使用带有管理STS方案的声明感知应用的Live ID STS的SAML受众错误 [英] SAML Audience error using Live ID STS with Claim Aware App with Managed STS scenario

问题描述

我正在使用日内瓦框架Beta 1中的Managed STS示例的声明感知应用程序尝试附加到Live ID STS。

我正被重定向到Live ID STS，我似乎正在接收从STS返回的RequestSecurityTokenResponse xml文档但是当它重定向回本地Web应用程序时出现以下错误：

异常详细信息： System.UriFormatException：无效的URI：格式为
无法确定URI。

来源错误：

在执行 当前Web请求期间生成了未处理的异常。可以使用下面的异常堆栈跟踪来识别有关 异常的来源和位置的信息。

堆栈跟踪：




< tr>

[UriFormatException：无效的URI：无法确定URI的格式。] 系统。 Uri.CreateThis（String uri，Boolean dontEscape，UriKind uriKind）+5366560 System.Uri..ctor（String uriString）+20 Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ReadAudienceRestrictionCondition（XmlReader reader）+204 Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ReadCondition（XmlReader reader）+54 Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ReadConditions（XmlReader reader）+397 Microsoft.IdentityModel.Tokens.Saml11 .Saml11SecurityTokenHandler.ReadAssertion（XmlReader reader）+700 Microsoft.IdentityModel.Tokens.Saml11 .Saml11SecurityTokenHandler.ReadToken（XmlReader reader）+16 Microsoft.IdentityModel.Tokens.SecurityTokenSerializerAdapter.ReadTokenCore（XmlReader reader，SecurityTokenResolver tokenResolver）+112 System.IdentityModel.Selectors.SecurityTokenSerializer.ReadToken（XmlReader reader，SecurityTokenResolver tokenResolver） +25 Microsoft.IdentityModel.Web.FederatedAuthentication.ReadToken（XmlReader reader，SecurityTokenSerializer securityTokenSerializer）+19 Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.GetSecurityToken（String tokenXml，SecurityTokenSerializer securityTokenSerializer）+146 Microsoft.IdentityModel .Web.WSFederationAuthenticationModule.GetSecurityToken（String tokenXml）+154 Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.GetSecurityToken（SignInResponseMessage message）+23 Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.GetSecurityToken（HttpRequest request）+23 Microsoft.IdentityModel.Web.Federa tedAuthenticationModuleBase.AuthenticationCore（）+ 541 Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.AuthenticationCore（）+ 5 Microsoft.IdentityModel.Web.FederatedAuthenticationModuleBase.OnAuthenticateRequest（Object sender，EventArgs args）+43 System.Web .SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute（）+ 68 System.Web.HttpApplication.ExecuteStep（IExecutionStep step，Boolean& completedSynchronously）+75

此错误似乎是由于将响应中的saml：audience解析为uri。


我从Live ID STS收到的SAML响应是：


< wst：RequestSecurityTokenResponse xmlns：wst =" http：// schemas。 xmlsoap.org/ws/2005/02/trust">
< wst：RequestedSecurityToken>
< saml：断言xmlns：saml =" urn：oasis：names：tc：SAML：1.0：断言" ; AssertionID = QUOT; UUID-59e136e2-2c94-4374-ad8f-0a7257411f48" IssueInstant = QUOT; 2008-12-03T11：41：54Z"发行者= QUOT; URI：的WindowsLiveID" MajorVersion = QUOT 1 QUOT; MinorVersion =" 1">
< saml：Conditions NotBefore =" 2008-12-03T11：41：54Z" NotOnOrAfter =" 2008-12-03T19：41：54Z">
< saml：AudienceRestrictionCondition>
< saml：Audience> win-7pc751qmfqi.dev.smoore.local< / saml：Audience> < br>< / saml：AudienceRestrictionCondition>
< / saml：条件>
< saml：AuthenticationStatement AuthenticationInstant =" 2008-12-03T11：41：54Z" AuthenticationMethod =" urn：oasis：names：tc：SAML：1.0：am：password">
< saml：Subject>
< saml：NameIdentifier Format =" http：//schemas.xmlsoap .org / claims / UPN"> 00060000809FA52C@Live.com< / saml：NameIdentifier>
< / saml：Subject>
< / saml：AuthenticationStatement>
< Signature xmlns =" http://www.w3.org/2000/09/xmldsig#">
< SignedInfo>
< CanonicalizationMethod Algorithm =" http：//www.w3.org/2001/10 / xml-exc-c14n＃">< / CanonicalizationMethod>
< SignatureMethod Algorithm =" http：//www.w3.org/2000/09/xmldsig#rsa-sha1">< / SignatureMethod>
< Reference URI ="＃uuid-59e136e2-2c94-4374-ad8f-0a7257411f48">
< Transforms>
< Transform Algorithm =" http：// www .w3.org / 2000/09 / xmldsig＃enveloped-signature">< / Transform>
< Transform Algorithm =" http：//www.w3.org/2001/10/xml-exc-c14n#">< / Transform>
< / Transforms>
< DigestMethod Algorithm =" http：//www.w3.org/2000/09/xmldsig#sha1">< / DigestMethod>
< ; DigestValue> TTXef + vusYacfTnBHGGRaLwKB3g =< / DigestValue>
< / SignInfo>
< / SignatureValue>
ontjpOfl9Tfoter3E6drF8jPyaJXNlEV1A88rPcqLHF9aZoaj7XbGj2Th5buZc35 / ywd6Kpm61ML

