[英]Getting an error while implementing SSO in our web application using ADFS and SAML2.0 (Sustainsys)
Im試圖使用ADFS和SAML2.0在我們的Web應用程序中實現SSO。 我使用Windows Server 2012 r2作為我的adfs環境。 該Web應用程序也處於同一環境中。
到目前為止,當我運行該應用程序時,我被定向到主登錄頁面,在該頁面中我可以選擇使用sso登錄。 單擊sso選項后,我將重定向到adfs登錄屏幕,並且當我嘗試使用適當的憑據登錄時,出現以下錯誤:
Encountered error during federation passive request. Additional Data Protocol Name: Saml Relying Party: https://ADFSDomain/adfs/ls/ Exception details: Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.MissingAssertionConsumerServicesPolicyException: MSIS3077: The AssertionConsumerServices property is not configured for relying party trust 'https://ADFSDomain/adfs/ls/'. at Microsoft.IdentityServer.Service.SamlProtocol.EndpointResolver.LookupAssertionConsumerServiceByUrl(Collection`1 assertionConsumerServices, Uri requestedAssertionConsumerServiceUrl, String scopeIdentity) at Microsoft.IdentityServer.Service.SamlProtocol.EndpointResolver.FindSamlResponseEndpointForAuthenticationRequest(Boolean artifactEnabled, AuthenticationRequest request, ScopeDescription scopeDescription) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.GetResponseEndpointFromRequest(SamlRequest request, Boolean isUrlTranslationNeeded, ScopeDescription scope) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context) at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler) at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
這是web.config的樣子:
<sustainsys.saml2 modulePath="/AuthServices" entityId="https://ADFSDomain/adfs/ls/" returnUrl="http://localhost:2181/">
<identityProviders>
<add entityId="http://ADFSDomain/adfs/services/trust"
signOnUrl="https://ADFSDomain/adfs/ls/"
allowUnsolicitedAuthnResponse="true"
binding="HttpRedirect"
wantAuthnRequestsSigned="false"
loadMetadata="true"
metadataLocation="https://ADFSDomain/federationmetadata/2007-06/federationmetadata.xml">
<signingCertificate fileName="~/App_Data/newCert.cer" />
</add>
</identityProviders>
</sustainsys.saml2>
配置中使用的entityId
應該是特定於服務提供商應用程序的路徑,而不是ADFS(身份提供商)。
配置示例:
<?xml version="1.0"?>
<sustainsys.saml2 entityId="https://yourdomain.com/apppath/Saml2" returnUrl="https://yourapp.com/apppath/" authenticateRequestSigningBehavior="Always" outboundSigningAlgorithm="SHA256">
<identityProviders>
<add entityId="http://adfs.yourdomain.com/adfs/services/trust" signOnUrl="https://adfs.yourdomain.com/adfs/ls" logoutUrl="https://adfs.yourdomain.com/adfs/ls" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect" loadMetadata="true" metadataLocation="https://adfs.yourdomain.com/federationmetadata/2007-06/federationmetadata.xml" />
</identityProviders>
<serviceCertificates>
<add storeName="My" storeLocation="LocalMachine" findValue="xxx" x509FindType="FindByThumbprint" />
</serviceCertificates>
</sustainsys.saml2>
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.