我尝试使用ADFS和SAML2.0在我们的Web应用程序中实现SSO。我使用Windows Server 2012 r2作为我的adfs环境。 Web应用程序也在同一个环境中。
到目前为止,当我运行应用程序时,我会被定向到主登录页面,在那里我可以选择使用sso登录。点击sso选项后,我被重定向到adfs登录屏幕,当我尝试使用正确的凭据登录时,我收到以下错误:
Encountered error during federation passive request. Additional Data Protocol Name: Saml Relying Party: https://ADFSDomain/adfs/ls/ Exception details: Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.MissingAssertionConsumerServicesPolicyException: MSIS3077: The AssertionConsumerServices property is not configured for relying party trust 'https://ADFSDomain/adfs/ls/'. at Microsoft.IdentityServer.Service.SamlProtocol.EndpointResolver.LookupAssertionConsumerServiceByUrl(Collection`1 assertionConsumerServices, Uri requestedAssertionConsumerServiceUrl, String scopeIdentity) at Microsoft.IdentityServer.Service.SamlProtocol.EndpointResolver.FindSamlResponseEndpointForAuthenticationRequest(Boolean artifactEnabled, AuthenticationRequest request, ScopeDescription scopeDescription) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.GetResponseEndpointFromRequest(SamlRequest request, Boolean isUrlTranslationNeeded, ScopeDescription scope) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context) at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler) at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
这就是web.config的样子:
<sustainsys.saml2 modulePath="/AuthServices" entityId="https://ADFSDomain/adfs/ls/" returnUrl="http://localhost:2181/">
<identityProviders>
<add entityId="http://ADFSDomain/adfs/services/trust"
signOnUrl="https://ADFSDomain/adfs/ls/"
allowUnsolicitedAuthnResponse="true"
binding="HttpRedirect"
wantAuthnRequestsSigned="false"
loadMetadata="true"
metadataLocation="https://ADFSDomain/federationmetadata/2007-06/federationmetadata.xml">
<signingCertificate fileName="~/App_Data/newCert.cer" />
</add>
</identityProviders>
</sustainsys.saml2>
答案 0 :(得分:0)
配置中使用的entityId应该是特定于服务提供商应用程序的路径,而不是ADFS(身份提供商)。
示例配置:
<?xml version="1.0"?>
<sustainsys.saml2 entityId="https://yourdomain.com/apppath/Saml2" returnUrl="https://yourapp.com/apppath/" authenticateRequestSigningBehavior="Always" outboundSigningAlgorithm="SHA256">
<identityProviders>
<add entityId="http://adfs.yourdomain.com/adfs/services/trust" signOnUrl="https://adfs.yourdomain.com/adfs/ls" logoutUrl="https://adfs.yourdomain.com/adfs/ls" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect" loadMetadata="true" metadataLocation="https://adfs.yourdomain.com/federationmetadata/2007-06/federationmetadata.xml" />
</identityProviders>
<serviceCertificates>
<add storeName="My" storeLocation="LocalMachine" findValue="xxx" x509FindType="FindByThumbprint" />
</serviceCertificates>
</sustainsys.saml2>