如何避免'SamlAssertion.NotOnOrAfter条件不满意'错误

时间:2013-04-09 14:19:12

标签: c# jquery saml claims-based-identity ws-federation

最近,我开始在现有的Web应用程序上使用基于声明的身份验证。因为该应用程序使用jQuery&更值得注意的是,AJAX函数,我不得不改变处理程序,不要试图重定向XmlHTTPRequests,而是返回403状态,这更容易处理。

以下是FederatedAuthentication.WSFederationAuthenticationModule.AuthorizationFailed事件hanlder:

    protected void WSFederationAuthenticationModule_AuthorizationFailed(object sender, AuthorizationFailedEventArgs e)
    {
        //WSFederationAuthenticationModule sam = (WSFederationAuthenticationModule)sender;

        HttpContext context = HttpContext.Current;
        HttpRequest req = context.Request;
        HttpResponse resp = context.Response;

        if (req == null || resp == null) return;

        if ((resp.StatusCode == 302 || resp.StatusCode == 401) && req.Headers["X-Requested-With"] == "XMLHttpRequest")
        {
            resp.StatusCode = 403;
            e.RedirectToIdentityProvider = false;
        }

    }

我有以下模式来实现AJAX调用并处理响应:

$.ajax({
cache: false,
data: $.param(o),
dataType: "xml",
url: "AJAXCall.ashx",
success: function (data)
{
    // Success handler
},
error: function (XMLHttpRequest, textStatus, responseText)
{
    if (XMLHttpRequest.status == 403)
    {
        var retVal = window.showModalDialog("Session.aspx", "", "dialogHeight: 250px; dialogWidth: 250px; edge: Raised; center: Yes; resizable: Yes; status: Yes;");
        if (retVal)
        {
            // Succesful session renewal handler
        }
        else
        {
            // Session renewal failure handler
        }
    }
    else
    {
        // Other errors handler
    }
}
});

如果成功重定向到身份提供程序并返回,则“Session.aspx”基本上会关闭模式对话框,返回值为true。

但我的问题是我收到以下错误:

  

“ID4223:SamlSecurityToken被拒绝,因为   SamlAssertion.NotOnOr条件不满意。“

这是在模拟当前应用程序用户的子系统上调用的,显然前一个会话的标记仍然存在。我在我的应用程序的web.config中有以下设置:

<federatedAuthentication>
<wsFederation passiveRedirectEnabled="true" persistentCookiesOnPassiveRedirects="true" issuer="https://adfs.example.com/adfs/ls/" realm="https://www.example.com:449/" requireHttps="true" />
<cookieHandler requireSsl="true" />

如何避免此错误?任何帮助将不胜感激。

1 个答案:

答案 0 :(得分:2)

以下FederatedAuthentication.WSFederationAuthenticationModule.SignInError事件处理程序方法解决了问题:

    protected void WSFederationAuthenticationModule_SignInError(object sender, ErrorEventArgs e)
    {
        // handle an intermittent error that most often occurs if you are redirected to the STS after a session expired,
        // and the user clicks back on the browser - second error very uncommon but this should fix
        if (e.Exception.Message.StartsWith("ID4148") ||
            e.Exception.Message.StartsWith("ID4243") ||
            e.Exception.Message.StartsWith("ID4223"))
        {
            FederatedAuthentication.SessionAuthenticationModule.DeleteSessionTokenCookie();
            e.Cancel = true;
        }
    }

即使用户在会话过期后被重定向到STS服务,它也会删除持久存在的会话令牌Cookie。

相关问题
最新问题