Perform an ADFS login programmatically

Date: 2015-06-30 16:11:58

Tags: asp.net authentication sap saml-2.0 adfs2.0

I need to perform a complete ADFS login in code. I cannot redirect the user to the ADFS login page. The user has already been authenticated with a custom authentication mechanism, and the same credentials are used to authenticate against ADFS in order to enable SSO for SAP EP. I can successfully retrieve a SAML token from ADFS, but SAP apparently can only handle authentication out of the box. So I need to authenticate the whole session.

This is what I have right now:

Retrieving the token:

    // Requires references to System.IdentityModel and System.ServiceModel (.NET 4.5 WIF).
    // AppSettings, PasswordService and the user object are the question's own types.
    using System.Globalization;
    using System.IdentityModel.Protocols.WSTrust;
    using System.IdentityModel.Tokens;
    using System.ServiceModel;
    using System.ServiceModel.Security;

    static GenericXmlSecurityToken RequestAdfsToken(User user)
    {
        // WS-Trust 1.3 over HTTPS: TLS on the transport, UserName credentials in the message.
        var binding = new WS2007HttpBinding();
        binding.Security.Message.EstablishSecurityContext = false;
        binding.Security.Message.NegotiateServiceCredential = false;
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Mode = SecurityMode.TransportWithMessageCredential;

        // Channel factory against the ADFS /adfs/services/trust/13/usernamemixed endpoint.
        // The password is a stored, reversibly encrypted copy of the user's credentials.
        var trustChannelFactory = new WSTrustChannelFactory(binding, new EndpointAddress(AppSettings.AdfsUrl));
        trustChannelFactory.TrustVersion = TrustVersion.WSTrust13;
        trustChannelFactory.Credentials.UserName.UserName = user.UserName;
        trustChannelFactory.Credentials.UserName.Password = PasswordService.Decrypt(user.UserPassword, user.UserID.ToString(CultureInfo.InvariantCulture));
        trustChannelFactory.ConfigureChannelFactory();

        // Build an Issue request for a bearer token scoped to the SAP portal relying party.
        var requestToken = new RequestSecurityToken(WSTrust13Constants.RequestTypes.Issue);
        requestToken.AppliesTo = new EndpointAddress(AppSettings.ServicePortalUrl);
        requestToken.KeyType = WSTrust13Constants.KeyTypes.Bearer;
        var tokenClient = (WSTrustChannel) trustChannelFactory.CreateChannel();

        // The RSTR's RequestedSecurityToken comes back as raw XML wrapped in a GenericXmlSecurityToken.
        var token = tokenClient.Issue(requestToken) as GenericXmlSecurityToken;

        return token;
    }

Trying to get the claims so that I can put the user principal in the HttpContext before redirecting to the SAP Portal. (Long shot)

    using System.IdentityModel.Selectors;
    using System.IdentityModel.Tokens;
    using System.IO;
    using System.Linq;
    using System.Security.Claims;
    using System.ServiceModel.Security;
    using System.Web;
    using System.Xml;

    // SAML 1.1 handler only; WIF also ships Saml2SecurityTokenHandler for SAML 2.0 tokens.
    var tokenHandlers = new SecurityTokenHandlerCollection(new SecurityTokenHandler[] { new SamlSecurityTokenHandler() });
    // These settings switch off audience checking and signing-certificate validation entirely.
    tokenHandlers.First().Configuration.AudienceRestriction.AudienceMode = AudienceUriMode.Never;
    tokenHandlers.First().Configuration.CertificateValidationMode = X509CertificateValidationMode.None;
    tokenHandlers.Configuration.CertificateValidationMode = X509CertificateValidationMode.None;

    // TrustedIssuerNameRegistry is the question's own IssuerNameRegistry implementation (not shown).
    var trusted = new TrustedIssuerNameRegistry("*.domain.com");
    tokenHandlers.Configuration.IssuerNameRegistry = trusted;

    // Parse the issued token XML, validate it, and wrap the resulting identity in a principal.
    var samlToken = tokenHandlers.ReadToken(new XmlTextReader(new StringReader(token.TokenXml.OuterXml)));
    var claimsPrincipal = new ClaimsPrincipal(tokenHandlers.ValidateToken(samlToken).First());
    HttpContext.Current.User = claimsPrincipal;

This doesn't work, because I keep getting X509 certificate validation errors.

What I have tried:

  • Supplying the SAML signature as the MYSAPSSO2 token (long shot, didn't work)
  • Putting the user principal in the HTTP context, since I saw that SAP looks for an IPrincipal in the HTTP context. (Couldn't get it to work)
  • Setting the MSISAuthenticated cookie, but I don't know how to obtain its value (a base64 timestamp of the moment of authentication?)

Is there something obvious I'm overlooking? Basically, I just want to perform the same authentication the ADFS login page performs, but in code, without the user seeing a second login page.

0 answers:

No answers
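The second snippet in the question turns off the three checks that make an issued SAML token trustworthy: the audience restriction, the signing-certificate validation, and a pinned issuer (a wildcard issuer registry accepts any certificate whose name matches). Below is an added example, not code from the question or from ADFS/WIF documentation, showing how to validate the token returned by the first snippet with those checks left on, using the .NET 4.5 System.IdentityModel (WIF) API. The thumbprint, issuer name and audience URI are placeholder assumptions; the audience must be the same URI passed as AppliesTo in the RST, and the thumbprint must be that of the ADFS token-signing certificate (it changes when ADFS rolls the certificate).

```csharp
// Added example (not from the original question): validate an ADFS-issued SAML token
// with WIF 4.5 (System.IdentityModel) without disabling the checks the question turns off.
// Requires a reference to the System.IdentityModel and System.ServiceModel assemblies.
using System;
using System.Collections.ObjectModel;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel.Security;
using System.Xml;

public static class AdfsTokenValidator
{
    // Placeholder values (assumptions, not taken from the question).
    private const string AdfsSigningCertThumbprint = "0000000000000000000000000000000000000000";
    private const string AdfsIssuerName = "http://adfs.example.com/adfs/services/trust";
    private static readonly Uri RelyingPartyAudience = new Uri("https://portal.example.com/");

    public static ClaimsPrincipal Validate(GenericXmlSecurityToken issuedToken)
    {
        var config = new SecurityTokenHandlerConfiguration();

        // Audience: reject tokens issued for a different relying party. The token's
        // AudienceRestriction must contain this URI, so use the same value as the RST's AppliesTo.
        config.AudienceRestriction.AudienceMode = AudienceUriMode.Always;
        config.AudienceRestriction.AllowedAudienceUris.Add(RelyingPartyAudience);

        // Issuer: only the token-signing certificate with this thumbprint is trusted, and it is
        // mapped to the issuer name that ends up in each claim's Issuer property.
        // Pin by thumbprint rather than by subject name or wildcard.
        var issuers = new ConfigurationBasedIssuerNameRegistry();
        issuers.AddTrustedIssuer(AdfsSigningCertThumbprint, AdfsIssuerName);
        config.IssuerNameRegistry = issuers;

        // Certificate checks: ADFS token-signing certificates are typically self-signed, so
        // ChainTrust fails. PeerTrust accepts the certificate if it is installed in the
        // local TrustedPeople store; the thumbprint pin above remains the real trust decision.
        // Use ChainTrust and Online revocation instead if the certificate is CA-issued.
        config.CertificateValidationMode = X509CertificateValidationMode.PeerTrust;
        config.RevocationMode = X509RevocationMode.NoCheck;

        // The default collection contains both SAML 1.1 and SAML 2.0 handlers, so whichever
        // format ADFS is configured to issue for this relying party is handled.
        SecurityTokenHandlerCollection handlers =
            SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(config);

        using (XmlReader reader = new XmlNodeReader(issuedToken.TokenXml))
        {
            SecurityToken token = handlers.ReadToken(reader);
            // ValidateToken verifies the XML signature against the pinned issuer certificate,
            // enforces the audience, and checks the assertion's NotBefore/NotOnOrAfter window
            // (subject to the configured MaxClockSkew). A failure throws a SecurityTokenException.
            ReadOnlyCollection<ClaimsIdentity> identities = handlers.ValidateToken(token);
            return new ClaimsPrincipal(identities);
        }
    }
}
```

Pass the GenericXmlSecurityToken from the WS-Trust Issue call straight into Validate; the resulting ClaimsPrincipal can then be assigned to HttpContext.Current.User as in the question. Keeping the audience check on also prevents a token issued to another relying party in the same ADFS farm from being replayed against this portal.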