MVC 中的 Ws-Federation 身份验证在 SAML2.0 验证后不保留声明信息
Ws-Federation Authentication in MVC not keeping Claims information after SAML2.0 verification
我正在尝试使用 Azure ACS 添加新的身份验证方法以支持来自 ADFS 的用户,但我遇到了一个非常具体的问题。
我可以使用以下配置验证 SAML2.0:
var audienceRestriction = new AudienceRestriction(AudienceUriMode.Never);
var issuerRegistry = new ConfigurationBasedIssuerNameRegistry();
issuerRegistry.AddTrustedIssuer("XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", "https://XXXX.accesscontrol.windows.net/");
app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
{
MetadataAddress = "https://XXXXX.accesscontrol.windows.net/federationmetadata/2007-06/federationmetadata.xml",
Wtrealm = "http://someurl/",
SecurityTokenHandlers = new SecurityTokenHandlerCollection
{
new EncryptedSecurityTokenHandlerEx(new X509CertificateStoreTokenResolver(StoreName.My,StoreLocation.LocalMachine)),
new SamlSecurityTokenHandlerEx
{
CertificateValidator = X509CertificateValidator.None,
Configuration = new SecurityTokenHandlerConfiguration()
{
IssuerNameRegistry = issuerRegistry,
AudienceRestriction = audienceRestriction
}
}
},
});
处理程序是这样实现的:
public class SamlSecurityTokenHandlerEx : Saml2SecurityTokenHandler, ISecurityTokenValidator
{
public override bool CanReadToken(string securityToken)
{
return base.CanReadToken(XmlReader.Create(new StringReader(securityToken)));
}
public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters,
out SecurityToken validatedToken)
{
validatedToken = ReadToken(new XmlTextReader(new StringReader(securityToken)), Configuration.ServiceTokenResolver);
var claims = new ClaimsPrincipal(ValidateToken(validatedToken));
return claims;
}
public int MaximumTokenSizeInBytes { get; set; }
}
如果我检查 ValidateToken 中的声明,它已通过身份验证并包含我想要的声明,但在它调用回调页面后(我想为 webapp 创建一个新的正确登录)它不再有任何关于联邦授权。
已解决!
我从与其他外部身份验证提供商相同的机制启动 ACS 页面,但由于某种原因它失败了。调用ACS登录页面(https://someacs.accesscontrol.windows.net:443/v2/wsfederation?wa=wsignin1.0&wtrealm=https%3a%2f%2fsomeappsite%2f)直接解决了我的问题
我正在尝试使用 Azure ACS 添加新的身份验证方法以支持来自 ADFS 的用户,但我遇到了一个非常具体的问题。
我可以使用以下配置验证 SAML2.0:
var audienceRestriction = new AudienceRestriction(AudienceUriMode.Never);
var issuerRegistry = new ConfigurationBasedIssuerNameRegistry();
issuerRegistry.AddTrustedIssuer("XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", "https://XXXX.accesscontrol.windows.net/");
app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
{
MetadataAddress = "https://XXXXX.accesscontrol.windows.net/federationmetadata/2007-06/federationmetadata.xml",
Wtrealm = "http://someurl/",
SecurityTokenHandlers = new SecurityTokenHandlerCollection
{
new EncryptedSecurityTokenHandlerEx(new X509CertificateStoreTokenResolver(StoreName.My,StoreLocation.LocalMachine)),
new SamlSecurityTokenHandlerEx
{
CertificateValidator = X509CertificateValidator.None,
Configuration = new SecurityTokenHandlerConfiguration()
{
IssuerNameRegistry = issuerRegistry,
AudienceRestriction = audienceRestriction
}
}
},
});
处理程序是这样实现的:
public class SamlSecurityTokenHandlerEx : Saml2SecurityTokenHandler, ISecurityTokenValidator
{
public override bool CanReadToken(string securityToken)
{
return base.CanReadToken(XmlReader.Create(new StringReader(securityToken)));
}
public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters,
out SecurityToken validatedToken)
{
validatedToken = ReadToken(new XmlTextReader(new StringReader(securityToken)), Configuration.ServiceTokenResolver);
var claims = new ClaimsPrincipal(ValidateToken(validatedToken));
return claims;
}
public int MaximumTokenSizeInBytes { get; set; }
}
如果我检查 ValidateToken 中的声明,它已通过身份验证并包含我想要的声明,但在它调用回调页面后(我想为 webapp 创建一个新的正确登录)它不再有任何关于联邦授权。
已解决!
我从与其他外部身份验证提供商相同的机制启动 ACS 页面,但由于某种原因它失败了。调用ACS登录页面(https://someacs.accesscontrol.windows.net:443/v2/wsfederation?wa=wsignin1.0&wtrealm=https%3a%2f%2fsomeappsite%2f)直接解决了我的问题