基于 WIF 的身份验证不联系 STS 颁发者 [英] WIF Based Authentication Does Not Contact STS Issuer

问题描述

我正在尝试针对我们的内部 STS 服务器使用基于声明的身份验证构建一个 asp.net 4.7 (v4.5 WIF).我们有较旧的工作 .Net 应用程序(<4.5)可以成功获得声明.

I am attempting to build an asp.net 4.7 (v4.5 WIF) using claims based authentication against our internal STS server. We have older working .Net apps (< 4.5) that can successfully get claims.

问题在于新应用从不联系 STS 服务器.

The issue is that the new app never contacts the STS server.

我推测失败在于我如何设置联合 web.config 与旧的.这是我的最新配置，不工作，然后是使用旧身份进程 (WIF 3.5) 工作的配置.

I surmise the failure is in how I am setting up the federation web.config vs the old. Here is my latest config, non working, followed by a config that works using the old identity process (WIF 3.5).

<system.identityModel>
    <identityConfiguration>
        <audienceUris>
            <add value="urn:jabberwocky" />
        </audienceUris>
        <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
            <trustedIssuers>
                <add thumbprint="{MyThumbprint}" name="https://{MyIssuerURL}" />
            </trustedIssuers>
        </issuerNameRegistry>
        <certificateValidation certificateValidationMode="None" />
    </identityConfiguration>
</system.identityModel>
<system.identityModel.services>
    <federationConfiguration>
        <cookieHandler requireSsl="false" />
        <wsFederation passiveRedirectEnabled="true"
                        issuer="https://{MySTSUrl}"
                        realm="urn:jabberwocky"
                        reply="http://localhost:44301/"
                        requireHttps="true" />
    </federationConfiguration>
</system.identityModel.services>

V3.5 WIF web.config(旧 4.0 项目)

<microsoft.identityModel>
  <service>
    <audienceUris>
      <add value="urn:Jabberwocky" />
    </audienceUris>
    <certificateValidation certificateValidationMode="None" />
    <claimsAuthenticationManager type="{Namespace}.MyAuthenticationManager, {Namespace}" />
    <federatedAuthentication>
      <wsFederation passiveRedirectEnabled="true" 
                    issuer="https://{MySTSUrl}" 
                    requireHttps="true" 
                    realm="urn:Jabberwocky" />
      <cookieHandler requireSsl="true" />
    </federatedAuthentication>
    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <trustedIssuers>
        <add thumbprint="{MyThumbprint}" name="https://{MyIssuerURL}" />
      </trustedIssuers>
    </issuerNameRegistry>
  </service>
</microsoft.identityModel>

---

• 我知道它不会影响 STS 服务器，因为我使用无效的 audienceUris 值作为测试，而且我不会像在旧项目中那样被服务器拒绝.
• 我觉得这与旧版中缺少 federatedAuthentication 值有关，但在新版中找不到.

---

• I know it does not hit the STS server because I use an invalid audienceUris value as a test, and I don't get rejected by the server as I would in the old project.
• I sense it has something to do with the missing federatedAuthentication value in the old but not found in the new.

推荐答案

至于您当前的配置，请确保 SAM 和 FAM 模块都在那里.

As for your current config, make sure both SAM and FAM modules are there.

如果您想控制正在发生的事情，我建议改用程序化方法.看看我的教程.

If you want to control what's going on, I suggest switching to programmatic approach. Take a look at my tutorial.

这篇关于基于 WIF 的身份验证不联系 STS 颁发者的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！