I need to perform the complete ADFS login in code. I cannot redirect the user to the ADFS login page. The user has already been authenticated by a custom authentication mechanism, and I use the same credentials to authenticate against ADFS so that SSO into SAP EP can be enabled.
I can successfully retrieve a SAML token from ADFS, but SAP apparently only handles the out-of-the-box authentication. So I need to authenticate the whole session.
This is what I have right now:
Retrieving the token:
// Namespaces assumed for the WIF classes built into .NET 4.5 (System.IdentityModel);
// on WIF 3.5 the equivalents live under Microsoft.IdentityModel.*.
using System.Globalization;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;

// HTTPS for transport security plus a UserName token inside the message, which is what
// the ADFS WS-Trust 1.3 /adfs/services/trust/13/usernamemixed endpoint expects.
var binding = new WS2007HttpBinding();
binding.Security.Message.EstablishSecurityContext = false;
binding.Security.Message.NegotiateServiceCredential = false;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
binding.Security.Mode = SecurityMode.TransportWithMessageCredential;

var trustChannelFactory = new WSTrustChannelFactory(binding, new EndpointAddress(AppSettings.AdfsUrl));
trustChannelFactory.TrustVersion = TrustVersion.WSTrust13;
// The user's password is stored in reversible form and decrypted with a per-user key.
trustChannelFactory.Credentials.UserName.UserName = user.UserName;
trustChannelFactory.Credentials.UserName.Password = PasswordService.Decrypt(user.UserPassword, user.UserID.ToString(CultureInfo.InvariantCulture));
trustChannelFactory.ConfigureChannelFactory();

// Build the RST: an Issue request for a bearer token (no proof key) scoped to the portal URL.
var requestToken = new RequestSecurityToken(WSTrust13Constants.RequestTypes.Issue);
requestToken.AppliesTo = new EndpointAddress(AppSettings.ServicePortalUrl);
requestToken.KeyType = WSTrust13Constants.KeyTypes.Bearer;

var tokenClient = (WSTrustChannel) trustChannelFactory.CreateChannel();
// The RSTR carries the raw SAML assertion as a GenericXmlSecurityToken
// (the cast yields null if ADFS returned some other token type).
var token = tokenClient.Issue(requestToken) as GenericXmlSecurityToken;
return token;
And trying to get the claims so that I can put the user principal in the HttpContext before redirecting to the SAP portal (long shot):
using System.IO;
using System.Linq;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.ServiceModel.Security;
using System.Web;
using System.Xml;

var tokenHandlers = new SecurityTokenHandlerCollection(new SecurityTokenHandler[] { new SamlSecurityTokenHandler() });
tokenHandlers.First().Configuration.AudienceRestriction.AudienceMode = AudienceUriMode.Never;
tokenHandlers.First().Configuration.CertificateValidationMode = X509CertificateValidationMode.None;
tokenHandlers.Configuration.CertificateValidationMode = X509CertificateValidationMode.None;
// TrustedIssuerNameRegistry is the application's own IssuerNameRegistry subclass (not shown here).
var trusted = new TrustedIssuerNameRegistry("*.domain.com");
tokenHandlers.Configuration.IssuerNameRegistry = trusted;
var samlToken = tokenHandlers.ReadToken(new XmlTextReader(new StringReader(token.TokenXml.OuterXml)));
var claimsPrincipal = new ClaimsPrincipal(tokenHandlers.ValidateToken(samlToken).First());
HttpContext.Current.User = claimsPrincipal;
This doesn't work, because I keep getting X509 certificate validation errors.
What I have tried:
- Supplying the SAML signature as the MYSAPSSO2 token (long shot, didn't work)
- Putting the user principal in the HTTP context, because I saw that SAP looks for an IPrincipal in the HTTP context (couldn't get it to work)
- Setting the MSISAuthenticated cookie, but I don't know how to obtain its value (a base64 timestamp of the moment of authentication?)
Is there something obvious I am overlooking? Basically, I just want to perform the same authentication as the ADFS login page, but in code, so that the user doesn't see a second login page.
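As an added example (not from the post above and not the poster's code), the following shows how the WIF token handlers in .NET 4.5's System.IdentityModel can be configured to validate an ADFS-issued SAML bearer token in code by pinning the ADFS token-signing certificate thumbprint and enforcing the audience, instead of turning certificate validation off and accepting any issuer matching a wildcard. The thumbprint, issuer name and relying-party identifier below are placeholder assumptions, and `issued` is assumed to be the GenericXmlSecurityToken returned by the WS-Trust Issue call.

```csharp
// Added example, not part of the original post. Assumes .NET 4.5 with the built-in
// System.IdentityModel (WIF) and that the ADFS token-signing certificate thumbprint is known.
using System;
using System.Collections.ObjectModel;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.IO;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel.Security;
using System.Xml;

static class AdfsTokenValidator
{
    // Placeholder values (assumptions): use the real ADFS token-signing certificate
    // thumbprint, the ADFS issuer identifier and the relying party identifier that was
    // sent as AppliesTo in the RST.
    const string AdfsSigningThumbprint = "0000000000000000000000000000000000000000";
    const string AdfsIssuerName = "http://adfs.domain.com/adfs/services/trust";
    const string RelyingPartyId = "https://portal.domain.com/";

    static SecurityTokenHandlerCollection BuildHandlers()
    {
        var config = new SecurityTokenHandlerConfiguration();

        // Reject assertions whose <Audience> is not this relying party.
        config.AudienceRestriction.AudienceMode = AudienceUriMode.Always;
        config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(RelyingPartyId));

        // Trust is decided by pinning the signing certificate thumbprint in the issuer
        // name registry. ADFS token-signing certificates are usually self-signed, so a
        // chain-trust check would fail; this is the same pairing WIF's default federation
        // configuration uses (certificateValidationMode="None" plus an issuer registry).
        var registry = new ConfigurationBasedIssuerNameRegistry();
        registry.AddTrustedIssuer(AdfsSigningThumbprint, AdfsIssuerName);
        config.IssuerNameRegistry = registry;
        config.CertificateValidationMode = X509CertificateValidationMode.None;
        config.RevocationMode = X509RevocationMode.NoCheck;

        // Bound the NotBefore/NotOnOrAfter window and reject a replayed assertion
        // (uses WIF's default in-memory token replay cache).
        config.MaxClockSkew = TimeSpan.FromMinutes(2);
        config.DetectReplayedTokens = true;

        // The default collection contains both the SAML 1.1 and SAML 2.0 handlers,
        // so it works whichever token type ADFS is configured to issue for this RP.
        return SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(config);
    }

    // Parses the raw assertion from the RSTR, verifies its signature against the pinned
    // certificate, checks audience and validity, and returns the resulting principal.
    public static ClaimsPrincipal Validate(GenericXmlSecurityToken issued)
    {
        SecurityTokenHandlerCollection handlers = BuildHandlers();
        SecurityToken token;
        using (var reader = XmlReader.Create(new StringReader(issued.TokenXml.OuterXml)))
        {
            token = handlers.ReadToken(reader);
        }
        ReadOnlyCollection<ClaimsIdentity> identities = handlers.ValidateToken(token);
        return new ClaimsPrincipal(identities);
    }
}
```

The thumbprint is the one shown for the token-signing certificate in the ADFS management console or published in the federation metadata; anyone able to present a token signed by a certificate that is not in the registry is rejected before any claims are read. Note that this only establishes the assertion is genuine and addressed to this relying party; it does not by itself create an SAP EP session, which is the separate problem the post is asking about.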