0

我正在使用 idp 发起的 SSO 流。我正在使用使用 OWIN 中间件的 Kentor.AuthServices。

除了在成功处理 SAML 响应后控件到达我的回调方法时,用户身份没有得到设置之外,大部分流程都有效。

在 web.config 中设置:

<kentor.authServices entityId="https://one-staging.com/MVSAMLServiceProvider" 
                     returnUrl="https://5814a15e.ngrok.io/api/Account/UnsolicitedExternalLogin">
    <identityProviders>
      <add entityId="https://shibidp.edu/idp/shibboleth"
          metadataLocation = "~/Providers/SAML2/Metadata/shibidp.edu.xml"
          allowUnsolicitedAuthnResponse="false" 
          disableOutboundLogoutRequests="false"
          binding="HttpRedirect">
      </add>
      <add entityId="abb:one:saml20:idp"
           metadataLocation="~/Providers/SAML2/Metadata/abb.xml"
           allowUnsolicitedAuthnResponse="true"
           disableOutboundLogoutRequests="false"
           binding="HttpRedirect">
      </add>
    </identityProviders>
</kentor.authServices>

这是我的 Startup.cs:

public void ConfigureOAuth(IAppBuilder app)
{
    app.UseExternalSignInCookie(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ExternalCookie);

    OAuthBearerOptions = new OAuthBearerAuthenticationOptions();
    OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
    {
        //For Dev enviroment only (on production should be AllowInsecureHttp = false)
        AllowInsecureHttp = true,
        TokenEndpointPath = new PathString("/oauth2/token"),
        AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30),
        Provider = new CustomOAuthProvider(),
        AccessTokenFormat = new CustomJwtFormat()
    };

    // OAuth 2.0 Bearer Access Token Generation
    app.UseOAuthAuthorizationServer(OAuthServerOptions);
    app.UseOAuthBearerAuthentication(OAuthBearerOptions);

    googleAuthOptions = new GoogleOAuth2AuthenticationOptions()
    {
        ClientId = System.Configuration.ConfigurationManager.AppSettings["GoogleClientId"],
        ClientSecret = System.Configuration.ConfigurationManager.AppSettings["GoogleClientSecret"],
        Provider = new GoogleAuthProvider()
    };
    app.UseGoogleAuthentication(googleAuthOptions);


    app.Use(async (Context, next) =>{await next.Invoke();});    
    app.UseKentorAuthServicesAuthentication(CreateSAMLAuthServicesOptions());
    app.Use(async (Context, next) =>{await next.Invoke();});
}

以下是 Kentor 日志(日志中没有错误):

DEBUG 2018-12-28 14:02:32,682  8859ms emv-authService-logger MoveNext           - Received unsolicited Saml Response _t0r6DHtsGygxkYcfNzdkEs72.M which is allowed for idp abb:one:saml20:idp
DEBUG 2018-12-28 14:02:32,729  8906ms emv-authService-logger MoveNext           - Signature validation passed for Saml Response _t0r6DHtsGygxkYcfNzdkEs72.M
DEBUG 2018-12-28 14:02:32,729  8906ms emv-authService-logger MoveNext           - Extracted SAML assertion oN4v.k9x2GE7s5S8OdeNWS.93j9
DEBUG 2018-12-28 14:02:32,729  8906ms emv-authService-logger MoveNext           - Validated conditions for SAML2 Response _t0r6DHtsGygxkYcfNzdkEs72.M
INFO  2018-12-28 14:02:32,729  8906ms emv-authService-logger ProcessResponse    - Successfully processed SAML response _t0r6DHtsGygxkYcfNzdkEs72.M and authenticated 10035094

最后我的重定向方法:

[OverrideAuthentication]
[HostAuthentication(DefaultAuthenticationTypes.ApplicationCookie)]
[AllowAnonymous]
[Route("UnsolicitedExternalLogin", Name = "UnsolicitedExternalLogin")]
public async void GetUnsolicitedExternalLogin()
{
    bool isAuthenticated = User.Identity.IsAuthenticated; //getting false
}

不幸的是,我已经被这个问题困扰了一个星期。我相信这真的很接近完成,所以任何帮助将不胜感激。

谢谢!

4

1 回答 1

1

查看代码,我认为身份验证方案不匹配。

在管道设置中,设置了用于外部身份验证方案的 cookie 中间件。但在GetUnsolicitedExternalLogin方法中,ApplicationCookie引用了方案。将其更改为引用外部方案。

~/AuthServices/Acs检查重定向 from是否GetUnsolicitedExternalLogin设置了外部身份验证 cookie也是一个好主意。

于 2019-01-02T20:45:01.403 回答