在Shibboleth IDP和Geneva Beta 2之间进行互通时的例外情况 [英] Exception when interworking between Shibboleth IDP and Geneva Beta 2

问题描述

我有一个简单的ASP.Net应用程序与日内瓦服务器一起工作。我现在正在尝试使用Shibboleth IDP。我可以从"选择登录选项"列表中选择IDP并重定向到IDP用户名和密码页面。假设我输入的用户名和密码正确，我将被重定向到日内瓦服务器上的/ FederationPassive /页面，该服务器出现MSIS7012错误。

在事件日志中，我得到：

联合身份验证服务在处理WS-Trust请求时遇到严重错误。
请求类型：http：//schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

附加数据
例外细节：
系统.IdentityModel.Tokens.SecurityTokenException：ID4153：无法从Saml2Assertion创建Saml2SecurityToken，因为它包含指定Address值的SubjectConfirmationData。默认情况下不支持强制执行此值。要自定义SubjectConfirmationData处理，请在Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ResolveSecurityKeys（Saml2Assertion断言）中扩展Saml2SecurityTokenHandler并覆盖ValidateConfirmationData。 ，SecurityTokenResolver解析器）
在Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadToken（XmlReader reader）
在Microsoft.IdentityModel.SecurityTokenService.SecurityTokenElement.get_SecurityToken（）
在Microsoft.IdentityServer.SecurityTokenService .MSISSecurityTokenService.GetOnBehalfOfContext（RequestSecurityToken请求，IClaimsPrincipal callerPrincipal，IClaimsPrincipal& principal，AuthenticationContext& authenticationContext）
在Microsoft.IdentityServer.SecurityTokenService.MSISSecurityTokenService.BeginGetScope（IClaimsPrincipal princip al，RequestSecurityToken请求，AsyncCallback回调，对象状态）
在Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue（IClaimsPrincipal principal，RequestSecurityToken请求，AsyncCallback回调，对象状态）
在Microsoft.IdentityModel.Protocols.WSTrust .WSTrustServiceContract.WSTrustServiceContractAsyncResult.BeginRST（IClaimsPrincipal authContext，RequestSecurityToken请求）
在Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginCore（消息requestMessage，AsyncCallback回调，对象状态，WSTrustRequestSerializer requestSerializer，WSTrustResponseSerializer responseSerializer，String requestAction，String responseAction ，String trustNamespace）

我可以重新配置东西以忽略SubjectConfirmationData吗？或者我是否需要找到一种在Shibboleth端关闭它的方法？

任何想法？

I've got a simple ASP.Net app working with a Geneva server. I'm now trying to get things working with a Shibboleth IDP.
I can choose the IDP from the list 'Select Sign In Options' and get redirected to the IDPs username and password page. Assuming I get the username and password correct I get redirected to the /FederationPassive/ page on the Geneva server which has an MSIS7012 error.

In the event log I get:

The Federation Service encountered a serious error while processing the WS-Trust request.
Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

Additional Data
Exception details:
System.IdentityModel.Tokens.SecurityTokenException: ID4153: A Saml2SecurityToken cannot be created from the Saml2Assertion because it contains a SubjectConfirmationData which specifies an Address value. Enforcement of this value is not supported by default. To customize SubjectConfirmationData processing, extend Saml2SecurityTokenHandler and override ValidateConfirmationData.
   at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateConfirmationData(Saml2SubjectConfirmationData confirmationData)
   at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ResolveSecurityKeys(Saml2Assertion assertion, SecurityTokenResolver resolver)
   at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadToken(XmlReader reader)
   at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenElement.get_SecurityToken()
   at Microsoft.IdentityServer.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfContext(RequestSecurityToken request, IClaimsPrincipal callerPrincipal, IClaimsPrincipal& principal, AuthenticationContext& authenticationContext)
   at Microsoft.IdentityServer.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
   at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.WSTrustServiceContractAsyncResult.BeginRST(IClaimsPrincipal authContext, RequestSecurityToken request)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginCore(Message requestMessage, AsyncCallback callback, Object state, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String trustNamespace)

Can I reconfigure things to just ignore the SubjectConfirmationData or do I need to find a way to turn it off on the Shibboleth end?

Any ideas?

推荐答案

嗨斯科特，

你需要在Shibboleth结束时关闭地址确认。 AD FS 2不支持验证此确认数据。

Hi Scott,

You will need to turn off the Address confirmation at the Shibboleth end.  AD FS 2 does not support validating this confirmation data.

这篇关于在Shibboleth IDP和Geneva Beta 2之间进行互通时的例外情况的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！