我使用以下代码来配置 Saml2
public static void ConfigureSaml2(this IServiceCollection services, IConfiguration configuration)
{
services.Configure<Saml2Configuration>(configuration.GetSection(Saml2Section));
services.Configure<Saml2Configuration>(saml2Configuration =>
{
var signingCertificateName = configuration.GetValue<string>($"{Saml2Section}:{SigningCertificateName}");
var signatureCertificateName = configuration.GetValue<string>($"{Saml2Section}:{SignatureCertificateName}");
Configure(saml2Configuration, signingCertificateName, signatureCertificateName);
});
services.AddSaml2(slidingExpiration: true);
}
private static void Configure(Saml2Configuration saml2Configuration, string signingCertificateName, string signatureCertificateName)
{
saml2Configuration.SignAuthnRequest = true;
saml2Configuration.AllowedIssuer = saml2Configuration.SingleSignOnDestination.ToString();
saml2Configuration.SigningCertificate = CertificateUtil.Load(
StoreName.My, StoreLocation.CurrentUser, X509FindType.FindBySubjectDistinguishedName, signingCertificateName);
saml2Configuration.SignatureValidationCertificates.Add(
CertificateUtil.Load(StoreName.My, StoreLocation.CurrentUser, X509FindType.FindBySubjectDistinguishedName, signatureCertificateName));
saml2Configuration.AllowedAudienceUris.Add(saml2Configuration.Issuer);
saml2Configuration.CustomCertificateValidator = new Saml2CertificateValidator
{
CertificateValidationMode = saml2Configuration.CertificateValidationMode,
RevocationMode = saml2Configuration.RevocationMode,
TrustedStoreLocation = StoreLocation.CurrentUser
};
saml2Configuration.CertificateValidationMode = X509CertificateValidationMode.Custom;
}
应用程序托管在 Azure …
我通过HTTP重定向绑定收到SAML请求,SAML请求的内容如下所示
{ "SigAlg"=> " http://www.w3.org/2000/09/xmldsig#rsa-sha1 ", "SAMLRequest"=>"lVLLaoQwFP0VyT5jEqPG4AiFoSDMtNApXXQzxDxaQRObRDqfX3XoolAKXd7DPQ/uuXUQ4zDxo3tzc3zSH7MOMWkPe3DpcixzVVVQl4RBqoiCncEYEmkoY7k00hCQvGgfemf3gOwQSNoQZt3aEIWNC4RwCRGGiD6jkmPMs2KHUPYKksPi0lsRN + Z7jFPgafqpvejtbtQpSK7jYAPfsu3B7C13IvSBWzHqwKPk57vTkS + WfPIuOukG0NSbub9R/yaJELRfzUGzrhmtFut15qdeeheciY926K2u05toUz8sIu0huXd + FPFv9RXpFTTbKp/WA4WobQT/jEYrykwhNaQ66yDNMwY7wijEtMCmysqqo6xOb8Ga + tbjWYe1jtYqfW0uCucoYwWCHS3F0kRGoajWTpAiiJRZJRmu01 Y3 + CPt2i + AA =="}
它还具有Signature值
WkDaGzC6vPTlzh + EnFA5/8IMmV7LviyRh2DA5EHF0K0nl + xzBlKfNCYRnunpwoEvGhereGdI5xBpv + mc9IguiCaLZSZjDh6lIDdpvctCnmSNzORqzWQwQGeZ9vjgtCLjUn35VZLNs3WgEqbi2cL + ObrUDS2gV1XvBA3Q3RRhoDmi + XE89Ztnd1cNpR3XdA + EL2ENbMI2XAD9qSgMufUJY/3GBBpT7Vg1ODtPxBudq + sXrgPh/+ + WtUUitLkkfC8tdRTCS1EZPv h27I5g/VNza23Xl8w2HdAuYP0F2FjREo8VV2aUtaOUd/jAF9 + bfkGV93y1PzFttLxdBbFoxp6qBg ==
但我不明白如何验证此签名是否正确.
有关SAML绑定的第3.4.4.1节https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf
To construct the signature, a string consisting of the concatenation of the RelayState (if present),
SigAlg, and SAMLRequest (or SAMLResponse) query string parameters (each one URLencoded)
is constructed in one of the following ways …我们的大学已使用Shibboleth迁移到基于SAML的身份验证/授权方法.
我一直在研究如何将SAML与.net核心Web应用程序结合使用.我不能使用Identity Server 4,因为它是OaTH/Open ID.我在msdn上找到了一些指向商业实现的文档.我在一年前遇到过这个SO答案,说Kentor可能在将来支持它,但在github页面上找不到任何关于支持.net核心或.net核心示例Web应用程序的内容.截至1月份仍有计划,但没有日期.
大学有身份提供者运行.我不明白的是以下内容:
此外,任何使用SAML而不使用商业插件的示例应用程序将不胜感激.
