当前位置：文江博客话题详情

azure acs

在多个主机上托管 ACS 应用程序

发布于 2024-12-28 05:44:46 字数 987 浏览 0 评论 0 原文

我正在使用 Windows Azure ACS 来构建单点登录应用程序。我正在使用 javascript/HTML 来收集用户信息。我面临的问题是我需要在不同的主机上托管我的应用程序，例如：

localhost
localhost:81
*.cloudapp.net
另一个内部主机，如 http://helloacs/

我尝试为每个主机创建多个依赖应用程序，但它仅适用于 localhost/localhost:81。我的 *.cloudapp.net 信赖方应用程序是这样配置的：

Name: *.cloudapp.net
Realm: *.cloudapp.net
Return URL: http://*.cloudapp.net/

我的登录页面正在构建回复 url，如下所示：

http://*.cloudapp.net/Login.aspx

这是我生成的对 IdentityProviders.js 的调用：

https://*.accesscontrol.windows.net/v2/metadata/IdentityProviders.js?protocol=wsfederation&realm=*.cloudapp.net&reply_to=http://*.cloudapp.net/Login.aspx&version=1.0&callback=ShowSigninPage

导航到身份提供商并登录后，我得到：

ACS30000: There was an error processing an OpenID sign-in response.

我怎样才能得到如果这不是解决方案，我的应用程序可以在多个主机上运行吗？

原文

I am using the Windows Azure ACS for building Single sign on application. I am using javascript/HTML to collect information from the user. The problem I am facing is that I need to host my application on different hosts, for example:

localhost
localhost:81
*.cloudapp.net
another internal host like http://helloacs/

I tried creating multiple Relying Applications for each of those hosts, but it worked only for localhost/localhost:81. My *.cloudapp.net relying party app is configured that way:

Name: *.cloudapp.net
Realm: *.cloudapp.net
Return URL: http://*.cloudapp.net/

My login page is building replyto url like this:

http://*.cloudapp.net/Login.aspx

This is my generated call to IdentityProviders.js:

https://*.accesscontrol.windows.net/v2/metadata/IdentityProviders.js?protocol=wsfederation&realm=*.cloudapp.net&reply_to=http://*.cloudapp.net/Login.aspx&version=1.0&callback=ShowSigninPage

After I navigate to the identity provider and login I get:

ACS30000: There was an error processing an OpenID sign-in response.

How can I get my application to work on multiple hosts if this is not the solution?

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

ˉ厌 2025-01-04 05:44:46

您为每个主机创建了多个依赖应用程序是正确的。但是，当您使用没有自定义代码的默认被动联合时，领域会在 web.config 文件中硬编码，如下所示：

  <microsoft.identityModel>
    <service>
     ..... 
     <audienceUris>
        <add value="http://localhost:4500/"/>
      </audienceUris>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true" 
                      issuer="https://staykov.accesscontrol.windows.net/v2/wsfederation" 
                      realm="http://localhost:4500/"
                      requireHttps="false" />
        <cookieHandler requireSsl="false" />
      </federatedAuthentication>

如果您希望同一应用程序在多个主机名下同时运行，则必须添加一些内容编码。如果您需要在不同域下测试相同的应用程序 - 只需将 web.config 中的领域更改为相应的依赖方应用程序地址即可。您必须更改“audienceUris”部分中的地址以及“wsFederation”元素中的“realm”属性。如果 realm 属性与应用程序运行的域不同，身份验证将失败。

查看此和那个问题 - 都指向相同的文档和示例如何更改领域，以防万一您希望在多个域下为您的应用程序提供服务。我会寻找更多样本。

并查看这里如何更改领域/返回地址/

It is correct that you have create multiple Relying Applications for each of those hosts. However when you use the default passive federation with no custom code, the realm is hard coded in your web.config file like this:

  <microsoft.identityModel>
    <service>
     ..... 
     <audienceUris>
        <add value="http://localhost:4500/"/>
      </audienceUris>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true" 
                      issuer="https://staykov.accesscontrol.windows.net/v2/wsfederation" 
                      realm="http://localhost:4500/"
                      requireHttps="false" />
        <cookieHandler requireSsl="false" />
      </federatedAuthentication>

If you want the same application to run at the same time under multiple host names, you have to add a little coding. If you need to just test same application under different domain - just change the realm in the web.config to the respective Relying party application address. You have to change the address in "audienceUris" section and the "realm" attribute in the "wsFederation" element. If the realm attribute is different than the domain your application runs, authentication will fail.

Check out this and that questions - both pointing to same documentation and samples how to change the realm, in case you want to serve your application under multiple domains. I will look over for more samples.

And look over here on how to change realm/return address/

回复收藏 0 原文

溺渁∝ 2025-01-04 05:44:46

我面临着类似的问题。我有两个 RP，一个使用 Windows Live Id 和 ADFS，第二个仅使用 ADFS。两个 RP 都指向同一个云服务，因此当我访问 https://orgB.myDomanin.com 时，我被重定向到 ACS，但正在使用我在 web.config 中指定的领域，例如：

https://name.accesscontrol.windows.net/v2/wsfederation?wa=sigin1.0&wtrealm=https%3a%2f%orgA.myDomain.com%2....

如果我像这样手动更改此设置：

https://name.accesscontrol.windows.net/v2/wsfederation?wa=sigin1.0&wtrealm=https%3a%2f%orgB.myDomain.com%2

可以正常工作。

最后我在 Sandrino 入门博客中找到了解决方案： http://fabriccontroller.net/blog/a-few-tips-to-get-up-and-running-with-theazure-appfabric-access-control-service，请参阅 '更新您的领域部分。如果博客无法访问，我将代码复制到此处，它必须位于此方法内：

private void WSFederationAuthenticationModule_RedirectingToIdentityProvider(object sender, RedirectingToIdentityProviderEventArgs e)
{
    // Get the request url.
    var request = HttpContext.Current.Request;
    var requestUrl = request.Url;

    // Build the realm url.
    var realmUrl = new StringBuilder();
    realmUrl.Append(requestUrl.Scheme);
    realmUrl.Append("://");
    realmUrl.Append(request.Headers["Host"] ?? requestUrl.Authority);
    realmUrl.Append(request.ApplicationPath);
    if (!request.ApplicationPath.EndsWith("/"))
        realmUrl.Append("/");
    e.SignInRequestMessage.Realm = realmUrl.ToString();
}

I was facing a similar issue like this. I had two RP, one using Windows Live Id and ADFS and the second using just ADFS. Both RP are pointing to the same cloud service, so when I went to https://orgB.myDomanin.com, I was redirected to ACS but was using the realm that I specified in the web.config, something like:

https://name.accesscontrol.windows.net/v2/wsfederation?wa=sigin1.0&wtrealm=https%3a%2f%orgA.myDomain.com%2....

If I changed this manually like this:

https://name.accesscontrol.windows.net/v2/wsfederation?wa=sigin1.0&wtrealm=https%3a%2f%orgB.myDomain.com%2

Works like it should.

Finally I found the solution in a Sandrino entry blog: http://fabriccontroller.net/blog/a-few-tips-to-get-up-and-running-with-theazure-appfabric-access-control-service, see 'Updating your realm' section. In case the blog is inaccessible I copy the code here, it has to be inside this method:

private void WSFederationAuthenticationModule_RedirectingToIdentityProvider(object sender, RedirectingToIdentityProviderEventArgs e)
{
    // Get the request url.
    var request = HttpContext.Current.Request;
    var requestUrl = request.Url;

    // Build the realm url.
    var realmUrl = new StringBuilder();
    realmUrl.Append(requestUrl.Scheme);
    realmUrl.Append("://");
    realmUrl.Append(request.Headers["Host"] ?? requestUrl.Authority);
    realmUrl.Append(request.ApplicationPath);
    if (!request.ApplicationPath.EndsWith("/"))
        realmUrl.Append("/");
    e.SignInRequestMessage.Realm = realmUrl.ToString();
}

回复收藏 0 原文