Using Thinktecture IdentityServer3 with SessionAuthenticationModule/WSFederationAuthenticationModule throws ID4175 error
I'm trying to connect my application to IdentityServer3. I'm using the SelfHost (InMem with WS-Fed) sample.
Login works fine. I get a nice SAML token:
<trust:RequestSecurityTokenResponseCollection xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<trust:RequestSecurityTokenResponse Context="rm=1&id=passive&ru=%2f">
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>http://localhost:47483/</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<trust:RequestedSecurityToken>
<Assertion ID="_3652b65f-1ec9-46bc-b441-0bbe58fac918" IssueInstant="2015-10-21T09:39:52.079Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>https://localhost:44333/core</Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="#_3652b65f-1ec9-46bc-b441-0bbe58fac918">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>CKB75sO/t4yKTxvWiexH07OxXF9MyfCiCHL/etC5FqY=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>Lrc3LECkvgPMjI...ZdvN0UaWPg==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIIDBTCCAfGgA...0CfXoW6iz1</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<Subject>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />
</Subject>
<Conditions NotBefore="2015-10-21T09:39:52.029Z" NotOnOrAfter="2015-10-21T09:40:52.029Z">
<AudienceRestriction>
<Audience>http://localhost:47483/</Audience>
</AudienceRestriction>
</Conditions>
<AuthnStatement AuthnInstant="2015-10-21T09:39:52.026Z">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</trust:RequestedSecurityToken>
</trust:RequestSecurityTokenResponse>
</trust:RequestSecurityTokenResponseCollection>
Great, but my application shows a yellow screen of death:
My Web.config (excerpt) looks like this:
<system.identityModel.services>
<federationConfiguration>
<wsFederation passiveRedirectEnabled="true" homeRealm="" issuer="https://localhost:44333/core/wsfed" realm="http://localhost:47483/" requireHttps="false" persistentCookiesOnPassiveRedirects="true" />
<cookieHandler requireSsl="false" persistentSessionLifetime="0.10:00:00" />
</federationConfiguration>
</system.identityModel.services>
<system.identityModel>
<identityConfiguration>
<audienceUris>
<add value="http://localhost:47483/" />
</audienceUris>
<certificateValidation certificateValidationMode="None" />
<issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089">
<trustedIssuers>
<add thumbprint="6b7acc520305bfdb4f7252daeb2177cc091faae1" name="https://localhost:44333/core" />
</trustedIssuers>
</issuerNameRegistry>
</identityConfiguration>
</system.identityModel>
What am I doing wrong? Is there a way to make this work?
Sure. Look at the SAML assertion. The issuer in the token is here:
<Issuer>https://localhost:44333/core</Issuer>
The validation parameter for the issuer in your WSFed configuration is here:
<wsFederation passiveRedirectEnabled="true" homeRealm="" issuer="https://localhost:44333/core/wsfed" realm="http://localhost:47483/" requireHttps="false" persistentCookiesOnPassiveRedirects="true" />
It looks like you have an extra /wsfed in the issuer attribute of the wsFederation element in your web.config. If you remove it, I'd expect the token to work afterwards.
The problem seems to be System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry. I replaced it with my own one. Now everything works.
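As an added example (not code from the question, the answers or IdentityServer3), a minimal custom IssuerNameRegistry of the kind the self-answer describes: it pins the thumbprint of the token's signing certificate to the issuer name, using the thumbprint and issuer name from the Web.config above; the class name and the MyApp assembly are hypothetical. With certificateValidationMode="None" the certificate chain is not validated, so this thumbprint lookup is the only check that the signing certificate is trusted, which is why it must return null (and so trigger ID4175) for any certificate it does not recognise.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;

namespace MyApp
{
    // Hypothetical replacement for ConfigurationBasedIssuerNameRegistry.
    // Registered in Web.config instead of the built-in type:
    //   <issuerNameRegistry type="MyApp.PinnedThumbprintIssuerNameRegistry, MyApp" />
    public class PinnedThumbprintIssuerNameRegistry : IssuerNameRegistry
    {
        // Signing certificate thumbprint -> issuer name. The name returned here
        // becomes the Issuer of the resulting claims, so it should equal the
        // <Issuer> element of the assertion (https://localhost:44333/core).
        // X509Certificate2.Thumbprint is upper-case hex, hence the case-insensitive comparer.
        private static readonly Dictionary<string, string> TrustedIssuers =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            {
                { "6b7acc520305bfdb4f7252daeb2177cc091faae1", "https://localhost:44333/core" },
            };

        public override string GetIssuerName(SecurityToken securityToken)
        {
            var x509Token = securityToken as X509SecurityToken;
            if (x509Token == null)
            {
                // Only tokens signed with an X.509 certificate are recognised;
                // returning null makes WIF reject the token with ID4175.
                return null;
            }

            string issuerName;
            if (TrustedIssuers.TryGetValue(x509Token.Certificate.Thumbprint, out issuerName))
            {
                return issuerName;
            }

            // Unknown signing certificate: refuse rather than guess an issuer name.
            return null;
        }

        // WIF calls this overload for SAML tokens; the requested name is the
        // <Issuer> from the assertion. Delegating keeps the pinning logic in one place.
        public override string GetIssuerName(SecurityToken securityToken, string requestedIssuerName)
        {
            return GetIssuerName(securityToken);
        }
    }
}
```

Comparing the certificate's actual thumbprint (for example by logging x509Token.Certificate.Thumbprint) against the value in trustedIssuers is also the quickest way to tell whether ID4175 is caused by a thumbprint mismatch rather than by the registry type itself.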