I have set up Azure B2C as the SAML token issuer, with ADFS as the SAML IdP:
Application (service provider) -(SAML2)-> B2C (security token service relying party) -(SAML2)-> ADFS (identity provider)
Every time I try to sign in through B2C I get the following error (it never gets as far as ADFS):
FatalException
The while limit of '20' has been reached for type 'Microsoft.Cpim.StateMachine.EventInstance'.
What does this mean in B2C? Am I missing something in the Azure B2C SAML issuer configuration? This is my sign-in policy:
<RelyingParty>
<DefaultUserJourney ReferenceId="SignUpOrSignInFmdClient" />
<UserJourneyBehaviors>
<SingleSignOn Scope="Application" />
<SessionExpiryType>Absolute</SessionExpiryType>
<SessionExpiryInSeconds>900</SessionExpiryInSeconds>
<JourneyInsights TelemetryEngine="ApplicationInsights" InstrumentationKey="4f5ac312-eb9d-4395-b89d-ec6a6095b23e" DeveloperMode="true" ClientEnabled="false" ServerEnabled="true" TelemetryVersion="1.0.0" />
</UserJourneyBehaviors>
<TechnicalProfile Id="PolicyProfile">
<DisplayName>PolicyProfile</DisplayName>
<Protocol Name="SAML2" />
<Metadata>
<Item Key="PartnerEntity"><![CDATA[
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="urn:itfoxtec:identity:saml2:testwebapp" validUntil="2026-12-27T23:42:22.079Z" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<md:SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8080" index="0" isDefault="true"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
]]>
</Item>
<Item Key="KeyEncryptionMethod">Rsa15</Item>
<Item Key="DataEncryptionMethod">Aes256</Item>
<Item Key="XmlSignatureAlgorithm">Sha256</Item>
</Metadata>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="socialIdpUserId" />
<OutputClaim ClaimTypeReferenceId="IdpUserGroups" />
<OutputClaim ClaimTypeReferenceId="IdpUserName"/>
<OutputClaim ClaimTypeReferenceId="identityProvider" />
<OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="userPrincipalName" />
<OutputClaim ClaimTypeReferenceId="objectId"/>
</OutputClaims>
<!-- <SubjectNamingInfo ClaimType="userPrincipalName" /> -->
<!-- <SubjectNamingInfo ClaimType="http://schemas.microsoft.com/identity/claims/objectidentifier" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" ExcludeAsClaim="true"/> -->
<SubjectNamingInfo ClaimType="userPrincipalName" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" ExcludeAsClaim="false"/>
</TechnicalProfile>
This is the SAML AuthnRequest I send:
<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="_b2d1a96864951d1d555e"
Version="2.0"
IssueInstant="2018-09-25T13:13:35.125Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="https://localhost:5000/auth/login"
Destination="https://login.microsoftonline.com/te/fmdclientsandbox.onmicrosoft.com/B2C_1A_SignUpOrSignInFmdClient/samlp/sso/login">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">21d60a4b-6e33-4e22-b618-586882744560</saml:Issuer>
<samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" AllowCreate="true"/>
<samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
This is the more detailed error from B2C captured by App Insights:
{
  "Kind": "Action",
  "Content": "Web.TPEngine.StateMachineHandlers.WarningExceptionTraceHandler"
},
{
  "Kind": "HandlerResult",
  "Content": {
    "Result": true
  }
},
{
  "Kind": "Action",
  "Content": "Web.TPEngine.SSO.SSOSessionEndHandler"
},
{
  "Kind": "HandlerResult",
  "Content": {
    "Result": true
  }
},
{
  "Kind": "Action",
  "Content": "Web.TPEngine.StateMachineHandlers.SendErrorHandler"
},
{
  "Kind": "HandlerResult",
  "Content": {
    "Result": true,
    "PredicateResult": "True"
  }
},
{
  "Kind": "Transition",
  "Content": {
    "EventName": "Global",
    "StateName": "Microsoft.Cpim.Common.PolicyException"
  }
},
{
  "Kind": "Predicate",
  "Content": "Web.TPEngine.StateMachineHandlers.NoOpHandler"
},
{
  "Kind": "HandlerResult",
  "Content": {
    "Result": true,
    "PredicateResult": "True"
  }
},
{
  "Kind": "Action",
  "Content": "Web.TPEngine.StateMachineHandlers.WarningExceptionTraceHandler"
},
{
  "Kind": "HandlerResult",
  "Content": {
    "Result": true
  }
},
{
  "Kind": "Action",
  "Content": "Web.TPEngine.SSO.SSOSessionEndHandler"
},
{
  "Kind": "HandlerResult",
  "Content": {
    "Result": true
  }
},
{
  "Kind": "Action",
  "Content": "Web.TPEngine.StateMachineHandlers.SendErrorHandler"
},
{
  "Kind": "HandlerResult",
  "Content": {
    "Result": true,
    "PredicateResult": "True"
  }
},
{
  "Kind": "FatalException",
  "Content": {
    "Time": "1:50 PM",
    "Exception": {
      "Kind": "Handled",
      "HResult": "80131500",
      "Message": "The while limit of '20' has been reached for type 'Microsoft.Cpim.StateMachine.EventInstance'. ; Diagnostics=",
      "Data": {
        "Event": "Global",
        "MachineDefinition": "",
        "StateTable": "",
        "Limit": "20",
        "ProcessingHistory": "Event:AUTH->Event:PreStep->Event:Global->Event:Global->Event:Global->Event:Global->Event:Global->Event:Global->Event:Global->Event:Global->Event:Global->Event:Global->Event:Global->Event:Global->Event:Global->Event:Global->Event:Global->Event:Global->Event:Global->Event:Global"
      }
    }
  }
}
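As an added consistency check (example code, not from the post, Azure B2C or ITfoxtec), the script below compares an AuthnRequest against the SP metadata registered as PartnerEntity, using the values visible in the post: the Issuer, AssertionConsumerServiceURL and NameIDPolicy format of the request all differ from what the metadata declares, although the post does not establish that this is what drives the state-machine loop. The embedded metadata and request are constructed from the post with the missing quote on Location repaired and Destination/RequestedAuthnContext left out.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# SP metadata constructed from the PartnerEntity in the post (quote on Location repaired).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:itfoxtec:identity:saml2:testwebapp">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost:8080" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# AuthnRequest constructed from the post (Destination and RequestedAuthnContext omitted).
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_b2d1a96864951d1d555e"
    Version="2.0" IssueInstant="2018-09-25T13:13:35.125Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://localhost:5000/auth/login">
  <saml:Issuer>21d60a4b-6e33-4e22-b618-586882744560</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      AllowCreate="true"/>
</samlp:AuthnRequest>"""


def check_request_against_metadata(metadata_xml, request_xml):
    """Return the ways the AuthnRequest disagrees with the registered SP metadata ([] if none)."""
    md = ET.fromstring(metadata_xml)   # for untrusted input parse with defusedxml instead
    req = ET.fromstring(request_xml)
    problems = []
    # The IdP matches the request to a partner by Issuer == entityID.
    entity_id = md.get("entityID")
    issuer = req.findtext("saml:Issuer", namespaces=NS)
    if issuer != entity_id:
        problems.append(f"Issuer {issuer!r} != metadata entityID {entity_id!r}")
    # Responses are only posted back to an ACS Location the metadata registers.
    registered_acs = {a.get("Location") for a in md.iterfind(".//md:AssertionConsumerService", NS)}
    acs_url = req.get("AssertionConsumerServiceURL")
    if acs_url is not None and acs_url not in registered_acs:
        problems.append(f"AssertionConsumerServiceURL {acs_url!r} not in {sorted(registered_acs)}")
    # Request only a NameID format the SP declared it can consume.
    declared_formats = {f.text.strip() for f in md.iterfind(".//md:NameIDFormat", NS)}
    policy = req.find("samlp:NameIDPolicy", NS)
    if policy is not None and declared_formats and policy.get("Format") not in declared_formats:
        problems.append(f"NameIDPolicy Format {policy.get('Format')!r} not in {sorted(declared_formats)}")
    return problems
```

Run against the post's values it reports three mismatches; an empty list means the rejection has to be looked for elsewhere in the policy.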