With Kentor.AuthServices.Owin 0.18.0 everything works fine (this is the usual traffic log):
200 GET https://some-saml2-idp.com/saml2/idp/SSO_1..39%3D&RelayState=Os..j
302 POST https://demo.local/AuthServices/Acs
200 GET for the set RedirectUri
After upgrading to Sustainsys.Saml2.Owin 2.2.0 I get this traffic log instead...
200 GET https://some-saml2-idp.com/saml2/idp/SSO_1a7f5..sy%2Fh9rebTw%3D%3D&RelayState=1M..3c
302 POST https://demo.local/AuthServices/Acs
303 GET https://demo.local/login?error=access_denied
200 GET https://some-saml2-idp.com/saml2/idp/SSO_1a7f..NfLr6E299uPwE%3D&RelayState=cS..L
302 POST https://demo.local/AuthServices/Acs
404 GET https://demo.local/saml2/idp/SSO_1..39?SAMLRequest=hZ..bTw==&RelayState=1M..c&error=access_denied
I have tried clearing cookies everywhere and tried to find any "own" code that causes the error or the error parameter.
I would like to get both of my branches working without affecting the IDP.
My Web.config has the following structure...
<sustainsys.saml2 entityId="https://demo.local/AuthServices"
returnUrl="https://demo.local"
publicOrigin="https://demo.local"
modulePath="/AuthServices">
<serviceCertificates>
<add fileName="~/somename.pfx"
use="Signing" />
</serviceCertificates>
<identityProviders>
<add entityId="My-IDP"
allowUnsolicitedAuthnResponse="true"
loadMetadata="true"
metadataLocation="https://some-saml2-idp.com/metadata" />
</identityProviders>
</sustainsys.saml2>
And my Owin startup...
var defaultSignInAsAuthType = "Cookies";
app.SetDefaultSignInAsAuthenticationType(defaultSignInAsAuthType);
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = defaultSignInAsAuthType,
ReturnUrlParameter = "returnUrl",
LoginPath = new PathString("/login"),
LogoutPath = new PathString("/logout")
});
var saml2Options = new Saml2AuthenticationOptions(true);
app.UseSaml2Authentication(saml2Options);
app.UseStageMarker(PipelineStage.Authenticate);
AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Name;
What am I missing to mimic the earlier package's setup?
Answer 0 (score: 1)
There are a number of breaking changes between those versions that may cause problems.
The Katana logging will contain the error message. Some relevant things are:
- is set with the minIncomingSigninAlgorithm configuration.
- /Saml2 instead of /AuthServices. In the question it is already correctly configured as /AuthServices for backwards compatibility.
- the AcsCommandResultCreated notification to modify the created identity.
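As an added example (not code from the question, the answer or the Sustainsys project), here is a Sustainsys.Saml2.Owin 2.x startup that applies the three points the answer lists: the incoming signing algorithm, the module path kept at /AuthServices via Web.config, and an AcsCommandResultCreated notification that adjusts the identity. It assumes the IdP still signs with SHA1 (an assumption; check the Katana log before lowering the setting) and that the question's cookie middleware and Web.config are unchanged.

```csharp
// Added example for Sustainsys.Saml2.Owin 2.x; not from the question or the answer.
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Web.Helpers;
using Microsoft.Owin;
using Microsoft.Owin.Extensions;
using Microsoft.Owin.Security.Cookies;
using Owin;
using Sustainsys.Saml2.Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        const string defaultSignInAsAuthType = "Cookies";
        app.SetDefaultSignInAsAuthenticationType(defaultSignInAsAuthType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = defaultSignInAsAuthType,
            ReturnUrlParameter = "returnUrl",
            LoginPath = new PathString("/login"),
            LogoutPath = new PathString("/logout")
        });

        // true = load <sustainsys.saml2> from Web.config, which already keeps
        // modulePath="/AuthServices" so the IdP's existing ACS URL keeps working.
        var saml2Options = new Saml2AuthenticationOptions(true);

        // 2.x rejects incoming signatures weaker than SHA256 by default; a rejected
        // response ends as the access_denied redirect seen in the question. Lowering
        // the floor to SHA1 weakens signature verification, so do it only while the IdP
        // cannot be changed (assumption: this IdP still signs with SHA1).
        saml2Options.SPOptions.MinIncomingSigningAlgorithm = SecurityAlgorithms.RsaSha1Signature;

        // Runs after the response is validated and the principal is built, before the
        // cookie is issued. AntiForgery below keys on ClaimTypes.Name, so derive it
        // from NameIdentifier when the IdP does not send a Name claim.
        saml2Options.Notifications.AcsCommandResultCreated = (commandResult, saml2Response) =>
        {
            var identity = (ClaimsIdentity)commandResult.Principal.Identity;
            if (identity.HasClaim(c => c.Type == ClaimTypes.Name)) return;
            var nameId = identity.FindFirst(ClaimTypes.NameIdentifier);
            if (nameId != null)
                identity.AddClaim(new Claim(ClaimTypes.Name, nameId.Value));
        };

        app.UseSaml2Authentication(saml2Options);
        app.UseStageMarker(PipelineStage.Authenticate);
        AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Name;
    }
}
```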