将 ITfoxtec 用于 ASP.NET Core 3.0 时遇到问题。
作为上下文,我试图在 Web 应用程序和第三方登录服务之间建立连接。为了预先封装一些可能性,第三方可以访问我们的元数据 url 并为我们的 web 应用程序配置他们的服务。
所需的用户工作流程:
目前采取的步骤:
"Saml2": {
"IdPMetadata": "wwwroot/SAML/Metadata.xml",
"Issuer": "myIssuerName",
"SignatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
"CertificateValidationMode": "ChainTrust",
"RevocationMode": "NoCheck",
"SigningCertificateFile": "\\licenses\\certificate.pfx",
"SigningCertificatePassword": "password1"
},
services
.Configure<Saml2Configuration>(Configuration.GetSection("Saml2"))
.Configure<Saml2Configuration>(configuration =>
{
configuration.SigningCertificate = CertificateUtil.Load(
$"{Environment.WebRootPath}{Configuration["Saml2:SigningCertificateFile"]}",
Configuration["Saml2:SigningCertificatePassword"]);
configuration.AllowedAudienceUris.Add(configuration.Issuer);
var entityDescriptor = new EntityDescriptor();
entityDescriptor.ReadIdPSsoDescriptorFromFile(Configuration["Saml2:IdpMetadata"]);
if (entityDescriptor.IdPSsoDescriptor == null) throw new Exception("Failed to read the metadata."); …我正在尝试使用 ITFoxtec-saml 和 Auth0 作为 IdP。但在 ACS 上,我收到以下错误:
ITfoxtec.Identity.Saml2.Cryptography.InvalidSignatureException: Signature is invalid.
at ITfoxtec.Identity.Saml2.Saml2Request.ValidateXmlSignature(SignatureValidation documentValidationResult) in C:\Documents\Repos\ITfoxtec.Identity.Saml2-master\ITfoxtec.Identity.Saml2-master\src\ITfoxtec.Identity.Saml2\Request\Saml2Request.cs:line 237
at ITfoxtec.Identity.Saml2.Saml2Request.Read(String xml, Boolean validateXmlSignature) in C:\Documents\Repos\ITfoxtec.Identity.Saml2-master\ITfoxtec.Identity.Saml2-master\src\ITfoxtec.Identity.Saml2\Request\Saml2Request.cs:line 204
at ITfoxtec.Identity.Saml2.Saml2Response.Read(String xml, Boolean validateXmlSignature) in C:\Documents\Repos\ITfoxtec.Identity.Saml2-master\ITfoxtec.Identity.Saml2-master\src\ITfoxtec.Identity.Saml2\Request\Saml2Response.cs:line 66
at ITfoxtec.Identity.Saml2.Saml2AuthnResponse.Read(String xml, Boolean validateXmlSignature) in C:\Documents\Repos\ITfoxtec.Identity.Saml2-master\ITfoxtec.Identity.Saml2-master\src\ITfoxtec.Identity.Saml2\Request\Saml2AuthnResponse.cs:line 214
at ITfoxtec.Identity.Saml2.Saml2PostBinding.Read(HttpRequest request, Saml2Request saml2RequestResponse, String messageName, Boolean validateXmlSignature) in C:\Documents\Repos\ITfoxtec.Identity.Saml2-master\ITfoxtec.Identity.Saml2-master\src\ITfoxtec.Identity.Saml2\Bindings\Saml2PostBinding.cs:line 106
at ITfoxtec.Identity.Saml2.Saml2PostBinding.UnbindInternal(HttpRequest request, Saml2Request saml2RequestResponse, String messageName) in C:\Documents\Repos\ITfoxtec.Identity.Saml2-master\ITfoxtec.Identity.Saml2-master\src\ITfoxtec.Identity.Saml2\Bindings\Saml2PostBinding.cs:line 96
at ITfoxtec.Identity.Saml2.Saml2Binding`1.Unbind(HttpRequest request, Saml2Response saml2Response) in C:\Documents\Repos\ITfoxtec.Identity.Saml2-master\ITfoxtec.Identity.Saml2-master\src\ITfoxtec.Identity.Saml2\Bindings\Saml2Binding.cs:line 70
at TestWebAppCore.Controllers.AuthController.AssertionConsumerService() in C:\Documents\Repos\ITfoxtec.Identity.Saml2-master\ITfoxtec.Identity.Saml2-master\test\TestWebAppCore\Controllers\AuthController.cs:line 58
我正在尝试让我的 ASP.NET MVC Web 应用程序向多个 IdP 提供 SSO,并且我想知道是否可以使用 ITfoxtec.SAML2 库支持此场景。
我有许多不同的客户,其中一些客户希望将 SSO 与我的服务集成。每个客户端都有不同的子域(例如business1.myapp.com、business2.myapp.com等),我需要使用其名称的唯一部分来查找其元数据并生成一个配置,该配置将和他们顶嘴。
我看到的示例代码似乎支持更传统的一 IdP 到一 SP 场景。
此外,如果有人知道非核心 ASP.NET MVC 示例应用程序,我将非常感激知道在哪里可以找到它。