堆棧內存溢出
  簡體   English   中英

使用ADFS和SAML2.0(Sustainsys)在我們的Web應用程序中實現SSO時出錯

[英]Getting an error while implementing SSO in our web application using ADFS and SAML2.0 (Sustainsys)

 原文  2018-04-03 16:28:50       c#/ asp.net-mvc/ single-sign-on/ saml-2.0/ sustainsys-saml2

問題描述

Im試圖使用ADFS和SAML2.0在我們的Web應用程序中實現SSO。 我使用Windows Server 2012 r2作為我的adfs環境。 該Web應用程序也處於同一環境中。

到目前為止,當我運行該應用程序時,我被定向到主登錄頁面,在該頁面中我可以選擇使用sso登錄。 單擊sso選項后,我將重定向到adfs登錄屏幕,並且當我嘗試使用適當的憑據登錄時,出現以下錯誤: 

Encountered error during federation passive request. 

Additional Data 

Protocol Name: 
Saml 

Relying Party: 
https://ADFSDomain/adfs/ls/ 

Exception details: 
Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.MissingAssertionConsumerServicesPolicyException: MSIS3077: The AssertionConsumerServices property is not configured for relying party trust 'https://ADFSDomain/adfs/ls/'.
   at Microsoft.IdentityServer.Service.SamlProtocol.EndpointResolver.LookupAssertionConsumerServiceByUrl(Collection`1 assertionConsumerServices, Uri requestedAssertionConsumerServiceUrl, String scopeIdentity)
   at Microsoft.IdentityServer.Service.SamlProtocol.EndpointResolver.FindSamlResponseEndpointForAuthenticationRequest(Boolean artifactEnabled, AuthenticationRequest request, ScopeDescription scopeDescription)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.GetResponseEndpointFromRequest(SamlRequest request, Boolean isUrlTranslationNeeded, ScopeDescription scope)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

這是web.config的樣子: 

<sustainsys.saml2 modulePath="/AuthServices" entityId="https://ADFSDomain/adfs/ls/" returnUrl="http://localhost:2181/">
    <identityProviders>
      <add entityId="http://ADFSDomain/adfs/services/trust" 
           signOnUrl="https://ADFSDomain/adfs/ls/" 
           allowUnsolicitedAuthnResponse="true" 
           binding="HttpRedirect" 
           wantAuthnRequestsSigned="false"
           loadMetadata="true" 
           metadataLocation="https://ADFSDomain/federationmetadata/2007-06/federationmetadata.xml">
        <signingCertificate fileName="~/App_Data/newCert.cer" />
      </add>
    </identityProviders>
  </sustainsys.saml2>

1 個解決方案

解決方案1
 0  2018-04-06 17:14:02

配置中使用的entityId應該是特定於服務提供商應用程序的路徑,而不是ADFS(身份提供商)。

配置示例: 

<?xml version="1.0"?>
<sustainsys.saml2 entityId="https://yourdomain.com/apppath/Saml2" returnUrl="https://yourapp.com/apppath/" authenticateRequestSigningBehavior="Always" outboundSigningAlgorithm="SHA256">
   <identityProviders>
         <add entityId="http://adfs.yourdomain.com/adfs/services/trust" signOnUrl="https://adfs.yourdomain.com/adfs/ls" logoutUrl="https://adfs.yourdomain.com/adfs/ls" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect" loadMetadata="true" metadataLocation="https://adfs.yourdomain.com/federationmetadata/2007-06/federationmetadata.xml" />
   </identityProviders>
   <serviceCertificates>
        <add storeName="My" storeLocation="LocalMachine" findValue="xxx" x509FindType="FindByThumbprint" />
   </serviceCertificates>
</sustainsys.saml2>

暫無
暫無

聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.

相關問題 SAML2.0入門 在ASP .NET中使用SAML2.0工件 使用帶有Kerberos令牌的SAML 2.0 SSO的.NET桌面(非Web)應用程序 使用asp.net使用Fedlet進行ADFS SSO身份驗證時出錯 .NET wsFederationHttpBinding和SAML2.0 Sustainsys.Saml2 - Saml2/Acs 端點在處理 SSO 時返回錯誤 500 將 ADFS SSO 集成到現有的 .net Web 應用程序中 使用 Sustainsys 和 Azure 的 SAML 單點注銷給出消息無效錯誤 不使用WIF的情況下在WCF服務調用中包括SAML2.0令牌 發送SAML 2.0 AuthnRequest時,ADFS返回錯誤
相關標簽
 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM