如何在ASP.NET MVC中实现单点登录(ADFS)

问题描述 投票:1回答:2

仅供参考:见更新12-FEB-2019

我创建了一个ASP.NET MVC应用程序(使用Visual Studio)并尝试使用Active Directory联合服务器来处理SSO。请注意,这不是使用Azure。

所以,第一步工作 - 我导航到我的登录页面,并有一个按钮,允许我登录到另一个服务[“联邦”]。这将启动ADFS网页,我在其中输入我的凭据,但在返回我的网站时,我收到以下错误:

IDX10214:受众验证失败。观众:'[PII隐藏]'。不匹配:validationParameters.ValidAudience:'[PII is hidden]'或validationParameters.ValidAudiences:'[PII is hidden]'。

异常详细信息:Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException:IDX10214:受众验证失败。观众:'[PII隐藏]'。不匹配:validationParameters.ValidAudience:'[PII is hidden]'或validationParameters.ValidAudiences:'[PII is hidden]'。

显然,我没有把这个设置正确......所以需要知道我错过了什么......

这是我的(减少)代码:

Startup.Auth.cs

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // Configure the db context, user manager and signin manager to use a single instance per request
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
        app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);    

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType
        });

        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

        ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(ValidateServerCertificate);

        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {
            MetadataAddress = "https://adfs.Mydomain.com/FederationMetadata/2007-06/FederationMetadata.xml",
            Wtrealm = "https://myWebServer/myWebApplication"
        });
    }

    private bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslpolicyerrors)
    {
        return true; // Our "TEST" ADFS has a fake certficate, so we don't want to validate it.
    }
}

Web.Config中的部分

  <appSettings>
    <add key="webpages:Version" value="3.0.0.0" />
    <add key="webpages:Enabled" value="false" />
    <add key="ClientValidationEnabled" value="true" />
    <add key="UnobtrusiveJavaScriptEnabled" value="true" />

    <add key="ClaimsNameIdentifier" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" />
    <add key="ClaimsUPNIdentifier" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" />
    <add key="ClaimsEmailIdentifier" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
  </appSettings>

  <system.web>
    <authentication mode="None" />
    <compilation debug="true" targetFramework="4.7.1" />
    <httpRuntime targetFramework="4.7.1" />
  </system.web>

(注意:在上面的身份验证元素中,intellisense给了我“Federated”作为选项,但这会导致编译错误)。

一个有用的资源是alligatortek,但这并没有真正填补所有的部分。还有其他资源似乎很接近,但不够具体。

更新12-FEB-2019

根据下面的评论,我被建议改为使用Vittorio Bertocci's post,它使用“On-Premesis”选项(这与Rober Finch's post非常相似)。结果代码有点不同(见下文)但结果仍然相同。

Startup.Auth.cs

public partial class Startup
{
    private static readonly string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
    private static readonly string adfsMetadata = ConfigurationManager.AppSettings["ida:ADFSMetadata"];

    /// <summary>
    ///     Configures the authentication.
    /// </summary>
    /// <param name="app">The current application.</param>
    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        ServicePointManager.ServerCertificateValidationCallback = this.ValidateServerCertificate;
        app.UseWsFederationAuthentication(
            new WsFederationAuthenticationOptions
            {
                Wtrealm = Startup.realm,
                MetadataAddress = Startup.adfsMetadata
            });
    }

    private bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslpolicyerrors)
    {
        return true; // Skips certificate validation as using a temp certificate.
    }
}

Web.Config中的部分

<appSettings>
    <add key="webpages:Version" value="3.0.0.0" />
    <add key="webpages:Enabled" value="false" />
    <add key="ClientValidationEnabled" value="true" />
    <add key="UnobtrusiveJavaScriptEnabled" value="true" />
    <add key="ida:ADFSMetadata" value="https://adfs.Mydomain.com/FederationMetadata/2007-06/FederationMetadata.xml" />
    <add key="ida:Wtrealm" value="https://myWebServer/myWebApplication" />
</appSettings>
asp.net-mvc single-sign-on adfs ws-federation
2个回答
3
投票

终于解决了这个。

在Startup.Auth.cs文件中,我暂时将以下行添加到ConfigAuth(...)方法:

Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;

这然后告诉我,我必须在web.config条目的“Wtrealm”值中添加一个尾部斜杠

所以来自:

<add key="ida:Wtrealm" value="https://myWebServer/myWebApplication" />

至 :

<add key="ida:Wtrealm" value="https://myWebServer/myWebApplication/" />
2
投票

到目前为止,最简单的方法是通过VS中的“On-Premises”选项。

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.