Custom ID Tokens in AD FS


The article here shows how to build an app that uses AD FS for OpenID Connect sign-on. However, by default there is only a fixed set of claims available in the id_token. AD FS 2016 has the capability to customize the id_token in OpenID Connect scenarios.

When are custom ID tokens used?

In certain scenarios the client application does not have a resource that it is trying to access, so it does not really need an access token. In such cases the client application essentially needs only an ID token, but with some additional claims to support its functionality.

What are the restrictions on getting custom claims in the ID token?

Scenario 1


  1. response_mode is set as form_post
  2. Only public clients can get custom claims in the ID token
  3. The Relying Party identifier should be the same as the client identifier

Scenario 2


With KB4019472 installed on your AD FS servers:

  1. response_mode is set as form_post
  2. Assign the scope allatclaims to the client – RP pair. You can assign the scope by using the Grant-AdfsApplicationPermission cmdlet as indicated in the example below:

    Grant-AdfsApplicationPermission -ClientRoleIdentifier "https://my/privateclient" -ServerRoleIdentifier "https://rp/fedpassive" -ScopeNames "allatclaims","openid"

Creating an OAuth application to handle custom claims in the ID token

Use the article here to create an application that uses AD FS for OpenID Connect sign-on. Then follow the steps below to configure the application in AD FS so that it receives an ID token with custom claims.

Create the Application Group in AD FS 2016

  1. Create an application group based on the new template, shown below, called CustomTokenClient.
  2. This template creates a confidential client. Note the identifier and specify the return URI as the SSL URL of the VS project.
  3. In the next step, select Generate a shared secret to create client credentials and copy the client credentials generated.
  4. Click Next and proceed to complete the wizard.


Create the Relying Party

In order to add custom claims to the ID token, you need to create an RP whose claims will be added to the ID token. Use the Add Relying Party Trust wizard to create a new relying party as shown below:


After the relying party is created, right-click the relying party entry and select Edit claim issuance policy to add claim issuance rules. Add the custom claims required for the ID token as shown below:


Assign the “allatclaims” scope to the pair of client and relying party

Using PowerShell on the AD FS server, assign the new allatclaims scope as given in the example below (change the client ID and server identifier to match your environment):

    Grant-AdfsApplicationPermission -ClientRoleIdentifier "5db77ce4-cedf-4319-85f7-cc230b7022e0" -ServerRoleIdentifier "https://customidrp1/" -ScopeNames "allatclaims","openid"


Change the ClientRoleIdentifier and ServerRoleIdentifier according to your application settings.
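The following script is an added example, not part of the original article, that carries out the two preceding sections from PowerShell instead of the wizard: it creates the relying party trust with issuance transform rules for the claims that should land in the id_token, grants the client/RP pair the allatclaims and openid scopes, and then reads the permission back to confirm the grant. The client and RP identifiers are the article's values; the trust name, the choice of givenName and mail attributes, and the scope-existence check are assumptions for illustration. Run it in an elevated PowerShell session on an AD FS server.

```powershell
# Added example (not from the original article). Assumed values are marked below.
$clientId     = "5db77ce4-cedf-4319-85f7-cc230b7022e0"   # client identifier from the application group (article value)
$rpIdentifier = "https://customidrp1/"                    # relying party identifier (article value)
$rpName       = "CustomIdRP"                              # assumed display name for the relying party trust

# Issuance transform rule in the AD FS claim rule language: look up givenName and mail in
# Active Directory for the authenticated Windows account. Only claims issued by the RP's
# rules (plus the defaults) can appear in the id_token, so this is where the custom claims come from.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send givenName and mail as claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";givenName,mail;{0}", param = c.Value);
'@

# Issuance authorization rule: permit every authenticated user to obtain a token for this RP.
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Create the relying party trust only if it does not exist yet (idempotent re-runs).
if (-not (Get-AdfsRelyingPartyTrust -Identifier $rpIdentifier)) {
    Add-AdfsRelyingPartyTrust -Name $rpName `
        -Identifier $rpIdentifier `
        -IssuanceTransformRules $issuanceRules `
        -IssuanceAuthorizationRules $authorizationRules
}

# Scenario 2 depends on the allatclaims scope, which KB4019472 adds to the farm.
# Fail early if the scope description is missing instead of granting a scope that does not exist.
if (-not (Get-AdfsScopeDescription -Name "allatclaims" -ErrorAction SilentlyContinue)) {
    throw "Scope 'allatclaims' is not defined on this farm; confirm KB4019472 is installed on every AD FS server."
}

# Grant the client/RP pair both scopes. openid is required for an id_token to be issued at all.
$existing = Get-AdfsApplicationPermission -ClientRoleIdentifiers $clientId |
    Where-Object { $_.ServerRoleIdentifier -eq $rpIdentifier }
if (-not $existing) {
    Grant-AdfsApplicationPermission -ClientRoleIdentifier $clientId `
        -ServerRoleIdentifier $rpIdentifier `
        -ScopeNames "allatclaims", "openid"
}

# Verification: read the permission back. Without allatclaims the id_token keeps the default claim set.
$permission = Get-AdfsApplicationPermission -ClientRoleIdentifiers $clientId |
    Where-Object { $_.ServerRoleIdentifier -eq $rpIdentifier }
$permission | Select-Object ClientRoleIdentifier, ServerRoleIdentifier, ScopeNames

foreach ($scope in @("allatclaims", "openid")) {
    if ($permission.ScopeNames -notcontains $scope) {
        Write-Warning "Scope '$scope' is not granted to $clientId for $rpIdentifier; adjust the permission before testing."
    }
}
```

The scope is granted per client/RP pair, so a second client using the same relying party needs its own Grant-AdfsApplicationPermission call; the read-back at the end is the check to run whenever the id_token unexpectedly comes back with only the default claims.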

Test the custom claims in the ID token

Then, using the same bit of code you have always used to access claims, you can see the additional claims that have become part of the id_token. For example, in a .NET MVC sample app, open one of the controller files and enter code like the below:

    public ActionResult About()
    {
        // The OWIN OpenID Connect middleware maps the id_token claims onto the current principal
        ClaimsPrincipal cp = ClaimsPrincipal.Current;

        // GivenName is one of the custom claims issued through the relying party's issuance rules;
        // fall back to a placeholder if the claim was not issued rather than dereferencing null
        string userName = cp.FindFirst(ClaimTypes.GivenName)?.Value ?? "unknown";
        ViewBag.Message = String.Format("Hello {0}!", userName);
        return View();
    }
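As an added example that is not part of the original article, the script below inspects an id_token directly rather than through the MVC controller: it splits the compact JWS, base64url-decodes the header and payload, and reports which of the expected custom claims are present and which are missing. The token is constructed inline from a sample payload (the issuer URL and claim values are invented for illustration; the audience is the article's client ID) so the script runs without an AD FS server. It deliberately does not validate the signature; that remains the job of the middleware, and this decoder is only for checking which claims AD FS put into the token.

```powershell
# Added example (not from the original article). The sample token below is constructed, not captured.

function ConvertTo-Base64Url {
    param([string]$Text)
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text))
    # JWT segments use the URL-safe alphabet without padding
    $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url {
    param([string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    # Restore the padding that base64url strips so .NET's decoder accepts it
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Test-IdTokenClaims {
    param(
        [Parameter(Mandatory)][string]$IdToken,
        [string[]]$ExpectedClaims = @()
    )
    $parts = $IdToken.Split('.')
    if ($parts.Count -ne 3) {
        throw "Not a compact JWS: expected 3 dot-separated segments, got $($parts.Count)"
    }
    $header  = ConvertFrom-Base64Url $parts[0] | ConvertFrom-Json
    $payload = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json

    $present = @($payload.PSObject.Properties.Name)
    $missing = @($ExpectedClaims | Where-Object { $present -notcontains $_ })

    [pscustomobject]@{
        Algorithm     = $header.alg
        Issuer        = $payload.iss
        Audience      = $payload.aud
        Claims        = $present
        MissingClaims = $missing
    }
}

# Constructed sample: a header announcing RS256 (what AD FS uses), a payload carrying two of the
# custom claims, and a placeholder signature segment. The issuer URL is an assumption.
$sampleHeader  = 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9'   # {"alg":"RS256","typ":"JWT"}
$samplePayload = '{"aud":"5db77ce4-cedf-4319-85f7-cc230b7022e0","iss":"https://adfs.example.com/adfs","given_name":"Alice","family_name":"Example"}'
$sampleToken   = @($sampleHeader, (ConvertTo-Base64Url $samplePayload), 'c2lnbmF0dXJl') -join '.'

# Expect three custom claims; the constructed token carries only two, so email is reported missing.
$result = Test-IdTokenClaims -IdToken $sampleToken -ExpectedClaims 'given_name', 'family_name', 'email'
$result | Format-List

if ($result.MissingClaims.Count -gt 0) {
    Write-Warning ("Claims absent from the id_token: {0}. Check the RP issuance rules and the allatclaims grant." -f ($result.MissingClaims -join ', '))
}
```

To inspect a real token, paste the id_token value from the form_post response into the -IdToken parameter; when the expected claim names come back under MissingClaims, the usual causes are an issuance rule that was not added to the relying party or the allatclaims scope not being granted to that client/RP pair.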