我们有一个自主开发的 webapp A 和一个第 3 方 webapp B。两者都是我们在 Windows 2019 数据中心上的本地 ADFS 4.0 服务器中的依赖方。
Webapp A 使用 WS-Federation,webapp B 可能使用 SAML 2.0,但不能 100% 确定。Webapp A 没有签名证书。Webapp B 具有有效的签名证书。
只要这发生在不同的浏览器会话中,用户就可以登录到 webapp A 和 webapp B 并退出而不会出现任何问题。
但是,如果用户在 webapp A 中并打开另一个浏览器选项卡以转到 webapp B,并尝试从 webapp A 注销,他们会收到错误“MSIS7054:SAML 注销未正确完成”。
ADFS 事件查看器显示以下异常:
The Federation Service encountered an error while processing the SAML authentication request.
Additional Data
Exception details:
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = Microsoft.IdentityServer.Tokens.MSISSecurityKeyIdentifierClause
)
'. Ensure that the SecurityTokenResolver is populated with the required key.
at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.ResolveSigningCredentials()
at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.OnEndOfRootElement()
at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.Read()
at System.Xml.XmlReader.ReadEndElement()
at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadLogoutRequest(XmlReader reader)
at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
at Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Logout(HttpSamlMessage logoutMessage, String sessionState, String logoutState, Boolean partialLogout, Boolean isUrlTranslationNeeded, HttpSamlMessage& newLogoutMessage, String& newSessionState, String& newLogoutState, Boolean& validLogoutRequest)
Webapp A 是一个 dotnet 核心 MVC 应用程序。这是退出代码:
[Authorize]
public async Task SignOut()
{
//redirect to /signoutcallback after signout
await SignOutCustom("/signoutcallback");
}
[Authorize]
public async Task SignOutCustom(string redirectUri)
{
await HttpContext.SignOutAsync("Cookies");
var prop = new AuthenticationProperties { RedirectUri = redirectUri };
//redirect to provided target
await HttpContext.SignOutAsync("WsFederation", prop);
}
[AllowAnonymous]
public ActionResult SignOutCallback()
{
if (User.Identity.IsAuthenticated)
{
// Redirect to home page if the user is authenticated.
return RedirectToAction("Index", "Home");
}
return View();
}
启动.cs
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(sharedOptions =>
{
sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
sharedOptions.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
})
.AddWsFederation(options =>
{
options.Wtrealm = Configuration["Federation:idaWtrealm"];
options.MetadataAddress = Configuration["Federation:idaADFSMetadata"];
})
.AddCookie();
Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;
services.AddControllersWithViews(options =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
options.Filters.Add(new AuthorizeFilter(policy));
});
services.AddRazorPages();
services.AddRouting(options => options.LowercaseUrls = true);
services.AddHttpContextAccessor();
// Add functionality to inject IOptions<T>
services.AddOptions();
// Add our Config object so it can be injected
services.Configure<EndpointOptions>(Configuration.GetSection("Endpoints"));
}
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/home/error");
}
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllerRoute(
name: "default",
pattern: "{controller=Home}/{action=Index}");
endpoints.MapRazorPages();
});
}