ADFS SSO匿名主页MVC 4 ASP.NET

本文关键字:ASP NET MVC 主页 SSO ADFS | 更新日期: 2023-09-27 18:10:02

我一直在寻找这个问题的答案,但不得不承认,这个概念很难在谷歌上用搜索词表达清楚。我有几个MVC站点通过我们的ADFS使用单点登录(SSO)进行身份验证,效果很好。然而,我想知道是否可以有一个主页,允许匿名用户在不登录的情况下访问部分功能。我看到有人提到,在用户从依赖方(relying party)单点登出后,将用户重定向到一个匿名主页。基本上,我能否只用ADFS SSO保护应用程序的一半?

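<?xml version="1.0" encoding="utf-8"?>
<!--
  web.config of an ASP.NET MVC relying party federated with ADFS over WS-Federation (WIF 4.5).
  Structural repairs relative to the pasted original: <configSections> is now closed, the two
  <system.webServer> elements are merged into one (a section group should appear once per file),
  and the non-well-formed "<runtimes here.../>" placeholder is replaced by a comment.
  Settings themselves are unchanged.
-->
<configuration>
  <configSections>
    <section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />
    <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
    <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
  </configSections>
  <connectionStrings>
  </connectionStrings>
  <appSettings>
    <add key="webpages:Version" value="3.0.0.0" />
    <add key="webpages:Enabled" value="false" />
    <add key="ClientValidationEnabled" value="true" />
    <add key="UnobtrusiveJavaScriptEnabled" value="true" />
    <!-- STS metadata endpoint; presumably consumed by the identity tooling that maintains the
         issuer thumbprint further down (confirm whether anything reads it at runtime). -->
    <add key="ida:FederationMetadataLocation" value="https://sts.testsite.com/FederationMetadata/2007-06/FederationMetadata.xml" />
    <!-- Realm and audience must match what ADFS has configured for this relying party;
         they are duplicated in <audienceUris> and <wsFederation> below. -->
    <add key="ida:Realm" value="https://localhost:44301" />
    <add key="ida:AudienceUri" value="https://localhost:44301" />
    <!-- OWIN startup is disabled: authentication is provided by the WIF HTTP modules registered
         under <system.webServer>, not by OWIN middleware. -->
    <add key="owin:AutomaticAppStartup" value="false" />
  </appSettings>
  <!-- /Account is reachable by everyone (users="*"), carving the sign-in/sign-out endpoints
       out of the site-wide deny below. -->
  <location path="Account">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <system.web>
    <!-- No built-in ASP.NET authentication; identity comes from the WS-Federation modules. -->
    <authentication mode="None" />
    <!-- users="?" is the anonymous user. Denying it at the root makes every request outside
         /Account a 401, which WSFederationAuthenticationModule (passiveRedirectEnabled="true")
         turns into a redirect to ADFS. For a public home page remove this element and enforce
         access per controller/action with [Authorize] and [AllowAnonymous] instead. -->
    <authorization>
      <deny users="?" />
    </authorization>
    <!-- debug="true" is for development only; set it to false before deploying. -->
    <compilation debug="true" targetFramework="4.5" />
    <httpRuntime targetFramework="4.5" requestValidationMode="4.5" />
    <customErrors mode="On" defaultRedirect="~/Error.cshtml">
    </customErrors>
  </system.web>
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false" />
    <modules>
      <!-- WSFAM processes the WS-Federation sign-in response and issues the redirects to the STS;
           SAM re-establishes the caller's identity from the session (FedAuth) cookie on later requests. -->
      <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
      <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
    </modules>
  </system.webServer>
  <runtime>
    <!-- [assemblyBinding redirects omitted by the poster] -->
  </runtime>
  <entityFramework>
    <defaultConnectionFactory type="System.Data.Entity.Infrastructure.LocalDbConnectionFactory, EntityFramework">
      <parameters>
        <parameter value="v11.0" />
      </parameters>
    </defaultConnectionFactory>
    <providers>
      <provider invariantName="System.Data.SqlClient" type="System.Data.Entity.SqlServer.SqlProviderServices, EntityFramework.SqlServer" />
    </providers>
  </entityFramework>
  <system.identityModel>
    <identityConfiguration>
      <!-- Tokens whose audience is not listed here are rejected. -->
      <audienceUris>
        <add value="https://localhost:44301" />
      </audienceUris>
      <securityTokenHandlers>
        <!-- The session cookie is protected with the ASP.NET machineKey instead of DPAPI, so it
             survives app-pool recycles and web farms, provided every node shares the same explicit
             <machineKey>. A cookie that no longer decrypts surfaces as a CryptographicException,
             which is presumably why Global.asax handles that exception type. -->
        <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
        <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      </securityTokenHandlers>
      <!-- "None" skips X.509 chain and revocation checks on the STS token-signing certificate;
           issuer trust then rests entirely on the thumbprint pinned below. Usual for a test STS
           with a self-signed certificate; review before production (ChainTrust or PeerTrust). -->
      <certificateValidation certificateValidationMode="None" />
      <!-- Only tokens signed with a listed key and naming a listed issuer are accepted. -->
      <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
        <authority name="http://sts.testsite.com/adfs/services/trust">
          <keys>
            <!-- Thumbprint of the ADFS token-signing certificate; must be updated when ADFS
                 rolls over that certificate, otherwise sign-in fails. -->
            <add thumbprint="AA6032061B0E74B3B5B0D495DC7C55B18B0862A4" />
          </keys>
          <validIssuers>
            <add name="http://sts.testsite.com/adfs/services/trust" />
          </validIssuers>
        </authority>
      </issuerNameRegistry>
    </identityConfiguration>
  </system.identityModel>
  <system.identityModel.services>
    <federationConfiguration>
      <!-- requireSsl marks the FedAuth cookie Secure; requireHttps keeps the WS-Federation exchange
           on HTTPS. Application_BeginRequest in Global.asax redirects plain-HTTP requests accordingly. -->
      <cookieHandler requireSsl="true" />
      <wsFederation passiveRedirectEnabled="true" issuer="https://sts.testsite.com/adfs/ls/" realm="https://localhost:44301" requireHttps="true" />
    </federationConfiguration>
  </system.identityModel.services>
</configuration>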

这是Global.asax.

 protected void Application_Start()
    {
        // Standard MVC bootstrap, in the order the project template uses:
        // areas first, then global filters, routes and script/style bundles.
        AreaRegistration.RegisterAllAreas();

        var globalFilters = GlobalFilters.Filters;
        var routeTable = RouteTable.Routes;
        var bundleTable = BundleTable.Bundles;

        FilterConfig.RegisterGlobalFilters(globalFilters);
        RouteConfig.RegisterRoutes(routeTable);
        BundleConfig.RegisterBundles(bundleTable);

        // Anti-forgery tokens are tied to the signed-in user's email claim instead of the
        // default name identifier. NOTE(review): the STS must actually issue an email claim
        // for every user, otherwise token generation presumably fails; confirm the ADFS claim rules.
        AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Email;
    }
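    protected void Application_BeginRequest()
    {
        // Everything on this site must run over TLS: the FedAuth cookie (requireSsl) and the
        // WS-Federation exchange (requireHttps) are HTTPS-only in web.config, so a plain-HTTP
        // request could never establish a session anyway.
        // NOTE(review): IsSecureConnection describes the hop to this server; behind a
        // TLS-terminating proxy it is false for every request and this would redirect forever.
        // Confirm the deployment topology.
        if (!Context.Request.IsSecureConnection)
            Response.Redirect(ToHttpsUrl(Context.Request.Url.ToString()));
    }

    /// <summary>
    /// Returns <paramref name="url"/> with only its leading "http:" scheme rewritten to "https:".
    /// The previous String.Replace("http:", "https:") rewrote every occurrence, so an "http:"
    /// inside the path or query (for example a ReturnUrl parameter) was rewritten as well and the
    /// redirect target no longer matched the original request.
    /// Host and port are kept exactly as before; a null URL or one that does not start with
    /// "http:" is returned unchanged.
    /// </summary>
    private static string ToHttpsUrl(string url)
    {
        const string HttpScheme = "http:";
        if (url == null || !url.StartsWith(HttpScheme, StringComparison.OrdinalIgnoreCase))
            return url;
        return "https:" + url.Substring(HttpScheme.Length);
    }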
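    protected void Application_Error(object sender, EventArgs e)
    {
        var error = Server.GetLastError();
        if (error == null)
            return;

        // ASP.NET may hand this handler a wrapper exception (e.g. HttpUnhandledException); check
        // the exception itself first, then its root cause, so a nested CryptographicException
        // is still recognised.
        var cryptoEx = error as CryptographicException
                       ?? error.GetBaseException() as CryptographicException;
        if (cryptoEx == null)
            return;

        // A CryptographicException here presumably means the FedAuth session cookie could not be
        // decrypted (stale cookie, rotated machineKey). Discard the federated session locally and
        // swallow the error so the user can re-authenticate against the STS instead of seeing a 500.
        FederatedAuthentication.WSFederationAuthenticationModule.SignOut();
        Server.ClearError();
        // NOTE(review): after ClearError the pipeline continues with whatever response remains,
        // which may be empty; confirm whether a redirect to the home page is intended here.

        // Setting Expires on the object from Request.Cookies never reaches the browser. A cookie
        // is removed only by sending one with the same name and a past expiry in the response.
        if (Request.Cookies["StoreNumber"] != null)
        {
            var storeNumber = new HttpCookie("StoreNumber")
            {
                Expires = DateTime.Now.AddDays(-1)
            };
            // NOTE(review): the browser matches on name, Path and Domain; this must use the same
            // Path/Domain the cookie was originally issued with. Confirm where StoreNumber is set.
            Response.Cookies.Add(storeNumber);
        }
    }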

ADFS SSO匿名主页MVC 4 ASP.NET

默认情况下,它应该按照您想要的方式运行。最有可能的原因是,您的 web.config 中的这个设置要求每个人都登录,因为它显式拒绝了匿名用户。试着删除它,看看是否能按您预期的方式工作。

<!-- users="?" stands for the anonymous (unauthenticated) user. Placed at the site root this
     denies every anonymous request, which is what sends everyone to ADFS. Removing it makes the
     site public by default, so anything that must stay protected then needs [Authorize] on the
     controller or action. -->
<authorization>
  <deny users="?" />
</authorization>

理论上,如果您在任何需要授权/登录的控制器上加上[Authorize],也就不需要下面这几行了。一旦删除了那条拒绝规则,匿名用户应该就可以访问AccountController了。您应该可以分别用[Authorize]和[AllowAnonymous]来控制哪些控制器/方法需要授权。

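<!-- Once the site-wide deny is gone this override is redundant: /Account is public by default,
     and [Authorize] / [AllowAnonymous] on controllers and actions decide what needs a signed-in
     user. Indentation normalised; the snippet's closing tag was indented deeper than its opening tag. -->
<location path="Account">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>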