如何获取 WIF SAML2 扩展? Saml2AuthenticationModule 可以在 Windows Azure 计算模拟器中工作吗?
在 IIS Express 中,使用 Saml2AuthenticationModule(来自 SAML2 协议的 WIF 扩展)导致以下应用程序流程:
- 用户转到服务调用
Saml2AuthenticationModule.Current.SignIn(args) 的提供程序 URL; - 该模块将请求路由到身份提供者。
- 根据 SP 的 AssertionConsumerService 元数据,IdP 将 SSO 响应发送回 SP。在我当前的测试中,此 URL 为“{rootdomain}/
ServiceProvider/saml/post/ac”。据我所知,这个 URL 是不可配置的。 - 该模块拦截此响应,配置 IClaimsIdentity,然后将流重定向回 SP 应用程序(在步骤 1 中传递的参数)。
当以 Windows Azure 模拟器而不是 IIS Express 为目标时,我更改了 web.config 以指向不同的 SP 元数据文件,并使用适合模拟器 URL 的不同 AssertionConsumerService:
<md:AssertionConsumerService index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://127.0.0.1/ServiceProvider/saml/post/ac" />
在 azure 计算模拟器中进行调试时,流程在步骤后停止#3。当到达步骤 #4 时,我最终会看到此 URL 的 404 页面:
https://127.0.0.1/ServiceProvider/saml/post/ac
这里发生了什么?该模块不是应该拦截此 URL 并处理 SAML 响应吗?为什么这在 IIS Express 中有效,但在 azure 计算模拟器中无效?
这是 SAML 内容的 web.config:
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<modules runAllManagedModulesForAllRequests="true">
<add name="Saml2AuthenticationModule"
type="Microsoft.IdentityModel.Web.Saml2AuthenticationModule"/>
<add name="SessionAuthenticationModule"
type="Microsoft.IdentityModel.Web.SessionAuthenticationModule"/>
</modules>
...
</system.webServer>
...
<microsoft.identityModel>
<service>
<audienceUris>
<add value="https://www.mydomain.com/saml2/development/azure"/>
</audienceUris>
<certificateValidation certificateValidationMode="None"/>
<issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry">
<!-- The set of trusted issuers. -->
<trustedIssuers>
<add name="urn:samples:identityprovider" thumbprint="59 fc 9a da 58 86 31 8d 1d d5 f8 a6 0f 9a 53 f8 09 fc 0e 63"/>
</trustedIssuers>
</issuerNameRegistry>
<serviceTokenResolver type="Samples.Saml.Utilities.SampleServiceProviderSecurityTokenResolver"/>
<!-- Enable saveBootstrapTokens so the token visualizer can show the raw SAML assertion. -->
<securityTokenHandlers>
<securityTokenHandlerConfiguration saveBootstrapTokens="true">
</securityTokenHandlerConfiguration>
</securityTokenHandlers>
<federatedAuthentication>
<cookieHandler requireSsl="true"/>
</federatedAuthentication>
</service>
</microsoft.identityModel>
...
<microsoft.identityModel.saml metadata="saml2-azure.xml">
<identityProviders>
<metadata file="identityprovider.xml"/>
</identityProviders>
</microsoft.identityModel.saml>
saml2-azure 中的实体 ID 是 https:// www.mydomain.com/saml2/development/azure,具有上述 AssertionConsumerService URL,并且在测试中的 SP 和 IdP 中。
In IIS Express, using the Saml2AuthenticationModule (from the WIF Extension for SAML2 Protocol) results in the following application flow:
- User goes to Service Provider URL that invokes
Saml2AuthenticationModule.Current.SignIn(args); - The module routes a request to the Identity Provider.
- Depending on the SP's AssertionConsumerService metadata, the IdP sends an SSO response back to the SP. In my current tests, this URL is "{rootdomain}/
ServiceProvider/saml/post/ac". As far as I can tell, this URL is not configurable. - The module intercepts this response, does its thing to configure IClaimsIdentity, and then redirects flow back into the SP application (arg passed in step 1).
When targeting the Windows Azure Emulator instead of IIS Express, I changed the web.config to point to a different SP metadata file, with a different AssertionConsumerService that fits with the emulator URL:
<md:AssertionConsumerService index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://127.0.0.1/ServiceProvider/saml/post/ac" />
When debugging in the azure compute emulator, the flow stops after step #3. When it reaches step #4, I end up looking at a 404 page for this URL:
https://127.0.0.1/ServiceProvider/saml/post/ac
What's going on here? Isn't the module supposed to intercept this URL and process the SAML response? Why is this working in IIS Express but not in the azure compute emulator?
Here is the web.config for the SAML stuff:
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<modules runAllManagedModulesForAllRequests="true">
<add name="Saml2AuthenticationModule"
type="Microsoft.IdentityModel.Web.Saml2AuthenticationModule"/>
<add name="SessionAuthenticationModule"
type="Microsoft.IdentityModel.Web.SessionAuthenticationModule"/>
</modules>
...
</system.webServer>
...
<microsoft.identityModel>
<service>
<audienceUris>
<add value="https://www.mydomain.com/saml2/development/azure"/>
</audienceUris>
<certificateValidation certificateValidationMode="None"/>
<issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry">
<!-- The set of trusted issuers. -->
<trustedIssuers>
<add name="urn:samples:identityprovider" thumbprint="59 fc 9a da 58 86 31 8d 1d d5 f8 a6 0f 9a 53 f8 09 fc 0e 63"/>
</trustedIssuers>
</issuerNameRegistry>
<serviceTokenResolver type="Samples.Saml.Utilities.SampleServiceProviderSecurityTokenResolver"/>
<!-- Enable saveBootstrapTokens so the token visualizer can show the raw SAML assertion. -->
<securityTokenHandlers>
<securityTokenHandlerConfiguration saveBootstrapTokens="true">
</securityTokenHandlerConfiguration>
</securityTokenHandlers>
<federatedAuthentication>
<cookieHandler requireSsl="true"/>
</federatedAuthentication>
</service>
</microsoft.identityModel>
...
<microsoft.identityModel.saml metadata="saml2-azure.xml">
<identityProviders>
<metadata file="identityprovider.xml"/>
</identityProviders>
</microsoft.identityModel.saml>
The entityID in saml2-azure is https://www.mydomain.com/saml2/development/azure, has the above AssertionConsumerService URL, and is in both the SP and IdP under test.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论