2

作为上下文:我正在尝试使用 ITfoxtec.Identity.Saml2 库实现 SAML2.0 身份验证。我想为一个服务提供者使用多个证书,因为不同的客户端可以登录到服务提供者,并且每个客户端都可以拥有自己的证书。当 SAML 请求发生时,我需要第三方登录服务可以从我的服务提供者 metadata.xml 的证书列表中进行选择。ITfoxtec.Identity.Saml2 库是否支持这种可能性,或者是否有一些解决方法可以实现它?谢谢你

4

1 回答 1

3

您通常会有一个 Saml2Configuration。但在你的情况下,我会实现一些 Saml2Configuration 逻辑,我可以在其中请求具有当前证书(SigningCertificate/DecryptionCertificate)的特定 Saml2Configuration。然后在 AuthController 中使用这个特定的 Saml2Configuration。

然后元数据 (MetadataController) 将调用 Saml2Configuration 逻辑以获取所有证书的列表。

像这样的东西:

public class MetadataController : Controller
{
    private readonly Saml2Configuration config;
    private readonly Saml2ConfigurationLogic saml2ConfigurationLogic;

    public MetadataController(IOptions<Saml2Configuration> configAccessor, Saml2ConfigurationLogic saml2ConfigurationLogic)
    {
        config = configAccessor.Value;
        this.saml2ConfigurationLogic = saml2ConfigurationLogic;
    }

    public IActionResult Index()
    {
        var defaultSite = new Uri($"{Request.Scheme}://{Request.Host.ToUriComponent()}/");

        var entityDescriptor = new EntityDescriptor(config);
        entityDescriptor.ValidUntil = 365;
        entityDescriptor.SPSsoDescriptor = new SPSsoDescriptor
        {
            WantAssertionsSigned = true,
            SigningCertificates = saml2ConfigurationLogic.GetAllSigningCertificates(),
            //EncryptionCertificates = saml2ConfigurationLogic.GetAllEncryptionCertificates(),
            SingleLogoutServices = new SingleLogoutService[]
            {
                new SingleLogoutService { Binding = ProtocolBindings.HttpPost, Location = new Uri(defaultSite, "Auth/SingleLogout"), ResponseLocation = new Uri(defaultSite, "Auth/LoggedOut") }
            },
            NameIDFormats = new Uri[] { NameIdentifierFormats.X509SubjectName },
            AssertionConsumerServices = new AssertionConsumerService[]
            {
                new AssertionConsumerService {  Binding = ProtocolBindings.HttpPost, Location = new Uri(defaultSite, "Auth/AssertionConsumerService") }
            },
            AttributeConsumingServices = new AttributeConsumingService[]
            {
                new AttributeConsumingService { ServiceName = new ServiceName("Some SP", "en"), RequestedAttributes = CreateRequestedAttributes() }
            },
        };
        entityDescriptor.ContactPerson = new ContactPerson(ContactTypes.Administrative)
        {
            Company = "Some Company",
            GivenName = "Some Given Name",
            SurName = "Some Sur Name",
            EmailAddress = "some@some-domain.com",
            TelephoneNumber = "11111111",
        };
        return new Saml2Metadata(entityDescriptor).CreateMetadata().ToActionResult();
    }

    private IEnumerable<RequestedAttribute> CreateRequestedAttributes()
    {
        yield return new RequestedAttribute("urn:oid:2.5.4.4");
        yield return new RequestedAttribute("urn:oid:2.5.4.3", false);
    }
}
于 2019-11-21T09:18:13.837 回答