
SSO Sustainsys.Saml2.Owin Request is not Authenticated - access_denied

I have to do SSO authentication with SAML2 for my existing ASP.NET web application.

I am using the Sustainsys.Saml2.Owin example to do that.

Identity provider is Azure ADFS ( https://sts.windows.net/TENANTID ).

I have configured the Startup file. It loads the metadata file and certificate.

And in my Login page, I am challenging if not authenticated.

It is successfully redirecting to the login page, but the Request is never getting authenticated after the login. And in the reply URL we are getting error=access_denied.

[Neither Request.IsAuthenticated nor owinContext.Authentication.User.Identity.IsAuthenticated is set to true.]

So it keeps on challenging many times and errors with a bad request.

What am I doing wrong? Which module of Owin/Sustainsys is responsible for setting the IsAuthenticated status?

* A Saml2 cookie [Saml2.DAeP63c***UTX0h***_***] is passed along with the request after login into Microsoft [ https://login.microsoftonline.com/TENANTID/saml2 ].

Startup.cs file

    // Namespaces added so the fragment compiles; they assume Sustainsys.Saml2 2.x
    // with Microsoft.Owin and ASP.NET Identity (the stack the question uses).
    using System;
    using System.Security.Cryptography.X509Certificates;
    using Microsoft.AspNet.Identity;
    using Microsoft.Owin.Security.Cookies;
    using Owin;
    using Sustainsys.Saml2;
    using Sustainsys.Saml2.Configuration;
    using Sustainsys.Saml2.Metadata;
    using Sustainsys.Saml2.Owin;
    using Sustainsys.Saml2.WebSso;

    // The poster's project reads these from configuration; shown here as placeholders.
    private readonly string authority = "https://sts.windows.net/TENANTID/";   // IdP EntityId
    private readonly string metadataLocation = "<idp-metadata-url-or-path>";
    private readonly string certificateLocation = "<idp-signing-certificate.cer>";
    private readonly string ApplicationId = "<sp-entity-id-as-registered-with-azure>";
    private readonly string redirectUrl = "<absolute-return-url-of-this-app>";

    public void ConfigureAuth(IAppBuilder appBuilder)
    {
        // Whichever middleware signs the user in writes the application cookie.
        appBuilder.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        appBuilder.UseCookieAuthentication(new CookieAuthenticationOptions());

        appBuilder.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

        // Saml2 middleware: issues the redirect to the IdP and consumes the POST back to /Saml2/Acs.
        appBuilder.UseSaml2Authentication(CreateSaml2Options());
        // The original wrapped this in try { } catch (Exception) { } with an empty body;
        // that silently leaves the pipeline half-configured when anything above throws.
    }

    private Saml2AuthenticationOptions CreateSaml2Options()
    {
        // The original caught and swallowed all exceptions here (and did not return
        // on that path, which does not compile); let configuration errors surface.
        var spOptions = CreateSPOptions();

        // false: nothing is loaded from web.config, everything is set in code.
        var saml2AuthOptions = new Saml2AuthenticationOptions(false)
        {
            SPOptions = spOptions,
            Notifications = new Saml2Notifications(),
        };

        var idp = new IdentityProvider(new EntityId(authority), spOptions)
        {
            MetadataLocation = metadataLocation,
            Binding = Saml2BindingType.HttpRedirect
        };

        // Certificate used to verify the signature on the IdP's SAML responses.
        idp.SigningKeys.AddConfiguredKey(
            new X509Certificate2(certificateLocation));

        saml2AuthOptions.IdentityProviders.Add(idp);

        return saml2AuthOptions;
    }

    private SPOptions CreateSPOptions()
    {
        var organization = new Organization();

        // EntityId must be the identifier the IdP has registered for this app;
        // ReturnUrl is where the user lands after a successful sign-in.
        var spOptions = new SPOptions
        {
            EntityId = new EntityId(ApplicationId),
            ReturnUrl = new Uri(redirectUrl),
            Organization = organization,
        };

        return spOptions;
    }

Login.aspx.cs

// Namespaces added so the fragment compiles (assumed: Microsoft.Owin on a System.Web host).
using System;
using System.Linq;
using System.Web;
using Microsoft.Owin;
using Microsoft.Owin.Security;

protected void Page_Load(object sender, EventArgs e)
{
    if (!IsPostBack)
    {
        IOwinContext owinContext = HttpContext.Current.GetOwinContext();

        //if (Request.IsAuthenticated)
        // True only once a sign-in middleware has issued the application cookie
        // and the cookie middleware has read it back on this request.
        if (owinContext.Authentication.User != null &&
            owinContext.Authentication.User.Identity != null &&
            owinContext.Authentication.User.Identity.IsAuthenticated)
        {
            //Authenticated
            string name = owinContext.Authentication.User.Identity.Name;
        }
        else
        {
            // Challenges every registered authentication type at once
            // (application cookie, external cookie and Saml2).
            var authenticationTypes = owinContext.Authentication.GetAuthenticationTypes().Select(d => d.AuthenticationType).ToArray();

            owinContext.Authentication.Challenge(new AuthenticationProperties { RedirectUri = "/" }, authenticationTypes);
        }
    }
}

(All code posted here is the same sample from GitHub.)

You need to understand how SAML works; here's a simple SAML implementation class that I used before I dove into Sustainsys SAML: AspNetSaml

This is the basic flow of a SAML implementation:

  1. The user accesses your app; if the user is not yet authenticated, your app should redirect the user to your SAML provider.

         //specify the SAML provider url here, aka "Endpoint"
         var samlEndpoint = "http://saml-provider-that-we-use.com/login/";

         var request = new AuthRequest(
             "http://www.myapp.com",            //put your app's "unique ID" here
             "http://www.myapp.com/SamlConsume" //assertion Consumer Url - the redirect URL where the provider will send authenticated users
             );

         //generate the provider URL
         string url = request.GetRedirectUrl(samlEndpoint);

         //then redirect your user to the above "url" var
         //for example, like this:
         Response.Redirect(url);

  2. At the SAML provider, the user enters credentials and, if the user is valid, the SAML provider will authenticate and redirect the user to your app.

  3. The SAML provider will post the samlresponse to your app (e.g. http://www.myapp.com/SamlConsume ).

         //ASP.NET MVC action method... But you can easily modify the code for Web-forms etc.
         public ActionResult SamlConsume()
         {
             //specify the certificate that your SAML provider has given to you
             string samlCertificate = @"-----BEGIN CERTIFICATE-----
         BLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAH123543==
         -----END CERTIFICATE-----";

             Saml.Response samlResponse = new Response(samlCertificate);
             samlResponse.LoadXmlFromBase64(Request.Form["SAMLResponse"]); //SAML providers usually POST the data into this var

             if (samlResponse.IsValid())
             {
                 //WOOHOO!!! user is logged in
                 //YAY!

                 //Some more optional stuff for you
                 //lets extract username/firstname etc
                 string username, email, firstname, lastname;
                 try
                 {
                     username = samlResponse.GetNameID();
                     email = samlResponse.GetEmail();
                     firstname = samlResponse.GetFirstName();
                     lastname = samlResponse.GetLastName();
                 }
                 catch(Exception ex)
                 {
                     //insert error handling code
                     //no, really, please do
                     return null;
                 }

                 //user has been authenticated, put your code here, like set a cookie or something...
                 //or call FormsAuthentication.SetAuthCookie() or something
             }

             //not valid: treat as not authenticated (added so the method compiles)
             return null;
         }

  4. Your app will read the samlresponse and, if it is valid, will let the user use your app; your app will now handle the roles of the user depending on your policies.

Some tips:

  1. Make sure your app is identifiable by your SAML provider.
  2. Use Firebug (or any HTTP tracing tool) to trace your HTTP requests.
  3. Understand the difference between samlresponse and samlrequest.
  4. Using Firebug you should be able to see the samlresponse.
  5. If you have multiple web apps that you want to have SSO using your SAML provider, I suggest you create an httprequest/httphandler to handle the samlresponse from your provider. You can then install this dll on your server and just add the handler to each web app's config. No code change is required to your web apps :).

I hope this helps.
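As an added diagnostic (not part of the question or the answer, and not Sustainsys or AspNetSaml code): decode a SAMLResponse captured with the browser tools the answer recommends and compare its Issuer, Audience, Destination and validity window with what the service provider is configured with, since these are the values the middleware checks against its own IdP EntityId, SPOptions.EntityId and ACS URL before a request can count as authenticated. The sample response, the host name and the TENANTID/APPLICATIONID values are constructed placeholders, and the XML signature is deliberately not verified here.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol", "a": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample (not a real Azure AD response); TENANTID and
# APPLICATIONID are placeholders in the style of the question, the host is made up.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://myapp.example/Saml2/Acs">
 <saml:Issuer>https://sts.windows.net/TENANTID/</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion><saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2020-01-01T00:00:00Z" NotOnOrAfter="2020-01-01T01:00:00Z">
   <saml:AudienceRestriction><saml:Audience>spn:APPLICATIONID</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""

def decode_saml_response(form_value: str) -> ET.Element:
    """Decode the base64 SAMLResponse form field that the IdP POSTs to the ACS."""
    return ET.fromstring(base64.b64decode(form_value))

def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(root, expected_issuer, expected_audience, expected_acs, now_iso):
    """Compare the response with the SP's own configuration; returns {check: (ok, observed)}.
    The XML signature is NOT verified here; that stays the middleware's job."""
    status = root.find("p:Status/p:StatusCode", NS).get("Value")
    cond = root.find("a:Assertion/a:Conditions", NS)
    audience = cond.findtext("a:AudienceRestriction/a:Audience", namespaces=NS)
    nb, na, now = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter")), _ts(now_iso)
    issuer, dest = root.findtext("a:Issuer", namespaces=NS), root.get("Destination")
    return {
        "status_success": (status.endswith(":Success"), status),
        "issuer_is_configured_idp": (issuer == expected_issuer, issuer),
        "audience_is_sp_entityid": (audience == expected_audience, audience),
        "destination_is_acs_url": (dest == expected_acs, dest),
        "inside_validity_window": (nb <= now < na, f"{nb.isoformat()}..{na.isoformat()}"),
    }

def sample_results(expected_audience="spn:APPLICATIONID"):
    """Run the checks on the constructed sample as if it had been captured from the browser."""
    form_value = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()
    return check_response(decode_saml_response(form_value), "https://sts.windows.net/TENANTID/",
                          expected_audience, "https://myapp.example/Saml2/Acs", "2020-01-01T00:30:00Z")

if __name__ == "__main__":
    for name, (ok, seen) in sample_results().items():
        print(f"{'OK ' if ok else 'BAD'} {name}: {seen}")
```

Passing a different expected audience (for example the value you put in SPOptions.EntityId) shows directly which configured value disagrees with what the IdP actually sent.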
