

Using Thinktecture IdentityServer3 with SessionAuthenticationModule/WSFederationAuthenticationModule throws ID4175 error

I am trying to connect my app to IdentityServer3. I am using the SelfHost (InMem with WS-Fed) example. Login works fine. I get a nice SAML token:

<trust:RequestSecurityTokenResponseCollection xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
  <trust:RequestSecurityTokenResponse Context="rm=1&amp;id=passive&amp;ru=%2f">
    <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
      <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
        <wsa:Address>http://localhost:47483/</wsa:Address>
      </wsa:EndpointReference>
    </wsp:AppliesTo>
    <trust:RequestedSecurityToken>
      <Assertion ID="_3652b65f-1ec9-46bc-b441-0bbe58fac918" IssueInstant="2015-10-21T09:39:52.079Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <Issuer>https://localhost:44333/core</Issuer>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
          <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <Reference URI="#_3652b65f-1ec9-46bc-b441-0bbe58fac918">
              <Transforms>
                <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
              </Transforms>
              <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
              <DigestValue>CKB75sO/t4yKTxvWiexH07OxXF9MyfCiCHL/etC5FqY=</DigestValue>
            </Reference>
          </SignedInfo>
          <SignatureValue>Lrc3LECkvgPMjI...ZdvN0UaWPg==</SignatureValue>
          <KeyInfo>
            <X509Data>
                <X509Certificate>MIIDBTCCAfGgA...0CfXoW6iz1</X509Certificate>
            </X509Data>
          </KeyInfo>
        </Signature>
        <Subject>
          <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />
        </Subject>
        <Conditions NotBefore="2015-10-21T09:39:52.029Z" NotOnOrAfter="2015-10-21T09:40:52.029Z">
          <AudienceRestriction>
            <Audience>http://localhost:47483/</Audience>
          </AudienceRestriction>
        </Conditions>
        <AuthnStatement AuthnInstant="2015-10-21T09:39:52.026Z">
          <AuthnContext>
            <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
          </AuthnContext>
        </AuthnStatement>
      </Assertion>
    </trust:RequestedSecurityToken>
  </trust:RequestSecurityTokenResponse>
</trust:RequestSecurityTokenResponseCollection>

That's great, but my app shows a yellow screen of death: [screenshot of the error page not reproduced]

My Web.config (extract) looks like this:

 <system.identityModel.services>
    <federationConfiguration>
      <wsFederation passiveRedirectEnabled="true" homeRealm=""  issuer="https://localhost:44333/core/wsfed" realm="http://localhost:47483/" requireHttps="false" persistentCookiesOnPassiveRedirects="true" />
      <cookieHandler requireSsl="false" persistentSessionLifetime="0.10:00:00" />
    </federationConfiguration>
  </system.identityModel.services>
  <system.identityModel>
    <identityConfiguration>
      <audienceUris>
        <add value="http://localhost:47483/" />
      </audienceUris>
      <certificateValidation certificateValidationMode="None" />
      <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089">
        <trustedIssuers>
          <add thumbprint="‎6b7acc520305bfdb4f7252daeb2177cc091faae1" name="https://localhost:44333/core" />
        </trustedIssuers>
      </issuerNameRegistry>
    </identityConfiguration>
  </system.identityModel>

What am I doing wrong? Is there a way to get this working?

Sure. Look at the SAML assertion. The issuer in the token is here:

<Issuer>https://localhost:44333/core</Issuer>

The validation parameter for the issuer in your WSFed configuration is here:

<wsFederation passiveRedirectEnabled="true" homeRealm=""  issuer="https://localhost:44333/core/wsfed" realm="http://localhost:47483/" requireHttps="false" persistentCookiesOnPassiveRedirects="true" />

Looks like you have an extra /wsfed in your web config's issuer property for the wsFederation element. If you remove it, I expect the token will then validate.

The issue seems to be the System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry. I have replaced it with my own one. Now everything works fine.
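Added example, not part of the question or either answer: a small Python checker built from the assertion and Web.config snippets above. It compares the assertion's Issuer with the trustedIssuers name, the Audience with audienceUris, and flags any thumbprint that is not 40 hex digits, since ConfigurationBasedIssuerNameRegistry looks the signing certificate up by thumbprint string and ID4175 ("issuer not recognized by the IssuerNameRegistry") is the result when that lookup fails. The thumbprint in the posted config carries a hidden U+200E (left-to-right mark) before its first digit, which the constructed sample reproduces.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: only the parts of the posted assertion that the checks need.
ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <Issuer>https://localhost:44333/core</Issuer>
  <Conditions NotBefore="2015-10-21T09:39:52.029Z" NotOnOrAfter="2015-10-21T09:40:52.029Z">
    <AudienceRestriction><Audience>http://localhost:47483/</Audience></AudienceRestriction>
  </Conditions>
</Assertion>"""

# Constructed sample of the posted <system.identityModel> section; the \u200e is the
# hidden left-to-right mark that precedes the thumbprint in the question as posted.
WEB_CONFIG = """<configuration>
  <system.identityModel><identityConfiguration>
    <audienceUris><add value="http://localhost:47483/" /></audienceUris>
    <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel">
      <trustedIssuers>
        <add thumbprint="\u200e6b7acc520305bfdb4f7252daeb2177cc091faae1" name="https://localhost:44333/core" />
      </trustedIssuers>
    </issuerNameRegistry>
  </identityConfiguration></system.identityModel>
</configuration>"""


def check_issuer_registry(assertion_xml, web_config_xml):
    """Return the mismatches that would make WIF reject this token; empty list means OK."""
    assertion = ET.fromstring(assertion_xml)
    cfg = ET.fromstring(web_config_xml)
    problems = []
    issuer = assertion.findtext(f"{{{SAML_NS}}}Issuer")
    audiences = [e.text for e in assertion.iter(f"{{{SAML_NS}}}Audience")]
    trusted = cfg.findall(".//issuerNameRegistry/trustedIssuers/add")
    allowed = [e.get("value") for e in cfg.findall(".//audienceUris/add")]
    # The trustedIssuers name must equal the assertion's Issuer value.
    if not any(t.get("name") == issuer for t in trusted):
        problems.append(f"no trustedIssuers entry named {issuer!r}")
    # A thumbprint is a SHA-1 hex string; anything else (spaces, hidden marks) never matches.
    for t in trusted:
        tp = t.get("thumbprint", "")
        if not re.fullmatch(r"[0-9A-Fa-f]{40}", tp):
            bad = [f"U+{ord(c):04X}" for c in tp if not re.fullmatch(r"[0-9A-Fa-f]", c)]
            problems.append(f"thumbprint for {t.get('name')!r} is not 40 hex digits; offending chars: {bad}")
    # The assertion's Audience must appear in audienceUris.
    if not any(aud in allowed for aud in audiences):
        problems.append(f"none of the audiences {audiences} are listed in audienceUris {allowed}")
    return problems


if __name__ == "__main__":
    for p in check_issuer_registry(ASSERTION, WEB_CONFIG):
        print("PROBLEM:", p)
```

Running it on the posted snippets reports only the thumbprint; stripping the hidden character makes the check pass.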
