成功处理SAML后，用户未获得身份验证（未设置Cookie）

Question

我正在使用由idp发起的SSO流。我正在使用OWIN中间件使用Kentor.AuthServices。

大多数流程都能正常工作，除了当控件在成功处理SAML响应后到达我的回调方法时，用户身份没有得到 SET 。

在web.config中设置：

<kentor.authServices entityId="https://one-staging.com/MVSAMLServiceProvider" 
                     returnUrl="https://5814a15e.ngrok.io/api/Account/UnsolicitedExternalLogin">
    <identityProviders>
      <add entityId="https://shibidp.edu/idp/shibboleth"
          metadataLocation = "~/Providers/SAML2/Metadata/shibidp.edu.xml"
          allowUnsolicitedAuthnResponse="false" 
          disableOutboundLogoutRequests="false"
          binding="HttpRedirect">
      </add>
      <add entityId="abb:one:saml20:idp"
           metadataLocation="~/Providers/SAML2/Metadata/abb.xml"
           allowUnsolicitedAuthnResponse="true"
           disableOutboundLogoutRequests="false"
           binding="HttpRedirect">
      </add>
    </identityProviders>
</kentor.authServices>

这是我的Startup.cs：

public void ConfigureOAuth(IAppBuilder app)
{
    app.UseExternalSignInCookie(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ExternalCookie);

    OAuthBearerOptions = new OAuthBearerAuthenticationOptions();
    OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
    {
        //For Dev enviroment only (on production should be AllowInsecureHttp = false)
        AllowInsecureHttp = true,
        TokenEndpointPath = new PathString("/oauth2/token"),
        AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30),
        Provider = new CustomOAuthProvider(),
        AccessTokenFormat = new CustomJwtFormat()
    };

    // OAuth 2.0 Bearer Access Token Generation
    app.UseOAuthAuthorizationServer(OAuthServerOptions);
    app.UseOAuthBearerAuthentication(OAuthBearerOptions);

    googleAuthOptions = new GoogleOAuth2AuthenticationOptions()
    {
        ClientId = System.Configuration.ConfigurationManager.AppSettings["GoogleClientId"],
        ClientSecret = System.Configuration.ConfigurationManager.AppSettings["GoogleClientSecret"],
        Provider = new GoogleAuthProvider()
    };
    app.UseGoogleAuthentication(googleAuthOptions);


    app.Use(async (Context, next) =>{await next.Invoke();});    
    app.UseKentorAuthServicesAuthentication(CreateSAMLAuthServicesOptions());
    app.Use(async (Context, next) =>{await next.Invoke();});
}

以下是Kentor日志（日志中没有错误）：

DEBUG 2018-12-28 14:02:32,682  8859ms emv-authService-logger MoveNext           - Received unsolicited Saml Response _t0r6DHtsGygxkYcfNzdkEs72.M which is allowed for idp abb:one:saml20:idp
DEBUG 2018-12-28 14:02:32,729  8906ms emv-authService-logger MoveNext           - Signature validation passed for Saml Response _t0r6DHtsGygxkYcfNzdkEs72.M
DEBUG 2018-12-28 14:02:32,729  8906ms emv-authService-logger MoveNext           - Extracted SAML assertion oN4v.k9x2GE7s5S8OdeNWS.93j9
DEBUG 2018-12-28 14:02:32,729  8906ms emv-authService-logger MoveNext           - Validated conditions for SAML2 Response _t0r6DHtsGygxkYcfNzdkEs72.M
INFO  2018-12-28 14:02:32,729  8906ms emv-authService-logger ProcessResponse    - Successfully processed SAML response _t0r6DHtsGygxkYcfNzdkEs72.M and authenticated 10035094

最后我的重定向方法：

[OverrideAuthentication]
[HostAuthentication(DefaultAuthenticationTypes.ApplicationCookie)]
[AllowAnonymous]
[Route("UnsolicitedExternalLogin", Name = "UnsolicitedExternalLogin")]
public async void GetUnsolicitedExternalLogin()
{
    bool isAuthenticated = User.Identity.IsAuthenticated; //getting false
}

不幸的是，我已经被这个问题困扰了一个星期了。我相信这真的可以完成，因此我们将不胜感激。

谢谢！

Answer 1

看代码，我认为认证方案不匹配。

在管道设置中，将设置用于外部身份验证方案的cookie中间件。但是在GetUnsolicitedExternalLogin方法中，引用了ApplicationCookie方案。更改它以引用外部方案。

检查从~/AuthServices/Acs到GetUnsolicitedExternalLogin的重定向是否设置了外部身份验证cookie也是一个好主意。