We have a site in Sitecore 9.3 to which we are trying to add SAML SSO. We have a federated SAML IdP. The Assertion Consumer Service URL configured in the IdP points to a route in our SP (a controller action in a custom Sitecore MVC controller).
After a successful login I am redirected to that assertion consumer URL. But in the corresponding controller, both HttpContext.User.Identity.IsAuthenticated and Sitecore.Context.User.IsAuthenticated are false, and Sitecore.Context.User.Identity.Name is extranet\Anonymous. Also, I am not sure at which point in the login process AcsCommandResultCreated is invoked, and how the claims are passed on to the controller.
I am following the example shown in this blog post: https://blogs.perficient.com/2018/06/06/federated-authentication-in-sitecore-9-part-3-implementation-of-saml2p/
I am not sure whether something is missing on my Sitecore configuration side or on the Sustainsys side. Any help would be appreciated.
Sitecore configuration:
<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/" xmlns:role="http://www.sitecore.net/xmlconfig/role/">
  <sitecore>
    <federatedAuthentication>
      <identityProviders>
        <identityProvider id="SamlIDP" type="Sitecore.Owin.Authentication.Configuration.DefaultIdentityProvider, Sitecore.Owin.Authentication">
          <param desc="name">$(id)</param>
          <param desc="domainManager" type="Sitecore.Abstractions.BaseDomainManager" resolve="true" />
          <caption>Log in with SamlIDP</caption>
          <domain>extranet</domain>
          <triggerExternalSignOut>false</triggerExternalSignOut>
        </identityProvider>
      </identityProviders>
      <identityProvidersPerSites>
        <mapEntry name="sites with SamlIDP authentication" type="Sitecore.Owin.Authentication.Collections.IdentityProvidersPerSitesMapEntry, Sitecore.Owin.Authentication" resolve="true">
          <identityProviders hint="list:AddIdentityProvider">
            <identityProvider ref="federatedAuthentication/identityProviders/identityProvider[@id='SamlIDP']" />
          </identityProviders>
          <sites hint="list">
            <site>website</site>
          </sites>
          <externalUserBuilder type="Sitecore.Foundation.Authentication.SamlIDP.SamlIDPExternalUserBuilder, Sitecore.Foundation.Authentication.SamlIDP" resolve="true">
            <IsPersistentUser>false</IsPersistentUser>
          </externalUserBuilder>
        </mapEntry>
      </identityProvidersPerSites>
    </federatedAuthentication>
  </sitecore>
</configuration>
Sustainsys setup injected into the Sitecore OWIN pipeline:
var options = new Saml2AuthenticationOptions(false)
{
    SPOptions = new SPOptions
    {
        EntityId = new EntityId(_spEntityId),
        ReturnUrl = new Uri(_spReturnUrl),
    },
    AuthenticationType = GetAuthenticationType()
};
options.IdentityProviders.Add(new Sustainsys.Saml2.IdentityProvider(new EntityId(_ipEntityId), options.SPOptions)
{
    MetadataLocation = _ipMetadataLocation,
    LoadMetadata = true,
    SingleSignOnServiceUrl = new Uri("https://myidp.com/saml20/login?RequestBinding=HTTPPost&PartnerId=https://mysp"),
});
options.Notifications = new Saml2Notifications
{
    AcsCommandResultCreated = (result, response) =>
    {
        var identityProvider = GetIdentityProvider();
        ((ClaimsIdentity)result.Principal.Identity).ApplyClaimsTransformations(new TransformationContext(FederatedAuthenticationConfiguration, identityProvider));
    },
};
args.App.UseSaml2Authentication(options);
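The snippet below is an added example, not the poster's code and not part of Sitecore or Sustainsys. It rebuilds the same Saml2AuthenticationOptions as a standalone factory so it can be reviewed in isolation, and shows where AcsCommandResultCreated sits in the flow: Sustainsys invokes it after it has validated the SAML Response (signature, issuer, conditions) and built the ClaimsPrincipal, but before the OWIN sign-in that Sitecore's external user builder consumes. The handler logs the claim types it received and aborts if no ClaimsIdentity with a NameIdentifier claim came back, which is the situation that otherwise surfaces only as an anonymous extranet user later. It also sets the SP-side hardening switches (WantAssertionsSigned, MinIncomingSigningAlgorithm, AllowUnsolicitedAuthnResponse) explicitly instead of relying on library defaults. Assumed: the caller passes in the FederatedAuthenticationConfiguration and the Sitecore IdentityProvider that the question's processor already has (FederatedAuthenticationConfiguration and GetIdentityProvider()); entity IDs and URLs are placeholders; the method name Saml2OptionsFactory.Build is hypothetical.

```csharp
// Added example (not the poster's, Sitecore's or Sustainsys' code).
// Assumes Sustainsys.Saml2.Owin and Sitecore.Owin.Authentication are referenced.
using System;
using System.Linq;
using System.Security.Claims;
using Sitecore.Diagnostics;
using Sitecore.Owin.Authentication.Configuration;
using Sitecore.Owin.Authentication.Extensions;
using Sitecore.Owin.Authentication.Services;
using Sustainsys.Saml2.Configuration;
using Sustainsys.Saml2.Metadata;
using Sustainsys.Saml2.Owin;
using Sustainsys.Saml2.Saml2P;
using Sustainsys.Saml2.WebSso;

public static class Saml2OptionsFactory   // hypothetical helper name
{
    public static Saml2AuthenticationOptions Build(
        string authenticationType,
        FederatedAuthenticationConfiguration federatedConfig,
        Sitecore.Owin.Authentication.Configuration.IdentityProvider sitecoreProvider,
        string spEntityId,        // e.g. "https://mysp" (placeholder)
        string spReturnUrl,       // e.g. "https://mysp/" (placeholder)
        string idpEntityId,       // e.g. "https://myidp.com/saml20" (placeholder)
        string idpMetadataUrl)    // e.g. "https://myidp.com/saml20/metadata" (placeholder)
    {
        var options = new Saml2AuthenticationOptions(false)
        {
            AuthenticationType = authenticationType,
            SPOptions = new SPOptions
            {
                EntityId = new EntityId(spEntityId),
                ReturnUrl = new Uri(spReturnUrl),
                // Require the IdP to sign the Assertion itself, not only the outer Response.
                WantAssertionsSigned = true,
                // Reject anything weaker than RSA-SHA256 on inbound signatures.
                MinIncomingSigningAlgorithm = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
            },
        };

        options.IdentityProviders.Add(
            new Sustainsys.Saml2.IdentityProvider(new EntityId(idpEntityId), options.SPOptions)
            {
                MetadataLocation = idpMetadataUrl,
                LoadMetadata = true,
                // Only accept Responses that answer an AuthnRequest this SP issued.
                AllowUnsolicitedAuthnResponse = false,
            });

        options.Notifications = new Saml2Notifications
        {
            // Runs once per ACS POST, after Sustainsys' own validation, before sign-in.
            AcsCommandResultCreated = (result, response) =>
                OnAcsResult(result, response, federatedConfig, sitecoreProvider),
        };
        return options;
    }

    private static void OnAcsResult(
        CommandResult result,
        Saml2Response response,
        FederatedAuthenticationConfiguration federatedConfig,
        Sitecore.Owin.Authentication.Configuration.IdentityProvider sitecoreProvider)
    {
        var identity = result.Principal?.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
        {
            Log.Warn("SAML ACS: response from " + response.Issuer.Id + " produced no authenticated ClaimsIdentity", typeof(Saml2OptionsFactory));
            throw new InvalidOperationException("SAML response carried no authenticated identity");
        }

        // Log claim *types* only; values may contain personal data.
        var claimTypes = string.Join(", ", identity.Claims.Select(c => c.Type).Distinct());
        Log.Info("SAML ACS: issuer=" + response.Issuer.Id + " claimTypes=[" + claimTypes + "]", typeof(Saml2OptionsFactory));

        // Without a NameIdentifier Sitecore's external user builder has nothing to map,
        // and the visitor ends up as extranet\Anonymous. Fail loudly here instead.
        if (!identity.HasClaim(c => c.Type == ClaimTypes.NameIdentifier))
        {
            throw new InvalidOperationException("SAML response has no NameIdentifier claim");
        }

        // Same transformation step as the original snippet, applied to the verified identity.
        identity.ApplyClaimsTransformations(new TransformationContext(federatedConfig, sitecoreProvider));
    }
}
```

Inside the processor the call site stays as in the question: `args.App.UseSaml2Authentication(Saml2OptionsFactory.Build(GetAuthenticationType(), FederatedAuthenticationConfiguration, GetIdentityProvider(), ...))`. Throwing from the notification aborts the ACS command before any cookie is issued, so a malformed or claim-less response shows up as a logged failure on the ACS request rather than as a silently anonymous session in the controller.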