我正在实现一个SP,该SP允许用户使用SAML2 IDP登录。 我正在使用ASP.NET Core和Sustainsys Saml2包来实现SP。 我们正在使用OWIN中间件。它可以很好地登录。 我添加了一个证书,整个ting作为一个蔚蓝的网站运行。 我的问题是,如果IDP发送注销事件,则要检测哪个用户已注销。
我们在登录时会获得SessionIndex和LogoutNameIdentifier,但在退出时却不会。
在浏览器中使用SAML2跟踪器,我看到我从IDP收到一个注销包,如下所示:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<saml2p:LogoutRequest
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://example.com/Saml2/Logout"
ID="_0498f5109d6c09a3de3dc5a7ee6ef34bdd"
IssueInstant="2020-10-11T15:01:46.408Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
https://my.testidp.com/samlv2/idp/metadata/0/30
</saml2:Issuer>
<saml2:NameID
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
_041d2ec8046088eed3567c8761a925b48e
</saml2:NameID>
</saml2p:LogoutRequest>
在Startup.cs中,我为名为LogoutCommandResultCreated
的注销事件添加了一个事件处理程序。看起来像这样:
(有所简化)
public void ConfigureServices(IServiceCollection services)
{
var authenticationBuilder = services.AddAuthentication(options =>
{
options.DefaultScheme = "Cookies";
options.DefaultChallengeScheme = "oidc";
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
});
authenticationBuilder.AddCookie("Cookies");
string authenticationScheme = $"{configheader.Name}.saml2";
authenticationBuilder.AddSaml2(authenticationScheme, options =>
{
...
var spOptions = new SPOptions
{
EntityId = new EntityId(entityId),
Organization = myorganization,
MinIncomingSigningAlgorithm = "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
ModulePath = "/Saml2",
ReturnUrl = new Uri("/auth/saml2/", UriKind.Relative)
};
spOptions.ServiceCertificates.Add(mycertificate);
options.SPOptions = spOptions;
options.Notifications.LogoutCommandResultCreated = commandResult =>
{
// LOGOUT TRIGGERED.
logger.LogDebug(Newtonsoft.Json.JsonConvert.SerializeObject(commandResult));
// TODO: What to do with commandResult?
};
commandResult的json-serialization的输出并没有给我很多:
{"HttpStatusCode":303,
"Cacheability":1,
"Location":"https://my.testidp.com/samlv2/idp/sloresp/0/30?mgvhostparam=0
&SAMLResponse=jJHLasMwEEX3hf6D0d6W%2FGws7JTSbAL....kd8%2BK%2Fh7%2B8gcAAP%2F%2FAwA%3D
&igAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256
&Signature=nmZApcBYHbsnNruq...duQA%3D",
"Principal":null,
"SessionNotOnOrAfter":null,
"Content":null,"ContentType":null,
"RelayData":null,"TerminateLocalSession":true,
"SetCookieName":null,
"SetCookieSecureFlag":false,
"RelayState":null,
"RequestState":null,
"ClearCookieName":null,
"HandledResult":false,
"Headers":{}}
答案 0 :(得分:0)
由于使用NameID格式urn:oasis:names:tc:SAML:2.0:nameid-format:transient
来执行SSO,因此需要在SP端找到NameId值。