WIF BootstrapToken 已过期
我正在使用由 WIF 保护的 ASP.NET MVC + WCF 开发 Web 应用程序。我正在使用主动 STS。 我遇到 BootstrapToken 过期但 SessionSecurityToken 由于滑动过期而仍然有效的情况。我遇到异常:
ID3242:无法对安全令牌进行身份验证或授权。
- 我可以延长 bootstraptoken 过期时间吗?
- SAM 不检查 cookie 内的 bootstraptoken 是否过期,这是否是有效的行为?在我滑动会话过期的同一事件中,最好的检查位置是什么?
I'm developing web application using ASP.NET MVC + WCF secured by WIF. I'm using active STS.
I have a problem with situation where BootstrapToken expired but SessionSecurityToken is still valid because of sliding expiration. I got exception:
ID3242: The security token could not be authenticated or authorized.
- Can I extend bootstraptoken expiration time?
- Is it valid behavior of SAM that it doesn't check if bootstraptoken inside cookie expired. What is the best place to check that - in the same event where I slid session expiration?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
SAM 不将引导令牌包含在会话 cookie 中。一旦 SAM 对其进行验证并建立会话,引导令牌实际上会默认被丢弃。因此,回答您的问题:
只有签署引导令牌的身份提供商才能控制令牌的生命周期。 SAM 无法更改这一点。
SAM 仅在身份验证期间验证引导程序过期时间。一旦完成此操作并建立会话,SAM 就不再需要引导令牌。
SAM
The SAM does not include the bootstrap token in the session cookie. Once the SAM validates it and establishes a session, the bootstrap token is actually discarded by default. So to answer your questions:
Only the identity provider that signed the bootstrap token has control over the token's lifetime. The SAM cannot change this.
The SAM only validates the bootstrap expiration time during authentication. Once it's done this and a session is established, the SAM no longer needs the bootstrap token.
以下是我在这篇帖子中的回答副本。
如果您使用 Microsoft 的 Active Directory 联合身份验证服务 (AD FS),则可以将 AD FS 依赖方令牌的超时调整/增加得更长,这将延长引导令牌的生命周期。
例如,我们遇到了一个问题:我们正在获取新的会话令牌,但在 AD FS Web SSO 超时之前仍然出现超时。一位开发人员发现有一个设置可以延长依赖方令牌的生命周期,该设置与 Windows Identity Foundation (WIF) 中的引导令牌相关。
设置如下:
将依赖方令牌的超时设置为与 Web SSO 令牌超时相同后,它就起作用了。
注意:您可以使用以下命令检查当前依赖方令牌的超时:
注意二:您可以通过打开 AD FS 管理工具,单击左侧导航窗格中的“AD FS”,然后单击“编辑”来检查 Web SSO 令牌的超时。联合身份验证服务属性...”位于右窗格的“操作”窗格中。
Below is a copy of my answer from this post.
If you're using Microsoft's Active Directory Federation Services (AD FS), then you can adjust/increase the timeout of the AD FS relying party token to be longer, which will extend the lifetime of the bootstrap token.
For example, we had an issue where we were getting new session tokens, but we still had timeouts before the AD FS Web SSO timeout. One of the developers discovered that there is a setting to extend the relying party token's lifetime, which correlates to the bootstrap token in Windows Identity Foundation (WIF).
The setting is below:
After we set the relying party token's timeout to be the same as the Web SSO token timeout, then it worked.
Note: You can check the current relying party token's timeout with the following command:
Note II: You can check the Web SSO token's timeout by opening the AD FS Management tool, clicking "AD FS" in the left navigation pane, then click "Edit Federation Service Properties..." in the Actions pane in the right pane.