the Global group is working, not the Domain Local one, even if the user is from the same domain.
Can someone help me get the proper solution, or are Domain Local groups not supported by ADFS if used for claim attributes?

Current setup with our Global Group is given below (working)
Send token groups:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("corporate_groups"), query = ";tokenGroups;{0}", param = c.Value);

Get token groups:

c:[Type == "corporate_groups", Value =~ ".APP_Test."]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/group", Value = c.Value);

Note: If I go through this link, it is not working for cross-forest trust users.
https://social.technet.microsoft.com/wiki/contents/articles/13829.ad-fs-2-0-domain-local-groups-in-a-claim.aspx
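Before changing the rules again, it helps to see exactly what the `;tokenGroups;{0}` query can hand to the claim pipeline for a given user. The PowerShell script below is an added diagnostic, not code from the original post: it reads the constructed tokenGroups attribute of one user from one specific domain controller and lists which entries the second rule's regex (`.APP_Test.`) would turn into group claims. $DomainController and $UserDn are placeholders you supply, and the script assumes the AD FS Active Directory store reports tokenGroups as DOMAIN\Group names, the same form the SID translation below produces.

```powershell
# Added diagnostic for the tokenGroups claim rule above; not part of the original post.
# Placeholders: $DomainController (a DC the AD FS service account can query) and
# $UserDn (distinguishedName of the user whose token you want to inspect).
param(
    [Parameter(Mandatory)] [string] $DomainController,   # e.g. dc01.corp.example (placeholder)
    [Parameter(Mandatory)] [string] $UserDn,             # e.g. CN=Jane,OU=Users,DC=corp,DC=example (placeholder)
    [string] $GroupPattern = '.APP_Test.'                # same regex the second claim rule uses
)

# Bind to the user object on the chosen DC and load the constructed tokenGroups attribute.
# tokenGroups is computed by the DC that answers the query, so the DC you pick matters:
# run this once against a same-domain user and once against a trusted-forest user.
$entry = [ADSI]"LDAP://$DomainController/$UserDn"
$entry.RefreshCache(@('tokenGroups'))

# Each tokenGroups value is a binary SID; resolve it to DOMAIN\Name where this host can.
$resolved = foreach ($sidBytes in $entry.Properties['tokenGroups']) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    try {
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $name = '<unresolved>'   # SID from a domain this host cannot translate
    }
    [pscustomobject]@{ Sid = $sid.Value; Name = $name }
}

# Everything the first rule (query = ";tokenGroups;{0}") would add as corporate_groups claims.
Write-Host "tokenGroups for $UserDn as computed by $DomainController:"
$resolved | Sort-Object Name | Format-Table -AutoSize

# Only these would survive the second rule (Value =~ ".APP_Test.") and be issued as group claims.
# Avoid the name $Matches here: it is a PowerShell automatic variable.
$hits = @($resolved | Where-Object { $_.Name -match $GroupPattern })
if ($hits.Count -gt 0) {
    Write-Host "Entries that would be issued as group claims:"
    $hits | ForEach-Object { Write-Host "  $($_.Name)" }
} else {
    Write-Host "No tokenGroups entry matches '$GroupPattern' on $DomainController."
    Write-Host "If the user is in the domain local group, that group is not present in the token this DC builds."
}
```

Run it with the DC that AD FS actually uses for its Active Directory attribute store; a group that shows up for the same-domain user but not for the trusted-forest user confirms the membership is missing from the token rather than from the rule syntax.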


Comments (1)

倾城月光淡如水﹏ 2025-01-17 11:29:05


• You can surely create a rule to send a group membership as a claim on a relying party trust in ADFS on a Windows Server. But for that, you need to make sure that the user ID with which you are going to log in to the ADFS server is a member of the Domain Administrators or the local system administrators' group. Also, you can do this by following the documentation link below. It states that you can create a rule template for sending group membership as a claim through the ADFS Server Management snap-in itself.

https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-rule-to-send-group-membership-as-a-claim#to-create-a-rule-to-send-group-membership-as-a-claim-on-a-relying-party-trust-in-windows-server-2016

• If you follow the above document for creating rules based on a template, it should get you working. Also, make sure to refer to and follow the documentation below on when you should use group membership as a claim rule:

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff678036(v=ws.11)
