I'm trying to issue a new claim by combining the saml:Issuer and the saml:NameID. Is this possible through a custom transformation rule?

At first I thought I could use .Issuer or .OriginalIssuer, but it seems that upon transformation ADFS changes those values to the audience URL instead (http://adfstest.tst.adfstst.gov/adfs/services/trust).

The following is an example of the SAML response:

<!-- SAML 2.0 Response from the OpenAM IdP (https://test.tst.tst.gov:443/openam_s951) to the
     ADFS assertion consumer endpoint. Signature value and certificate are elided ("...").
     Identifier values relevant to the question above:
       * response Issuer, assertion Issuer and NameID/@NameQualifier all carry the IdP entity ID;
       * Conditions/AudienceRestriction/Audience carries the ADFS identifier
         (http://adfstest.tst.adfstst.gov/adfs/services/trust), i.e. the value the asker
         sees in .Issuer after transformation. -->
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="s224131481a93459a57f69c1bfef9fb86874568dc6" InResponseTo="id-50fbee27-151a-40dd-99fb-2e67678084a1" Version="2.0" IssueInstant="2011-04-21T15:26:12Z" Destination="https://adfstest.tst.adfstst.gov/adfs/ls/">
  <!-- Response-level Issuer: the IdP entity ID (same value as the assertion Issuer below). -->
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://test.tst.tst.gov:443/openam_s951</saml:Issuer>
  <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <samlp:StatusCode  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Value="urn:oasis:names:tc:SAML:2.0:status:Success">
    </samlp:StatusCode>
  </samlp:Status>
  <!-- The assertion is the signed unit: ds:Reference/@URI below points at this ID, so the
       outer Response element itself is not covered by the signature. -->
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="s2b721b9b7f85b007211e249a3d270391ad5b3f730" IssueInstant="2011-04-21T15:26:03Z" Version="2.0">
    <saml:Issuer>https://test.tst.tst.gov:443/openam_s951</saml:Issuer>
    <!-- Enveloped XML signature over the assertion (exclusive C14N).
         NOTE(review): rsa-sha1 and the sha1 digest are deprecated for XML DSig; a current
         deployment should sign with RSA-SHA256 and the verifier should reject SHA-1. -->
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <!-- URI matches saml:Assertion/@ID above: the digest covers the assertion element. -->
        <ds:Reference URI="#s2b721b9b7f85b007211e249a3d270391ad5b3f730">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>mXUwZ/Qmbv06LXkglEabDnB3dug=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>...
      </ds:SignatureValue>
      <!-- Signing certificate embedded in the message; the SP should match it against the
           IdP key it trusts from metadata rather than trusting the embedded value alone. -->
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>...
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <!-- NameID is an LDAP DN here (format "unspecified"); NameQualifier repeats the IdP entity ID. -->
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="https://test.tst.tst.gov:443/openam_s951">CN=Mike.Saunders,OU=Users,OU=EXTERNAL,DC=test,DC=test,DC=test,DC=gov</saml:NameID>
      <!-- Bearer confirmation: the SP must check Recipient, NotOnOrAfter and InResponseTo
           against its own endpoint, its clock and the outstanding AuthnRequest ID. -->
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="id-50fbee27-151a-40dd-99fb-2e67678084a1" NotOnOrAfter="2011-04-21T15:36:10Z" Recipient="https://adfstest.tst.adfstst.gov/adfs/ls/"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <!-- 20 minute validity window and the audience (ADFS identifier) this assertion is issued to. -->
    <saml:Conditions NotBefore="2011-04-21T15:16:12Z" NotOnOrAfter="2011-04-21T15:36:12Z">
      <saml:AudienceRestriction>
        <saml:Audience>http://adfstest.tst.adfstst.gov/adfs/services/trust</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <!-- Authentication context the IdP asserts for this session. -->
    <saml:AuthnStatement AuthnInstant="2011-04-21T15:25:51Z" SessionIndex="s2e5f72dce1e769b18410b4f0f3818ad1070453801">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <!-- All attribute values are typed xs:string; the IdP session attributes are in seconds/minutes
         as the IdP defines them (not stated here). -->
    <saml:AttributeStatement>
      <!-- NOTE(review): ssoTokenId looks like a URL-encoded IdP session token; treat it as a
           secret and redact it before sharing samples. -->
      <saml:Attribute Name="ssoTokenId">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">AQIC5wM2LY4SfcygZIrQ4xys%2FBGj9X8JIj7hPR%2BMt7v8%2FMA%3D%40AAJTSQACMDE%3D%23</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="maxSessionTime">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">120</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="timeLeft">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">7167</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="maxIdleTime">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">30</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="idleTime">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">5</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="authLevel">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">0</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>

解决方案

Something like this:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
=> issue(
  Type = "_zort", 
  Value = c.Issuer + ":" + c.Value);

HTH!

许可以下: CC-BY-SA归因