Idp 启动 SAML sustainsys
Idp initiated SAML sustainsys
我正在尝试设置 IDP 启动的客户端,我们的应用程序正在使用 Sustainsys framework for all the SAML setup in our IdentityServer3. I'm using this article as reference Idp initiated using Sustainsys
这里有一些代码片段,说明我目前的实现情况如何:
var samlIdp = new Sustainsys.Saml2.IdentityProvider(new EntityId("https://<Client's IDP>"), saml2Options())
{
MetadataLocation = "https://<client metadata>",
LoadMetadata = true,
AllowUnsolicitedAuthnResponse = true
};
private Saml2AuthenticationOptions saml2Options()
{
// My clientId is for example if I'm setting up Okta, then ClientId = okta
var spOptions = new SPOptions
{
ModulePath = "/<ClientId>",
EntityId = new EntityId("https://<My identity app>/<Client Id>"),
ReturnUrl = new Uri("https://<my Identity app>/idpinitiated?idp=<ClientId>")
};
return new Saml2AuthenticationOptions(false)
{
SPOptions = spOptions,
AuthenticationType = "<ClientId>",
Caption = "<ClientId>"
};
}
我遇到的问题是:
- 客户已经向我们发送了 saml 包,但我们当前的实施正在尝试通过发送 SAML 请求的 IDP entityID 进行通信(他们不希望这样)。所以我需要停止向他们发送内容,直接进行验证
- 需要根据他们发送给我们的 saml 包执行一些验证(不太确定如何执行此操作)
我非常非常新,因此非常感谢任何帮助。谢谢
IdentityServer3,不支持IDP 发起。有一个解决方法可以让 Idsrv3 支持它,可以通过处理 AcsCommandResultCreated 事件(使用 Sustainsys saml 框架)
private void AcsCommandResultCreated(CommandResult commandResult, Saml2Response saml2Response)
{
var httpContext = _httpContextAccessor.HttpContext;
var target = httpContext.Request.Query["target"].SingleOrDefault();
if(!string.IsNullOrEmpty(target))
{
// Avoid an open redirect. Note that on a shared host with multiple applications running
// in different subdirectories this check is not enough.
var targetUri = new Uri(target, UriKind.Relative);
// A protocol relative url is relative, but can still redirect to another host. Block it.
if(target.StartsWith("//"))
{
throw new InvalidOperationException("Protocol relative URLs are not allowed.");
}
commandResult.Location = targetUri;
}
}
我正在尝试设置 IDP 启动的客户端,我们的应用程序正在使用 Sustainsys framework for all the SAML setup in our IdentityServer3. I'm using this article as reference Idp initiated using Sustainsys
这里有一些代码片段,说明我目前的实现情况如何:
var samlIdp = new Sustainsys.Saml2.IdentityProvider(new EntityId("https://<Client's IDP>"), saml2Options())
{
MetadataLocation = "https://<client metadata>",
LoadMetadata = true,
AllowUnsolicitedAuthnResponse = true
};
private Saml2AuthenticationOptions saml2Options()
{
// My clientId is for example if I'm setting up Okta, then ClientId = okta
var spOptions = new SPOptions
{
ModulePath = "/<ClientId>",
EntityId = new EntityId("https://<My identity app>/<Client Id>"),
ReturnUrl = new Uri("https://<my Identity app>/idpinitiated?idp=<ClientId>")
};
return new Saml2AuthenticationOptions(false)
{
SPOptions = spOptions,
AuthenticationType = "<ClientId>",
Caption = "<ClientId>"
};
}
我遇到的问题是:
- 客户已经向我们发送了 saml 包,但我们当前的实施正在尝试通过发送 SAML 请求的 IDP entityID 进行通信(他们不希望这样)。所以我需要停止向他们发送内容,直接进行验证
- 需要根据他们发送给我们的 saml 包执行一些验证(不太确定如何执行此操作)
我非常非常新,因此非常感谢任何帮助。谢谢
IdentityServer3,不支持IDP 发起。有一个解决方法可以让 Idsrv3 支持它,可以通过处理 AcsCommandResultCreated 事件(使用 Sustainsys saml 框架)
private void AcsCommandResultCreated(CommandResult commandResult, Saml2Response saml2Response)
{
var httpContext = _httpContextAccessor.HttpContext;
var target = httpContext.Request.Query["target"].SingleOrDefault();
if(!string.IsNullOrEmpty(target))
{
// Avoid an open redirect. Note that on a shared host with multiple applications running
// in different subdirectories this check is not enough.
var targetUri = new Uri(target, UriKind.Relative);
// A protocol relative url is relative, but can still redirect to another host. Block it.
if(target.StartsWith("//"))
{
throw new InvalidOperationException("Protocol relative URLs are not allowed.");
}
commandResult.Location = targetUri;
}
}