将AD FS登录名添加到现有的ASP.NET网站

时间:2019-01-11 18:29:48

标签: c# iis adfs wif

我正在一个面向Web的ASP.NET网站上工作,任务是向该网站的子文件夹中添加AD FS登录(例如https://website.com/secret/test.aspx)。主站点(https://website.com)不需要任何登录。

我们想对AD FS SAML 2.0 / WS-Federation端点使用被动WIF(我是说对的),然后将其重定向回https://website.com/secret/test.aspx

我可以通过STS重定向到Web.conf根目录:

<!-- Start WIF authentication additions in <configuration> -->
<configSections>
  <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=XXX" />
  <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=XXX" />
</configSections>
<location path="FederationMetadata">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
<!-- End WIF authentication additions -->

... 

<!-- Start WIF authentication additions in <system.web> -->
<authorization>
  <deny users="?" />
</authorization>
<authentication mode="None" />
<!-- End WIF authentication additions -->

... 

<!-- Start WIF authentication additions in <system.webServer> -->
<modules>
  <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=XXX" preCondition="managedHandler" />
  <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=XXX" preCondition="managedHandler" />
</modules>
<!-- End WIF authentication additions -->

... 

<!-- Start WIF authentication additions after <system.identityModel> -->
<system.identityModel>
  <identityConfiguration>
    <audienceUris>
      <add value="https://website.com/secret/test.aspx" />
    </audienceUris>
    <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=XXX">
      <trustedIssuers>
        <add thumbprint="XXX" name="XXX Relying Party Trust" />
      </trustedIssuers>
    </issuerNameRegistry>
    <certificateValidation certificateValidationMode="None" />
  </identityConfiguration>
</system.identityModel>
<system.identityModel.services>
  <federationConfiguration>
    <cookieHandler requireSsl="true" />
    <wsFederation passiveRedirectEnabled="true" issuer="https://fs.website.com/adfs/ls" realm="https://website.com/secret/test.aspx" reply="https://website.com/secret/test.aspx" requireHttps="true" />
  </federationConfiguration>
</system.identityModel.services>
<!-- End WIF authentication additions -->

但是,这迫使整个网站获得授权,而不仅仅是/ secret /子文件夹,而且要想弄清楚这一点,我比我想的要困难得多。这是正确的方法吗?我是否应该研究一种完全基于代码的解决方案?

该网站不是MVC。

即使您只是Google应该使用的一些更准确的术语,也要感谢您提供的任何指导。

软件版本:

Web服务器-Windows Server 2016 v1607 b14393.2665(IIS v10.0.14393.0)

AD FS主机-Windows Server 2012 R2标准版

1 个答案:

答案 0 :(得分:1)

您可以通过web.config在根级别或文件夹级别对文件夹使用“允许/拒绝”。

例如

<location path="Folder">
   <system.web>
      <authorization>
         <deny users="*"/> 
      </authorization>
   </system.web>
</location>

因此,通常允许用户(按照上面的元数据)并拒绝文件夹级别的访问。

相关问题
最新问题