I am developing a claims-based authentication application and want to move the Microsoft.IdentityModel configuration out of web.config and into my code so that I can manage the configuration dynamically.
This is the federatedAuthentication section that is currently in web.config:
<federatedAuthentication>
    <wsFederation passiveRedirectEnabled="true" issuer="trust" realm="real" requireHttps="false" />
    <cookieHandler requireSsl="true" />
</federatedAuthentication>
I tried attaching an EventHandler in the Application_Start() method so that the configuration is done in code instead of in web.config:
protected void Application_Start()
{
    FederatedAuthentication.ServiceConfigurationCreated +=
        new EventHandler<ServiceConfigurationCreatedEventArgs>(FederatedAuthentication_ServiceConfigurationCreated);
}

private static void FederatedAuthentication_ServiceConfigurationCreated(Object sender, ServiceConfigurationCreatedEventArgs e)
{
    const string rpRealm = "realm";
    const bool requireSsl = false;
    const bool requireHttps = false;
    const bool passRedirect = true;
    const string issuer = "trust";
    ...
    FederatedAuthentication.WSFederationAuthenticationModule.PassiveRedirectEnabled = passRedirect;
    FederatedAuthentication.WSFederationAuthenticationModule.Issuer = issuer;
    FederatedAuthentication.WSFederationAuthenticationModule.Realm = rpRealm;
    FederatedAuthentication.WSFederationAuthenticationModule.RequireHttps = requireHttps;
    ...
}
When I remove the configuration from web.config and build the code, the problem is that the application is not redirected to the Issuer URL, even though the PassiveRedirectEnabled property has been set to true.
By setting breakpoints I confirmed that the code above does run and throws no exception; however, the passive redirect never works.
P.S. I am using WIF 3.5; the imported assembly is Microsoft.IdentityModel.dll.
Answer 0 (score: 4)
Thanks to @jonho for the kind help! But your code works in WIF 4.5, whereas I am using WIF 3.5, and things are a bit different there...
After researching on the internet and testing with my code, I found a working solution with the help of http://social.msdn.microsoft.com/forums/vstudio/en-US/41b9a137-faca-43c6-b965-01d5322df5f0/change-microsoftidentitymodel-configuration.
In case others get stuck the way I did, here is what I did:
Add an event handler for when the ServiceConfiguration is created, and in that handler add the allowed audience and the certificate information:
using System;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;

protected void Application_Start()
{
    FederatedAuthentication.ServiceConfigurationCreated +=
        new EventHandler<ServiceConfigurationCreatedEventArgs>(FederatedAuthentication_ServiceConfigurationCreated);
}

private static void FederatedAuthentication_ServiceConfigurationCreated(Object sender, ServiceConfigurationCreatedEventArgs e)
{
    const string allowedAudience = "allowed_aud";
    const string certThumbprint = "thumb";
    const string certName = "name";

    var serviceConfiguration = new ServiceConfiguration();
    // Only accept tokens that were issued for this audience URI
    serviceConfiguration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(allowedAudience));
    // Trust tokens signed by the certificate with this thumbprint; certName becomes the issuer name in the claims
    var issuerNameRegistry = new ConfigurationBasedIssuerNameRegistry();
    issuerNameRegistry.AddTrustedIssuer(certThumbprint, certName);
    serviceConfiguration.IssuerNameRegistry = issuerNameRegistry;
    // No X.509 chain or peer validation of the signing certificate
    serviceConfiguration.CertificateValidationMode = X509CertificateValidationMode.None;
    e.ServiceConfiguration = serviceConfiguration;
}
Implement the Application_AuthenticateRequest() method of the ASP.NET application and supply the issuer information there:
// The same values as in the question; the original answer uses them here without declaring them
private const string rpRealm = "realm";
private const bool requireSsl = false;
private const bool requireHttps = false;
private const bool passRedirect = true;
private const string issuer = "trust";

protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    FederatedAuthentication.SessionAuthenticationModule.CookieHandler.RequireSsl = requireSsl;
    FederatedAuthentication.WSFederationAuthenticationModule.Issuer = issuer;
    FederatedAuthentication.WSFederationAuthenticationModule.Realm = rpRealm;
    FederatedAuthentication.WSFederationAuthenticationModule.PassiveRedirectEnabled = passRedirect;
    FederatedAuthentication.WSFederationAuthenticationModule.RequireHttps = requireHttps;
}
That should be enough to make passive redirect work with an ASP.NET application on WIF 3.5.
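As an added example (not code from the question or from either answer), here is a complete Global.asax.cs that applies the two steps of the answer above on WIF 3.5, but with the values a production relying party should run rather than the development values in the answer: certificate chain validation and revocation checking stay on instead of X509CertificateValidationMode.None, HTTPS is required for the sign-in exchange, and the session cookie is SSL-only. The settings are loaded once from appSettings; the key names, the RpSettings class and the Required helper are my own assumptions, not part of WIF.

```csharp
using System;
using System.Collections.Specialized;
using System.Configuration;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel.Security;
using System.Web;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;

// Added example, not code from the question or the answers. The class below is a
// hypothetical Global.asax.cs; the appSettings key names are assumptions.
public class Global : HttpApplication
{
    // Relying-party settings, resolved once at startup so every handler sees the same values.
    private sealed class RpSettings
    {
        public Uri Audience;                 // audience URI the STS puts in the token
        public string Realm;                 // wtrealm sent to the STS
        public string IssuerEndpoint;        // STS passive sign-in endpoint (WSFAM.Issuer)
        public string IssuerName;            // name WIF records for the trusted issuer
        public string SigningCertThumbprint; // SHA-1 thumbprint of the STS signing certificate
        public bool RequireHttps;
        public bool RequireSslCookie;
    }

    private static RpSettings _rp;

    protected void Application_Start()
    {
        _rp = LoadSettings();
        FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
    }

    // Step 1: hand WIF a ServiceConfiguration built in code instead of from <microsoft.identityModel>.
    private static void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
    {
        var config = new ServiceConfiguration();

        // Reject tokens that were issued for another application.
        config.AudienceRestriction.AllowedAudienceUris.Add(_rp.Audience);

        // Trust only tokens signed by this certificate. A wrong thumbprint fails closed.
        var registry = new ConfigurationBasedIssuerNameRegistry();
        registry.AddTrustedIssuer(_rp.SigningCertThumbprint, _rp.IssuerName);
        config.IssuerNameRegistry = registry;

        // Unlike X509CertificateValidationMode.None, ChainTrust also rejects expired or
        // untrusted signing certificates, and Online revocation checking catches revoked ones.
        config.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        config.RevocationMode = X509RevocationMode.Online;

        e.ServiceConfiguration = config;
    }

    // Step 2: the WS-Federation and session modules keep their own settings, so set them on
    // each request as the answer does; reassigning the same values is cheap and idempotent.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        var wsfam = FederatedAuthentication.WSFederationAuthenticationModule;
        var sam = FederatedAuthentication.SessionAuthenticationModule;
        if (wsfam == null || sam == null)
            return; // modules not registered in <httpModules>/<modules>; nothing to configure

        wsfam.Issuer = _rp.IssuerEndpoint;
        wsfam.Realm = _rp.Realm;
        wsfam.PassiveRedirectEnabled = true;
        // With RequireHttps the module neither redirects from nor accepts a sign-in
        // response on a plain-HTTP URL, so the signed token is never exposed in the clear.
        wsfam.RequireHttps = _rp.RequireHttps;

        // Session cookie only over TLS.
        sam.CookieHandler.RequireSsl = _rp.RequireSslCookie;
    }

    private static RpSettings LoadSettings()
    {
        NameValueCollection s = ConfigurationManager.AppSettings;
        return new RpSettings
        {
            Audience = new Uri(Required(s, "Rp:Audience")),
            Realm = Required(s, "Rp:Realm"),
            IssuerEndpoint = Required(s, "Sts:Endpoint"),
            IssuerName = Required(s, "Sts:IssuerName"),
            // Thumbprints copied from certmgr carry spaces; the registry matches X509Certificate2.Thumbprint, which has none.
            SigningCertThumbprint = Required(s, "Sts:SigningThumbprint").Replace(" ", "").ToUpperInvariant(),
            // Both default to true; only an explicit "false" (development box) turns them off.
            RequireHttps = !"false".Equals(s["Rp:RequireHttps"], StringComparison.OrdinalIgnoreCase),
            RequireSslCookie = !"false".Equals(s["Rp:RequireSslCookie"], StringComparison.OrdinalIgnoreCase)
        };
    }

    // Fail at startup instead of running with an empty issuer, realm or thumbprint.
    private static string Required(NameValueCollection s, string key)
    {
        string v = s[key];
        if (string.IsNullOrEmpty(v))
            throw new ConfigurationErrorsException("Missing appSetting '" + key + "'");
        return v;
    }
}
```

If the STS signs with a self-signed certificate, ChainTrust will reject it; in that case install the certificate in the TrustedPeople store and use X509CertificateValidationMode.PeerTrust rather than dropping to None, which accepts any certificate whose thumbprint is listed, expired or not.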
Answer 1 (score: 2)
This is how I did it: create a FederationConfiguration object, add to its WsFederationConfiguration property, and then set the whole thing on the event args.
using System;
using System.Collections.Generic;
using System.IdentityModel.Services;
using System.IdentityModel.Services.Configuration;
using System.IdentityModel.Tokens;
using System.ServiceModel.Security;

private static void FederatedAuthentication_FederationConfigurationCreated(object sender, FederationConfigurationCreatedEventArgs e)
{
    //from appsettings...
    const string allowedAudience = "http://audience1/user/get";
    const string rpRealm = "http://audience1/";
    const string domain = "";
    const bool requireSsl = false;
    const string issuer = "http://sts/token/create";
    const string certThumbprint = "mythumbprint";
    const string authCookieName = "StsAuth";
    // Not declared in the original post; assumed to be the issuer name the STS writes into its tokens
    const string internalSts = "http://sts/";

    var federationConfiguration = new FederationConfiguration();
    // Only accept tokens issued for this audience URI
    federationConfiguration.IdentityConfiguration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(allowedAudience));

    // Trust tokens from internalSts when signed by the certificate with this thumbprint
    var issuingAuthority = new IssuingAuthority(internalSts);
    issuingAuthority.Thumbprints.Add(certThumbprint);
    issuingAuthority.Issuers.Add(internalSts);
    var issuingAuthorities = new List<IssuingAuthority> { issuingAuthority };
    var validatingIssuerNameRegistry = new ValidatingIssuerNameRegistry { IssuingAuthorities = issuingAuthorities };
    federationConfiguration.IdentityConfiguration.IssuerNameRegistry = validatingIssuerNameRegistry;
    // No X.509 chain or peer validation of the signing certificate
    federationConfiguration.IdentityConfiguration.CertificateValidationMode = X509CertificateValidationMode.None;

    // Session cookie settings (chunked so large SAML sessions fit within browser cookie limits)
    var chunkedCookieHandler = new ChunkedCookieHandler
    {
        RequireSsl = false,
        Name = authCookieName,
        Domain = domain,
        PersistentSessionLifetime = new TimeSpan(0, 0, 30, 0)
    };
    federationConfiguration.CookieHandler = chunkedCookieHandler;

    // WS-Federation passive settings
    federationConfiguration.WsFederationConfiguration.Issuer = issuer;
    federationConfiguration.WsFederationConfiguration.Realm = rpRealm;
    federationConfiguration.WsFederationConfiguration.RequireHttps = requireSsl;

    e.FederationConfiguration = federationConfiguration;
}