我正在尝试使用 Sustainsys.saml2 为我的 ASP.NET Core 应用程序实现 ADFS SSO 身份验证。
当我转到登录控制器时,它会重定向到 ADFS 服务器,然后我通过 adfs 登录页面登录并重定向回我的服务器。但我的服务器抛出
"Sustainsys.Saml2.UnsuccessfulSamlOperationException": The Saml2Response must have status success to extract claims.
(
Saml2 Status code: responder
).
我去了 ADFS 服务器并查看了日志,我看到了错误:
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: MSI0037: No signature verification certificate found for issuer "<my-application-url>".
我的维持系统配置是:
options.SPOptions.EntityId = new EntityId("<my-application-url">);
options.SPOptions.PublicOrigin = new Uri("<my-application-url");
options.AuthenticaionRequestSigningBehavior = SigningBehavior.Always;
options.SPOptions.WantAssertionsSigned = true;
var certificate = new X509Certificate(certificatePath, secret);
IdentityProvider identityProvider = new IdentityProvider(
new EntityId("http://<adfs-server>/adfs/services/trust"), options.SPOptions)
{
MetadataLocation = "<adfs-metadata-url>",
AllowUnsolicitedAuthnResponse = true,
Binding = Saml2BindingType.HttpRedirect,
WantAuthnRequestsSigned = true,
OutboundSigningAlogorithm = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
};
identityProvider.SigningKeys.AddConfiguredKey(certificate);
options.IdentityProviders.Add(identityProvider);
ServicesCertificate serviceCertificate = new ServiceCertificate()
{
Certificate = certificate,
Use = CertificateUse.Signing
}
options.SPOptions.ServiceCertificates.Add(serviceCertificate);
我已经尝试了所有能找到的选项,但错误仍然存在 😭
您需要使用证书的公共部分配置 ADFS 服务器。我想如果您从 .pfx 生成 .cer,ADFS 可以导入它。