azure 当iDP通过路由Saml2/Acs回调时,Sustainsys Saml2返回404

lymnna71  于 2023-02-16  发布在  其他

我有以下环境:
IDP:Azure
服务提供商:.NET Core 6
客户端:Vue 3
和以下代码:

var samlConfiguration = GetConfiguration<SamlConfiguration>(configuration);

        // The cookie scheme owns the local session (default scheme and sign-in scheme);
        // the SAML2 scheme is only used to challenge, i.e. to redirect the browser to the IdP.
        serviceCollection.AddAuthentication(authOptions =>
            {
                authOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                authOptions.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                authOptions.DefaultChallengeScheme = Saml2Defaults.Scheme;
            })
            .AddCookie()
            .AddSaml2(Saml2Defaults.Scheme, saml2Options =>
            {
                // Service-provider side: our entity id, where the IdP posts the assertion,
                // and the origin used to build absolute URLs.
                var spOptions = saml2Options.SPOptions;
                spOptions.EntityId = new EntityId(samlConfiguration.ServiceProviderEntityId);
                spOptions.ReturnUrl = new Uri(samlConfiguration.AssertionConsumerServiceUrl);
                spOptions.PublicOrigin = new Uri(samlConfiguration.PublishOrigin);

                // Identity-provider side, configured from its federation metadata document.
                // Property assignments keep the same order as the original object initializer.
                var identityProvider = new IdentityProvider(
                    new EntityId(samlConfiguration.IdentityProviderEntityId),
                    spOptions);
                identityProvider.LoadMetadata = true;
                // NOTE(review): true also accepts IdP-initiated responses that no Challenge()
                // asked for; the flow described on this page is SP-initiated, so confirm this
                // is really needed and otherwise prefer false.
                identityProvider.AllowUnsolicitedAuthnResponse = true;
                identityProvider.MetadataLocation = samlConfiguration.MetadataLocation;

                saml2Options.IdentityProviders.Add(identityProvider);
            });

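/// <summary>
/// Entry points for the SP-initiated SAML2 login/logout flow.
/// NOTE(review): <c>[Route("[controller]")]</c> combined with <c>[HttpPost("Acs")]</c> maps
/// <see cref="AssertionConsumerService"/> to <c>/Saml2/Acs</c>, the same path that is configured as the
/// assertion consumer service URL; the Sustainsys.Saml2 handler serves the ACS endpoint under its own
/// module path, so confirm this action is reachable at all rather than shadowed by the handler.
/// </summary>
[Route("[controller]")]
[ApiController]
public class Saml2Controller : ControllerBase
{
    // Authentication type stamped on the ClaimsIdentity built from the SAML assertion.
    private const string SamlAuthenticationType = "saml";

    private readonly SamlConfiguration _samlConfiguration;
    private readonly ILogger<Saml2Controller> _logger;

    /// <summary>Creates the controller from the bound SAML configuration and a logger.</summary>
    /// <param name="options">Bound <c>SamlConfiguration</c> section.</param>
    /// <param name="logger">Logger for this controller.</param>
    /// <exception cref="ArgumentNullException">Either argument is <see langword="null"/>.</exception>
    public Saml2Controller(IOptions<SamlConfiguration> options, ILogger<Saml2Controller> logger)
    {
        ArgumentNullException.ThrowIfNull(options);
        ArgumentNullException.ThrowIfNull(logger);

        _logger = logger;
        _samlConfiguration = options.Value;
    }

    /// <summary>
    /// Starts SP-initiated sign-in by challenging the SAML2 scheme, which redirects the browser to the IdP.
    /// </summary>
    /// <returns>A challenge result for <see cref="Saml2Defaults.Scheme"/>.</returns>
    [HttpGet]
    public IActionResult Initiate()
    {
        // RedirectUri is taken from configuration, never from the request, so this is not an
        // open-redirect sink; keep it that way if the value is ever made caller-selectable.
        var authenticationProperties = new AuthenticationProperties
        {
            RedirectUri = _samlConfiguration.RedirectUri,
        };

        return Challenge(authenticationProperties, Saml2Defaults.Scheme);
    }

    /// <summary>
    /// Consumes the SAML response posted by the IdP and signs the resulting principal in to the
    /// default sign-in scheme (the cookie).
    /// </summary>
    /// <returns>
    /// 200 on success; 401 when the SAML2 scheme did not authenticate the request; a 500 problem
    /// response if sign-in throws. Failure details are logged, never returned to the caller.
    /// </returns>
    [HttpPost("Acs")]
    public async Task<IActionResult> AssertionConsumerService()
    {
        try
        {
            _logger.LogInformation("-------begin AssertionConsumerService-------");

            var result = await HttpContext.AuthenticateAsync(Saml2Defaults.Scheme);
            if (!result.Succeeded)
            {
                // Expected failure: no exception for control flow, and the client now gets
                // 401 instead of the 200 the old swallow-and-log produced.
                _logger.LogWarning(result.Failure, "SAML authentication failed.");
                return Unauthorized();
            }

            _logger.LogInformation("-------create ClaimsIdentity-------");
            // Re-wrap the assertion's claims under our own authentication type; the
            // ClaimsIdentity constructor takes the enumerable directly, no list copy needed.
            var identity = new ClaimsIdentity(result.Principal.Claims, SamlAuthenticationType);
            var principal = new ClaimsPrincipal(identity);

            _logger.LogInformation("-------begin SignIn-------");
            // No scheme argument: uses DefaultSignInScheme, i.e. the cookie.
            await HttpContext.SignInAsync(principal);
            _logger.LogInformation("-------end SignIn-------");

            return Ok();
        }
        catch (Exception exception)
        {
            // Pass the exception object itself so structured logging keeps type, message and
            // stack trace together instead of two flattened strings.
            _logger.LogError(exception, "SAML sign-in failed in {ClassName}", nameof(Saml2Controller));
            return Problem("SAML sign-in failed.");
        }
    }

    /// <summary>
    /// Signs out of the SAML2 scheme and of the local cookie session, then redirects to the site root.
    /// NOTE(review): a GET logout can be triggered cross-site by any image or link; move it to
    /// <c>[HttpPost]</c> with anti-forgery validation once existing callers are updated.
    /// </summary>
    /// <returns>A redirect to <c>/</c>.</returns>
    [HttpGet("logout")]
    public async Task<IActionResult> Logout()
    {
        // Async all the way: the original .Wait() blocked the request thread.
        // SAML2 first, while the current user is still available to the handler.
        await HttpContext.SignOutAsync(Saml2Defaults.Scheme);
        // The cookie (default sign-in/sign-out scheme) is what actually holds the session created
        // in AssertionConsumerService; signing out of the SAML2 scheme alone left it intact.
        await HttpContext.SignOutAsync();
        return Redirect("/");
    }
}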

Saml配置如下所示:

"SamlConfiguration": {
    "ServiceProviderEntityId": "https://sp.example.com/Saml2",
    "IdentityProviderEntityId": "https://sts.windows.net/{tenantId}/",
    "SingleSignOnServiceUrl": "https://login.microsoftonline.com/{tenantId}/Saml2",
    "AssertionConsumerServiceUrl": "https://sp.example.com/Saml2/Acs",
    "MetadataLocation": "https://login.microsoftonline.com/{tenantId}/federationmetadata/2007-06/federationmetadata.xml?appid={appId}",
    "PublishOrigin": "https://sp.example.com",
    "RedirectUri": "https://vue3.example.com"
  }

当客户端收到401时,会重定向到 "https://sp.example.com/Saml2",然后服务提供商重定向到iDP,登录后返回到 "https://sp.example.com/Saml2/Acs",最后我们需要将Saml响应传递给客户端,由客户端处理该响应。
我的问题是路径"Saml2/Acs"似乎被Sustainsys.Saml2库保留了:当我们通过Postman或手动调用该路径("Saml2/Acs")时,会收到404错误。
可以做些什么来解决这个问题?

f1tvaqid


您的设计有误。服务器端应用程序应处理Saml响应,并将生成的标识存储在Cookie中(通过对已配置的身份验证方案调用SignInAsync)。建议JavaScript应用程序采用后端对前端模式,其中会话在服务器端处理,请参见 https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps
