Receiving an HTTP 400 BAD REQUEST from SAML2 Response
I have a Windows Server 2019 running an IIS web server. My organization uses ADFS 2016, and a team configured the IdP integration in ADFS on my behalf. Everything (accounts, servers, etc.) is part of the AD domain network (all in the same domain infrastructure).
I am building a .NET 6 application and deploying it to the server using this example, which uses itfoxtec-identity-saml2: How to Authenticate with SAML in ASP.NET Core and C#
The application starts fine. When I click the login button, I get an error on the redirect back to the application: "HTTP ERROR 400".
Browser console:
x Failed to load resource: the server responded with a status of 400 () chrome-error://chromewebdata/:1
crbug/1173575, non-JS module files deprecated. (anonymous) @ VM9:2762
Header data from the developer console:
Request URL: https://oitctxwbdcsp1.deleted/ADFSTest
Request Method: POST
Status Code: 400
Remote Address: 10.137.0.7:443
Referrer Policy: strict-origin-when-cross-origin
date: Tue, 29 Mar 2022 21:02:57 GMT
server: Microsoft-IIS/10.0
strict-transport-security: max-age=0; includeSubDomains
:authority: oitctxwbdcsp1.deleted
:method: POST
:path: /ADFSTest
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cache-control: no-cache
content-length: 3813
content-type: application/x-www-form-urlencoded
origin: https://dev.adfs.federation.deleted
pragma: no-cache
referer: https://dev.adfs.federation.deleted/
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Microsoft Edge";v="98"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: same-site
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.119 Safari/537.36 Edg/98.0.1108.76
SAML Response (decoded):
<samlp:Response ID="_df09235a-cd8e-40bf-a5b4-03aa6c1bf55e" Version="2.0" IssueInstant="2022-03-29T21:02:57.580Z" Destination="https://oitctxwbdcsp1.*deleted*/ADFSTest" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_ca71b9ef-4bf8-45b3-930c-a7bbe58a0dc0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://dev.adfs.federation.*deleted*/adfs/services/trust</Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <ds:Reference URI="#_df09235a-cd8e-40bf-a5b4-03aa6c1bf55e">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <ds:DigestValue>3Z+f+F61txOvBDBdtd2TXlt51Gs8mxXgtBJQu4zVXfE=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>X2hy*deleted*</ds:SignatureValue>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data>
        <ds:X509Certificate>MIIC8*deleted*</ds:X509Certificate>
      </ds:X509Data>
    </KeyInfo>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
  </samlp:Status>
</samlp:Response>
RelayState: https://oitctxwbdcsp1.*deleted/ADFSTest/=%2F
Additional information:
The ADFS IdP reads the metadata from a URL I gave them. The metadata looks like this:
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     validUntil="2032-03-12T19:19:05Z"
                     cacheDuration="PT604800S"
                     entityID="https://oitctxwbdcsp1.*deleted*">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://oitctxwbdcsp1.*deleted*/ADFSTest" index="0" />
  </md:SPSSODescriptor>
</md:EntityDescriptor>
appsettings.json is as follows:
{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
    }
  },
  "Saml2": {
    "IdPMetadata": "https://dev.adfs.federation.*deleted*/federationmetadata/2007-06/federationmetadata.xml",
    "Issuer": "https://oitctxwbdcsp1.*deleted*",
    "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "CertificateValidationMode": "ChainTrust",
    "RevocationMode": "NoCheck"
  },
  "AllowedHosts": "*"
}
I am new to SAML2 and authentication.
You are receiving an error in the SAML response from AD FS. The error status is urn:oasis:names:tc:SAML:2.0:status:Responder.
AD FS stopped the login sequence with an error.
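As an added example (not code from the question, the answer, or the itfoxtec-identity-saml2 sample), a small Python triage script that decodes a POSTed SAMLResponse and checks the status first, so a Responder status like the one above is recognized as an IdP-side failure rather than a bug in the SP. The Response is the one from the question with its Signature removed, and the deleted host names are replaced by placeholder hosts.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample: the Response from the question minus its Signature, deleted hosts
# replaced by placeholders, base64-encoded as the browser POSTs it in SAMLResponse.
SAMPLE_RESPONSE_XML = (
    '<samlp:Response ID="_df09235a-cd8e-40bf-a5b4-03aa6c1bf55e" Version="2.0" '
    'IssueInstant="2022-03-29T21:02:57.580Z" '
    'Destination="https://oitctxwbdcsp1.example/ADFSTest" '
    'InResponseTo="_ca71b9ef-4bf8-45b3-930c-a7bbe58a0dc0" '
    'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
    'http://dev.adfs.federation.example/adfs/services/trust</Issuer>'
    '<samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Responder" /></samlp:Status>'
    '</samlp:Response>'
)
SAMPLE_POSTED = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()
# Placeholder standing in for the AssertionConsumerService Location in the SP metadata.
EXPECTED_ACS = "https://oitctxwbdcsp1.example/ADFSTest"


def triage_saml_response(posted_b64: str, expected_acs: str) -> dict:
    """Decode a POSTed SAMLResponse and list what the SP would reject it for."""
    root = ET.fromstring(base64.b64decode(posted_b64))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    code = status.get("Value") if status is not None else None
    destination = root.get("Destination")
    findings = []
    if code != STATUS_SUCCESS:
        # Responder/Requester here means the IdP aborted; check the AD FS event log.
        findings.append(f"IdP status {code}: sign-in failed on the IdP side")
    has_assertion = (root.find("saml:Assertion", NS) is not None
                     or root.find("saml:EncryptedAssertion", NS) is not None)
    if not has_assertion:
        findings.append("no Assertion in the Response; nothing for the SP to validate")
    if destination != expected_acs:
        findings.append(f"Destination {destination!r} does not match ACS {expected_acs!r}")
    return {
        "status": code,
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS),
        "destination": destination,
        "findings": findings,
    }
```

For the Response in the question this reports a non-Success status and a missing Assertion, which is why the SP library has nothing to validate and answers 400; the reason itself has to be read from the AD FS side.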