[英]How to get SAML token from Application Pool Identity (for the configured user)?
有沒有辦法為應用程序池標識用戶(已配置的用戶)獲取SAML令牌?
當我們配置應用程序池時,在%systemroot%\\ System32 \\ Inetsrv \\ config路徑下的applicationHost.config中存儲配置條目(用戶名和密碼)。
應用程序啟動時,會選擇用戶名和加密密碼進行身份驗證。 身份驗證成功后,后續呼叫是遵循基於令牌的身份驗證,還是始終遵循基本身份驗證?
如果基於令牌,那么在第一次響應之后,如何獲取應用程序池標識用戶的SAML令牌?
如有任何鏈接,請告訴我。
提前致謝。
回答1:通過使用Adal流為登錄用戶獲取Jwt令牌:
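// Acquire an OAuth2 JWT access token for the logged-on user through ADAL.
// Returns the raw access token string. Both configuration-guard failures and any error
// during acquisition are reported as SecurityException; for acquisition errors the
// original ADAL exception is preserved as InnerException.
if (!AdfsConfiguration.IsInitialized) throw new SecurityException(Constants.AdfsConfigurationInitilizationExceptionMessage);
if (string.IsNullOrEmpty(AdfsConfiguration.AdfsAuthorityUrl)) throw new SecurityException(Constants.AdfsConfigurationAdfsAuthorityUrlInitilizationExceptionMessage);
try
{
    // The second constructor argument is presumably ADAL's validateAuthority flag: the configured
    // authority is used as-is, so a wrong AdfsAuthorityUrl is only noticed when the request fails.
    var authority = string.Format(AdfsConfiguration.AdfsAuthorityUrl, AdfsConfiguration.AdfsInstance, AdfsConfiguration.Resource);
    var authenticationContext = new AuthenticationContext(authority, false);
    // NOTE(review): PromptBehavior.Auto may raise a sign-in dialog, which a non-interactive host
    // (such as an IIS application pool) cannot show — confirm this path is only reached for an interactive user.
    var tokenTask = authenticationContext.AcquireTokenAsync(AdfsConfiguration.Resource, AdfsConfiguration.ClientId, new Uri(AdfsConfiguration.RedirectUri), new PlatformParameters(PromptBehavior.Auto));
    // The enclosing method appears to be synchronous (it blocked on .Result), so the wait still blocks;
    // GetAwaiter().GetResult() at least rethrows the real exception instead of an AggregateException,
    // so the SecurityException below carries the actual cause. Blocking on a task can deadlock where a
    // synchronization context exists (e.g. classic ASP.NET) — confirm the caller's context.
    return tokenTask.GetAwaiter().GetResult().AccessToken;
}
catch (Exception exp)
{
    var additionalInfo = $" additionalInfo : [authenticationContext : {string.Format(AdfsConfiguration.AdfsAuthorityUrl, AdfsConfiguration.AdfsInstance, AdfsConfiguration.Resource)}]";
    throw new SecurityException($"AdfsAuthorization.GetAdfsOAuthJwtAccessTokenForWinAppUserUsingAdal is failed, {additionalInfo}", exp);
}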
回答2:通過Auth代碼流為登錄用戶或應用程序池標識用戶獲取Jwt令牌。
第1步:從Adfs服務器獲取Auth代碼
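// Step 1: drive the ADFS authorize endpoint by following each Location header by hand
// (Client is presumably configured with AllowAutoRedirect = false — confirm) until a redirect
// back to redirect_uri carries a "code" parameter.
// Returns the authorization code, or "" when the redirect chain ends without one; every
// failure (including an over-long redirect chain) is wrapped in SecurityException.
// The authorization code is a credential: it is returned, never logged, and is not part of
// the exception message (authUrl is cleared as soon as the code is found).
var authUrl = string.Format(AdfsConfiguration.AdfsAuthUrl, AdfsConfiguration.AdfsInstance, AdfsConfiguration.ClientId, AdfsConfiguration.Resource, AdfsConfiguration.UrlEncodedRedirectUri);
var authCode = "";
try
{
    const int maxRedirects = 10; // bound the manual redirect loop so a misconfigured IdP cannot spin forever
    var hops = 0;
    do
    {
        if (hops++ >= maxRedirects)
        {
            throw new InvalidOperationException($"Exceeded {maxRedirects} redirects without receiving an authorization code.");
        }
        // NOTE(review): if Client carries default (Windows) credentials, every Location host visited here
        // receives them — presumably all hops stay on the ADFS / relying-party hosts; confirm.
        using (var result = await Client.GetAsync(authUrl))
        {
            // The body is not needed; it is read only to drain the response so the connection can be reused.
            await result.Content.ReadAsStringAsync();
            IEnumerable<string> values;
            if (result.Headers.TryGetValues("location", out values))
            {
                foreach (string s in values)
                {
                    // Take only the value of a real "code" parameter. Returning everything after
                    // "code=" (as before) would also capture any trailing "&state=..." parameter.
                    string codeValue = null;
                    var separator = s.IndexOfAny(new[] { '?', '#' });
                    if (separator >= 0)
                    {
                        foreach (var pair in s.Substring(separator + 1).Split('&', '#'))
                        {
                            if (pair.StartsWith("code=", StringComparison.Ordinal))
                            {
                                codeValue = pair.Substring("code=".Length);
                                break;
                            }
                        }
                    }
                    if (codeValue != null)
                    {
                        authUrl = "";
                        authCode = codeValue;
                    }
                    else
                    {
                        authUrl = s;
                    }
                }
            }
            else
            {
                authUrl = "";
            }
        }
    } while (!string.IsNullOrEmpty(authUrl));
    return authCode;
}
catch (Exception exp)
{
    var additionalInfo = $"additionalInfo : [authUrl: {authUrl}]";
    throw new SecurityException($"AdfsAuthorization.GetAuthCodeForWinAppUserAsync is failed, {additionalInfo}", exp);
}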
步驟2:傳遞Auth代碼以從Adfs服務器獲取jwt令牌
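// Step 2: redeem the authorization code at the ADFS token endpoint (OAuth2 authorization_code grant).
// Returns the raw token-endpoint response body (the JSON carrying the access token) decoded as UTF-8.
// Throws ArgumentException for an empty code and SecurityException (wrapping the cause) for every
// other failure. The response contains bearer tokens, so it is returned and never written to the
// exception message.
if (!AdfsConfiguration.IsInitialized) throw new SecurityException(Constants.AdfsConfigurationInitilizationExceptionMessage);
if (string.IsNullOrEmpty(code)) throw new ArgumentException("Authorization code must not be empty.", nameof(code));
// using guarantees disposal on every path, replacing the explicit try/finally.
using (var client = new WebClient())
{
    try
    {
        if (AdfsConfiguration.UseProxy == "Y")
        {
            // NOTE(review): proxy host "Proxy":80 is hard-coded; presumably it resolves through the DNS
            // search suffix — confirm, and consider making it configuration-driven like the other endpoints.
            client.Proxy = new WebProxy("Proxy", 80) { Credentials = CredentialCache.DefaultNetworkCredentials };
        }
        // NOTE(review): AdfsTokenServiceUrl is expected to be an https URL, since the code and the
        // returned tokens travel in this request — confirm the configured value.
        var address = new Uri(string.Format(AdfsConfiguration.AdfsTokenServiceUrl, AdfsConfiguration.AdfsInstance));
        var redirectAddress = new Uri(AdfsConfiguration.RedirectUri);
        var values = new NameValueCollection
        {
            {"client_id", AdfsConfiguration.ClientId},
            {"grant_type", "authorization_code"},
            {"code", code},
            {"redirect_uri", redirectAddress.ToString()}
        };
        // UploadValues form-encodes the collection and POSTs it as application/x-www-form-urlencoded.
        byte[] responseBytes = client.UploadValues(address, "POST", values);
        return System.Text.Encoding.UTF8.GetString(responseBytes);
    }
    catch (Exception exp)
    {
        var additionalInfo = $" additionalInfo : [address: {string.Format(AdfsConfiguration.AdfsTokenServiceUrl, AdfsConfiguration.AdfsInstance) }, redirect Uri :{AdfsConfiguration.RedirectUri}]";
        throw new SecurityException($"AdfsAuthorization.GetAdfsOAuthTokenByAuthCode is failed, {additionalInfo}", exp);
    }
}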
獲取應用程序池標識的SAML斷言或登錄用戶:
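// Walk the ADFS sign-in flow for the process identity (or the logged-on user) by following each
// Location header by hand (Client is presumably configured with AllowAutoRedirect = false — confirm),
// then pull the SAMLResponse hidden-field value out of the final auto-post HTML form.
// Returns the last SAMLResponse value found in that page, or null when the page contains none;
// transport failures (and an over-long redirect chain) are wrapped in SecurityException.
string rpLoginUrl = string.Format(SapConfiguration.AdfsSignInUrl, SapConfiguration.AdfsInstance, HttpUtility.UrlEncode(GetSapTokenServiceUrl));
string htmlContent;
try
{
    const int maxRedirects = 10; // bound the manual redirect loop so a misconfigured IdP cannot spin forever
    var hops = 0;
    do
    {
        if (hops++ >= maxRedirects)
        {
            throw new InvalidOperationException($"Exceeded {maxRedirects} redirects without reaching the SAML response page.");
        }
        // NOTE(review): if Client carries default (Windows) credentials, every Location host visited here
        // receives them — presumably all hops stay on the ADFS / SAP hosts; confirm.
        using (var result = await Client.GetAsync(rpLoginUrl))
        {
            htmlContent = await result.Content.ReadAsStringAsync();
            IEnumerable<string> values;
            if (result.Headers.TryGetValues("location", out values))
            {
                foreach (string s in values)
                {
                    // Resolve the Location against the URL just requested. This handles root-relative,
                    // relative and absolute targets alike, instead of assuming the current URL contains
                    // "/adfs/ls" (IndexOf returned -1 and Substring threw when it did not).
                    Uri next;
                    rpLoginUrl = Uri.TryCreate(new Uri(rpLoginUrl), s, out next) ? next.AbsoluteUri : s;
                }
            }
            else
            {
                rpLoginUrl = "";
            }
        }
    } while (!string.IsNullOrEmpty(rpLoginUrl));
}
catch (Exception exp)
{
    var additionalInfo = $" additionalInfo : [rpLoginUrl: {rpLoginUrl}]";
    throw new SecurityException($"SapAuthorization.GetSamlResponseForProcessIdentityAsync is failed, {additionalInfo}", exp);
}
// The SAMLResponse sits in a hidden <input> of the auto-submit form; the last occurrence wins, as before.
// The static Regex.Matches overload uses the framework's regex cache, so the pattern is not recompiled per call.
// NOTE(review): the captured value is the attribute text as written in the page; if the page
// entity-encodes it, callers need HttpUtility.HtmlDecode before Base64-decoding — confirm.
var matches = Regex.Matches(htmlContent, "SAMLResponse\\W+value\\=\\\"([^\\\"]+)\\\"");
return matches.Count > 0 ? matches[matches.Count - 1].Groups[1].Value : null;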