I use the following code to configure Saml2

```csharp
// Namespaces and the three configuration-key constants are not shown in the post;
// the values below are assumed so that the fragment compiles on its own.
using System.IdentityModel.Selectors;                 // X509CertificateValidationMode
using System.Security.Cryptography.X509Certificates;  // StoreName, StoreLocation, X509FindType
using ITfoxtec.Identity.Saml2;                        // Saml2Configuration
using ITfoxtec.Identity.Saml2.MvcCore.Configuration;  // AddSaml2
using ITfoxtec.Identity.Saml2.Util;                   // CertificateUtil, Saml2CertificateValidator
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class Saml2ServiceCollectionExtensions
{
    // Configuration section and key names (assumed; defined elsewhere in the original project).
    private const string Saml2Section = "Saml2";
    private const string SigningCertificateName = "SigningCertificateName";
    private const string SignatureCertificateName = "SignatureCertificateName";

    public static void ConfigureSaml2(this IServiceCollection services, IConfiguration configuration)
    {
        // Bind the static settings from appsettings, then patch in the certificate-dependent ones.
        services.Configure<Saml2Configuration>(configuration.GetSection(Saml2Section));
        services.Configure<Saml2Configuration>(saml2Configuration =>
        {
            var signingCertificateName = configuration.GetValue<string>($"{Saml2Section}:{SigningCertificateName}");
            var signatureCertificateName = configuration.GetValue<string>($"{Saml2Section}:{SignatureCertificateName}");
            Configure(saml2Configuration, signingCertificateName, signatureCertificateName);
        });
        services.AddSaml2(slidingExpiration: true);
    }

    private static void Configure(Saml2Configuration saml2Configuration, string signingCertificateName, string signatureCertificateName)
    {
        saml2Configuration.SignAuthnRequest = true;
        saml2Configuration.AllowedIssuer = saml2Configuration.SingleSignOnDestination.ToString();
        // Our own signing certificate (SP side), looked up in the user store by subject DN.
        saml2Configuration.SigningCertificate = CertificateUtil.Load(
            StoreName.My, StoreLocation.CurrentUser, X509FindType.FindBySubjectDistinguishedName, signingCertificateName);
        // The IdP certificate used to validate incoming signatures.
        saml2Configuration.SignatureValidationCertificates.Add(
            CertificateUtil.Load(StoreName.My, StoreLocation.CurrentUser, X509FindType.FindBySubjectDistinguishedName, signatureCertificateName));
        saml2Configuration.AllowedAudienceUris.Add(saml2Configuration.Issuer);
        // Custom validator so that chain trust is checked against CurrentUser instead of LocalMachine.
        saml2Configuration.CustomCertificateValidator = new Saml2CertificateValidator
        {
            CertificateValidationMode = saml2Configuration.CertificateValidationMode,
            RevocationMode = saml2Configuration.RevocationMode,
            TrustedStoreLocation = StoreLocation.CurrentUser
        };
        saml2Configuration.CertificateValidationMode = X509CertificateValidationMode.Custom;
    }
}
```
The application is hosted on Azure. This code ran without any problems on .NET 6, but after upgrading my application to .NET 8 I get the following error:

```text
SecurityTokenValidationException: Invalid X509 certificate chain. Certificate name:'CN=xxx, O=xxx' and thumbprint:'xxx'. Chain Status:'A certificate chain could not be built to a trusted root authority.'..
ITfoxtec.Identity.Saml2.Util.Saml2CertificateValidator.ValidateChainTrust(X509Certificate2 certificate)
ITfoxtec.Identity.Saml2.Util.Saml2CertificateValidator.Validate(X509Certificate2 certificate)
ITfoxtec.Identity.Saml2.Saml2Request.ValidateXmlSignature(XmlElement xmlElement)
ITfoxtec.Identity.Saml2.Saml2Request.ValidateXmlSignature(SignatureValidation documentValidationResult)
ITfoxtec.Identity.Saml2.Saml2Request.Read(string xml, bool validate, bool detectReplayedTokens)
ITfoxtec.Identity.Saml2.Saml2Response.Read(string xml, bool validate, bool detectReplayedTokens)
ITfoxtec.Identity.Saml2.Saml2AuthnResponse.Read(string xml, bool validate, bool detectReplayedTokens)
ITfoxtec.Identity.Saml2.Saml2PostBinding.Read(HttpRequest request, Saml2Request saml2RequestResponse, string messageName, bool validate, bool detectReplayedTokens)
ITfoxtec.Identity.Saml2.Saml2PostBinding.UnbindInternal(HttpRequest request, Saml2Request saml2RequestResponse, string messageName)
ITfoxtec.Identity.Saml2.Saml2Binding.Unbind(HttpRequest request, Saml2Response saml2Response)
```
I found that Saml2CertificateValidator uses StoreLocation.LocalMachine by default and that this cannot be changed through the configuration. So I tried adding the following code to set a custom validator:

```csharp
// Validator that checks chain trust against the CurrentUser store instead of LocalMachine.
saml2Configuration.CustomCertificateValidator = new Saml2CertificateValidator
{
    CertificateValidationMode = saml2Configuration.CertificateValidationMode,
    RevocationMode = saml2Configuration.RevocationMode,
    TrustedStoreLocation = StoreLocation.CurrentUser
};
// Switch the configuration over to the custom validator.
saml2Configuration.CertificateValidationMode = X509CertificateValidationMode.Custom;
```
Nothing changed. I still get the same error.

Can anyone help? Why does the same code work on .NET 6 but not on .NET 8?
Are you using the same version of the ITfoxtec Identity SAML library on .NET 6 and .NET 8? There was a bug in the library that caused certificate changes not to be validated.

Most likely the root certificate is unknown in Azure. Which root certificate do you want?
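To confirm the "root certificate unknown" explanation before touching the SAML configuration, the chain for the IdP signature certificate can be built directly with X509Chain, once against the host's system trust and once with the IdP root supplied explicitly. This is an added diagnostic, not code from the question or from the ITfoxtec library; the file names are placeholders.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

public static class Saml2ChainDiagnostics
{
    // Builds the chain for `leaf` and returns the combined status flags.
    // With extraRoots == null the system store is used (what the validator
    // sees on the Azure host); otherwise only the supplied roots are trusted.
    public static X509ChainStatusFlags Diagnose(X509Certificate2 leaf,
        X509Certificate2Collection? extraRoots,
        X509RevocationMode revocationMode = X509RevocationMode.NoCheck)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = revocationMode;
        if (extraRoots is not null)
        {
            // Trust exactly the IdP's root, independent of the machine store.
            chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            chain.ChainPolicy.CustomTrustStore.AddRange(extraRoots);
        }

        bool built = chain.Build(leaf);
        var flags = X509ChainStatusFlags.NoError;
        foreach (var status in chain.ChainStatus)
        {
            flags |= status.Status;   // e.g. PartialChain, UntrustedRoot
            Console.WriteLine($"{status.Status}: {status.StatusInformation.Trim()}");
        }
        Console.WriteLine($"built={built}, elements={chain.ChainElements.Count}");
        foreach (var element in chain.ChainElements)
            Console.WriteLine($"  {element.Certificate.Subject} ({element.Certificate.Thumbprint})");
        return flags;
    }

    public static void Main()
    {
        // Placeholder files: the IdP signing certificate and the root CA it chains to.
        var idpSigningCert = new X509Certificate2("idp-signing.cer");
        var idpRoots = new X509Certificate2Collection { new X509Certificate2("idp-root.cer") };

        // 1) System trust only: a PartialChain/UntrustedRoot result here reproduces the error.
        var systemFlags = Diagnose(idpSigningCert, extraRoots: null);
        // 2) Explicit root: NoError here shows the chain is sound and only the root is missing.
        var customFlags = Diagnose(idpSigningCert, idpRoots);
        Console.WriteLine(systemFlags != X509ChainStatusFlags.NoError &&
                          customFlags == X509ChainStatusFlags.NoError
            ? "Root CA is missing from the host trust store"
            : "Chain problem is not (only) the missing root");
    }
}
```

Run it on the Azure instance with the IdP's published signing certificate and root; if the first build fails and the second succeeds, installing that root (or trusting it explicitly in the validator) is the fix to pursue.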