I have an application linked to Microsoft Entra; I set this application (App1) up as an enterprise application to use SSO. The application does not have many users (3). It is intended to use SAML.
Some settings: certificate; list of claims returned by Entra
On the other side I have a B2C tenant that is meant to use this Microsoft Entra application for SSO, and I need to retrieve the email address belonging to the signed-in user.
I have copied the certificate from Microsoft Entra and added it to the SamlAssertionSigning metadata (done in B2C through the portal); the other certificate, SamlMessageSigning, is a new certificate.
The main problem is that I cannot get the information from the SAML assertion (Entra application).
I have the following code:
<TechnicalProfile Id="MsEntraId-SAML2">
  <DisplayName>Salesforce</DisplayName>
  <Description>Entra SAML</Description>
  <Protocol Name="SAML2" />
  <Metadata>
    <!-- <Item Key="RequestsSigned">false</Item> -->
    <Item Key="ResponsesSigned">false</Item>
    <Item Key="WantsEncryptedAssertions">false</Item>
    <Item Key="WantsSignedAssertions">false</Item>
    <Item Key="PartnerEntity">https://login.microsoftonline.com/<guidhere>/federationmetadata/2007-06/federationmetadata.xml</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_EntraMs" />
    <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_MsEntraSAMLCert" />
  </CryptographicKeys>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="UserPrincipalName" />
    <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
    <OutputClaim ClaimTypeReferenceId="Email" Required="true" PartnerClaimType="Email" />
    <OutputClaim ClaimTypeReferenceId="objectid" PartnerClaimType="Subject" />
    <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="userprincipalname" DefaultValue="not found" />
    <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="user.givenname" />
    <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name" />
    <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="user.mail" />
    <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="username" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
    <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="entra.com" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
    <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
    <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
    <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
  </OutputClaimsTransformations>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-idp" />
</TechnicalProfile>
Then my relying party has the following:
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignInMsEntra" />
  <UserJourneyBehaviors>
    <ScriptExecution>Allow</ScriptExecution>
  </UserJourneyBehaviors>
  <!-- <Endpoints> -->
  <!-- points to refresh token journey when app makes refresh token request -->
  <!-- <Endpoint Id="Token" UserJourneyReferenceId="RedeemRefreshToken" /> -->
  <!-- </Endpoints> -->
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="userprincipalname" PartnerClaimType="UserPrincipalName" />
      <OutputClaim ClaimTypeReferenceId="Email" />
      <OutputClaim ClaimTypeReferenceId="objectid" />
      <OutputClaim ClaimTypeReferenceId="issuerUserId" />
      <OutputClaim ClaimTypeReferenceId="displayName" />
      <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
      <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
      <OutputClaim ClaimTypeReferenceId="givenName" />
      <OutputClaim ClaimTypeReferenceId="surname" />
      <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="user.mail" />
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>
So far the email has not come back; the userPrincipalName all comes from B2C, and the rest that is linked to Entra does not show up.
The claims did not follow the expected names; this will fix the email address problem.
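The practical check behind the last remark is to look at the attribute names the identity provider actually puts in the assertion and compare them with the PartnerClaimType strings in the technical profile, since B2C matches the two as literal strings. The script below is an added example and is not code from the question or from Microsoft; it decodes a SAMLResponse as captured from the browser POST, lists every Attribute Name, and reports which PartnerClaimType values from the question have no match. The sample response is constructed, and its attribute names are assumed to be the default claim URIs an Entra ID enterprise application emits; the authoritative list is the application's "Attributes & Claims" page or a real capture.

```python
"""List the attribute names in a SAML Response and compare them with the
PartnerClaimType values a B2C technical profile expects.

Added example, not code from the original question. The attribute names in
the constructed sample follow the default claim URIs an Entra ID enterprise
application emits (an assumption; confirm against the app's
"Attributes & Claims" page or a captured SAMLResponse)."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed, unsigned sample Response; placeholders stand in for the tenant
# and user identifiers a real message would carry.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_asrt1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
    <saml:Subject><saml:NameID>USER-OBJECT-ID-PLACEHOLDER</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid"><saml:AttributeValue>TENANT-ID-PLACEHOLDER</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier"><saml:AttributeValue>USER-OBJECT-ID-PLACEHOLDER</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# The POST binding carries the Response Base64-encoded in the SAMLResponse
# form field; that is the form a browser capture of the sign-in shows.
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode("utf-8")).decode("ascii")


def decode_saml_response(b64_text):
    """Decode the SAMLResponse form field back to XML text."""
    return base64.b64decode(b64_text).decode("utf-8")


def parse_saml_response(xml_text):
    """Return issuer, NameID, signature presence and a {Name: [values]} map.

    ElementTree is adequate for a capture you produced yourself; for XML from
    an untrusted source use defusedxml, which refuses entity expansion."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (is the assertion encrypted?)")
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return {
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "assertion_signed": assertion.find("ds:Signature", NS) is not None,
        "response_signed": root.find("ds:Signature", NS) is not None,
        "attributes": attributes,
    }


def unmatched_partner_claims(parsed, partner_claim_types):
    """PartnerClaimType values with no Attribute of exactly that Name.

    The match is a plain string comparison, so a short name such as "Email"
    never matches a claim whose Name is a URI."""
    return [p for p in partner_claim_types if p not in parsed["attributes"]]


# PartnerClaimType values taken from the question's technical profile.
QUESTION_PARTNER_CLAIMS = ["Email", "userprincipalname", "user.givenname",
                           "family_name", "user.mail", "username"]

if __name__ == "__main__":
    parsed = parse_saml_response(decode_saml_response(SAMPLE_RESPONSE_B64))
    print("NameID:", parsed["name_id"], "| assertion signed:", parsed["assertion_signed"])
    for name, values in parsed["attributes"].items():
        print(f"{name} -> {values}")
    print("unmatched PartnerClaimType values:",
          unmatched_partner_claims(parsed, QUESTION_PARTNER_CLAIMS))
```

Run it against a real capture by replacing SAMPLE_RESPONSE_B64 with the SAMLResponse form value; every PartnerClaimType the script lists as unmatched will come back empty in B2C, which is the symptom described above. The signature flags are there because the profile in the question sets ResponsesSigned and WantsSignedAssertions to false: once the claim names are fixed, those should go back to true so that B2C verifies the Entra signature with the SamlAssertionSigning certificate rather than accepting any well-formed assertion.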