trn:iam::2100138260:user/kazami@kazami.tech,trn:iam::2100138260:saml-provider/AAD-ASTERISM
trn:iam::2100138260:user/kazami139@vtb.link,trn:iam::2100138260:saml-provider/AAD-ASTERISM
https://www.volcengine.com/docs/6257/145128
In the document above, step 4, item d, part ii mentions the identity attribute: configure the name as https://www.volcengine.com/SAML/Attributes/Identity, with the value being the trn of the role or user to log in as, and configure as many identity attribute claims as there are roles or users to log in as.
According to the description at https://www.volcengine.com/docs/6257/162961#samlresponse%E7%A4%BA%E4%BE%8B, the configuration for multiple attribute claims looks like this:
<saml:Attribute Name="https://www.volcengine.com/SAML/Attributes/Identity">
<saml:AttributeValue>trn:iam::{$AccountID}:role/{$RoleName},trn:iam::{$AccountID}:saml-provider/{$SAMLProviderName}</saml:AttributeValue>
<saml:AttributeValue>trn:iam::{$AccountID}:user/{$UserName},trn:iam::{$AccountID}:saml-provider/{$SAMLProviderName}</saml:AttributeValue>
</saml:Attribute>
However, the Microsoft side does not currently seem to be able to assign multiple values to a single attribute (for example the Identity attribute here) so that we can assign several accounts to log in with.
I have already tried separating the multiple trns with ",", ";" and newline characters, but none of them achieve the effect shown in the Volcengine documentation example; the actual result is always that all trns end up on a single line (inside one attribute value). This may be a Microsoft AAD problem: a single attribute in the custom outbound SAML response cannot be configured with multiple values.
<samlp:Response ID="_ee757c63-6fc2-45fa-a0d1-b5ce46ea0a6b" Version="2.0" IssueInstant="2023-05-10T15:01:12.175Z" Destination="https://signin.volcengine.com/saml/sso" InResponseTo="volc_ae87af53-a123-47ec-bb1f-71ded06fd90c" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/0c9c8bbb-e1d2-4d8e-bc1c-10fdc1063999/</Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<Assertion ID="_0094afbe-a0e9-4ee4-81ab-c7cf114a6900" IssueInstant="2023-05-10T15:01:12.169Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>https://sts.windows.net/0c9c8bbb-e1d2-4d8e-bc1c-10fdc1063999/</Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_0094afbe-a0e9-4ee4-81ab-c7cf114a6900">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>gyM2LoxNXKb2cPZVO7lVjg9bxsNWWyl6KfPzXq7NtB0=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>fXaf8OvztFo2LNDI//5pp7V1hJbuNOaQ6nkU0FN8b1zCSg/NGlAFWaJh87LfOpaTpVmzUReJTLWBp7L3lrySLHGBfhwlzFoeW5EVo20lK8NOipJlF/ot0XT+zDhVtImEN2wRfyhvqnMd7fKqVHYU5oypr1eacO9bKtkcJ0pYUz6OfAxwEo85C+xnVwkfxeas6Mt9fVhZlWJI+ya/ZajiNtyfDvlvfbXlyA2QdGHHA0D1+J+a0PYekzPGmmzF9/WAJdAWJcQ4P4c3h8uEsGHLeZe3DAu8hdFB83ES5tBdTT5gyKxUStTNfg/zx2s6WmEzfP4WJY12+xzywFVuDbQkvw==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIIC8DCCAdigAwIBAgIQEQXwvphQP6BC40/smiY2BDANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMzA1MTAwNzQ2NDhaFw0yNjA1MTAwNzQ2NDhaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtAi69S/As65lk2C1+wrcIz3yVSps2j4CIlaRk8RvMuDc3+kZg5EEiWln/MDxYgLlNJdgcv1ec1+GrW8MgZ8OzRSwWMGUH3RLQ1Wnd0Ywql2bLqdzN51288SC4DF9J3Eew2b/F/u88HBRDaUnOFlHK992QEfgsw2Ol1UnhgpjdW1uixdEf4rwMuS4I0eARmRxp5p6HxpXKPXTsDaFYujnevFFIIDxW/HCxPVMFhYHMIKIIFoWALCXRQglqbebPPaHtkE5RtAC1zUrh2hAaARRK8sAOVoNbNdiCkRQkrnI5G1nFFivjVdP/UkDcUXihkNrOlfDmBDKTQGRoz+eiwyCQQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCjVxcWUj3BtYMW7C4wku5kJNdtXVUP9qpx2hf7xz8Ls9wme8s028oN36fSOVrBTNsqdeLc2RVhc6YUvoG4WHUV5FMDEoNblunANZO9gBH27ZIqivRbIcNMOpYjMVz62LQaIoqMJmaLn5gzESk++IvZBRdLgoLQCaQGot4QpvpJ8kHIXfLcrp8+eBMRpI0uIpeYsZ+iM8nmaSjz6yrh8vbBPrfzheE3MyKxwaCArStSv73934Hq5LJVY0ECMEUy7H343czS2TqUsEK8er/6b6S49nC58IbW12hiFQgHntWQhhlbK085BhUWTmRAuWdUUTvqphrh8GYqA3OdsLAC94sk</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">t2p4OxAobbEYp0rp9pD2dith2glMvtX46u1Ugby7G6U=</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="volc_ae87af53-a123-47ec-bb1f-71ded06fd90c" NotOnOrAfter="2023-05-10T16:01:12.061Z" Recipient="https://signin.volcengine.com/saml/sso"/>
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2023-05-10T14:56:12.061Z" NotOnOrAfter="2023-05-10T16:01:12.061Z">
<AudienceRestriction>
<Audience>https://signin.volcengine.com/2100138260/saml/sso</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
<AttributeValue>0c9c8bbb-e1d2-4d8e-bc1c-10fdc1063999</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
<AttributeValue>403b76b1-f755-46be-a2c6-9560878ec036</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
<AttributeValue>GEORGE KAZAMI</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
<AttributeValue>https://sts.windows.net/0c9c8bbb-e1d2-4d8e-bc1c-10fdc1063999/</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
<AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
<AttributeValue>GEORGE</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
<AttributeValue>KAZAMI</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<AttributeValue>kazami@kazami.tech</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
<AttributeValue>kazami@kazami.tech</AttributeValue>
</Attribute>
<Attribute Name="https://www.volcengine.com/SAML/Attributes/SessionName">
<AttributeValue>msaad-sso-from-kzmtech-for-asterism-in-volcengine</AttributeValue>
</Attribute>
<Attribute Name="https://www.volcengine.com/SAML/Attributes/Identity" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<AttributeValue>trn:iam::2100138260:user/kazami@kazami.tech,trn:iam::2100138260:saml-provider/AAD-ASTERISM;trn:iam::2100138260:user/kazami139@vtb.link,trn:iam::2100138260:saml-provider/AAD-ASTERISM</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2023-05-10T15:01:09.712Z" SessionIndex="_0094afbe-a0e9-4ee4-81ab-c7cf114a6900">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</samlp:Response>
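An added check (example code, not from the post, Volcengine or Microsoft) that parses an assertion and tells apart the shape the Volcengine docs expect (one <saml:AttributeValue> per identity) from the shape AAD produced in the post (every trn pair joined into one value). It uses Python's standard-library ElementTree; the sample assertions are constructed and unsigned, the account id and trns are reused from the post, and the "one user-or-role trn plus one saml-provider trn per value" rule is the assumption taken from the docs quoted above.

```python
import re
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree for untrusted XML

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
IDENTITY_ATTR = "https://www.volcengine.com/SAML/Attributes/Identity"
# One identity = "<user-or-role trn>,<saml-provider trn>", both in the same account.
TRN_PAIR = re.compile(
    r"^trn:iam::(\d+):(?:user|role)/[^,;\s]+,trn:iam::(\d+):saml-provider/[^,;\s]+$"
)


def identity_values(saml_xml: str) -> list:
    """Collect the text of every AttributeValue under the Identity attribute."""
    root = ET.fromstring(saml_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == IDENTITY_ATTR:
            for v in attr.iterfind("saml:AttributeValue", NS):
                values.append((v.text or "").strip())
    return values


def check_identity_attribute(saml_xml: str) -> dict:
    """Classify each value as ok (exactly one pair), concatenated or malformed."""
    report = {"ok": [], "concatenated": [], "malformed": []}
    for value in identity_values(saml_xml):
        m = TRN_PAIR.match(value)
        if m and m.group(1) == m.group(2):
            report["ok"].append(value)
        elif ";" in value or value.count(",") > 1:
            # Several pairs squeezed into one element: the SP expects one
            # <AttributeValue> per identity, so this shape cannot map cleanly.
            report["concatenated"].append(value)
        else:
            report["malformed"].append(value)
    return report


def sample_assertion(values) -> str:
    """Constructed, unsigned assertion carrying the given Identity values."""
    body = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:AttributeStatement>'
            f'<saml:Attribute Name="{IDENTITY_ATTR}">{body}</saml:Attribute>'
            "</saml:AttributeStatement></saml:Assertion>")

ACCOUNT = "2100138260"  # account id taken from the post
USER_A = f"trn:iam::{ACCOUNT}:user/kazami@kazami.tech,trn:iam::{ACCOUNT}:saml-provider/AAD-ASTERISM"
USER_B = f"trn:iam::{ACCOUNT}:user/kazami139@vtb.link,trn:iam::{ACCOUNT}:saml-provider/AAD-ASTERISM"
AS_EMITTED = sample_assertion([USER_A + ";" + USER_B])  # shape AAD produced: one value
AS_EXPECTED = sample_assertion([USER_A, USER_B])        # shape the Volcengine docs show
```

Running `check_identity_attribute` over the full SAMLResponse pasted above reports its Identity value under "concatenated", which is exactly the symptom being described.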