ADFS SSO匿名主页MVC 4 ASP.NET

时间:2015-08-27 14:36:10

标签: c# asp.net-mvc asp.net-mvc-4 single-sign-on adfs

我一直在寻找这个问题的答案,但对于谷歌而言,这是一个难以理解的概念。 我有几个MVC站点使用我们的ADFS使用单点登录进行身份验证。它运作良好。但是,我想知道是否有可能有一个主页允许匿名用户访问某些功能而无需登录。我看到人们指的是从依赖方单点注销后将用户重定向到匿名主页。基本上,我可以使用ADFS SSO保护应用程序的一半吗?

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>

    <section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />
    <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
    <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
     <connectionStrings>
    
  </connectionStrings>
  <appSettings>
    <add key="webpages:Version" value="3.0.0.0" />
    <add key="webpages:Enabled" value="false" />
    <add key="ClientValidationEnabled" value="true" />
    <add key="UnobtrusiveJavaScriptEnabled" value="true" />
    <add key="ida:FederationMetadataLocation" value="https://sts.testsite.com/FederationMetadata/2007-06/FederationMetadata.xml" />
    <add key="ida:Realm" value="https://localhost:44301" />
    <add key="ida:AudienceUri" value="https://localhost:44301" />
    <add key="owin:AutomaticAppStartup" value="false" />
  </appSettings>
  <location path="Account">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <system.web>
    <authentication mode="None" />
    <authorization>
      <deny users="?" />
    </authorization>
    <compilation debug="true" targetFramework="4.5" />
    <httpRuntime targetFramework="4.5" requestValidationMode="4.5" />
    <customErrors mode="On" defaultRedirect="~/Error.cshtml">
    </customErrors>
    
  </system.web>
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false" />
  </system.webServer>
  <runtime>
    <runtimes here.../>
  </runtime>
  <entityFramework>
    <defaultConnectionFactory type="System.Data.Entity.Infrastructure.LocalDbConnectionFactory, EntityFramework">
      <parameters>
        <parameter value="v11.0" />
      </parameters>
    </defaultConnectionFactory>
    <providers>
      <provider invariantName="System.Data.SqlClient" type="System.Data.Entity.SqlServer.SqlProviderServices, EntityFramework.SqlServer" />
    </providers>
  </entityFramework>
  <system.webServer>
    <modules>
      <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
      
      <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
      
    </modules>
  </system.webServer>
  <system.identityModel>
    <identityConfiguration>
      <audienceUris>
        <add value="https://localhost:44301" />
      </audienceUris>
      <securityTokenHandlers>
        <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
        <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      </securityTokenHandlers>
      <certificateValidation certificateValidationMode="None" />
      <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
        <authority name="http://sts.testsite.com/adfs/services/trust">
          <keys>
            <add thumbprint="AA6032061B0E74B3B5B0D495DC7C55B18B0862A4" />
          </keys>
          <validIssuers>
            <add name="http://sts.testsite.com/adfs/services/trust" />
          </validIssuers>
        </authority>
      </issuerNameRegistry>
    </identityConfiguration>
  </system.identityModel>
  <system.identityModel.services>
    <federationConfiguration>
      <cookieHandler requireSsl="true" />
      <wsFederation passiveRedirectEnabled="true" issuer="https://sts.testsite.com/adfs/ls/" realm="https://localhost:44301" requireHttps="true" />
    </federationConfiguration>
  </system.identityModel.services>
  
</configuration>

这是Global.asax。

 protected void Application_Start()
    {
        AreaRegistration.RegisterAllAreas();
        FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
        RouteConfig.RegisterRoutes(RouteTable.Routes);
        BundleConfig.RegisterBundles(BundleTable.Bundles);
        AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Email;
    }
    protected void Application_BeginRequest()
    {
        if (!Context.Request.IsSecureConnection)
            Response.Redirect(Context.Request.Url.ToString().Replace("http:", "https:"));
    }
    protected void Application_Error(object sender, EventArgs e)
    {
        var error = Server.GetLastError();
        var cryptoEx = error as CryptographicException;
        if (cryptoEx != null)
        {
            FederatedAuthentication.WSFederationAuthenticationModule.SignOut();
            Server.ClearError();
            if (Request.Cookies["StoreNumber"] != null)
            {
                HttpCookie storeNumber = Request.Cookies["StoreNumber"];
                storeNumber.Expires = DateTime.Now.AddDays(-1);
            }
        }
    }

1 个答案:

答案 0 :(得分:0)

默认情况下,它应该按照您想要的方式运行。最有可能发生的事情是web.config中的此设置导致它要求每个人都登录,因为这是对匿名用户的明确拒绝。尝试删除它,看看它是否可以按你的意愿工作。

$(".rbs-section").wrap("<div class='world' />")

理论上,如果您将<authorization> <deny users="?" /> </authorization> 放在需要授权/登录的任何控制器上,您也不需要以下几行。删除拒绝后,应该允许匿名用户访问[Authorize]。您应该能够通过AccountController[Authorize]来控制哪些控制器/方法需要授权。

[AllowAnonymous]