Programmatically configuring Microsoft.IdentityModel in an ASP.NET application does not work - passive redirect is enabled but never takes effect

I am working on a claims-based authentication application and would like to move the Microsoft.IdentityModel configuration out of the web.config file and into my code, so that the configuration can be managed dynamically.

This is the federatedAuthentication section contained in web.config:

<federatedAuthentication>
    <wsFederation passiveRedirectEnabled="true" issuer="trust" realm="real" requireHttps="false" />
    <cookieHandler requireSsl="true" />
</federatedAuthentication>

I tried to do the configuration in code instead of in the web.config file by attaching an EventHandler in the Application_Start() method:

    protected void Application_Start()
    {
        FederatedAuthentication.ServiceConfigurationCreated += new EventHandler<ServiceConfigurationCreatedEventArgs>(FederatedAuthentication_ServiceConfigurationCreated);
    }

    private static void FederatedAuthentication_ServiceConfigurationCreated(Object sender, ServiceConfigurationCreatedEventArgs e)
    {
        const string rpRealm = "realm";
        const bool requireSsl = false;
        const bool requireHttps = false;
        const bool passRedirect = true;
        const string issuer = "trust";

        ...

        FederatedAuthentication.WSFederationAuthenticationModule.PassiveRedirectEnabled = passRedirect;
        FederatedAuthentication.WSFederationAuthenticationModule.Issuer = issuer;
        FederatedAuthentication.WSFederationAuthenticationModule.Realm = rpRealm;
        FederatedAuthentication.WSFederationAuthenticationModule.RequireHttps = requireHttps;

        ...
    }

After removing the configuration from the web.config file and compiling the code, the problem is that the application does not redirect to the Issuer URL even though the PassiveRedirectEnabled property has been set to true. By setting breakpoints I confirmed that the code above does run and does not throw an exception; however, the passive redirect never works. P.S.: I am using WIF 3.5; the imported assembly is Microsoft.IdentityModel.dll.

2 Answers

Thanks for the help, @jonho! Your code only applies to WIF 4.5, however, and I am using WIF 3.5, where there are some differences...

After investigating on the Internet and testing my code, I found a working solution with the help of http://social.msdn.microsoft.com/forums/vstudio/en-US/41b9a137-faca-43c6-b965-01d5322df5f0/change-microsoftidentitymodel-configuration.

In case anyone else gets stuck like I did, here is what I did:

  1. Add an event handler when ServiceConfiguration is created, and add the allowed audience and certificate information in the event handler:

    protected void Application_Start()
    {
        FederatedAuthentication.ServiceConfigurationCreated += 
                    new EventHandler<ServiceConfigurationCreatedEventArgs>(FederatedAuthentication_ServiceConfigurationCreated);
    }
    
    private static void FederatedAuthentication_ServiceConfigurationCreated(Object sender, ServiceConfigurationCreatedEventArgs e)
    {
        const string allowedAudience = "allowed_aud";
        const string certThumbprint = "thumb";
        const string certName = "name";
    
        var serviceConfiguration = new ServiceConfiguration();
    
        serviceConfiguration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(allowedAudience));
    
        var issuerNameRegistry = new ConfigurationBasedIssuerNameRegistry();
        issuerNameRegistry.AddTrustedIssuer(certThumbprint, certName);
        serviceConfiguration.IssuerNameRegistry = issuerNameRegistry;
        serviceConfiguration.CertificateValidationMode = X509CertificateValidationMode.None;
    
        e.ServiceConfiguration = serviceConfiguration;
    }
    
  2. Implement Application_AuthenticateRequest() method for the ASP.NET application. Provide the issuer information there:

    // The constants below are the ones declared in the question's ServiceConfigurationCreated handler,
    // hoisted to class scope so that Application_AuthenticateRequest can use them as well.
    private const string rpRealm = "realm";
    private const string issuer = "trust";
    private const bool requireSsl = false;
    private const bool requireHttps = false;
    private const bool passRedirect = true;

    protected void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        FederatedAuthentication.SessionAuthenticationModule.CookieHandler.RequireSsl = requireSsl;
        FederatedAuthentication.WSFederationAuthenticationModule.Issuer = issuer;
        FederatedAuthentication.WSFederationAuthenticationModule.Realm = rpRealm;
        FederatedAuthentication.WSFederationAuthenticationModule.PassiveRedirectEnabled = passRedirect;
        FederatedAuthentication.WSFederationAuthenticationModule.RequireHttps = requireHttps;
    }
    
This should be enough to get passive redirect working in WIF 3.5 for an ASP.NET application.
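For contrast with the settings used in the answers (RequireSsl and RequireHttps false, CertificateValidationMode.None), here is the same WIF 3.5 code-based setup with the values a production relying party would ship with. This is an added example, not code from the question or the answers; the `Global` class, the example.com URLs and the thumbprint placeholder are assumptions.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;
using Microsoft.IdentityModel.Web.Configuration;

public class Global : System.Web.HttpApplication
{
    // Assumed values for illustration only; a real deployment reads them from its own settings store.
    private const string RpRealm = "https://rp.example.com/";
    private const string Issuer = "https://sts.example.com/wsfed";
    private const string IssuerName = "https://sts.example.com/";
    private const string IssuerThumbprint = "<thumbprint of the STS signing certificate>";

    protected void Application_Start()
    {
        FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
    }

    private static void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
    {
        var config = new ServiceConfiguration();
        // Accept only tokens minted for this relying party; Always means a token without an audience is rejected too.
        config.AudienceRestriction.AudienceMode = AudienceUriMode.Always;
        config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(RpRealm));
        // Map the STS signing certificate (by thumbprint) to the issuer name; tokens signed with any other key fail.
        var registry = new ConfigurationBasedIssuerNameRegistry();
        registry.AddTrustedIssuer(IssuerThumbprint, IssuerName);
        config.IssuerNameRegistry = registry;
        // The answers above use X509CertificateValidationMode.None, which skips certificate validation entirely;
        // ChainTrust plus online revocation checking is the setting to run with.
        config.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        config.RevocationMode = X509RevocationMode.Online;
        e.ServiceConfiguration = config;
    }

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // As in the accepted answer, the WS-Federation module settings are applied per request.
        var wsfam = FederatedAuthentication.WSFederationAuthenticationModule;
        wsfam.Issuer = Issuer;
        wsfam.Realm = RpRealm;
        wsfam.PassiveRedirectEnabled = true;
        wsfam.RequireHttps = true;   // the redirect to the STS and the sign-in reply must use HTTPS
        FederatedAuthentication.SessionAuthenticationModule.CookieHandler.RequireSsl = true; // session cookie only over TLS
    }
}
```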

This is how I did it - create a FederationConfiguration object, add to its WsFederationConfiguration property, and finally set the whole object on the event arguments.
    private static void FederatedAuthentication_FederationConfigurationCreated(object sender, FederationConfigurationCreatedEventArgs e)
    {
        //from appsettings...
        const string allowedAudience = "http://audience1/user/get";
        const string rpRealm = "http://audience1/";
        const string domain = "";
        const bool requireSsl = false;
        const string issuer = "http://sts/token/create";
        const string certThumbprint = "mythumbprint";
        const string authCookieName = "StsAuth";
        // placeholder: the post uses internalSts below without showing where it is declared
        const string internalSts = "http://sts/";

        var federationConfiguration = new FederationConfiguration();
        federationConfiguration.IdentityConfiguration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(allowedAudience));

        var issuingAuthority = new IssuingAuthority(internalSts);
        issuingAuthority.Thumbprints.Add(certThumbprint);
        issuingAuthority.Issuers.Add(internalSts);
        var issuingAuthorities = new List<IssuingAuthority> {issuingAuthority};

        var validatingIssuerNameRegistry = new ValidatingIssuerNameRegistry {IssuingAuthorities = issuingAuthorities};
        federationConfiguration.IdentityConfiguration.IssuerNameRegistry = validatingIssuerNameRegistry;
        federationConfiguration.IdentityConfiguration.CertificateValidationMode = X509CertificateValidationMode.None;

        var chunkedCookieHandler = new ChunkedCookieHandler {RequireSsl = requireSsl, Name = authCookieName, Domain = domain, PersistentSessionLifetime = new TimeSpan(0, 0, 30, 0)};
        federationConfiguration.CookieHandler = chunkedCookieHandler;
        federationConfiguration.WsFederationConfiguration.Issuer = issuer;
        federationConfiguration.WsFederationConfiguration.Realm = rpRealm;
        federationConfiguration.WsFederationConfiguration.RequireHttps = requireSsl;

        e.FederationConfiguration = federationConfiguration;
    }

Thanks a lot! Since your code applies to WIF 4.5 and I am using WIF 3.5, I adjusted the code a bit, did some research and came up with a working solution! I have posted my answer as well. Thanks! - everfor
@Endri - Yes, it can. I have a full working prototype here https://github.com/seantarogers/SsoWsFederation which is implemented with MVC 5. - jonho
@jonho, your solution looks interesting. I am trying to run it, but I cannot create the specified certificate. The link redirects to another article. I am using VS 2015 and Windows 7. Could you tell me how to generate the certificate? - Endri
@jonho I ran into a problem when using MMC: it says Microsoft Management Console has stopped working. Is there any way to solve this other than using MMC? Or do you know what would cause MMC to stop working? Sorry if these questions are off-topic. - Endri
Can't get this to work in AspNetCore - it still throws an error when accessing the FederatedAuthentication.FederationConfiguration property instead of firing the Created event, and for some reason demands the system.identityModel section (which should no longer be needed). - Alexander

Page content provided by Stack Overflow.