I'm trying to actively query ADFS from an MVC 4.0 project. We will have multiple STSs, and I can't see how to handle that with my current understanding of how "passive" authentication is configured.
I'm able to get a token back from the ADFS server, but when I try to read the token I get a cryptography error with an inner exception of "The data is invalid".
*The advice about the ApplicationPool is not my issue.
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.IO;
using System.Linq;
using System.Security.Claims;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Xml;

// OtherStsAddress / YourStsAddress are the two STS endpoint URLs (placeholders, as in the original snippet)
SecurityToken RequestSecurityToken(string domain, string username, string password)
{
    // Active WS-Trust 1.3 request: username/password sent as message credential over TLS
    EndpointAddress endpointAddress = new EndpointAddress(OtherStsAddress);
    UserNameWSTrustBinding binding = new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential);
    WSTrustChannelFactory factory = new WSTrustChannelFactory(binding, endpointAddress);
    factory.Credentials.UserName.UserName = string.Concat(domain, "\\", username);
    factory.Credentials.UserName.Password = password;
    factory.TrustVersion = TrustVersion.WSTrust13;
    WSTrustChannel channel = (WSTrustChannel)factory.CreateChannel();

    RequestSecurityToken rst = new RequestSecurityToken(RequestTypes.Issue, KeyTypes.Symmetric);
    rst.AppliesTo = new EndpointReference(YourStsAddress);
    var genericToken = channel.Issue(rst) as GenericXmlSecurityToken;

    // Hand the issued token XML to the web app's configured handler collection
    var handlers = FederatedAuthentication.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers;
    // blowing up here
    var token = handlers.ReadToken(new XmlTextReader(new StringReader(genericToken.TokenXml.OuterXml)));
    var identity = handlers.ValidateToken(token).First();
    var sessionToken = new SessionSecurityToken(new ClaimsPrincipal(identity));
    FederatedAuthentication.WSFederationAuthenticationModule.SetPrincipalAndWriteSessionToken(sessionToken, true);
    return token;
}
The exception is as follows:
System.InvalidOperationException: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false. ---> System.Security.Cryptography.CryptographicException: The data is invalid.
at System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope)
at System.IdentityModel.ProtectedDataCookieTransform.Decode(Byte[] encoded)
--- End of inner exception stack trace ---
at System.IdentityModel.ProtectedDataCookieTransform.Decode(Byte[] encoded)
at System.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound)
at System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver)
at System.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
at Compass.SupplyChain.UI.Controllers.Registration.RegistrationController.RequestSecurityToken(String domain, String username, String password)
Any pointers would be appreciated, even if you don't have a direct answer. I'm not even sure what to do next. At this point, Googling isn't even returning useful results. Or maybe I'm just brain-dead right now.
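The stack trace above shows that SecurityTokenHandlerCollection.ReadToken dispatched the issued token to SessionSecurityTokenHandler, whose ReadToken runs the session-cookie transforms (ProtectedData/DPAPI); that decode step is what raises ID1073, so the DPAPI error is a symptom of the wrong handler being chosen rather than the cause. The following diagnostic is an added example, not code from the question or from WIF; it assumes the same WIF 4.5 types the question uses (System.IdentityModel.Tokens) and takes the GenericXmlSecurityToken returned by channel.Issue plus the configured handler collection. It reports the root element of the token XML and which configured handlers claim it via CanReadToken, so you can see what the STS actually returned and whether a SAML handler is in the collection at all. The class and method names (IssuedTokenProbe, Describe) are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.IO;
using System.Xml;

// Added diagnostic (not part of the original post). Given the GenericXmlSecurityToken
// returned by WSTrustChannel.Issue and the web app's SecurityTokenHandlerCollection,
// report the token's root element and which handler(s) would accept it.
public static class IssuedTokenProbe
{
    public static string Describe(GenericXmlSecurityToken issued, SecurityTokenHandlerCollection handlers)
    {
        if (issued == null) throw new ArgumentNullException("issued");
        if (handlers == null) throw new ArgumentNullException("handlers");

        // Root element name/namespace is what CanReadToken implementations key on
        XmlElement root = issued.TokenXml;
        var report = new List<string>();
        report.Add(string.Format("Issued token root element: {{{0}}}{1}", root.NamespaceURI, root.LocalName));

        // Probe each configured handler with a fresh reader: CanReadToken inspects
        // the reader's current position, so a reader must not be shared between probes.
        foreach (SecurityTokenHandler handler in handlers)
        {
            bool accepts;
            using (var reader = new XmlTextReader(new StringReader(root.OuterXml)))
            {
                accepts = handler.CanReadToken(reader);
            }
            report.Add(string.Format("{0}: CanReadToken = {1}", handler.GetType().Name, accepts));
        }

        return string.Join(Environment.NewLine, report);
    }
}
```

Call it just before the failing ReadToken, e.g. `System.Diagnostics.Trace.WriteLine(IssuedTokenProbe.Describe(genericToken, handlers));`. If the report shows SessionSecurityTokenHandler as the only handler returning true, the collection dispatch in the question is working as designed for the element the STS returned, and the question becomes why ADFS returned that element type for this RST; if a Saml2SecurityTokenHandler or SamlSecurityTokenHandler also returns true, you can read the token with that handler's ReadToken directly instead of going through the collection.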