使用.NET访问跨域单点登录网站 [英] Access the cross domain single sign-on websites using .NET
问题描述
假设我有两个网站位于不同的域中,并且已经通过SSO登录进行了身份验证。我登录到第一个网站并进行身份验证,现在我决定使用第一个网站上显示的链接访问第二个网站。此链接重定向到第二个网站,无需凭据。 (请注意,这些网站是由其他公司开发和托管的,我无法访问源代码。我有一个登录凭据,我希望访问第二个网站的页面数据)
我尝试过:
我想使用.net代码访问网站。我做了一些工作,然后使用HTTP请求和重定向到第二个网站的cookie访问第一个网站的链接。但是在我点击链接后不久,它在新的浏览器选项卡中打开域2并生成新的会话ID。它与第一个网站cookie没有任何关联。但是当我手动传递网站2的URL和当前会话ID时,我可以访问网站2的数据。
SSO登录后是否有任何安全机制可以突破访问网站1和网站2的公共会话ID?如何在两个会话ID之间找到两个域之间的连接。我不能在这里发布代码,因为它有我客户的一些隐私信息。
Let's say I have two websites that live on separate domains, and they have been authenticated with SSO login. I log into the first website and authenticate, and now I decide to visit the second website using a link visible in 1st website. This link redirect to the second website and no credentials needed. (Note that these websites are developed and hosted by some other company and I don't have access to the source code. I have one login credentials and I am expecting to access the page data of second website)
What I have tried:
I want to access the websites using .net code. I have done some work and gone up to accessing the link of first website using HTTP requests and cookies which redirects to the second website. But soon after I clicked the link it open domain 2 in new browser tab and generates new session id as well. It doesn't have any connection with first website cookie. But I can access the data of website 2 when I pass the URL and current session id of website 2 manually.
Is there any security mechanism behind SSO login which can be break through to access the common session Id for both website 1 and website 2?How can I find the connection between two domains when they have two session Ids. I can't post the codes here as it have some privacy information of my client.
推荐答案
我解决了这个问题。从两个域发送到登录服务器的SAML请求和中继状态。即使它们不相同,我们在访问表单数据时也必须考虑它们。还有cookies我必须从第一次请求到最后一次请求发送pls_login_cookietime。
Ex:
var cookie =
new
{
pls_login_cookieTime = Cookietime.CookieValue(pls_login_cookieTime),
pls_login_SimpleSAMLSessionID = HttpUtility.UrlEncode(login.CookieValue(pls_login_SimpleSAMLSessionID)),
TimeOutCheckID = login.CookieValue(TimeOutCheckID),
pls_login_SimpleSAMLAuthToken = login.CookieValue( pls_login_SimpleSAMLAuthToken),
pls_login_rememberme = login.CookieValue(pls_login_rememberme)
这里Cookietime和登录是两个不同的URL访问,其中CookieTime是初始URL,登录包括登录服务器URL。即使登录不提供响应cookie为pls_login_cookieTime,我也必须将其作为请求标题传递给最终URL。
他们很少有混淆。如果您使用fiddler等工具来检查http请求,您可以了解他们在多个域中管理cookie的大部分内容。休息在你手中。你必须认真思考一点点。但总的来说并不困难。它只是混淆了。
I solved the problem. There was SAML request and relay state which were sent to login server from both domains. Even though they are not identical, we have to consider them when access the form data. Also with cookies I had to send pls_login_cookietime specifically from the very first request to last request.
Ex:
var cookie =
new
{
pls_login_cookieTime = Cookietime.CookieValue("pls_login_cookieTime"),
pls_login_SimpleSAMLSessionID = HttpUtility.UrlEncode(login.CookieValue("pls_login_SimpleSAMLSessionID")),
TimeOutCheckID = login.CookieValue("TimeOutCheckID"),
pls_login_SimpleSAMLAuthToken = login.CookieValue("pls_login_SimpleSAMLAuthToken"),
pls_login_rememberme =login.CookieValue("pls_login_rememberme")
Here Cookietime and login are two different url accessing where CookieTime is the initial url and login includes the login server url. Even though login doesn't provide response cookie as pls_login_cookieTime, I had to pass it for final url as request headers.
They were very little confusions. If you use tools like fiddler to check http requests you can understand most of the part how they have manged cookies in multiple domains. Rest is in your hand. You have to think little bit hard and differently. But overall it is not difficult. It is just confused only.
这篇关于使用.NET访问跨域单点登录网站的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
