Certificate issue on LogoutResponse from Azure AD

As a service provider, we use the package "ITfoxtec Identity Saml2" to handle SAML 2.0. We have two integrations that use AzureAD as the IdP. Both have a problem handling the LogoutResponse from Azure. This exception occurs:

System.IdentityModel.Tokens.SecurityTokenValidationException: The X.509 certificate CN=Microsoft Azure Federated SSO Certificate chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

The only way to avoid this issue is to set

Saml2Configuration.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.None;

But as I understand it, this disables all certificate validation, also when handling the AuthnRequest.

Any idea how to work around this?

It is probably fine to deactivate the certificate chain validation. The validation only checks whether the certificate has a chain that is known to the relying party. This means the root certificate has to be known on the relying-party service/server.
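As an added illustration (not code from this thread or from the ITfoxtec project), the C# program below first builds the X.509 chain for the IdP signing certificate the same way the framework does and reports why it fails, which is the check the exception above is about, and then shows a relying-party configuration in which the Azure AD certificate is pinned in SignatureValidationCertificates. Under the assumption that ITfoxtec still verifies every signature against the pinned certificates when CertificateValidationMode is None, the only check that is dropped is the chain-to-trusted-root check; the file path, issuer and tenant URLs are placeholders.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel.Security;
using ITfoxtec.Identity.Saml2;

public static class Saml2CertCheck
{
    // Reproduces the chain build that the chain-trust validation performs and
    // returns true only if the chain ends in a root trusted on this server.
    public static bool ChainIsTrusted(X509Certificate2 idpCert, out string detail)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        bool ok = chain.Build(idpCert);
        detail = ok
            ? "root: " + chain.ChainElements[chain.ChainElements.Count - 1].Certificate.Subject
            : string.Join("; ", chain.ChainStatus.Select(s => $"{s.Status}: {s.StatusInformation.Trim()}"));
        return ok;
    }

    // Relying-party configuration. Pinning the IdP certificate means an AuthnResponse or
    // LogoutResponse must be signed by exactly this key whatever the chain mode is set to.
    public static Saml2Configuration BuildConfig(X509Certificate2 idpCert, X509CertificateValidationMode mode)
    {
        var config = new Saml2Configuration
        {
            Issuer = "https://sp.example.test/saml2",                                             // placeholder
            SingleSignOnDestination = new Uri("https://login.microsoftonline.com/TENANT-ID/saml2"), // placeholder
            SingleLogoutDestination = new Uri("https://login.microsoftonline.com/TENANT-ID/saml2"), // placeholder
            CertificateValidationMode = mode
        };
        config.SignatureValidationCertificates.Add(idpCert);
        config.AllowedAudienceUris.Add(config.Issuer);
        return config;
    }

    public static void Main()
    {
        // Placeholder path: the Azure AD signing certificate exported from the federation metadata.
        var idpCert = new X509Certificate2("azure-ad-signing.cer");
        bool trusted = ChainIsTrusted(idpCert, out var detail);
        Console.WriteLine($"Chain trusted on this server: {trusted} ({detail})");

        // Keep ChainTrust while the root is installed here; otherwise fall back to the pinned
        // certificate alone, which is the trade-off the answer above describes.
        var mode = trusted ? X509CertificateValidationMode.ChainTrust : X509CertificateValidationMode.None;
        var config = BuildConfig(idpCert, mode);
        Console.WriteLine($"CertificateValidationMode = {config.CertificateValidationMode}");
    }
}
```

Because the same Saml2Configuration is used for every inbound message, the mode chosen here applies to AuthnResponse handling as well as to the LogoutResponse, so the diagnostic output is worth keeping in the relying party's logs.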