ASP.NET MVC 5 将 Web SSO 与外部 IDP 结合使用 - WS Fed 元数据未解析
ASP.NET MVC 5 Use Web SSO with external IDP - WS Fed metadata not parsed
我尝试将 Web SSO 与 WS-Federation 一起用于来自 ASP.NET MVC 5 应用程序的外部 IDP。
ASP.NET app 是这种情况下的服务提供者。
对于登录,我想使用 SAML HTTP 重定向绑定。
外部 IDP WS-FED 元数据:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="id-58j8Ew5J8B7hOu51hu5qYyIGsXc-"
cacheDuration="P0Y0M30DT0H0M0.0S" entityID="idp:domain.com"
validUntil="2016-07-24T18:51:12Z">
<md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:X509Data>
<dsig:X509Certificate>
<!-- CERT -->
</dsig:X509Certificate>
<dsig:X509IssuerSerial>
<dsig:X509IssuerName><!--ISSUER--></dsig:X509IssuerName>
<dsig:X509SerialNumber><!--SN--></dsig:X509SerialNumber>
</dsig:X509IssuerSerial>
<dsig:X509SubjectName><!--CN--></dsig:X509SubjectName>
</dsig:X509Data>
</dsig:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:X509Data>
<dsig:X509Certificate>
<!-- CERT -->
</dsig:X509Certificate>
<dsig:X509IssuerSerial>
<dsig:X509IssuerName>
<!--ISSUER-->
</dsig:X509IssuerName>
<dsig:X509SerialNumber>
<!--SN-->
</dsig:X509SerialNumber>
</dsig:X509IssuerSerial>
<dsig:X509SubjectName>
<!--CN-->
</dsig:X509SubjectName>
</dsig:X509Data>
</dsig:KeyInfo>
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc" />
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
</md:KeyDescriptor>
<md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://domain.com/fed/idp/soap" index="1"
isDefault="true" />
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://domain.com/fed/idp/samlv20"
ResponseLocation="https://domain.com/fed/idp/samlv20" />
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://domain.com/fed/idp/samlv20"
ResponseLocation="https://domain.com/fed/idp/samlv20" />
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://domain.com/fed/idp/samlv20" />
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://domain.com/fed/idp/samlv20" />
</md:IDPSSODescriptor>
</md:EntityDescriptor>
Start.up.cs中的身份验证设置:
public partial class Startup
{
private static readonly string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
private static readonly string adfsMetadata = ConfigurationManager.AppSettings["ida:ADFSMetadata"];
public static bool ValidateServerCertificate(object sender,
X509Certificate certificate,
X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
return true;
}
public void ConfigureAuth(IAppBuilder app)
{
//only for dev purpose
ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
var wsFedOpt = new WsFederationAuthenticationOptions
{
Wtrealm = realm,
MetadataAddress = adfsMetadata,
AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType,
TokenValidationParameters = new TokenValidationParameters
{
SaveSigninToken = true,
},
};
app.UseWsFederationAuthentication(wsFedOpt);
}
}
当我 运行 应用程序出现错误时:
序列不包含任何元素
描述:
An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.InvalidOperationException: Sequence contains no elements
来源错误:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
堆栈跟踪:
[InvalidOperationException: Sequence contains no elements]
System.Linq.Enumerable.First(IEnumerable`1 source) +264
Microsoft.IdentityModel.Protocols.d__1.MoveNext() +576
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +92
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58
System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task) +11532712
Microsoft.IdentityModel.Protocols.d__3.MoveNext() +1236
现在不知道有什么不好的?外部 IDP 联合元数据、ASP.NET MVC 配置或其他。
当我在登录期间尝试使用外部 IDP 的外部 SP 时,它调用 HTTP GET,URI 格式为:
https://domain.com/fed/idp/samlv20?SAMLRequest=
然后我被重定向到外部 IDP 登录页面。
我尝试了与本地 IDP (Identity Server v3) 相同的配置过程,它有效。
当我使用我的本地 SP 时,在登录期间也会根据本地 IDP (Identity Server v3) 元数据配置身份验证,它会调用 HTTP GET:
https://localhost:44333/core/wsfed?wtrealm=urn%3amvc5&wctx=WsFedOwinState%3dqNRmL2H9VZcEDKooeSF5nywV2vAHUDLXRSA77oe8jyVwZtGjpgRquhqYNUPbH28vrhm55zuEBYZnRw_k2nK-a97HHv9tiYLnwt4G19i1-q0&wa=wsignin1.0&wreply=https%3a%2f%2flocalhost%3a44392%2f
然后我被重定向到 IDP 登录页面。
也许我需要实现 ASP.NET 使用 https://domain.com/fed/idp/samlv20?SAMLRequest= 格式的 URI 进行 SAML HTTP 重定向绑定。
感谢您提供任何有用的反馈。
看来您混淆了协议。元数据是针对 SAML2 协议(简称 SAML2P)的,而不是针对 WS-Federation 协议的。
