Getting an error while implementing SSO in our web application using ADFS and SAML2.0 (Sustainsys)
I'm trying to implement SSO in our web application using ADFS and SAML2.0. I am using Windows Server 2012 R2 as my ADFS environment. The web application is also in the same environment.
So far, when I run the application, I get directed to the main sign-in page where I can choose to log in using SSO. After clicking the SSO option, I get redirected to the ADFS sign-on screen, and when I try to log in with the proper credentials, I get the following error:
Encountered error during federation passive request.
Additional Data
Protocol Name: Saml
Relying Party: https://ADFSDomain/adfs/ls/
Exception details:
Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.MissingAssertionConsumerServicesPolicyException: MSIS3077: The AssertionConsumerServices property is not configured for relying party trust 'https://ADFSDomain/adfs/ls/'.
at Microsoft.IdentityServer.Service.SamlProtocol.EndpointResolver.LookupAssertionConsumerServiceByUrl(Collection`1 assertionConsumerServices, Uri requestedAssertionConsumerServiceUrl, String scopeIdentity)
at Microsoft.IdentityServer.Service.SamlProtocol.EndpointResolver.FindSamlResponseEndpointForAuthenticationRequest(Boolean artifactEnabled, AuthenticationRequest request, ScopeDescription scopeDescription)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.GetResponseEndpointFromRequest(SamlRequest request, Boolean isUrlTranslationNeeded, ScopeDescription scope)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
This is what the web.config looks like:
<sustainsys.saml2 modulePath="/AuthServices" entityId="https://ADFSDomain/adfs/ls/" returnUrl="http://localhost:2181/">
  <identityProviders>
    <add entityId="http://ADFSDomain/adfs/services/trust"
         signOnUrl="https://ADFSDomain/adfs/ls/"
         allowUnsolicitedAuthnResponse="true"
         binding="HttpRedirect"
         wantAuthnRequestsSigned="false"
         loadMetadata="true"
         metadataLocation="https://ADFSDomain/federationmetadata/2007-06/federationmetadata.xml">
      <signingCertificate fileName="~/App_Data/newCert.cer" />
    </add>
  </identityProviders>
</sustainsys.saml2>
The entityId used in your config should be a path specific to your service provider application, not ADFS (the identity provider).
An example config:
<?xml version="1.0"?>
<sustainsys.saml2 entityId="https://yourdomain.com/apppath/Saml2"
                  returnUrl="https://yourapp.com/apppath/"
                  authenticateRequestSigningBehavior="Always"
                  outboundSigningAlgorithm="SHA256">
  <identityProviders>
    <add entityId="http://adfs.yourdomain.com/adfs/services/trust"
         signOnUrl="https://adfs.yourdomain.com/adfs/ls"
         logoutUrl="https://adfs.yourdomain.com/adfs/ls"
         allowUnsolicitedAuthnResponse="true"
         binding="HttpRedirect"
         loadMetadata="true"
         metadataLocation="https://adfs.yourdomain.com/federationmetadata/2007-06/federationmetadata.xml" />
  </identityProviders>
  <serviceCertificates>
    <add storeName="My" storeLocation="LocalMachine" findValue="xxx" x509FindType="FindByThumbprint" />
  </serviceCertificates>
</sustainsys.saml2>
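The misconfiguration the answer points out can be caught before the AuthnRequest ever reaches ADFS. The script below is an added example, not Sustainsys or ADFS code: it parses a `<sustainsys.saml2>` section, flags a service provider `entityId` that duplicates one of the identity provider's URLs (ADFS then looks up a relying party trust under its own endpoint address and fails with MSIS3077), and prints the AssertionConsumerService URL that the ADFS relying party trust for that identifier has to list. The ACS convention it uses (application root + `modulePath` + `/Acs`, with `modulePath` defaulting to `/Saml2`) and the treatment of `returnUrl` as the application root are assumptions; the two embedded configs are copied from the question and the answer above, with the thumbprint placeholder left as-is.

```python
"""Sanity checks for a Sustainsys.Saml2 <sustainsys.saml2> web.config section.

Added example, not Sustainsys or ADFS code. Assumptions (labelled):
  - SP endpoints live under <application root>/<modulePath>, ACS at .../Acs,
    and modulePath defaults to /Saml2 when omitted;
  - returnUrl is the application root.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

DEFAULT_MODULE_PATH = "/Saml2"  # assumed default when modulePath is omitted

# Config from the question (SP entityId wrongly set to the ADFS sign-on URL).
QUESTION_CONFIG = """
<sustainsys.saml2 modulePath="/AuthServices" entityId="https://ADFSDomain/adfs/ls/" returnUrl="http://localhost:2181/">
  <identityProviders>
    <add entityId="http://ADFSDomain/adfs/services/trust"
         signOnUrl="https://ADFSDomain/adfs/ls/"
         allowUnsolicitedAuthnResponse="true"
         binding="HttpRedirect"
         wantAuthnRequestsSigned="false"
         loadMetadata="true"
         metadataLocation="https://ADFSDomain/federationmetadata/2007-06/federationmetadata.xml">
      <signingCertificate fileName="~/App_Data/newCert.cer" />
    </add>
  </identityProviders>
</sustainsys.saml2>
"""

# Config from the answer (SP-specific entityId; "xxx" is the answer's own placeholder).
ANSWER_CONFIG = """
<sustainsys.saml2 entityId="https://yourdomain.com/apppath/Saml2" returnUrl="https://yourapp.com/apppath/"
                  authenticateRequestSigningBehavior="Always" outboundSigningAlgorithm="SHA256">
  <identityProviders>
    <add entityId="http://adfs.yourdomain.com/adfs/services/trust" signOnUrl="https://adfs.yourdomain.com/adfs/ls"
         logoutUrl="https://adfs.yourdomain.com/adfs/ls" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect"
         loadMetadata="true" metadataLocation="https://adfs.yourdomain.com/federationmetadata/2007-06/federationmetadata.xml" />
  </identityProviders>
  <serviceCertificates>
    <add storeName="My" storeLocation="LocalMachine" findValue="xxx" x509FindType="FindByThumbprint" />
  </serviceCertificates>
</sustainsys.saml2>
"""


def expected_acs_url(app_base: str, module_path: str = DEFAULT_MODULE_PATH) -> str:
    """ACS URL the ADFS relying party trust must carry (assumed convention, see module docstring)."""
    return app_base.rstrip("/") + "/" + module_path.strip("/") + "/Acs"


def check_saml2_config(xml_text: str) -> list:
    """Return a list of 'ERROR:', 'WARN:' and 'INFO:' findings for the given section."""
    root = ET.fromstring(xml_text.strip())
    sp = next(root.iter("sustainsys.saml2"), None)  # accepts the bare section or a whole web.config
    if sp is None:
        return ["ERROR: no <sustainsys.saml2> element found"]

    findings = []
    sp_entity = sp.get("entityId", "")
    return_url = sp.get("returnUrl", "")
    module_path = sp.get("modulePath", DEFAULT_MODULE_PATH)

    if not sp_entity:
        findings.append("ERROR: entityId missing; ADFS matches the AuthnRequest Issuer "
                        "against its relying party trust identifiers")

    idps = sp.findall("./identityProviders/add")
    if not idps:
        findings.append("ERROR: no <identityProviders><add> entry")
    for idp in idps:
        idp_urls = {k: idp.get(k, "") for k in ("entityId", "signOnUrl", "metadataLocation")}
        # Trailing-slash-insensitive comparison: the SP identifier must not be any IdP URL.
        clash = [k for k, u in idp_urls.items() if u and u.rstrip("/") == sp_entity.rstrip("/")]
        if clash:
            findings.append(f"ERROR: entityId {sp_entity!r} equals the identity provider's "
                            f"{', '.join(clash)}; ADFS will look for a relying party trust with that "
                            "identifier and report MSIS3077. Use a URL specific to this application.")
        if idp.get("allowUnsolicitedAuthnResponse", "false").lower() == "true":
            findings.append("INFO: allowUnsolicitedAuthnResponse=true accepts IdP-initiated responses "
                            "that do not answer an AuthnRequest from this SP")

    if return_url and urlparse(return_url).scheme != "https":
        findings.append(f"WARN: returnUrl {return_url!r} is not https; acceptable for localhost "
                        "testing only")
    if return_url:
        findings.append(f"INFO: relying party trust {sp_entity!r} needs SAML AssertionConsumerService "
                        f"endpoint {expected_acs_url(return_url, module_path)} "
                        "(assumes returnUrl is the application root)")
    return findings


def has_errors(findings: list) -> bool:
    return any(f.startswith("ERROR:") for f in findings)


if __name__ == "__main__":
    for label, cfg in (("question", QUESTION_CONFIG), ("answer", ANSWER_CONFIG)):
        print(f"== {label} config ==")
        for f in check_saml2_config(cfg):
            print(" ", f)
```

Run the file directly to see the question's config rejected (entityId equals the IdP signOnUrl) and the answer's config pass with only informational notes. The INFO line for the ACS endpoint is the value to compare against the relying party trust's SAML endpoints in the ADFS management console.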