使用多个ADFS+Cookies时未执行OWIN Challenge()方法
本文关键字:Challenge OWIN 方法 执行 ADFS+Cookies | 更新日期: 2023-09-27 18:25:32
我的ASP.Net应用程序使用OWIN/CAtana/Claims,并允许使用登录
- 传统用户名/密码(适用于所有用户)
- 谷歌
- Azure AD
它工作得很好,所有必要的重定向/声明传输都很好(用户名标识符/提供者(/tender)的详细信息会传回我的应用程序,这样就可以链接唯一的id值)。请注意,用户不会注册/注册该应用程序-访问权限由其组织的超级用户提供,并向他们发送用户名/密码,然后他们可以连接到Google/AAzure。
然而,我现在需要扩展此功能,以允许用户连接到其组织的ADFS提供商。这里是唯一一个远程关闭的工作示例(教程/代码),但它严格基于ADFS。当我把它应用到我的项目中时,它不会起作用。
我的整个StartupAuth文件如下所示。我很感激可能存在配置错误,但根据我在过去六周里发现的少量样本,这是我最好的。
public void Configuration(IAppBuilder app)
{
// STANDARD CODE FOR APP COOKIE AND GOOGLE - WORKS PERFECTLY
CookieAuthenticationOptions coa = new CookieAuthenticationOptions {
AuthenticationMode = AuthenticationMode.Active,
CookieName = "MyAppName",
ExpireTimeSpan = TimeSpan.FromMinutes(60),
SlidingExpiration = true,
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/login.aspx"),
CookieHttpOnly = true,
CookieSecure = CookieSecureOption.SameAsRequest,
Provider = new CookieAuthenticationProvider { OnValidateIdentity = context =>
{
dynamic ret = Task.Run(() =>
{
// Verify that "userId" and "customerId" claims exist, and that each has a valid value (greater than zero) - removed for brevity
return Task.FromResult(0);
});
return ret;
} }
};
app.SetDefaultSignInAsAuthenticationType(coa.AuthenticationType);
app.UseCookieAuthentication(coa);
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions {
ClientId = "84***********************k3.apps.googleusercontent.com",
ClientSecret = "jue*****************Ppi"
});
// NEW CODE THAT FAILS TO WORK - SPECIFYING EACH CUSTOMER'S ADFS AS A NEW WSFED AUTH OPTION
WsFederation.WsFederationAuthenticationOptions Adfs_CompanyA = new WsFederation.WsFederationAuthenticationOptions {
AuthenticationMode = AuthenticationMode.Passive,
MetadataAddress = "https://CompanyA.net/FederationMetadata/2007-06/FederationMetadata.xml",
AuthenticationType = AdfsAuthenticationTypes.CompanyA,
Wtrealm = "https://www.CompanyA.co.uk/MyAppName"
};
WsFederation.WsFederationAuthenticationOptions Adfs_CompanyB = new WsFederation.WsFederationAuthenticationOptions {
AuthenticationMode = AuthenticationMode.Passive,
MetadataAddress = "https://CompanyB.net/federationmetadata/2007-06/federationmetadata.xml",
AuthenticationType = AdfsAuthenticationTypes.CompanyB,
Wtrealm = "http://www.CompanyB.co.uk/azure/MyAppName"
};
// User (who is logged in), route for hyperlink "Link my account with ADFS"
app.Map("/SSO/LinkUserAccount/ADFS/process", configuration => { configuration.UseWsFederationAuthentication(Adfs_CompanyA); });
// CompanyA ADFS - single sign-on route
app.Map("/SSO/Login/CompanyA/ADFS/Go", configuration => { configuration.UseWsFederationAuthentication(Adfs_CompanyA); });
// CompanyB ADFS - single sign-on route
app.Map("/SSO/Login/CompanyB/ADFS/Go", configuration => { configuration.UseWsFederationAuthentication(Adfs_CompanyB); });
}
}
这是我用来发布OWIN挑战的代码:
string provider = MyApp.SingleSignOn.GetCustomerAdfsAuthenticationType(customerName);
string redirectUrl = string.Format("{0}/SSO/Login/{1}/ADFS/Go", Request.Url.GetLeftPart(UriPartial.Authority), provider); // creates https://myapp.com/SSO/Login/CompanyA/ADFS/Go for CompanyA users
Context.GetOwinContext().Authentication.Challenge(new AuthenticationProperties { RedirectUri = redirectUrl }, provider);
Response.StatusCode = 401;
Response.End();
这是网络表单,但请不要让它阻止MVC pro的贡献。不管怎样,代码实际上是相同的,我使用的是路由。
我遇到的问题是,当用户点击"使用ADFS登录"链接时,例如URL变成https://myapp.com/SSO/Login/CompanyA/ADFS我收到一个401未经授权的错误,而不是将用户重定向到ADFS登录页面
在web.config中,我允许未经授权访问路径"SSO"。由于某种原因,Challenge()方法从不重定向用户,它只是被忽略,代码到达返回401的点。字符串provider的值与Startup.Auth.中定义的WsFederationAuthenticationOptions.AuthenticationType值完全匹配
我已经为此奋斗了六个星期了,所以这件事一有机会就会得到赏金,解决后会把一箱啤酒送到你选择的地址。
我解决了这个问题。令人惊讶的是,它就像我在StartupAuth:的结尾错过的一样简单
app.UseStageMarker(PipelineStage.Authenticate);
您设置了OWIN日志记录吗?有线索吗?
同时测试驱动Katana的WS-Federation身份验证中间件。
请查看IdentityServer 3中的代码。那里有一个WS-Fed插件,文档在这里(底部)。