ID3206：登录响应只能在当前Web应用程序中重定向：不允许（url） [英] ID3206: A signin response may only redirect within the current web application: (url) is not allowed

问题描述

我已经看过有关此错误消息的其他帖子，但仅当它们适用于自定义STS时。我正在使用日内瓦测试版2.我将我的网站添加为依赖方。我运行fedutil将我的依赖方站点链接到日内瓦服务器，一切看起来都很棒。对web.config进行了一些调整，以允许令牌通过请求验证。

现在，当我从Geneva服务器获取令牌时，我收到此错误消息。

我的应用程序的标识符如下所示：https：//server/app.Namespace
有一个ws-federation被动端点： https://server/app.Namespace

我没有加密令牌或其他任何内容，也没有完成任何自定义操作。

这是完整的堆栈跟踪：

I have seen other posts about this error message, but only when they apply to custom STS. I'm using Geneva beta 2. I add my website as a relying party. I ran fedutil to link my relying party site to the Geneva server and everything seems great. Did a few tweaks to the web.config to allow the token to pass through request validation. Now as soon as I get the token from the Geneva server, I get this error message. The identifier for my app looks like this : https://server/app.Namespace There is one ws-federation passive endpoint: https://server/app.Namespace I am not encrypting tokens or anything else and haven't done anything custom at all. Here is the full stack trace: [FederationException: ID3206: A signin response may only redirect within the current web application: '/test.Web' is not allowed.] Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request) +1064 Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +521 System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +266 我在.NET Reflector中做了一些讨论，看起来触发这个失败的东西就是这样的代码： < span style ="color ：＃1000a0"> if （！ControlUtil 。 IsAppRelative （ returnUrlFromResponse ）） 因此，无论出于何种原因，它认为我的应用程序的重定向URL是绝对的而不是相对的。有没有办法在Geneva Beta 2中修复/调试/解决这个问题？ .NET Addict - http：//dotnetaddict.dotnetdevelopersjournal .com

I did some poking around in .NET Reflector and it looks like the thing that triggers this failure is code that looks like this:
if (!ControlUtil.IsAppRelative(returnUrlFromResponse))

So, for whatever reason, it thinks that the redirect URL for my application is absolute instead of relative. Is there any way to fix/debug/troubleshoot this in Geneva Beta 2?

---

The .NET Addict - http://dotnetaddict.dotnetdevelopersjournal.com

推荐答案

好的，这是一个非常荒谬的bug。

如果我点击了网址 https：// server / myapp / 然后重定向工作。当我点击 https：// server / myapp （没有斜杠）时，重定向不起作用（它认为我使用的是绝对的URI而不是亲戚。）
当然我有一个问题，我没有从日内瓦Beta 2服务器上取回名称 - 我的应用程序认为我已通过身份验证，但我的名字是空值。我是否需要手动将此声明作为依赖方的声明规则吐出？我认为它是自动为AD索赔做的吗？

Ok, so this is a pretty ridiculous bug.

If I hit the URL  https://server/myapp/ then the redirect works. When I hit https://server/myapp (with no trailing slash), then the redirect does NOT work (it thinks I'm using an absolute URI instead of relative).

Now of course I'm having an issue where i'm not getting the name back from the Geneva Beta 2 server - my app thinks I'm authenticated but my name is null. do I need to manually spit this claim back as a claim rule for the relying party? I thought it did this automatically for AD claims?

这篇关于ID3206：登录响应只能在当前Web应用程序中重定向：不允许（url）的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！