I am trying to use Identity Server with ASP.NET (.NET 4.5.1, MVC project) via WIF and WS-Federation. The WSO2IS version is 5.0.0.
Disclaimer: I am also new to WSO2IS and ASP.NET (not .NET itself) and to the whole identity thing, so maybe I am missing something basic.
The problem is that the audience restriction is missing from the SAML 2 response. Otherwise everything works fine.
In the Identity Server management console -> Service Providers -> [my service provider] -> Inbound Authentication -> SAML2 Web SSO Configuration -> [my issuer] -> Edit -> I checked Enable Audience Restriction and listed my ASP.NET web application URL.
But this is the response my ASP.NET application gets (audience restriction missing):
<wst:RequestSecurityTokenResponseCollection xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<wst:RequestSecurityTokenResponse>
<wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType>
<wst:RequestedAttachedReference>
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_8b7d9425958558c7742bb0cb8e8213e9</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</wst:RequestedAttachedReference>
<wst:RequestedUnattachedReference>
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_8b7d9425958558c7742bb0cb8e8213e9</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</wst:RequestedUnattachedReference>
<wst:Lifetime>
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2014-12-02T11:55:13.190Z</wsu:Created>
<wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2014-12-02T12:00:13.190Z</wsu:Expires>
</wst:Lifetime>
<wst:RequestedSecurityToken>
<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_8b7d9425958558c7742bb0cb8e8213e9" IssueInstant="2014-12-02T11:55:13.190Z" Issuer="localhost" MajorVersion="1" MinorVersion="1">
<Conditions NotBefore="2014-12-02T11:55:13.190Z" NotOnOrAfter="2014-12-02T12:00:13.190Z"></Conditions>
<AuthenticationStatement AuthenticationInstant="2014-12-02T11:55:13.190Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
<Subject>
<NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin</NameIdentifier>
<SubjectConfirmation>
<ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod>
</SubjectConfirmation>
</Subject>
</AuthenticationStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#_8b7d9425958558c7742bb0cb8e8213e9">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="code ds kind rw saml samlp typens #default xsd xsi"></ec:InclusiveNamespaces>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>cqn2im7M8olMyPuO8BDhQvFlcU8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>jO/kPk+APtOc/gBUsBcLaM4VIbBGe/l2zKAkqjWxfHhkAOx0aduAEt6CssAeY9PrDB/93hxghNPJvn/VAkHKaCLD4/Dt7CwotZHz0l3UABZZiYoMzrZJmO5eOPjA5MAO52Q9vQ+gqLk/iLZCBskgubPmMswi7eufH8jSZES2/ZY=</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>[X509 certificate omitted]</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</Assertion>
</wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse>
</wst:RequestSecurityTokenResponseCollection>
My guess is that the SAML version may be wrong, but I do not see a setting for it.
Also, in Tools -> SAML Response Builder I get this:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Destination="https://localhost/SSOTestMVC" ID="cieicenceonlnooiogijcipfohekehdpdhmefpgk" IssueInstant="2014-12-02T12:40:35.411Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">localhost</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:Assertion ID="jfmphpmhlnedheigcgefihafkehcjlmpminchpgg" IssueInstant="2014-12-02T12:40:35.438Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData NotOnOrAfter="2014-12-02T12:45:35.411Z" Recipient="https://localhost/SSOTestMVC"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2014-12-02T12:40:35.438Z" NotOnOrAfter="2014-12-02T12:45:35.411Z">
<saml2:AudienceRestriction>
<saml2:Audience>localhost</saml2:Audience>
<saml2:Audience>https://localhost/SSOTestMVC</saml2:Audience>
<saml2:Audience>https://localhost/SSOTestMVC/</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2014-12-02T12:40:35.447Z">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>
The audiences are correct; I added them to the list.
Here is my web.config for reference:
<?xml version="1.0"?>
<!--
For more information on how to configure your ASP.NET application, please visit
http://go.microsoft.com/fwlink/?LinkId=301880
-->
<configuration>
<configSections>
<section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
<section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
</configSections>
<system.diagnostics>
<sources>
<source name="System.IdentityModel" switchValue="Verbose">
<listeners>
<add name="xml" type="System.Diagnostics.XmlWriterTraceListener" initializeData="C:\logs\WIF.xml" />
</listeners>
</source>
</sources>
<trace autoflush="true" />
</system.diagnostics>
<appSettings>
<add key="webpages:Version" value="3.0.0.0"/>
<add key="webpages:Enabled" value="false"/>
<add key="ClientValidationEnabled" value="true"/>
<add key="UnobtrusiveJavaScriptEnabled" value="true"/>
<add key="FederationMetadataLocation" value="https://localhost/startersts/FederationMetadata/2007-06/FederationMetadata.xml"/>
</appSettings>
<!--
For a description of web.config changes see http://go.microsoft.com/fwlink/?LinkId=235367.
The following attributes can be set on the <httpRuntime> tag.
<system.Web>
<httpRuntime targetFramework="4.5.1" />
</system.Web>
-->
<system.webServer>
<modules>
<add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
<add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
</modules>
</system.webServer>
<system.web>
<compilation debug="true" targetFramework="4.5.1"/>
<!--<httpRuntime targetFramework="4.5" requestValidationType="SampleRequestValidator"/>-->
<authorization>
<deny users="?"/>
</authorization>
<authentication mode="None"/>
<httpRuntime requestValidationMode="2.0" />
<pages validateRequest="false" />
</system.web>
<location path="FederationMetadata">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="Newtonsoft.Json" culture="neutral" publicKeyToken="30ad4fe6b2a6aeed"/>
<bindingRedirect oldVersion="0.0.0.0-6.0.0.0" newVersion="6.0.0.0"/>
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="System.Web.Optimization" publicKeyToken="31bf3856ad364e35"/>
<bindingRedirect oldVersion="1.0.0.0-1.1.0.0" newVersion="1.1.0.0"/>
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="WebGrease" publicKeyToken="31bf3856ad364e35"/>
<bindingRedirect oldVersion="1.0.0.0-1.5.2.14234" newVersion="1.5.2.14234"/>
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="System.Web.Helpers" publicKeyToken="31bf3856ad364e35"/>
<bindingRedirect oldVersion="1.0.0.0-3.0.0.0" newVersion="3.0.0.0"/>
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="System.Web.WebPages" publicKeyToken="31bf3856ad364e35"/>
<bindingRedirect oldVersion="1.0.0.0-3.0.0.0" newVersion="3.0.0.0"/>
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35"/>
<bindingRedirect oldVersion="1.0.0.0-5.2.0.0" newVersion="5.2.0.0"/>
</dependentAssembly>
</assemblyBinding>
</runtime>
<system.identityModel>
<identityConfiguration>
<audienceUris>
<add value="https://localhost/SSOTestMVC"/>
</audienceUris>
<issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<trustedIssuers>
<add thumbprint="6bf8e136eb36d4a56ea05c7ae4b9a45b63bf975d" name="localhost"/>
</trustedIssuers>
</issuerNameRegistry>
<certificateValidation certificateValidationMode="None"/>
</identityConfiguration>
</system.identityModel>
<system.identityModel.services>
<federationConfiguration>
<cookieHandler requireSsl="false"/>
<wsFederation passiveRedirectEnabled="true" issuer="https://localhost:9443/passivests" realm="https://localhost/SSOTestMVC" requireHttps="true" reply="https://localhost/SSOTestMVC"/>
</federationConfiguration>
</system.identityModel.services>
</configuration>
I searched for a way to set the SAML version in web.config, suspecting this might be the problem, but found nothing.
Answer 0 (score: 0)
First, I want to highlight that Identity Server supports the following two profiles.
Normally ASP.NET supports both profiles by default. So you are integrating using Passive STS. In your configuration you seem to have set the URL to the Passive STS endpoint https://localhost:9443/passivests. If you were using the SAML2 profile, you would normally need to set it to https://localhost:9443/samlsso.
Therefore the configuration you did in WSO2IS is not effective: it relates to the SAML2 SSO profile. For Passive STS you can configure it under WS-Federation (Passive) Configuration.
However, there is a bug in Passive STS: Identity Server does not add the audience to the SAML assertion.
However, you can get around this by setting <audienceUris mode="Never" /> in web.config.
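To make concrete what the missing element in the question's SAML 1.1 token means, and what the answer's `<audienceUris mode="Never" />` workaround gives up, here is an added example (not code from the question, the answer, WSO2 or WIF) that performs the audience and validity-window check WIF applies to an assertion. The two assertion samples are constructed from the responses in the question with signatures and statements stripped; the SAML 1.1 sample that does carry an audience is constructed to show the element (`AudienceRestrictionCondition`) the poster expected the Passive STS to emit. The `mode` values `Always` and `Never` mirror the web.config attribute; the function and constant names are this example's own.

```python
# Added example: audience-restriction check over SAML 1.1 and SAML 2.0
# assertions, modelling WIF's <audienceUris mode="Always|Never"> behaviour.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML11_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the Passive STS token from the question, trimmed to
# <Conditions>. Note the empty element: no audience at all.
SAML11_NO_AUDIENCE = """\
<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
           AssertionID="_8b7d9425958558c7742bb0cb8e8213e9" MajorVersion="1" MinorVersion="1">
  <Conditions NotBefore="2014-12-02T11:55:13.190Z" NotOnOrAfter="2014-12-02T12:00:13.190Z"/>
</Assertion>"""

# Constructed sample: what the same token looks like when the audience is present.
SAML11_WITH_AUDIENCE = """\
<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
           AssertionID="_constructed" MajorVersion="1" MinorVersion="1">
  <Conditions NotBefore="2014-12-02T11:55:13.190Z" NotOnOrAfter="2014-12-02T12:00:13.190Z">
    <AudienceRestrictionCondition>
      <Audience>https://localhost/SSOTestMVC</Audience>
    </AudienceRestrictionCondition>
  </Conditions>
</Assertion>"""

# Constructed sample: the SAML 2.0 assertion from the Response Builder, trimmed.
SAML2_WITH_AUDIENCE = """\
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 ID="jfmphpmhlnedheigcgefihafkehcjlmpminchpgg" Version="2.0">
  <saml2:Conditions NotBefore="2014-12-02T12:40:35.438Z" NotOnOrAfter="2014-12-02T12:45:35.411Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>localhost</saml2:Audience>
      <saml2:Audience>https://localhost/SSOTestMVC</saml2:Audience>
      <saml2:Audience>https://localhost/SSOTestMVC/</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>"""

# Constructed clock values inside / outside the two validity windows above.
DURING_SAML11 = datetime(2014, 12, 2, 11, 56, tzinfo=timezone.utc)
DURING_SAML2 = datetime(2014, 12, 2, 12, 41, tzinfo=timezone.utc)
LATER = datetime(2014, 12, 2, 13, 0, tzinfo=timezone.utc)


def _parse_time(value):
    """SAML timestamps are UTC, with optional fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def extract_conditions(assertion_xml):
    """Return (not_before, not_on_or_after, audiences) for a SAML 1.1 or 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    ns = root.tag[1:].split("}")[0]          # namespace of the root element
    if ns == SAML11_NS:                       # SAML 1.x wraps audiences differently
        audience_path = f".//{{{ns}}}AudienceRestrictionCondition/{{{ns}}}Audience"
    elif ns == SAML2_NS:
        audience_path = f".//{{{ns}}}AudienceRestriction/{{{ns}}}Audience"
    else:
        raise ValueError(f"unsupported assertion namespace: {ns}")
    cond = root.find(f"{{{ns}}}Conditions")
    if cond is None:
        return None, None, []
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    audiences = [a.text.strip() for a in cond.iterfind(audience_path) if a.text]
    return (_parse_time(nb) if nb else None, _parse_time(noa) if noa else None, audiences)


def validate_audience(assertion_xml, allowed_uris, mode="Always", now=None):
    """Mirror the audienceUris check: 'Always' requires an audience that matches one
    of the relying party's configured URIs; 'Never' skips the check entirely."""
    now = now or datetime.now(timezone.utc)
    not_before, not_on_or_after, audiences = extract_conditions(assertion_xml)
    if not_before and now < not_before:
        return {"ok": False, "reason": "not yet valid", "audiences": audiences}
    if not_on_or_after and now >= not_on_or_after:
        return {"ok": False, "reason": "expired", "audiences": audiences}
    if mode == "Never":
        # Any in-window token from a trusted issuer is accepted, including one
        # minted for a different relying party of the same IdP.
        return {"ok": True, "reason": "audience check disabled", "audiences": audiences}
    if mode != "Always":
        raise ValueError(f"unsupported audienceUris mode: {mode}")
    if not audiences:
        return {"ok": False, "reason": "no audience restriction in assertion", "audiences": audiences}
    if not set(audiences) & set(allowed_uris):
        return {"ok": False, "reason": "audience mismatch", "audiences": audiences}
    return {"ok": True, "reason": "audience matched", "audiences": audiences}


if __name__ == "__main__":
    rp = {"https://localhost/SSOTestMVC"}
    for label, xml, at in (("passive STS token", SAML11_NO_AUDIENCE, DURING_SAML11),
                           ("SAML2 response", SAML2_WITH_AUDIENCE, DURING_SAML2)):
        for mode in ("Always", "Never"):
            print(label, mode, validate_audience(xml, rp, mode, at)["reason"])
```

Run against the question's material, the Passive STS token is rejected under `mode="Always"` with "no audience restriction in assertion", which is the failure behind the question, while the Response Builder's SAML 2.0 assertion passes because `https://localhost/SSOTestMVC` is among its three audiences. Switching to `mode="Never"` makes the first token pass, but as the second branch shows it also accepts a token whose audience is some other relying party, so the signer (the `trustedIssuers` thumbprint in the question's web.config) becomes the only thing scoping the token to this application.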