我正在用ADFS测试IdentityServer4(使用Quickstart.UI)的登录。我已将WS-Federation添加到IdentityServer。到目前为止一切正常:我的用户可以使用其AD帐户登录,并从IdentityServer获取授权码;借助该授权码,我还可以向IdentityServer请求访问令牌和刷新令牌。
我添加了一个自定义验证器,以查看从ADFS得到的响应。在该SAML断言中,我可以找到带有SAM帐户名(用户名)的字段Array
(
[0] => Array
(
[comment] => this is my comment
)
[1] => Array
(
[id] => 3
)
)
(在我的示例中,用户名为“bob”)。
我现在想做的是将此名称作为声明(claim)添加到访问令牌和刷新令牌中。我想在令牌中添加以下内容:
saml:NameIdentifier
我尝试使用.AddProfileService<MyProfileService>()添加自定义配置文件服务。这样,我就可以将声明'name' : 'bob'添加到令牌中,但是似乎找不到'name'的存储位置。
SAML响应中的这些信息保存在哪里?是否有一种简单的方法可以访问这些信息,而不必自己编写保存它们的自定义验证程序?
这是我从ADFS收到的SAML响应:
saml:NameIdentifier
这是来自IdentityServer的Startup.cs:
<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_322db7c2-08d3-4b9e-9a72-78f9867590bb" Issuer="http://adfs.adfstest.ch/adfs/services/trust" IssueInstant="2018-10-26T07:00:31.277Z"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions NotBefore="2018-10-26T07:00:31.268Z" NotOnOrAfter="2018-10-26T08:00:31.268Z">
<saml:AudienceRestrictionCondition>
<saml:Audience>https://localhost:44384/
</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier>bob</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute AttributeName="name" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml:AttributeValue>bob
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="subject" AttributeNamespace="http://schemas.microsoft.com/2012/12/certificatecontext/field">
<saml:AttributeValue>bob
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" AuthenticationInstant="2018-10-26T06:19:07.801Z">
<saml:Subject>
<saml:NameIdentifier>bob
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_322db7c2-08d3-4b9e-9a72-78f9867590bb">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>qVbZ8br3sxDrjJT6e0o7OResejoDXvKJ0u6pQkvuXww=
</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>oYWxMewu1YuYN9/QtcaYw+hsy6ZsYtv2QIalFkU9qRW/YP0wImYfzxyuFQEHbz8M7ZjdZD8dTUdlSSF9hH1xsApqovJ/4YHNUv0aNiYWsLLM6hEaREcD0Ed6AOLvXEW+iYEu7nFLhUXshiLZMCTPnDFN+ggT0kQce3NA3MZVe2j+q1S3vK4BWoMC7yQGV27mlQ4Bgdgt2fJHRRbd7x6oUUP/EGAv5u9VTfp+F2MIHeltnkh6vTvSawSe/uVVZMAMRiQ5U4JOlxQNKgCoI8yjdC/oDuOCJHywGWXzfbV6OiiI5ODp5I7BfTJNeYoyje019KFBavOODyEj7e+SLkMzQw==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>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
</X509Certificate>
</X509Data>
</KeyInfo>
</ds:Signature>
这是自定义个人资料服务:
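public class Startup
{
    /// <summary>
    /// Registers MVC, IdentityServer (in-memory resources, clients and persisted grants,
    /// test users and the custom profile service) and the cookie + WS-Federation
    /// authentication handlers. Called by the runtime to add services to the container.
    /// </summary>
    /// <param name="services">The application's service collection.</param>
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        services.AddIdentityServer()
            .AddDeveloperSigningCredential() // AddSigningCredential(cert) for productive environment
            .AddInMemoryIdentityResources(Config.GetIdentityResources())
            .AddInMemoryApiResources(Config.GetApiResources())
            .AddInMemoryClients(Config.GetClients())
            .AddInMemoryPersistedGrants()
            .AddTestUsers(Config.GetUsers())
            .AddProfileService<MyProfileService>(); // MyProfileService decides which claims end up in tokens

        services.AddAuthentication(options =>
            {
                // Local sessions live in the cookie; unauthenticated requests are challenged at ADFS.
                options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
            })
            .AddCookie(options =>
            {
                options.Cookie.Name = "aspnetcorewsfed";
            })
            .AddWsFederation(options =>
            {
                options.Wtrealm = "https://localhost:44384/";
                options.MetadataAddress = "https://adfs.adfstest.ch/FederationMetadata/2007-06/FederationMetadata.xml";

                // The federation metadata document carries the ADFS token-signing keys. Its address
                // is already https, so keep the HTTPS requirement on: disabling it would permit the
                // keys to be retrieved over plain HTTP, where an on-path party could substitute them.
                options.RequireHttpsMetadata = true;

                // NOTE(review): CallbackPath is the site root, and SkipUnrecognizedRequests makes the
                // handler ignore requests to "/" that are not WS-Fed sign-in responses — confirm this
                // pairing is intended rather than a dedicated callback path such as "/signin-wsfed".
                options.CallbackPath = "/";
                options.SkipUnrecognizedRequests = true;

                // Sign the federated identity into IdentityServer's external cookie scheme rather
                // than the main session cookie.
                options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
            });
    }

    /// <summary>
    /// Builds the HTTP pipeline: developer exception page (development only), IdentityServer
    /// endpoints, static files and MVC with the default route. Called by the runtime.
    /// </summary>
    /// <param name="app">The application builder.</param>
    /// <param name="env">Hosting environment; used to enable the developer exception page.</param>
    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        // IdentityServer goes before MVC so its protocol endpoints are served ahead of the default route.
        app.UseIdentityServer();
        app.UseStaticFiles();
        app.UseMvcWithDefaultRoute();
    }
}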
令牌的有效负载现在看起来像这样: