使用MVC应用程序中的Kentor Auth服务库将Google作为身份提供者(IDP)实施?

时间:2016-06-08 09:25:47

标签: asp.net-mvc authentication owin saml-2.0 kentor-authservices

您好我正在使用kentor身份验证服务(Kentor身份验证服务是一个向ASP.NET和IIS网站添加SAML2P支持的库,允许该网站充当SAML2服务提供商(SP))。现在我我正在使用Google作为Identity Privider来测试我的应用程序(使用owin midddleware进行身份验证)。我也设置了Google身份识别提供程序。但是当我运行应用程序时它会给我一个错误

“400。这是一个错误。 请求URL中的请求无效,idpId无效,请检查SP端是否正确配置了SSO URL。这就是我们所知道的。“

我使用过SingleSignOnServiceUrl = https://accounts.google.com/o/saml2/idp?idpid=xxxxxxxxx

DiscoveryServiceUrl = https://accounts.google.com/o/saml2/idp?idpid=xxxxxxxxx

以上配置是否正确?

我已经在下面添加了App_start配置。来自Kentor auth服务库。

public partial class Startup
{
    // For more information on configuring authentication, please visit http://go.microsoft.com/fwlink/?LinkId=301864
    public void ConfigureAuth(IAppBuilder app)
    {
        // Configure the db context, user manager and signin manager to use a single instance per request
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
        app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);

        // Enable the application to use a cookie to store information for the signed in user
        // and to use a cookie to temporarily store information about a user logging in with a third party login provider
        // Configure the sign in cookie
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                // Enables the application to validate the security stamp when the user logs in.
                // This is a security feature which is used when you change a password or add an external login to your account.  
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(30),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

        app.UseKentorAuthServicesAuthentication(CreateAuthServicesOptions());
    }

    private static KentorAuthServicesAuthenticationOptions CreateAuthServicesOptions()
    {
        var spOptions = CreateSPOptions();
        var authServicesOptions = new KentorAuthServicesAuthenticationOptions(false)
        {
            SPOptions = spOptions
        };

        var idp = new IdentityProvider(new EntityId("~/App_Data/GoogleIDPMetadata.xml"), spOptions)
            {
                AllowUnsolicitedAuthnResponse = true,
                Binding = Saml2BindingType.HttpRedirect,
                SingleSignOnServiceUrl = new Uri("https://accounts.google.com/o/saml2/idp?idpid=xxxxxxxxx")
            };

        idp.SigningKeys.AddConfiguredKey(
            new X509Certificate2(
                HostingEnvironment.MapPath(
                    "~/App_Data/Kentor.AuthServices.StubIdp.cer")));

        authServicesOptions.IdentityProviders.Add(idp);

        // It's enough to just create the federation and associate it
        // with the options. The federation will load the metadata and
        // update the options with any identity providers found.
        new Federation("http://example.com/Federation", true, authServicesOptions);

        return authServicesOptions;
    }

    private static SPOptions CreateSPOptions()
    {
        var swedish = CultureInfo.GetCultureInfo("sv-se");

        var organization = new Organization();
        organization.Names.Add(new LocalizedName("Kentor", swedish));
        organization.DisplayNames.Add(new LocalizedName("Kentor IT AB", swedish));
        organization.Urls.Add(new LocalizedUri(new Uri("http://www.kentor.se"), swedish));

        var spOptions = new SPOptions
        {
            EntityId = new EntityId("https://example.com/AuthServices"),
            ReturnUrl = new Uri("https://example.com/Account/ExternalLoginCallback"),
            DiscoveryServiceUrl = new Uri(https://accounts.google.com/o/saml2/idp?idpid=xxxxxxxxx"),
            Organization = organization
        };

        var techContact = new ContactPerson
        {
            Type = ContactType.Technical
        };
        techContact.EmailAddresses.Add("authservices@example.com");
        spOptions.Contacts.Add(techContact);

        var supportContact = new ContactPerson
        {
            Type = ContactType.Support
        };
        supportContact.EmailAddresses.Add("support@example.com");
        spOptions.Contacts.Add(supportContact);

        var attributeConsumingService = new AttributeConsumingService("AuthServices")
        {
            IsDefault = true,
        };

        attributeConsumingService.RequestedAttributes.Add(
            new RequestedAttribute("urn:someName")
            {
                FriendlyName = "Some Name",
                IsRequired = true,
                NameFormat = RequestedAttribute.AttributeNameFormatUri
            });

        attributeConsumingService.RequestedAttributes.Add(
            new RequestedAttribute("Minimal"));

        spOptions.AttributeConsumingServices.Add(attributeConsumingService);

        spOptions.ServiceCertificates.Add(new X509Certificate2(
            AppDomain.CurrentDomain.SetupInformation.ApplicationBase + "/App_Data/Kentor.AuthServices.Tests.pfx"));

        return spOptions;
    }

为什么我重定向到google saml页面时出现400错误?提前致谢

1 个答案:

答案 0 :(得分:1)

AFAIK Google不提供发现服务。从配置中删除DiscoveryServiceUrl

此外,您应该清理配置,而不是使用示例应用程序的配置。

对于测试,您还可以使用项目中包含的存根idp http://stubidp.kentor.se