SAML Audience error using Live ID STS with Claim Aware App with Managed STS scenario
Question
I am running through the Claim Aware App with Managed STS sample in Geneva Framework Beta 1 trying to attach to the Live ID STS.
I am being redirected to the Live ID STS and I appear to be receiving a RequestSecurityTokenResponse xml document back from the STS however I get the following error when it redirects back to the local web application:
Exception Details: System.UriFormatException: Invalid URI: The format of
the URI could not be determined.
Source Error:
An unhandled exception was generated during the execution of the
current web request. Information regarding the origin and location of the
exception can be identified using the exception stack trace below.
Stack Trace:
[UriFormatException: Invalid URI: The format of the URI could not be determined.]
This error appears to be caused by parsing the saml:Audience in the response as a URI.
The SAML response I am receiving from the Live ID STS is:
<wst:RequestSecurityTokenResponse xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
<wst:RequestedSecurityToken>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="uuid-59e136e2-2c94-4374-ad8f-0a7257411f48" IssueInstant="2008-12-03T11:41:54Z" Issuer="uri:WindowsLiveID" MajorVersion="1" MinorVersion="1">
<saml:Conditions NotBefore="2008-12-03T11:41:54Z" NotOnOrAfter="2008-12-03T19:41:54Z">
<saml:AudienceRestrictionCondition>
<saml:Audience>win-7pc751qmfqi.dev.smoore.local</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AuthenticationStatement AuthenticationInstant="2008-12-03T11:41:54Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
<saml:Subject>
<saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">00060000809FA52C@Live.com</saml:NameIdentifier>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
<Reference URI="#uuid-59e136e2-2c94-4374-ad8f-0a7257411f48">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>TTXef+vusYacfTnBHGGRaLwKB3g=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
ontjpOfl9Tfoter3E6drF8jPyaJXNlEV1A88rPcqLHF9aZoaj7XbGj2Th5buZc35/ywd6Kpm61ML
Fik+56/raqsNTfznjBKtHApPI5hd/l6zNVRKMRWQeAcRnop5bR6Zv808ajdZhvF4ZCioTu2qiSG1
zGPKLKHmPQlPir2C7OA=
</SignatureValue>
<KeyInfo>
<X509Data>
<X509SKI>VbJyIcGL0AjB4/Wm4DqUZux6uUk=</X509SKI>
</X509Data>
<KeyName>Window Live ID</KeyName>
</KeyInfo>
</Signature>
</saml:Assertion>
</wst:RequestedSecurityToken>
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
<wsa:Address>http://win-7pc751qmfqi.dev.smoore.local</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
</wst:RequestSecurityTokenResponse>
Any thoughts??
thanks,
Steve
Geneva Framework expects audiences to be valid URLs because we will attempt to match the incoming audience restriction with the current endpoint.
You need to configure the Live STS to issue a fully qualified URI. I'm not too familiar with the Live STS policy configuration, but at some point you will be able to enter a relying party identifier. Make sure this is the full address to the relying party endpoint.
Alternatively, you can add additional audiences in the RP config to match whatever the Live STS sends to you; however, you will still be limited to valid URLs.
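The check the answer describes, written out as an added example (not Geneva Framework code): the relying party extracts saml:Audience from the SAML 1.1 assertion, rejects anything that is not an absolute URI (the bare host name from the question fails here), and then requires a match against its own configured audience list so a token issued for another endpoint cannot be replayed against this one. The accepted audience set and the unsigned assertion fragment are constructed for the example.

```python
"""Audience-restriction check for a SAML 1.1 assertion (added example).

Assumptions (not from the original post): the relying party's accepted
audience URIs are held in ACCEPTED_AUDIENCES; the assertion fragment is a
constructed, unsigned copy of the Conditions element seen in the question.
"""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
# Hypothetical RP configuration: the full address of the RP endpoint.
ACCEPTED_AUDIENCES = {"http://win-7pc751qmfqi.dev.smoore.local/"}


def assertion_with_audience(audience: str) -> str:
    """Constructed SAML 1.1 assertion carrying the given saml:Audience value."""
    return f"""<saml:Assertion xmlns:saml="{SAML1}" MajorVersion="1" MinorVersion="1">
  <saml:Conditions NotBefore="2008-12-03T11:41:54Z" NotOnOrAfter="2008-12-03T19:41:54Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
</saml:Assertion>"""


def is_absolute_uri(value: str) -> bool:
    """True only for an absolute URI with both a scheme and a host."""
    parts = urlparse(value)
    return bool(parts.scheme) and bool(parts.netloc)


def check_audience(assertion_xml: str, accepted=ACCEPTED_AUDIENCES) -> str:
    """Return 'ok', 'no-audience', 'invalid-uri' or 'mismatch' for the assertion."""
    root = ET.fromstring(assertion_xml)
    audiences = [a.text.strip() for a in root.iter(f"{{{SAML1}}}Audience") if a.text]
    if not audiences:
        return "no-audience"          # an unrestricted token is not accepted either
    seen = set()
    for aud in audiences:
        if not is_absolute_uri(aud):  # e.g. "win-7pc751qmfqi.dev.smoore.local"
            return "invalid-uri"
        seen.add(aud.rstrip("/") + "/")  # normalise the trailing slash before matching
    if seen & {a.rstrip("/") + "/" for a in accepted}:
        return "ok"
    return "mismatch"                 # issued for some other relying party
```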