基于 WIF 的身份验证不联系 STS 颁发者 [英] WIF Based Authentication Does Not Contact STS Issuer
问题描述
我正在尝试针对我们的内部 STS 服务器使用基于声明的身份验证构建一个 asp.net 4.7 (v4.5 WIF).我们有较旧的工作 .Net 应用程序(<4.5)可以成功获得声明.
I am attempting to build an asp.net 4.7 (v4.5 WIF) using claims based authentication against our internal STS server. We have older working .Net apps (< 4.5) that can successfully get claims.
问题在于新应用从不联系 STS 服务器.
The issue is that the new app never contacts the STS server.
我推测失败在于我如何设置联合 web.config 与旧的.这是我的最新配置,不工作,然后是使用旧身份进程 (WIF 3.5) 工作的配置.
I surmise the failure is in how I am setting up the federation web.config vs the old. Here is my latest config, non working, followed by a config that works using the old identity process (WIF 3.5).
<system.identityModel>
<identityConfiguration>
<audienceUris>
<add value="urn:jabberwocky" />
</audienceUris>
<issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<trustedIssuers>
<add thumbprint="{MyThumbprint}" name="https://{MyIssuerURL}" />
</trustedIssuers>
</issuerNameRegistry>
<certificateValidation certificateValidationMode="None" />
</identityConfiguration>
</system.identityModel>
<system.identityModel.services>
<federationConfiguration>
<cookieHandler requireSsl="false" />
<wsFederation passiveRedirectEnabled="true"
issuer="https://{MySTSUrl}"
realm="urn:jabberwocky"
reply="http://localhost:44301/"
requireHttps="true" />
</federationConfiguration>
</system.identityModel.services>
V3.5 WIF web.config(旧 4.0 项目)
<microsoft.identityModel>
<service>
<audienceUris>
<add value="urn:Jabberwocky" />
</audienceUris>
<certificateValidation certificateValidationMode="None" />
<claimsAuthenticationManager type="{Namespace}.MyAuthenticationManager, {Namespace}" />
<federatedAuthentication>
<wsFederation passiveRedirectEnabled="true"
issuer="https://{MySTSUrl}"
requireHttps="true"
realm="urn:Jabberwocky" />
<cookieHandler requireSsl="true" />
</federatedAuthentication>
<issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<trustedIssuers>
<add thumbprint="{MyThumbprint}" name="https://{MyIssuerURL}" />
</trustedIssuers>
</issuerNameRegistry>
</service>
</microsoft.identityModel>
- 我知道它不会影响 STS 服务器,因为我使用无效的
audienceUris
值作为测试,而且我不会像在旧项目中那样被服务器拒绝.立> - 我觉得这与旧版中缺少
federatedAuthentication
值有关,但在新版中找不到. - I know it does not hit the STS server because I use an invalid
audienceUris
value as a test, and I don't get rejected by the server as I would in the old project. - I sense it has something to do with the missing
federatedAuthentication
value in the old but not found in the new.
推荐答案
至于您当前的配置,请确保 SAM 和 FAM 模块都在那里.
As for your current config, make sure both SAM and FAM modules are there.
如果您想控制正在发生的事情,我建议改用程序化方法.看看我的教程.
If you want to control what's going on, I suggest switching to programmatic approach. Take a look at my tutorial.
这篇关于基于 WIF 的身份验证不联系 STS 颁发者的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!