2

我是 SAML2 身份验证的新手,并尝试过使用 ITfoxtec。运行我的应用程序时出现此错误

AuthenticationException:根据验证程序,远程证书无效。System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken 消息,AsyncProtocolRequest asyncRequest,ExceptionDispatchInfo 异常)

HttpRequestException:无法建立 SSL 连接,请参阅内部异常。System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(流流,SslClientAuthenticationOptions sslOptions,CancellationToken cancelToken)

WebException:无法建立 SSL 连接,请参阅内部异常。根据验证程序,远程证书无效。System.Net.HttpWebRequest.GetResponse()

我正在使用使用 OpenSSL 生成的证书,并将 pfx 证书安装在 MMC 的受信任的根 CA 存储中。我不确定为什么它仍然会导致我出错。我还已经在我的 ADFS 中将该应用程序添加为依赖信任方。## 标题 ##

这是我的 StartUp.cs 的片段

  services.Configure<Saml2Configuration>(Configuration.GetSection("Saml2"));

            services.Configure<Saml2Configuration>(saml2Configuration =>
            {

                //saml2Configuration.SignAuthnRequest = true;
                saml2Configuration.SigningCertificate = CertificateUtil.Load(Configuration["Saml2:SigningCertificateFile"], Configuration["Saml2:SigningCertificatePassword"]);
               //saml2Configuration.SigningCertificate = CertificateUtil.Load(AppEnvironment.MapToPhysicalFilePath(Configuration["Saml2:SigningCertificateFile"]), Configuration["Saml2:SigningCertificatePassword"]);



                var entityDescriptor = new EntityDescriptor();
                entityDescriptor.ReadIdPSsoDescriptorFromUrl(new Uri(Configuration["Saml2:IdPMetadata"]));
                if (entityDescriptor.IdPSsoDescriptor != null)
                {
                    saml2Configuration.AllowedIssuer = entityDescriptor.EntityId;
                    saml2Configuration.SingleSignOnDestination = entityDescriptor.IdPSsoDescriptor.SingleSignOnServices.First().Location;
                    saml2Configuration.SingleLogoutDestination = entityDescriptor.IdPSsoDescriptor.SingleLogoutServices.First().Location;
                    saml2Configuration.SignatureValidationCertificates.AddRange(entityDescriptor.IdPSsoDescriptor.SigningCertificates);
                    if (entityDescriptor.IdPSsoDescriptor.WantAuthnRequestsSigned.HasValue)
                    {
                        saml2Configuration.SignAuthnRequest = entityDescriptor.IdPSsoDescriptor.WantAuthnRequestsSigned.Value;
                    }
                }
                else
                {
                    throw new Exception("IdPSsoDescriptor not loaded from metadata.");
                }
            });
            services.AddSaml2();

这是我的appsettings.json

  "Saml2": {
    "IdPMetadata": "adfs url/FederationMetadata/2007-06/FederationMetadata.xml",
    "Issuer": "saml_Example",
    "SingleSignOnDestination": "http://adfs url/adfs/ls/",
    "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "SigningCertificateFile": "cert.pfx",
    "SigningCertificatePassword": "pw",
    "CertificateValidationMode": "None",
    "RevocationMode": "NoCheck"
  },
4

1 回答 1

1

根据错误,您的机器/服务器不信任 AD FS SSL/TLS 证书。

您已配置"IdPMetadata": "adfs url/FederationMetadata/2007-06/FederationMetadata.xml". 它应该是一个真实的 URL,例如https://....

于 2021-08-02T07:57:33.367 回答