使用ADFS和SAML2.0(Sustainsys)在我们的Web应用程序中实现SSO时出错
[英]Getting an error while implementing SSO in our web application using ADFS and SAML2.0 (Sustainsys)
问题描述
Im Trying to implement SSO in our web application using ADFS and SAML2.0. 
Im试图使用ADFS和SAML2.0在我们的Web应用程序中实现SSO。 I am using Windows Server 2012 r2 as my adfs environment. 我使用Windows Server 2012 r2作为我的adfs环境。 the web application is also in the same environment. 该Web应用程序也处于同一环境中。
So far when i run the application, I get directed to the main sign in page where i can choose to login using sso. 到目前为止,当我运行该应用程序时,我被定向到主登录页面,在该页面中我可以选择使用sso登录。 after clicking the sso option, i get redirected to the adfs signon screen and when i try to login with the proper credentials, I get the following error: 单击sso选项后,我将重定向到adfs登录屏幕,并且当我尝试使用适当的凭据登录时,出现以下错误:
Encountered error during federation passive request. Additional Data Protocol Name: Saml Relying Party: https://ADFSDomain/adfs/ls/ Exception details: Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.MissingAssertionConsumerServicesPolicyException: MSIS3077: The AssertionConsumerServices property is not configured for relying party trust 'https://ADFSDomain/adfs/ls/'. at Microsoft.IdentityServer.Service.SamlProtocol.EndpointResolver.LookupAssertionConsumerServiceByUrl(Collection`1 assertionConsumerServices, Uri requestedAssertionConsumerServiceUrl, String scopeIdentity) at Microsoft.IdentityServer.Service.SamlProtocol.EndpointResolver.FindSamlResponseEndpointForAuthenticationRequest(Boolean artifactEnabled, AuthenticationRequest request, ScopeDescription scopeDescription) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.GetResponseEndpointFromRequest(SamlRequest request, Boolean isUrlTranslationNeeded, ScopeDescription scope) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context) at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler) at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
This is how the web.config looks like: 这是web.config的样子:
<sustainsys.saml2 modulePath="/AuthServices" entityId="https://ADFSDomain/adfs/ls/" returnUrl="http://localhost:2181/">
<identityProviders>
<add entityId="http://ADFSDomain/adfs/services/trust"
signOnUrl="https://ADFSDomain/adfs/ls/"
allowUnsolicitedAuthnResponse="true"
binding="HttpRedirect"
wantAuthnRequestsSigned="false"
loadMetadata="true"
metadataLocation="https://ADFSDomain/federationmetadata/2007-06/federationmetadata.xml">
<signingCertificate fileName="~/App_Data/newCert.cer" />
</add>
</identityProviders>
</sustainsys.saml2>
1 个解决方案
解决方案1
0 2018-04-06 17:14:02
The entityId used in your config should be a path specific to your service provider application, not ADFS (the identity provider). 配置中使用的entityId应该是特定于服务提供商应用程序的路径,而不是ADFS(身份提供商)。
An example config: 配置示例:
<?xml version="1.0"?>
<sustainsys.saml2 entityId="https://yourdomain.com/apppath/Saml2" returnUrl="https://yourapp.com/apppath/" authenticateRequestSigningBehavior="Always" outboundSigningAlgorithm="SHA256">
<identityProviders>
<add entityId="http://adfs.yourdomain.com/adfs/services/trust" signOnUrl="https://adfs.yourdomain.com/adfs/ls" logoutUrl="https://adfs.yourdomain.com/adfs/ls" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect" loadMetadata="true" metadataLocation="https://adfs.yourdomain.com/federationmetadata/2007-06/federationmetadata.xml" />
</identityProviders>
<serviceCertificates>
<add storeName="My" storeLocation="LocalMachine" findValue="xxx" x509FindType="FindByThumbprint" />
</serviceCertificates>
</sustainsys.saml2>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.
相关问题
SAML2.0入门 - Getting started with SAML2.0
在ASP .NET中使用SAML2.0工件 - Using SAML2.0 artifacts in ASP .NET
使用带有Kerberos令牌的SAML 2.0 SSO的.NET桌面(非Web)应用程序 - .NET Desktop (Non-web) application using SAML 2.0 SSO with a Kerberos Token
使用asp.net使用Fedlet进行ADFS SSO身份验证时出错 - Getting error while ADFS SSO authentication using Fedlet using asp.net
.NET wsFederationHttpBinding和SAML2.0 - .Net wsFederationHttpBinding and SAML2.0
Sustainsys.Saml2 - Saml2/Acs 端点在处理 SSO 时返回错误 500 - Sustainsys.Saml2 - Saml2/Acs endpoint returns Error 500 when processing SSO
将 ADFS SSO 集成到现有的 .net Web 应用程序中 - Integrating ADFS SSO into existing .net web application
使用 Sustainsys 和 Azure 的 SAML 单点注销给出消息无效错误 - SAML Single Logout using Sustainsys and Azure giving Message is invalid error
不使用WIF的情况下在WCF服务调用中包括SAML2.0令牌 - Including SAML2.0 token in WCF service call without using WIF
发送SAML 2.0 AuthnRequest时,ADFS返回错误 - ADFS returns an error when sending SAML 2.0 AuthnRequest
相关标签