Issuing multiple claims in a single rule

Is there a simple way to issue multiple claims in a single ADFS claim rule? The only examples I can see are the ones that query an attribute store, where each retrieved column maps to a different claim type.

I tried the "obvious" approach of using Types instead of Type, putting both types in parentheses (following the SQL example), but then I'd need to supply multiple values - so I'd want Values instead of Value. Either way, it chokes on Types.

This doesn't work:

c:[Type == incomingClaim, Value =~ incomingMatch]
 => issue(Types = (type1,type2), Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
      Values = (value1,value2), ValueType = c.ValueType);

where incomingClaim, type1, type2, value1 and value2 are simple string literals, and incomingMatch is a regular expression.

Of course I could do this as multiple claim rules, but I'd like to keep it simple for now. There will be about 5 outgoing claims at the moment, but I want to set up some users to get all of the claims without having to set up 5 rules. The number of claims will grow over time.

(I've only tagged this ADFS - I can't see any other obvious tags to include)

Answer 1

ADFS rules consist of a condition, the => token, a command (issue or add) and a terminating semicolon. You can't issue multiple literals per rule, but you can use PowerShell to make it easier to work with.

Instead of going into the UI and through the wizard 5 times, you can use Set-AdfsRelyingPartyTrust to set all the rules at once.

Set-AdfsRelyingPartyTrust -TargetName SharePoint_Prod -IssuanceTransformRulesFile c:\drop\rules.txt

rules.txt looks like this

c:[Type == incomingClaim, Value =~ incomingMatch] => issue(Type = type1, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = value1, ValueType = c.ValueType);
c:[Type == incomingClaim, Value =~ incomingMatch] => issue(Type = type2, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = value2, ValueType = c.ValueType);
c:[Type == incomingClaim, Value =~ incomingMatch] => issue(Type = type3, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = value3, ValueType = c.ValueType);
c:[Type == incomingClaim, Value =~ incomingMatch] => issue(Type = type4, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = value4, ValueType = c.ValueType);
c:[Type == incomingClaim, Value =~ incomingMatch] => issue(Type = type5, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = value5, ValueType = c.ValueType);

The difference from the UI? I used copy and paste.

Answer 2

While Mitch's approach is correct, there is a fundamental problem here. Using the cmdlet mentioned above:

Set-AdfsRelyingPartyTrust -TargetName SharePoint_Prod -IssuanceTransformRulesFile c:\drop\rules.txt

will replace all of the issuance transform rules with the contents of the text file. Correct me if I'm wrong, but there is no "append" option with this approach. Also, I'm not sure whether this was actually tried, but it would cause an error. PS expects every rule to begin with:

@RuleName = "$Rulename"

If multiple rules share a single rule name, ADFS will throw an error (I haven't actually tried this). If you want to use the cmdlet, the best working option is to have the text file look like this:

@RuleName = "RuleName1"
c:[Type == incomingClaim, Value =~ incomingMatch] => issue(Type = type1, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = value1, ValueType = c.ValueType);

@RuleName = "RuleName2"
c:[Type == incomingClaim, Value =~ incomingMatch] => issue(Type = type2, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = value2, ValueType = c.ValueType);

@RuleName = "RuleName3"
c:[Type == incomingClaim, Value =~ incomingMatch] => issue(Type = type3, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = value3, ValueType = c.ValueType);

@RuleName = "RuleName4"
c:[Type == incomingClaim, Value =~ incomingMatch] => issue(Type = type4, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = value4, ValueType = c.ValueType);

@RuleName = "RuleName5"
c:[Type == incomingClaim, Value =~ incomingMatch] => issue(Type = type5, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = value5, ValueType = c.ValueType);

It's still relatively easy to script in PowerShell, but using multiple rule names for claim rules that are essentially very similar is cumbersome. It would still be best if you could actually issue multiple claims in a single rule statement. I hope this can be added in the future.
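As an added example (not code from either answer above), the following PowerShell generates the near-identical rules that Answer 1 pastes into rules.txt from a small table, gives each one its own @RuleName as Answer 2 recommends, and handles the replace-versus-append point Answer 2 raises by reading the trust's current rules with Get-AdfsRelyingPartyTrust before writing them back with Set-AdfsRelyingPartyTrust. The relying party name SharePoint_Prod, the incoming claim type, the regular expression and the outgoing claim types and values are all placeholders; the incoming and outgoing string literals are quoted because the claim rule language requires it for real values.

```powershell
# Added example, not from the original answers. Assumes a relying party trust
# named SharePoint_Prod exists and that the ADFS PowerShell module/snap-in is loaded.
$RpName        = 'SharePoint_Prod'
$IncomingClaim = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'  # placeholder
$IncomingMatch = '^S-1-5-21-.*-1234$'                                                 # placeholder regex

# One row per outgoing claim; extend this table as the number of claims grows.
$Outgoing = @(
    @{ Name = 'Role-Reader'; Type = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'; Value = 'Reader' }
    @{ Name = 'Role-Editor'; Type = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'; Value = 'Editor' }
    @{ Name = 'Dept';        Type = 'http://example.com/claims/department';                       Value = 'Finance' }
)

function New-IssuanceRule {
    param([string]$Name, [string]$InType, [string]$InMatch, [string]$OutType, [string]$OutValue)
    # Every rule gets a distinct @RuleName; Issuer, OriginalIssuer and ValueType are
    # copied from the matched incoming claim exactly as in the rules in the answers.
    @"
@RuleName = "$Name"
c:[Type == "$InType", Value =~ "$InMatch"]
 => issue(Type = "$OutType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = "$OutValue", ValueType = c.ValueType);
"@
}

$newRules = ($Outgoing | ForEach-Object {
    New-IssuanceRule -Name $_.Name -InType $IncomingClaim -InMatch $IncomingMatch -OutType $_.Type -OutValue $_.Value
}) -join "`r`n"

# Set-AdfsRelyingPartyTrust replaces the whole issuance rule set, so to append
# rather than overwrite, read the existing rules first and put them in front.
$existing = (Get-AdfsRelyingPartyTrust -Name $RpName).IssuanceTransformRules
$combined = if ([string]::IsNullOrWhiteSpace($existing)) {
    $newRules
} else {
    $existing.TrimEnd() + "`r`n" + $newRules
}

# Review the complete rule set before applying it: a wrong regex or claim value
# here silently changes which users receive which claims.
$combined

Set-AdfsRelyingPartyTrust -TargetName $RpName -IssuanceTransformRules $combined
```

Writing the rules through -IssuanceTransformRules (a string) instead of -IssuanceTransformRulesFile avoids the intermediate file, but the same generated text can be written to rules.txt with Set-Content if you prefer to keep the file under version control and diff it before each change.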
