仅供参考:见更新12-FEB-2019
我创建了一个ASP.NET MVC应用程序(使用Visual Studio)并尝试使用Active Directory联合服务器来处理SSO。请注意,这不是使用Azure。
所以,第一步工作 - 我导航到我的登录页面,并有一个按钮,允许我登录到另一个服务[“联邦”]。这将启动ADFS网页,我在其中输入我的凭据,但在返回我的网站时,我收到以下错误:
IDX10214:受众验证失败。观众:'[PII隐藏]'。不匹配:validationParameters.ValidAudience:'[PII is hidden]'或validationParameters.ValidAudiences:'[PII is hidden]'。
异常详细信息:Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException:IDX10214:受众验证失败。观众:'[PII隐藏]'。不匹配:validationParameters.ValidAudience:'[PII is hidden]'或validationParameters.ValidAudiences:'[PII is hidden]'。
显然,我没有把这个设置正确......所以需要知道我错过了什么......
这是我的(减少)代码:
Startup.Auth.cs
public partial class Startup
{
public void ConfigureAuth(IAppBuilder app)
{
// Configure the db context, user manager and signin manager to use a single instance per request
app.CreatePerOwinContext(ApplicationDbContext.Create);
app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType
});
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(ValidateServerCertificate);
app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
{
MetadataAddress = "https://adfs.Mydomain.com/FederationMetadata/2007-06/FederationMetadata.xml",
Wtrealm = "https://myWebServer/myWebApplication"
});
}
private bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslpolicyerrors)
{
return true; // Our "TEST" ADFS has a fake certficate, so we don't want to validate it.
}
}
Web.Config中的部分
<appSettings>
<add key="webpages:Version" value="3.0.0.0" />
<add key="webpages:Enabled" value="false" />
<add key="ClientValidationEnabled" value="true" />
<add key="UnobtrusiveJavaScriptEnabled" value="true" />
<add key="ClaimsNameIdentifier" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" />
<add key="ClaimsUPNIdentifier" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" />
<add key="ClaimsEmailIdentifier" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
</appSettings>
<system.web>
<authentication mode="None" />
<compilation debug="true" targetFramework="4.7.1" />
<httpRuntime targetFramework="4.7.1" />
</system.web>
(注意:在上面的身份验证元素中,intellisense给了我“Federated”作为选项,但这会导致编译错误)。
一个有用的资源是alligatortek,但这并没有真正填补所有的部分。还有其他资源似乎很接近,但不够具体。
更新12-FEB-2019
根据下面的评论,我被建议改为使用Vittorio Bertocci's post,它使用“On-Premesis”选项(这与Rober Finch's post非常相似)。结果代码有点不同(见下文)但结果仍然相同。
Startup.Auth.cs
public partial class Startup
{
private static readonly string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
private static readonly string adfsMetadata = ConfigurationManager.AppSettings["ida:ADFSMetadata"];
/// <summary>
/// Configures the authentication.
/// </summary>
/// <param name="app">The current application.</param>
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
ServicePointManager.ServerCertificateValidationCallback = this.ValidateServerCertificate;
app.UseWsFederationAuthentication(
new WsFederationAuthenticationOptions
{
Wtrealm = Startup.realm,
MetadataAddress = Startup.adfsMetadata
});
}
private bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslpolicyerrors)
{
return true; // Skips certificate validation as using a temp certificate.
}
}
Web.Config中的部分
<appSettings>
<add key="webpages:Version" value="3.0.0.0" />
<add key="webpages:Enabled" value="false" />
<add key="ClientValidationEnabled" value="true" />
<add key="UnobtrusiveJavaScriptEnabled" value="true" />
<add key="ida:ADFSMetadata" value="https://adfs.Mydomain.com/FederationMetadata/2007-06/FederationMetadata.xml" />
<add key="ida:Wtrealm" value="https://myWebServer/myWebApplication" />
</appSettings>
终于解决了这个。
在Startup.Auth.cs文件中,我暂时将以下行添加到ConfigAuth(...)方法:
Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;
这然后告诉我,我必须在web.config条目的“Wtrealm”值中添加一个尾部斜杠
所以来自:
<add key="ida:Wtrealm" value="https://myWebServer/myWebApplication" />
至 :
<add key="ida:Wtrealm" value="https://myWebServer/myWebApplication/" />
到目前为止,最简单的方法是通过VS中的“On-Premises”选项。