我有以下财产:
IDP:Azure
服务提供商:. Net核心6
客户:Vue 3
和以下代码:
var samlConfiguration = GetConfiguration<SamlConfiguration>(configuration);
serviceCollection.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = Saml2Defaults.Scheme;
})
.AddCookie()
.AddSaml2(Saml2Defaults.Scheme, options =>
{
options.SPOptions.EntityId = new EntityId(samlConfiguration.ServiceProviderEntityId);
options.SPOptions.ReturnUrl = new Uri(samlConfiguration.AssertionConsumerServiceUrl);
options.SPOptions.PublicOrigin = new Uri(samlConfiguration.PublishOrigin);
var idp = new IdentityProvider(new EntityId(samlConfiguration.IdentityProviderEntityId),
options.SPOptions)
{
LoadMetadata = true,
AllowUnsolicitedAuthnResponse = true,
MetadataLocation = samlConfiguration.MetadataLocation
};
options.IdentityProviders.Add(idp);
});
[Route("[controller]")]
[ApiController]
public class Saml2Controller : ControllerBase
{
private readonly SamlConfiguration _samlConfiguration;
private readonly ILogger<Saml2Controller> _logger;
public Saml2Controller(IOptions<SamlConfiguration> options, ILogger<Saml2Controller> logger)
{
_logger = logger;
_samlConfiguration = options.Value;
}
[HttpGet]
public IActionResult Initiate()
{
var authenticationProperties = new AuthenticationProperties
{
RedirectUri = _samlConfiguration.RedirectUri,
};
return Challenge(authenticationProperties, Saml2Defaults.Scheme);
}
[HttpPost("Acs")]
public async Task AssertionConsumerService()
{
try
{
_logger.LogInformation("-------begin AssertionConsumerService-------");
var result = await HttpContext.AuthenticateAsync(Saml2Defaults.Scheme);
if (!result.Succeeded)
{
throw new Exception("SAML authentication failed.");
}
_logger.LogInformation("-------set claims-------");
var claims = new List<Claim>();
claims.AddRange(result.Principal.Claims);
_logger.LogInformation("-------create ClaimsIdentity-------");
var identity = new ClaimsIdentity(claims, "saml");
var principal = new ClaimsPrincipal(identity);
_logger.LogInformation("-------begin SignIn-------");
await HttpContext.SignInAsync(principal);
_logger.LogInformation("-------end SignIn-------");
}
catch (Exception exception)
{
_logger.LogError("in {@className}\n--Exception: {@exception}\n--StackTrace: {@stackTrace}",
nameof(Saml2Controller), exception.Message, exception.StackTrace);
}
}
[HttpGet("logout")]
public IActionResult Logout()
{
HttpContext.SignOutAsync(Saml2Defaults.Scheme).Wait();
return Redirect("/");
}
}Saml配置如下所示:
"SamlConfiguration": {
"ServiceProviderEntityId": "https://sp.example.com/Saml2",
"IdentityProviderEntityId": "https://sts.windows.net/{tenantId}/",
"SingleSignOnServiceUrl": "https://login.microsoftonline.com/{tenantId}/Saml2",
"AssertionConsumerServiceUrl": "https://sp.example.com/Saml2/Acs",
"MetadataLocation": "https://login.microsoftonline.com/{tenantId}/federationmetadata/2007-06/federationmetadata.xml?appid={appId}",
"PublishOrigin": "https://sp.example.com",
"RedirectUri": "https://vue3.example.com"
}当客户端到达401时,然后重定向到"www.example.com",然后服务提供商重定向到iDP,登录后返回到"www.example.com",最后我们需要将Saml响应传递给客户端,客户端处理该响应。 https://sp.example.com/Saml2 " and then Service Provider redirect to iDP and after login returns to " https://sp.example.com/Saml2/Acs " and finally we need to pass the Saml Response to Client and Client prosses that response.
我的问题是路径"Saml2/Acs"是为Sustainsys.saml2库保留的,因为当我们通过 Postman 或手动调用该路径("Saml2/Acs")时,我们收到404错误。
可以做些什么来解决这个问题?
1条答案
按热度按时间f1tvaqid1#
您的设计错误。服务器端应用程序处理Saml响应并将生成的标识存储在Cookie中(通过对配置的身份验证方案调用SignInAsync)。建议JavaScript应用程序使用后端对前端模式,其中会话在服务器端处理,请参见https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps