mor*_*ran 3 c# adfs http-post saml-2.0 asp.net-mvc-4
我正在向ADFS发送saml 2.0注销请求并获取注销响应,状态代码为:"urn:oasis:names:tc:SAML:2.0:status:Requester".
我检查了Name ID值,它等于Assertion上的名称ID.我没有看到ADFS日志有任何错误.
这是我的退出请求:
<?xml version="1.0"?>
<samlp:LogoutRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" Destination="https://IDP_adfs.xxx.com/adfs/ls/" ID="id007471cfceb449239be1a6a48d28ae89" IssueInstant="2015-01-05T15:30:56.3978094Z">
<saml:Issuer>https://SP.xxx.com</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#id007471cfceb449239be1a6a48d28ae89">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>GsF...t/uwM=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>qY5RIT/eT9Tgkg7dj...IPn/2STu7iepIQ==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIIC5jCCAc...qAdOYsuKUgO9WNers=</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:NameID Format="http://schemas.xmlsoap.org/claims/UPN">user@xxx.com</saml:NameID>
<samlp:SessionIndex>_48b8991b-d3c4-4f8a-9c8b-a86e0a718c95</samlp:SessionIndex>
</samlp:LogoutRequest>
Run Code Online (Sandbox Code Playgroud)
这是我的退出响应:
<?xml version="1.0"?>
<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_79573c99-c8d3-4ea3-8b53-e15551128318" Version="2.0" IssueInstant="2015-01-05T15:31:02.954Z" Destination="https://SP.xxx.com/Account/logout/" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="id007471cfceb449239be1a6a48d28ae89">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://IDP_Adfs.xxx.com/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_79573c99-c8d3-4ea3-8b53-e15551128318">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>B/badvPpTrEuKZsqOvBQM54CIJ8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>cWIEl5wY3...lIiQDltacRcjxyw==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIC2jCCAcKgAwIBA...LmlI6oFWC3Lw=</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"/>
</samlp:Status>
</samlp:LogoutResponse>
Run Code Online (Sandbox Code Playgroud)
这是我对saml的回应:
<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_8b594b16-6505-4da6-9f4c-0d0d301bedb1" Version="2.0" IssueInstant="2015-01-05T14:25:40.241Z" Destination="https://SP.xxx.com/" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_e32452c1-8651-49cc-b17b-87b45b9b4a52">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://IDP_Adfs.xxx.com/adfs/services/trust</Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_d6df6a72-99de-4935-8153-0db0d6f4b3f6" IssueInstant="2015-01-05T14:25:40.241Z" Version="2.0">
<Issuer>http://IDP_Adfs.xxx.com/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_d6df6a72-99de-4935-8153-0db0d6f4b3f6">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>LUFxx...MY8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>svLLi2ooLayZCvYCrZlDnLJAt2K7SzUcNSPS7m1Qlb1UUXZWoznd5gqusXRRrGazx6AVdnpcLgI6LVZ7xirOUBGpFxNZO7q/0zkyvzY7/lwhO4RTqtTHL2QlJTwapalWXZ9FCw0kTbmLgwgZaaqRUee5hE1kpDrIpusJXU9L9Abc/UBLZhAcstTaXDVUvCF/FH2dz2Kv9P07pV5Kcy0RvQWeJ5IkDZHefDYNsm+9Y+2V3kuPC4Ry54/7cxWc2DvDcYaKxht88/J2MA2kOqzF60Ty2Ka1hy1GpCviVO8X+SfWtgOpGcjj0NxJGSwqIcgF5PGXYfgR5sLF66xaY1t+9w==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIC2jCCAcKgA...lI6oFWC3Lw=</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<Subject>
<NameID Format="http://schemas.xmlsoap.org/claims/UPN">user@xxx.com</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="_e32452c1-8651-49cc-b17b-87b45b9b4a52" NotOnOrAfter="2015-01-05T14:30:40.241Z" Recipient="https://SP.xxx.com/"/>
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2015-01-05T14:25:40.241Z" NotOnOrAfter="2015-01-05T15:25:40.241Z">
<AudienceRestriction>
<Audience>https://SP.xxx.com</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
<AttributeValue>user@xxx.com</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<AttributeValue>user@xxx.com</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/claims/CommonName">
<AttributeValue>User User</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2015-01-05T14:25:40.225Z" SessionIndex="_d6df6a72-99de-4935-8153-0db0d6f4b3f6">
<AuthnContext>
<AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</samlp:Response>
Run Code Online (Sandbox Code Playgroud)
我正在使用HTTP-POST绑定发送注销请求并获得注销响应.根据"urn:oasis:names:tc:SAML:2.0:status:Requester"状态代码,我的注销请求存在问题,但遗憾的是我找不到它.
urn:oasis:names:tc:SAML:2.0:status:Requester意味着ADFS不"喜欢"请求并归咎于请求的来源.正如Hans Z指出的那样,ADFS日志和跟踪文件中应该有一些东西.如果没有消息,请检查您的ADFS修补程序和修补程序级别.
现在上面的消息中的问题.对于注销,必须有两个正确的标识:NameID和SessionIndex.虽然你似乎编辑了XML,这使得我写的任何东西都是推测性的......问题可能是SessionIndex.
在断言中:AuthnStatement@SessionIndex="_d6df6a72-99de-4935-8153-0db0d6f4b3f6"在LogoutRequest-SessionIndex中有值_48b8991b-d3c4-4f8a-9c8b-a86e0a718c95
我没有看过其他可能的错误,因为您似乎已经编辑了XML.由于这个原因,验证解析器会拒绝它,从而错过其他可能的问题.
| 归档时间: |
|
| 查看次数: |
6043 次 |
| 最近记录: |