错误 - SignInResponse消息只能在当前Web应用程序--MVC 2.0应用程序中重定向

Question

我有一个情况,我们有一个MVC 2应用程序(我尝试使用基本的MVC 2应用程序,没有任何额外的东西,仍然是同样的问题),并使用adfs 2来验证我的用户.

所以..现在我进入我的应用程序,我得到以下.. ID3206:SignInResponse消息可能只在当前Web应用程序中重定向:'/ [app]'是不允许的.描述:执行当前Web请求期间发生未处理的异常.请查看堆栈跟踪以获取有关错误及其源自代码的位置的更多信息.异常详细信息:Microsoft.IdentityModel.Protocols.FederationException:ID3206:SignInResponse消息只能在当前Web应用程序中重定向:不允许使用'/ [app]'.

我已经阅读了大部分博客,并发布到一个..

    <federatedAuthentication>
            <wsFederation passiveRedirectEnabled="true" issuer="https://auth.[domain]/adfs/ls/" realm="https://[development domain]/[app]/" requireHttps="true" />
            <cookieHandler requireSsl="true" />
          </federatedAuthentication>
<audienceUris>
    <add value="https://[development domain]/[app]/" />
  </audienceUris>

1. 我对领域和观众有一个尾随的斜线.
2. 我已将他建议的内容添加到Application_BeginRequest中 - 然后我将代码复制到[开发域],就像证书所在的那样..它只是陷入了无限循环.
3. 我还检查了日内瓦服务器上的依赖方..标识符和端点(POST)都是https:// [开发域名]/[app]/ - 再次使用尾部斜杠

我认为这是一个MVC应用程序的问题,我已经在default.aspx页面创建了许多Claims Aware网站并获得了我的声明等.我的想法是,与MVC应用程序有关的路由以某种方式将其错误地发布？

任何帮助真的有点像我正在看这个安静一段时间现在无济于事..

Ĵ

Answer 1

我一直在撕扯我的头发.我也有配置中指定的尾部斜杠.事实证明,在我的情况下,在浏览器中使用尾部斜杠导航到我的应用程序,如下所示:

HTTP://本地主机/ MyApp的/

会工作,而

HTTP://本地主机/ MYAPP

将不会.

如果我能找到更多原因,为什么会出现这种情况,我会补充更多关于为什么会这样的背景.

Answer 2

我重写了RedirectToIdentityProvideron的子类WSFederationAuthenticationModule.在重定向到STS之前,这只发生一次.你必须告诉配置文件使用这个类FixedWSFederationAuthenticationModule而不是defualtWSFederationAuthenticationModule

public class FixedWSFederationAuthenticationModule : WSFederationAuthenticationModule
{
    public override void RedirectToIdentityProvider(string uniqueId, string returnUrl, bool persist)
    {
        //This corrects WIF error ID3206 "A SignInResponse message may only redirect within the current web application:"
        //First Check if the request url doesn't end with a "/"
        if (!returnUrl.EndsWith("/"))
        {
            //Compare if Request Url +"/" is equal to the Realm, so only root access is corrected
            //https://localhost/AppName plus "/" is equal to https://localhost/AppName/
            //This is to avoid MVC urls
            if (String.Compare(System.Web.HttpContext.Current.Request.Url.AbsoluteUri + "/", base.Realm, StringComparison.InvariantCultureIgnoreCase) == 0)
            {
                //Add the trailing slash
                returnUrl += "/";
            }
        }
        base.RedirectToIdentityProvider(uniqueId, returnUrl, persist);
    }
}

Answer 3

这段代码负责(把它放在global.asax中):

private void Application_BeginRequest(object sender, EventArgs e)
{
//  This corrects WIF error ID3206 "A SignInResponse message may only redirect within the current web application: '/NHP' is not allowed."
//  For whatever reason, accessing the site without a trailing slash causes this error.
if (String.Compare(Request.Path, Request.ApplicationPath, StringComparison.InvariantCultureIgnoreCase) == 0 && !(Request.Path.EndsWith("/")))
Response.Redirect(Request.Path + "/");
}

编辑:

另一件要检查的是Web.config中microsoft.identityModel中的federationAuthentication/wsFederation元素.验证颁发者和领域是否正确.

Answer 4

我正在使用WIF表单身份验证.表单auth模块将未经授权的请求重定向到正确的控制器并将最初请求的URL存储在ReturnUrl参数中,因此我通过覆盖该GetReturnUrlFromResponse方法解决了这个问题.

/// <summary>
/// Provides a workaround for a bug in the standard authentication module.
/// </summary>
/// <remarks>
/// This class corrects WIF error ID3206 "A SignInResponse message may only
/// redirect within the current web application..."
/// WSFAM produces the error when the ReturnUrl is the root of the web application,
/// but doesn't have a trailing slash. For instance, "/app" is considered incorrect
/// by WSFAM whereas "/app/" is correct.
/// </remarks>
public class FixedWsFederationAuthenticationModule : System.IdentityModel.Services.WSFederationAuthenticationModule
{
    /// <summary>
    /// Extracts the URL of the page that was originally requested from
    /// the sign-in response.
    /// </summary>
    /// <returns>
    /// The URL of the page that was originally requested by the client.
    /// This is the URL (at the relying party) to which the client should
    /// be redirected following successful sign-in.
    /// </returns>
    /// <param name="request">
    /// The HTTP request that contains a form POST, which contains the
    /// WS-Federation sign-in response message.
    /// </param>
    protected override string GetReturnUrlFromResponse(HttpRequestBase request)
    {
        string returnUrl = base.GetReturnUrlFromResponse(request);

        // First Check if the request url doesn't end with a "/"
        if (!string.IsNullOrEmpty(returnUrl) && !returnUrl.EndsWith("/"))
        {
            // Compare if (return Url +"/") is equal to the Realm path,
            // so only root access is corrected.
            // /AppName plus "/" is equal to /AppName/
            // This is to avoid MVC urls.
            if (string.Compare(
                returnUrl + "/",
                new Uri(Realm).LocalPath,
                StringComparison.InvariantCultureIgnoreCase) == 0)
            {
                // Add the trailing slash.
                returnUrl += "/";
            }
        }

        return returnUrl;
    }
}

要使用此类,需要在web.config中注册它.将此元素添加到该system.webServer/modules部分,更改相应的部分:

<add name="WSFederationAuthenticationModule" type="YOUR_NAMESPACE.FixedWsFederationAuthenticationModule, YOUR_ASSEMBLY" preCondition="managedHandler" />