Define a SAML identity provider technical profile in an Azure Active Directory B2C custom policy

Note

In Azure Active Directory B2C, custom policies are designed primarily to address complex scenarios. For most scenarios, we recommend that you use the built-in user flows.

Azure Active Directory B2C (Azure AD B2C) supports SAML 2.0 identity providers. This article describes the specifics of a technical profile for interacting with a claims provider that supports this standardized protocol. With a SAML technical profile you can federate with a SAML-based identity provider, which lets your users sign in with their existing social or enterprise identities.

Metadata exchange

Metadata is the information a SAML party (a service provider or an identity provider) publishes to describe its configuration: the locations of its services such as sign-in and sign-out, its certificates, the sign-in method, and more. The identity provider uses the metadata to learn how to communicate with Azure AD B2C. Metadata is an XML document and may carry a digital signature so that the other party can verify its integrity. When Azure AD B2C federates with a SAML identity provider, it acts as the service provider: it initiates a SAML request and waits for the SAML response. In some cases it also accepts an unsolicited SAML response, known as identity-provider-initiated sign-in.

Metadata can be configured on either side as static or dynamic. In static mode, you copy the entire metadata document from one party and paste it into the other. In dynamic mode, you give one party the URL of the other party's metadata, and it reads the configuration from there; the trust then rests on whatever that URL serves, so it should be an HTTPS endpoint that you control or that the identity provider publishes officially. The principle is the same in both modes: you register the metadata of the Azure AD B2C technical profile with your identity provider, and you register the identity provider's metadata in Azure AD B2C.

Each SAML identity provider has its own steps for registering a service provider (in this case Azure AD B2C) and for importing the Azure AD B2C metadata. Look at your identity provider's documentation for guidance on how to do so.

The following example shows the URL of the SAML metadata of an Azure AD B2C technical profile:

https://your-tenant-name.b2clogin.cn/your-tenant-name/your-policy/samlp/metadata?idptp=your-technical-profile

Replace the following values:

  • your-tenant-name with the name of your tenant, for example fabrikam (so the host becomes fabrikam.b2clogin.cn).
  • your-policy with the name of your policy. Use the policy in which you configure the SAML provider technical profile, or a policy that inherits from it.
  • your-technical-profile with the name of your SAML identity provider technical profile.

Digital signing certificate exchange

To establish trust between Azure AD B2C and your SAML identity provider, you need a valid X.509 certificate with its private key. Upload the certificate with the private key (a .pfx file) to the Azure AD B2C policy key store. Azure AD B2C digitally signs the SAML sign-in request with the certificate you provide.

The certificate is used in the following ways:

  • Azure AD B2C generates a SAML request and signs it with the private key of its certificate. The request is sent to the identity provider, which validates the signature with the public key of that certificate. The Azure AD B2C public certificate is published in the technical profile metadata; alternatively, you can upload the .cer file to your SAML identity provider manually.
  • The identity provider signs the data it sends to Azure AD B2C with the private key of its own certificate, and Azure AD B2C validates that data with the identity provider's public certificate. Each identity provider has its own setup steps; look at the identity provider's documentation for guidance. In Azure AD B2C, your policy obtains the identity provider's public key from the identity provider's metadata.

A self-signed certificate is acceptable for most scenarios. For production environments, use an X.509 certificate issued by a certificate authority. As described later in this article, you can also disable SAML signing on both sides in a non-production environment; that removes the integrity check on the exchanged messages, so never leave it disabled in production.

The following diagram shows the metadata and certificate exchange:

[Diagram: metadata and certificate exchange]
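What the identity provider actually consumes at the metadata URL above is a service-provider EntityDescriptor. The following document is an added example, not a verbatim capture from a tenant: the element shapes follow the SAML 2.0 metadata schema, and the entityID, the certificate contents and the assertion consumer URL are assumed placeholders built from the URL patterns used on this page.

```xml
<!-- Illustrative Azure AD B2C service-provider metadata (added example, not a
     capture from a real tenant). entityID, certificates and endpoint URLs are
     assumed placeholders. -->
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://your-tenant-name.b2clogin.cn/your-tenant-name/your-policy/samlp/metadata?idptp=your-technical-profile">
  <!-- AuthnRequestsSigned mirrors the WantsSignedRequests metadata item,
       WantAssertionsSigned mirrors WantsSignedAssertions -->
  <SPSSODescriptor AuthnRequestsSigned="true"
                   WantAssertionsSigned="true"
                   protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <!-- Public half of the SamlMessageSigning key: the identity provider uses it
         to verify the signature on every AuthnRequest -->
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>MIIC...base64 DER of the signing certificate (placeholder)...</X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <!-- Public half of the SamlAssertionDecryption key: present only when
         WantsEncryptedAssertions is true; the identity provider encrypts the
         assertion to this certificate -->
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>MIIC...base64 DER of the encryption certificate (placeholder)...</X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <!-- Where the identity provider must POST the Response; it must match the
         Recipient attribute the identity provider puts in SubjectConfirmationData -->
    <AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://your-tenant.b2clogin.cn/your-tenant.partner.onmschina.cn/B2C_1A_TrustFrameworkBase/samlp/sso/assertionconsumer" />
  </SPSSODescriptor>
</EntityDescriptor>
```

Before sharing the metadata with the identity provider, fetch the metadata URL of your technical profile and check that the AuthnRequestsSigned and WantAssertionsSigned flags and the KeyDescriptor entries match the signing and encryption settings you intend; a mismatch here is the usual cause of "invalid signature" errors on one side or the other.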

Digital encryption

To encrypt the SAML response assertion, the identity provider uses the public key of an encryption certificate that Azure AD B2C publishes in the technical profile metadata. When Azure AD B2C needs to decrypt the data, it uses the private part of that encryption certificate.

To encrypt the SAML response assertion:

  1. Upload a valid X.509 certificate with its private key (a .pfx file) to the Azure AD B2C policy key store.
  2. Add a cryptographic key with the identifier SamlAssertionDecryption to the technical profile's CryptographicKeys collection. Set its StorageReferenceId to the name of the policy key you created in step 1.
  3. Set the technical profile metadata item WantsEncryptedAssertions to true.
  4. Update the identity provider with the new Azure AD B2C technical profile metadata. You should see a KeyDescriptor whose use attribute is set to encryption and which contains the public key of your certificate.

The following example shows the KeyDescriptor section of the SAML metadata used for encryption:

<KeyDescriptor use="encryption">
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <X509Data>
      <X509Certificate>valid certificate</X509Certificate>
    </X509Data>
  </KeyInfo>
</KeyDescriptor>

Protocol

The Name attribute of the Protocol element must be set to SAML2.

Input claims

The InputClaims element is used to send a NameId inside the Subject of the SAML AuthnRequest. To do so, add an input claim whose PartnerClaimType is set to subject, as shown below.

<InputClaims>
    <InputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="subject" />
</InputClaims>

Output claims

The OutputClaims element contains the list of claims returned by the SAML identity provider in the AttributeStatement section. You may need to map the name of a claim as defined in your policy to the name used by the identity provider. You can also include claims that the identity provider does not return, as long as you set the DefaultValue attribute.

Subject name output claim

To read the NameId from the Subject of the SAML assertion as a normalized claim, set the claim's PartnerClaimType to the value of the SPNameQualifier attribute. If the SPNameQualifier attribute is not present, set the claim's PartnerClaimType to the value of the NameQualifier attribute instead.

SAML assertion:

<saml:Subject>
  <saml:NameID SPNameQualifier="http://your-idp.com/unique-identifier" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">david@contoso.com</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="_cd37c3f2-6875-4308-a9db-ce2cf187f4d1" NotOnOrAfter="2020-02-15T16:23:23.137Z" Recipient="https://your-tenant.b2clogin.cn/your-tenant.partner.onmschina.cn/B2C_1A_TrustFrameworkBase/samlp/sso/assertionconsumer" />
  </saml:SubjectConfirmation>
</saml:Subject>

Output claim:

<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="http://your-idp.com/unique-identifier" />

If neither the SPNameQualifier nor the NameQualifier attribute is present in the SAML assertion, set the claim's PartnerClaimType to assertionSubjectName. Make sure the NameId is the first value in the assertion XML. When the response contains more than one assertion, Azure AD B2C takes the subject value from the last assertion.

The following example shows the claims returned by a SAML identity provider:

  • The issuerUserId claim is mapped to the assertionSubjectName claim.
  • The first_name claim is mapped to the givenName claim.
  • The last_name claim is mapped to the surname claim.
  • The name claim is mapped to the displayName claim.
  • The email claim is used without a name mapping.

The technical profile also returns claims that the identity provider does not return:

  • The identityProvider claim, which contains the name of the identity provider.
  • The authenticationSource claim, with a default value of socialIdpAuthentication.

<OutputClaims>
  <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="assertionSubjectName" />
  <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="first_name" />
  <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="last_name" />
  <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
  <OutputClaim ClaimTypeReferenceId="email"  />
  <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="contoso.com" />
  <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
</OutputClaims>

The OutputClaimsTransformations element may contain a collection of OutputClaimsTransformation elements that modify the output claims or generate new ones.

Metadata

The technical profile supports the following metadata items (attribute, whether it is required, and description):

PartnerEntity (Required: Yes)
    The URL of the SAML identity provider's metadata, or the metadata document itself: copy the identity provider metadata and place it inside a CDATA section, <![CDATA[Your IDP metadata]]>.

WantsSignedRequests (Required: No)
    Indicates whether the technical profile requires all outgoing authentication requests to be signed. Possible values: true or false. The default is true. When set to true, the SamlMessageSigning cryptographic key must be specified and every outgoing authentication request is signed. When set to false, the SigAlg and Signature parameters (query string or POST parameter) are omitted from the request. This item also controls the AuthnRequestsSigned attribute emitted in the metadata of the Azure AD B2C technical profile that you share with the identity provider. Azure AD B2C does not sign the request only when WantsSignedRequests is false and the identity provider metadata's WantAuthnRequestsSigned attribute is false or absent.

XmlSignatureAlgorithm (Required: No)
    The method Azure AD B2C uses to sign the SAML request. This item controls the value of the SigAlg parameter (query string or POST parameter) in the SAML request. Possible values: Sha256, Sha384, Sha512, or Sha1 (default). Configure the same signature algorithm on both sides, and use only an algorithm your certificate supports. The Sha1 default exists for compatibility; SHA-1 signatures are deprecated, so set Sha256 or stronger unless the identity provider cannot verify it.

WantsSignedAssertions (Required: No)
    Indicates whether the technical profile requires all incoming assertions to be signed. Possible values: true or false. The default is true. When set to true, every saml:Assertion element the identity provider sends to Azure AD B2C must be signed. When set to false, the identity provider should not sign the assertions, and even if it does, Azure AD B2C does not validate the signature. This item also controls the WantsAssertionsSigned flag emitted in the metadata of the Azure AD B2C technical profile that you share with the identity provider. If you disable assertion signature validation, you may also want to disable response signature validation (see ResponsesSigned).

ResponsesSigned (Required: No)
    Possible values: true or false. The default is true. When set to false, the identity provider should not sign the SAML response, and even if it does, Azure AD B2C does not validate the signature. When set to true, the SAML response the identity provider sends to Azure AD B2C is signed and must be validated. If you disable SAML response validation, you may also want to disable assertion signature validation (see WantsSignedAssertions). With both ResponsesSigned and WantsSignedAssertions set to false, Azure AD B2C performs no integrity check at all on what it receives from the identity provider; use that combination only in non-production environments.

WantsEncryptedAssertions (Required: No)
    Indicates whether the technical profile requires all incoming assertions to be encrypted. Possible values: true or false. The default is false. When set to true, the assertions the identity provider sends to Azure AD B2C must be encrypted, and the SamlAssertionDecryption cryptographic key must be specified. When set to true, the metadata of the Azure AD B2C technical profile includes the encryption section; the identity provider reads the metadata and encrypts the SAML response assertion with the public key published there. If you enable assertion encryption, you may also need to disable response signature validation (see ResponsesSigned).

NameIdPolicyFormat (Required: No)
    Specifies constraints on the name identifier used to represent the requested subject. If omitted, any type of identifier the identity provider supports for the requested subject can be used. For example, urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified. NameIdPolicyFormat can be combined with NameIdPolicyAllowCreate. Look at your identity provider's documentation for the name ID policies it supports.

NameIdPolicyAllowCreate (Required: No)
    When using NameIdPolicyFormat, you can also specify the AllowCreate attribute of the NameIDPolicy element. The value is true or false and indicates whether the identity provider is allowed to create a new account during the sign-in flow. Look at your identity provider's documentation for guidance.

AuthenticationRequestExtensions (Required: No)
    Optional protocol message extension elements agreed between Azure AD B2C and the identity provider. The extension is expressed in XML; add the XML inside a CDATA section, <![CDATA[your extension XML]]>. Check your identity provider's documentation to see whether the Extensions element is supported.

IncludeAuthnContextClassReferences (Required: No)
    Specifies one or more URI references identifying authentication context classes. For example, to allow a user to sign in with username and password only, set the value to urn:oasis:names:tc:SAML:2.0:ac:classes:Password. To allow sign-in with username and password over a protected session (SSL/TLS), specify PasswordProtectedTransport. Look at your identity provider's documentation for the AuthnContextClassRef URIs it supports. Specify multiple URIs as a comma-delimited list.

IncludeKeyInfo (Required: No)
    Indicates whether the SAML authentication request includes the public key of the signing certificate when the binding is HTTP-POST. Possible values: true or false.

IncludeClaimResolvingInClaimsHandling (Required: No)
    For input and output claims, specifies whether claims resolution is included in the technical profile. Possible values: true or false (default). If you want to use a claims resolver in the technical profile, set this to true.
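To make the effect of these metadata items concrete, here is the kind of AuthnRequest they produce. This is an added, illustrative message, not a request captured from Azure AD B2C: the element order follows the SAML 2.0 protocol schema, and the ID, IssueInstant, Issuer, Destination and extension values are assumed placeholders.

```xml
<!-- Illustrative AuthnRequest showing where each technical profile metadata
     item ends up (added example, not a captured request). ID, IssueInstant,
     Issuer, Destination and the extension element are assumed placeholders. -->
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_6f1c2a8e-0000-4000-8000-000000000000"
                    Version="2.0"
                    IssueInstant="2020-02-15T16:18:23.137Z"
                    Destination="https://your-idp.com/saml2/sso"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    AssertionConsumerServiceURL="https://your-tenant.b2clogin.cn/your-tenant.partner.onmschina.cn/B2C_1A_TrustFrameworkBase/samlp/sso/assertionconsumer">
  <saml:Issuer>https://your-tenant.b2clogin.cn/your-tenant.partner.onmschina.cn/B2C_1A_TrustFrameworkBase</saml:Issuer>
  <!-- WantsSignedRequests="true": with HTTP-POST an enveloped ds:Signature
       would sit here (its digest/signature method follows XmlSignatureAlgorithm);
       with HTTP-Redirect the signature travels in the SigAlg and Signature
       query-string parameters instead of inside the XML. -->
  <!-- AuthenticationRequestExtensions: the CDATA content is emitted verbatim -->
  <samlp:Extensions>
    <ext:Example xmlns:ext="urn:example:extensions">value agreed with the identity provider</ext:Example>
  </samlp:Extensions>
  <!-- InputClaim with PartnerClaimType="subject" becomes this NameID -->
  <saml:Subject>
    <saml:NameID>david@contoso.com</saml:NameID>
  </saml:Subject>
  <!-- NameIdPolicyFormat and NameIdPolicyAllowCreate -->
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                      AllowCreate="true" />
  <!-- IncludeAuthnContextClassReferences: one AuthnContextClassRef per
       comma-separated URI -->
  <samlp:RequestedAuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
```

When an identity provider rejects the request, decode the SAMLRequest parameter from the browser trace (base64, and DEFLATE-inflated for HTTP-Redirect) and compare it with this shape: a missing Signature, a NameIDPolicy Format the provider does not support, or an AuthnContextClassRef it cannot satisfy are the items to check first.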

Cryptographic keys

The CryptographicKeys element contains the following keys, referenced by Id:

SamlMessageSigning (Required: Yes)
    The X.509 certificate (RSA key set) used to sign SAML messages. Azure AD B2C uses this key to sign the requests it sends to the identity provider.

SamlAssertionDecryption (Required: No)
    The X.509 certificate (RSA key set) used for assertion encryption. The SAML identity provider uses the public part of the certificate to encrypt the assertion of the SAML response; Azure AD B2C uses the private part to decrypt it.

MetadataSigning (Required: No)
    The X.509 certificate (RSA key set) used to sign SAML metadata. Azure AD B2C uses this key to sign the metadata it publishes.
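The page describes the pieces of a SAML identity provider technical profile one at a time (the encryption steps under Digital encryption, the Protocol, InputClaims, OutputClaims, Metadata and CryptographicKeys sections). The following complete technical profile is an added example that puts them together; it is not copied from this page or from Microsoft's sample policies. The ClaimsProvider and TechnicalProfile names, the policy key names B2C_1A_SamlIdpSigningCert and B2C_1A_SamlIdpEncryptionCert, and the identity provider metadata URL https://your-idp.com/metadata are assumptions, and the key elements use the <Key Id="..." StorageReferenceId="..."/> form of the custom-policy schema.

```xml
<!-- Added example of a complete SAML identity provider technical profile.
     Assumed values: the ClaimsProvider/TechnicalProfile names, the policy key
     names B2C_1A_SamlIdpSigningCert and B2C_1A_SamlIdpEncryptionCert, and the
     identity provider metadata URL. -->
<ClaimsProvider>
  <Domain>contoso.com</Domain>
  <DisplayName>Contoso SAML identity provider</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="Contoso-SAML2">
      <DisplayName>Contoso</DisplayName>
      <Protocol Name="SAML2" />
      <Metadata>
        <!-- Identity provider metadata: a URL (dynamic), or the metadata
             document itself inside a CDATA section (static) -->
        <Item Key="PartnerEntity">https://your-idp.com/metadata</Item>
        <!-- Sign every outgoing AuthnRequest, and do not leave the Sha1 default -->
        <Item Key="WantsSignedRequests">true</Item>
        <Item Key="XmlSignatureAlgorithm">Sha256</Item>
        <!-- Validate the signature on both the Response and each Assertion -->
        <Item Key="ResponsesSigned">true</Item>
        <Item Key="WantsSignedAssertions">true</Item>
        <!-- Require the identity provider to encrypt the assertion to the
             SamlAssertionDecryption certificate published in our metadata -->
        <Item Key="WantsEncryptedAssertions">true</Item>
        <Item Key="NameIdPolicyFormat">urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</Item>
        <Item Key="NameIdPolicyAllowCreate">true</Item>
        <Item Key="IncludeAuthnContextClassReferences">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</Item>
        <!--
          Non-production only. With these two items set to false, Azure AD B2C
          checks no signature on what arrives at the assertion consumer
          endpoint, so a forged Response is indistinguishable from a genuine
          one. Never ship a policy with them:
          <Item Key="ResponsesSigned">false</Item>
          <Item Key="WantsSignedAssertions">false</Item>
        -->
      </Metadata>
      <CryptographicKeys>
        <!-- .pfx in the policy key store: the private key signs requests, the
             public half is published as KeyDescriptor use="signing" -->
        <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SamlIdpSigningCert" />
        <!-- .pfx whose public half is published as KeyDescriptor use="encryption";
             the private key decrypts the assertion -->
        <Key Id="SamlAssertionDecryption" StorageReferenceId="B2C_1A_SamlIdpEncryptionCert" />
      </CryptographicKeys>
      <InputClaims>
        <!-- Sent as the NameID inside the Subject of the AuthnRequest -->
        <InputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="subject" />
      </InputClaims>
      <OutputClaims>
        <!-- Subject NameID: this identity provider sets neither SPNameQualifier
             nor NameQualifier, so the assertionSubjectName mapping applies -->
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="assertionSubjectName" />
        <!-- AttributeStatement attributes, mapped to the policy's claim names -->
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="first_name" />
        <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="last_name" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
        <OutputClaim ClaimTypeReferenceId="email" />
        <!-- Not returned by the identity provider; filled from DefaultValue -->
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="contoso.com" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
      </OutputClaims>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

The signing and encryption certificates are deliberately separate keys: the signing key's public half is what the identity provider trusts for your requests, while the encryption key's private half is what protects assertion confidentiality, so rotating one does not force you to re-exchange the other. After uploading the profile, re-fetch the technical profile metadata URL and confirm that it now carries both KeyDescriptor entries before updating the identity provider.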

SAML entityID customization

If you have multiple SAML applications that depend on different entityID values, you can override the IssuerUri value in your relying party file. To do so, copy the technical profile with the Id "Saml2AssertionIssuer" from the base file and override its IssuerUri metadata item.

Tip

Copy the <ClaimsProviders> section from the base file and keep these elements inside the claims provider: the <DisplayName>Token Issuer</DisplayName> of the claims provider, the <TechnicalProfile Id="Saml2AssertionIssuer"> element, and the technical profile's own <DisplayName>Token Issuer</DisplayName>.

Example:

<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Token Issuer</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="Saml2AssertionIssuer">
        <DisplayName>Token Issuer</DisplayName>
        <Metadata>
          <Item Key="IssuerUri">customURI</Item>
        </Metadata>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpInSAML" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="SAML2" />
    <Metadata>
    …