根据主题,我将Owin.Security.WsFederation和依赖包更新到版本4.0,我收到了错误。
除了更改
之外,我没有进行任何代码更改using Microsoft.IdentityModel.Protocols;
到
using Microsoft.IdentityModel.Protocols.WsFederation;
现在WsFederationConfiguration类似乎在哪里。
这是我的 StartupAuth :
public void ConfigureAuth(IAppBuilder app)
{
app.UseCookieAuthentication(
new CookieAuthenticationOptions
{
AuthenticationType = CookieAuthenticationDefaults.AuthenticationType
});
// Create WsFed configuration from web.config wsfed: values
var wsconfig = new WsFederationConfiguration()
{
Issuer = ConfigurationManager.AppSettings["wsfed:Issuer"],
TokenEndpoint = ConfigurationManager.AppSettings["wsfed:TokenEndPoint"],
};
/*
* Add x509 certificates to configuration
*
*/
// certificate.1 must always exist
byte[] x509Certificate;
x509Certificate = Convert.FromBase64String(ConfigurationManager.AppSettings["wsfed:certificate.1"]);
wsconfig.SigningKeys.Add(new X509SecurityKey(new X509Certificate2(x509Certificate)));
// certificate 2 may exist
if (ConfigurationManager.AppSettings["wsfed:certificate.2"] != null)
{
x509Certificate = Convert.FromBase64String(ConfigurationManager.AppSettings["wsfed:certificate.2"]);
wsconfig.SigningKeys.Add(new X509SecurityKey(new X509Certificate2(x509Certificate)));
}
// certificate 3 may exist
if (ConfigurationManager.AppSettings["wsfed:certificate.3"] != null)
{
x509Certificate = Convert.FromBase64String(ConfigurationManager.AppSettings["wsfed:certificate.3"]);
wsconfig.SigningKeys.Add(new X509SecurityKey(new X509Certificate2(x509Certificate)));
}
// Apply configuration to wsfed Auth Options
var wsoptions = new WsFederationAuthenticationOptions
{
SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
Configuration = wsconfig,
Wreply = ConfigurationManager.AppSettings["wsfed:Wreply"],
Wtrealm = ConfigurationManager.AppSettings["wsfed:Wtrealm"],
};
wsoptions.TokenValidationParameters.NameClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn";
// Add WdFederation middleware to Owin pipeline
app.UseWsFederationAuthentication(wsoptions);
}
还有其他东西4.0需要验证签名吗?我假设它正在讨论发行人的令牌签名。我没有看到如何启用ShowPII来查看它正在查看的键。
我正在使用MVC5和完整的框架。不是核心。
更新:
我尝试修改代码以使用属性文件中的身份提供程序提供的元数据来创建WsFederationConfiguration,但仍然会收到相同的错误。我不确定签名是什么,或者如果它不在idp元数据中我从哪里得到它。
UPDATE2 :
以下是我在属性文件中使用sts提供的wsfed元数据所做的更改。 (我已经删除了实际的base64编码元数据,但不用说,当你从STS发布元数据和端点时,你得到的是同样的XML。正如我上面所说,我得到了同样的错误:
public void ConfigureAuth(IAppBuilder app)
{
WsFederationConfiguration wsconfig;
app.UseCookieAuthentication(
new CookieAuthenticationOptions
{
AuthenticationType = CookieAuthenticationDefaults.AuthenticationType
});
var metaDataDocument = System.Text.Encoding.UTF8.GetString(
Convert.FromBase64String("...c2NyaXB0b3I+"));
using (var metaDataReader = XmlReader.Create(new StringReader(metaDataDocument), SafeSettings))
{
wsconfig = (new WsFederationMetadataSerializer()).ReadMetadata(metaDataReader);
}
// Apply configuration to wsfed Auth Options
var wsoptions = new WsFederationAuthenticationOptions
{
SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
Configuration = wsconfig,
Wreply = ConfigurationManager.AppSettings["wsfed:Wreply"],
Wtrealm = ConfigurationManager.AppSettings["wsfed:Wtrealm"],
};
wsoptions.TokenValidationParameters.NameClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn";
// Add WdFederation middleware to Owin pipeline
app.UseWsFederationAuthentication(wsoptions);
}
答案 0 :(得分:2)
我和MS团队的一些人一起工作。这里的问题是我们的STS使用SHA1签署令牌,新版本的weFederation不支持SHA1,因为它不安全且不推荐使用。
答案 1 :(得分:1)
使用带有owin的WIF的最简单方法是使用联合元数据(它位于 FederationMetadata / 2007-06 / FederationMetadata.xml )。 然后您根本不需要设置任何内容,Configure claims based web applications using OWIN WsFederation middleware中对此进行了解释。前提条件当然是您的STS发布了有意义的FederationMetaData文档。优点是您的应用程序会自动获取验证所需的公钥(并且可以无缝地更新它们)。
这是恕我直言,比你正在采取的方法容易得多。
您可以关注Manual configuration of OWIN WS-Federation Identity provider,因为它描述了一种比您更简单的方式。