您需要 SAML2P owin 中间件而不是 WS-Fed 中间件。除非你能让 Idp 使用 WS-Federation 那就是。
我尝试将 Web SSO 与 WS-Federation 一起用于来自 ASP.NET MVC 5 应用程序的外部 IDP。
ASP.NET app 是这种情况下的服务提供者。
对于登录,我想使用 SAML HTTP 重定向绑定。
外部 IDP WS-FED 元数据:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="id-58j8Ew5J8B7hOu51hu5qYyIGsXc-"
cacheDuration="P0Y0M30DT0H0M0.0S" entityID="idp:domain.com"
validUntil="2016-07-24T18:51:12Z">
<md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:X509Data>
<dsig:X509Certificate>
<!-- CERT -->
</dsig:X509Certificate>
<dsig:X509IssuerSerial>
<dsig:X509IssuerName><!--ISSUER--></dsig:X509IssuerName>
<dsig:X509SerialNumber><!--SN--></dsig:X509SerialNumber>
</dsig:X509IssuerSerial>
<dsig:X509SubjectName><!--CN--></dsig:X509SubjectName>
</dsig:X509Data>
</dsig:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:X509Data>
<dsig:X509Certificate>
<!-- CERT -->
</dsig:X509Certificate>
<dsig:X509IssuerSerial>
<dsig:X509IssuerName>
<!--ISSUER-->
</dsig:X509IssuerName>
<dsig:X509SerialNumber>
<!--SN-->
</dsig:X509SerialNumber>
</dsig:X509IssuerSerial>
<dsig:X509SubjectName>
<!--CN-->
</dsig:X509SubjectName>
</dsig:X509Data>
</dsig:KeyInfo>
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc" />
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
</md:KeyDescriptor>
<md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://domain.com/fed/idp/soap" index="1"
isDefault="true" />
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://domain.com/fed/idp/samlv20"
ResponseLocation="https://domain.com/fed/idp/samlv20" />
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://domain.com/fed/idp/samlv20"
ResponseLocation="https://domain.com/fed/idp/samlv20" />
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://domain.com/fed/idp/samlv20" />
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://domain.com/fed/idp/samlv20" />
</md:IDPSSODescriptor>
</md:EntityDescriptor>
Start.up.cs中的身份验证设置:
public partial class Startup
{
private static readonly string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
private static readonly string adfsMetadata = ConfigurationManager.AppSettings["ida:ADFSMetadata"];
public static bool ValidateServerCertificate(object sender,
X509Certificate certificate,
X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
return true;
}
public void ConfigureAuth(IAppBuilder app)
{
//only for dev purpose
ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
var wsFedOpt = new WsFederationAuthenticationOptions
{
Wtrealm = realm,
MetadataAddress = adfsMetadata,
AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType,
TokenValidationParameters = new TokenValidationParameters
{
SaveSigninToken = true,
},
};
app.UseWsFederationAuthentication(wsFedOpt);
}
}
当我 运行 应用程序出现错误时:
序列不包含任何元素
描述:
An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. Exception Details: System.InvalidOperationException: Sequence contains no elements
来源错误:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
堆栈跟踪:
[InvalidOperationException: Sequence contains no elements] System.Linq.Enumerable.First(IEnumerable`1 source) +264 Microsoft.IdentityModel.Protocols.d__1.MoveNext() +576 System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +92 System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58 System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task) +11532712 Microsoft.IdentityModel.Protocols.d__3.MoveNext() +1236
现在不知道有什么不好的?外部 IDP 联合元数据、ASP.NET MVC 配置或其他。
当我在登录期间尝试使用外部 IDP 的外部 SP 时,它调用 HTTP GET,URI 格式为:
https://domain.com/fed/idp/samlv20?SAMLRequest=
然后我被重定向到外部 IDP 登录页面。
我尝试了与本地 IDP (Identity Server v3) 相同的配置过程,它有效。
当我使用我的本地 SP 时,在登录期间也会根据本地 IDP (Identity Server v3) 元数据配置身份验证,它会调用 HTTP GET:
https://localhost:44333/core/wsfed?wtrealm=urn%3amvc5&wctx=WsFedOwinState%3dqNRmL2H9VZcEDKooeSF5nywV2vAHUDLXRSA77oe8jyVwZtGjpgRquhqYNUPbH28vrhm55zuEBYZnRw_k2nK-a97HHv9tiYLnwt4G19i1-q0&wa=wsignin1.0&wreply=https%3a%2f%2flocalhost%3a44392%2f
然后我被重定向到 IDP 登录页面。
也许我需要实现 ASP.NET 使用 https://domain.com/fed/idp/samlv20?SAMLRequest= 格式的 URI 进行 SAML HTTP 重定向绑定。
感谢您提供任何有用的反馈。
看来您混淆了协议。元数据是针对 SAML2 协议(简称 SAML2P)的,而不是针对 WS-Federation 协议的。
您需要 SAML2P owin 中间件而不是 WS-Fed 中间件。除非你能让 Idp 使用 WS-Federation 那就是。