saml-2.0 - thinktecture identityserver 2 - 在应用程序和 IdP 之间弹跳

Question

我们在同一台服务器上部署了 3 个应用程序。1 个应用程序按预期工作，允许我们识别 thinktecture 身份服务器 2，没有问题。其他 2 个应用程序具有以下模式：

1. 转到应用程序 URL
2. 由于您未登录，因此您将按预期重定向到 IdP
3. 您登录 IdP 并获得 IdP cookie
4. 您被带回应用程序
5. 应用程序确定您未登录，并将您发送回 IdP
6. IdP 决定您已登录并将您发送回应用程序
7. 无限重复步骤 5 和 6

我们正在使用 SAML 2.0。

来自工作应用程序的 web.config 的片段：

<system.serviceModel>
<bindings>
  <wsHttpBinding>
    <binding name="WSHttpBinding_IArmDAL" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288" maxReceivedMessageSize="1262144" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
      <readerQuotas maxDepth="32" maxStringContentLength="65536" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
      <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
      <security mode="Message">
        <transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />
        <message clientCredentialType="Windows" negotiateServiceCredential="true" algorithmSuite="Default" establishSecurityContext="true" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>
<client>
  <endpoint address="http://localhost:81/ArmDAL.svc" binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IArmDAL" contract="ArmDALService.IArmDAL" name="WSHttpBinding_IArmDAL">
    <identity>
      <dns value="localhost" />
    </identity>
  </endpoint>
</client>
</system.serviceModel>
<system.identityModel>
<identityConfiguration>
  <tokenReplayDetection enabled="true" />
  <audienceUris>
    <add value="https://Z.com/" />

  </audienceUris>
  <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
    <authority name="http://idp.com/IdentityServer">
      <keys>
        <add thumbprint="FD2BA696B57FD24D597034D4EC308D010D506C9A" />
      </keys>
      <validIssuers>
        <add name="http://idp.com/IdentityServer" />
      </validIssuers>
    </authority>
  </issuerNameRegistry>
  <!--certificationValidationMode set to "None" by the the Identity and Access Tool for Visual Studio. For development purposes.-->
  <securityTokenHandlers>
    <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
  </securityTokenHandlers>
  <certificateValidation certificateValidationMode="None" />
</identityConfiguration>
</system.identityModel>
<system.identityModel.services>
<federationConfiguration>
  <cookieHandler requireSsl="false" />
  <wsFederation passiveRedirectEnabled="true" issuer="https://idp-alpha.com/issue/wsfed" realm="https://z.com/" requireHttps="false" />
</federationConfiguration>
</system.identityModel.services>

来自 web.config 的不工作应用程序的片段

<system.identityModel>
 <identityConfiguration>
  <tokenReplayDetection enabled="true" />
  <audienceUris>
    <add value="https://X.com/" />

  </audienceUris>
  <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
    <authority name="http://IdP.com/IdentityServer">
      <keys>
        <add thumbprint="FD2BA696B57FD24D597034D4EC308D010D506C9A" />
      </keys>
      <validIssuers>
        <add name="http://IdP.com/IdentityServer" />
      </validIssuers>
    </authority>
  </issuerNameRegistry>
  <!--certificationValidationMode set to "None" by the the Identity and Access Tool for Visual Studio. For development purposes.-->
  <securityTokenHandlers>
    <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
  </securityTokenHandlers>
  <certificateValidation certificateValidationMode="None" />
</identityConfiguration>
</system.identityModel>
<system.identityModel.services>
<federationConfiguration>
  <cookieHandler requireSsl="false" />
  <wsFederation passiveRedirectEnabled="true" issuer="https://idp-alphacom/issue/wsfed" realm="https://X.com/" requireHttps="false" />
</federationConfiguration>
</system.identityModel.services>

Answer 1

您是否在依赖方中捕获错误？如果您正在获取令牌重放检测，您可以将其关闭

<tokenReplayDetection enabled="false" />