ADFS + OpenID Connect Email and External ADFS

I'm having difficulty setting up ADFS with OpenID Connect on Windows Server 2016.

I have configured AD for testing, and I can successfully authenticate, but the email claim is not included in the id token.

In addition, I configured an external ADFS as a claims provider trust. It is displayed as an option, however, when I log in, I get an error message:

    MSIS9642: The request cannot be completed because an id token is required but the server was unable to construct an id token for the current user.

Anyone have any suggestions on how to fix this?

2 answers

MSIS9642 , OpenID Connect ADFS 2016 . . , , .

AnchorClaimType.

ADFS , AD AUTHORITY AnchorClaimType

    Foo://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname

, powershell get-adfsclaimsprovidertrust.

OpenID Active Directory.

Trust Provider Trust AnchorClaimType. OpenID , , . OpenID .

, :

a) , RTM Windows Server 2016. , powershell AnchorClaimType CTP, .

b) , . Azure Active Directory , - foo://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

c) AnchorTypeClaim Trust Provider Trust powershell

    set-adfsclaimsprovidertrust -targetidentifier -AnchorClaimType http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

( powershell get-adfsclaimsprovidertrust)

d) , , Name

,

+6

AnchorClaimType (CPT), Windows Server 2016 TP5 ( ) .

:

  • CPT , CPT.
  • powershell Add-AdfsClaimsProviderTrust
    • (. )
    • URL + -AnchorClaimType "yourAnchorClaimValue".
  • , .

PS :

    [String]$ClaimProviderTrustName = "YourCPTName"
    [String]$MetaDataURL = "https://..."
    [String]$AnchorClaimType = "YourAnchorClaimValue"
    Add-AdfsClaimsProviderTrust -Name $ClaimProviderTrustName -MetadataUrl $MetaDataURL -AnchorClaimType $AnchorClaimType
0
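An added example (not from either answer above) that audits the AnchorClaimType of every claims provider trust on the farm, since a trust without one is what produces MSIS9642 for OpenID Connect sign-ins, and then sets the anchor on the trusts that lack it. The function names, the default claim type and the -DryRun switch are my own; the ADFS cmdlets and properties are the standard ones.

```powershell
# Audit claims provider trusts for a missing AnchorClaimType and set it.
# Run in an elevated PowerShell session on an ADFS 2016 server.
Import-Module ADFS

function Get-CptAnchorReport {
    # One row per claims provider trust; NeedsFix is true when no anchor is set.
    Get-AdfsClaimsProviderTrust | ForEach-Object {
        [PSCustomObject]@{
            Name            = $_.Name
            Identifier      = $_.Identifier
            AnchorClaimType = $_.AnchorClaimType
            NeedsFix        = [string]::IsNullOrEmpty($_.AnchorClaimType)
        }
    }
}

function Set-CptAnchorClaimType {
    param(
        [Parameter(Mandatory)][string]$Name,
        # Assumed default: the 'name' claim type used in the first answer.
        [string]$AnchorClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',
        [switch]$DryRun
    )
    $cpt = Get-AdfsClaimsProviderTrust -Name $Name
    if (-not $cpt) { throw "Claims provider trust '$Name' not found" }
    if ($cpt.AnchorClaimType -eq $AnchorClaimType) {
        Write-Host "$Name is already anchored on $AnchorClaimType"
        return
    }
    if ($DryRun) {
        Write-Host "Would set AnchorClaimType of $Name to $AnchorClaimType"
        return
    }
    Set-AdfsClaimsProviderTrust -TargetName $Name -AnchorClaimType $AnchorClaimType
    Write-Host "Set AnchorClaimType of $Name to $AnchorClaimType"
}

# Report first, then show what would change; drop -DryRun to apply.
Get-CptAnchorReport | Format-Table -AutoSize
Get-CptAnchorReport | Where-Object NeedsFix | ForEach-Object {
    Set-CptAnchorClaimType -Name $_.Name -DryRun
}
```

The anchor claim must be one the external claims provider actually issues for every user, otherwise the id token still cannot be built.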

Source: https://habr.com/ru/post/1627982/