Fik + 56 / raqsNTfznjBKtHApPI5hd / l6zNVRKMRWQeAcRnop5bR6Zv808ajdZhvF4ZCioTu2qiSG1

zGPKLKHmPQlPir2C7OA =
< / SignatureValue>
< KeyInfo>
< X509Data>
< X509SKI> VbJyIcGL0AjB4 / Wm4DqUZ ux6uUk =< / X509SKI>
< / X509Data>
< KeyName> Window Live ID< / KeyName>
< / KeyInfo>
< / Signature>
< / saml：断言>
< / wst：RequestedSecurityToken>
< wsp：AppliesTo xmlns：wsp =" http：//schemas.xmlsoap.org/ws/2004/09/policy"> < br>< wsa：EndpointReference xmlns：wsa =" http：//schemas.xmlsoap.org/ws/2004/08/addressing">
< wsa：地址> http：// win-7pc751qmfqi。 dev.smoore.local< / wsa：地址>
< / wsa：EndpointReference>
< / wsp：AppliesTo>
< / wst：RequestSecurityTokenResponse>


任何想法??

谢谢，

Steve

解决方案

Geneva Framework希望受众群体成为有效的URL因为我们将尝试将传入的受众限制与当前端点进行匹配。

您需要配置要发布的Live STS完全限定的URI。我对Live STS策略配置不太熟悉，但在某些时候您可以输入依赖方标识符。确保这是依赖方端点的完整地址。

或者，您可以在RP配置中添加其他受众以匹配Live STS发送给您的任何内容，但是，您仍将仅限于有效的URL

I am running through the Claim Aware App with Managed STS sample in Geneva Framework Beta 1 trying to attach to the Live ID STS.

I am being redirected to the Live ID STS and I appear to be receiving a RequestSecurityTokenResponse xml document back from the STS however I get the following error when it redirects back to the local web application:

Exception Details: System.UriFormatException: Invalid URI: The format of the URI could not be determined.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[UriFormatException: Invalid URI: The format of the URI could not be determined.] System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind) +5366560 System.Uri..ctor(String uriString) +20 Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ReadAudienceRestrictionCondition(XmlReader reader) +204 Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ReadCondition(XmlReader reader) +54 Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ReadConditions(XmlReader reader) +397 Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ReadAssertion(XmlReader reader) +700 Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ReadToken(XmlReader reader) +16 Microsoft.IdentityModel.Tokens.SecurityTokenSerializerAdapter.ReadTokenCore(XmlReader reader, SecurityTokenResolver tokenResolver) +112 System.IdentityModel.Selectors.SecurityTokenSerializer.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver) +25 Microsoft.IdentityModel.Web.FederatedAuthentication.ReadToken(XmlReader reader, SecurityTokenSerializer securityTokenSerializer) +19 Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.GetSecurityToken(String tokenXml, SecurityTokenSerializer securityTokenSerializer) +146 Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.GetSecurityToken(String tokenXml) +154 Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.GetSecurityToken(SignInResponseMessage message) +23 Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.GetSecurityToken(HttpRequest request) +23 Microsoft.IdentityModel.Web.FederatedAuthenticationModuleBase.AuthenticationCore() +541 Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.AuthenticationCore() +5 Microsoft.IdentityModel.Web.FederatedAuthenticationModuleBase.OnAuthenticateRequest(Object sender, EventArgs args) +43 System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +68 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75

 
This error appears to be caused by parsing the saml:audience in the response as a uri.


The SAML response I am receiving from the Live ID STS is:


<wst:RequestSecurityTokenResponse xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <wst:RequestedSecurityToken>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="uuid-59e136e2-2c94-4374-ad8f-0a7257411f48" IssueInstant="2008-12-03T11:41:54Z" Issuer="uri:WindowsLiveID" MajorVersion="1" MinorVersion="1">
      <saml:Conditions NotBefore="2008-12-03T11:41:54Z" NotOnOrAfter="2008-12-03T19:41:54Z">
        <saml:AudienceRestrictionCondition>
          <saml:Audience>win-7pc751qmfqi.dev.smoore.local</saml:Audience>
        </saml:AudienceRestrictionCondition>
      </saml:Conditions>
      <saml:AuthenticationStatement AuthenticationInstant="2008-12-03T11:41:54Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
        <saml:Subject>
          <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">00060000809FA52C@Live.com</saml:NameIdentifier>
        </saml:Subject>
      </saml:AuthenticationStatement>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
          <Reference URI="#uuid-59e136e2-2c94-4374-ad8f-0a7257411f48">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
            <DigestValue>TTXef+vusYacfTnBHGGRaLwKB3g=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>
          ontjpOfl9Tfoter3E6drF8jPyaJXNlEV1A88rPcqLHF9aZoaj7XbGj2Th5buZc35/ywd6Kpm61ML

          Fik+56/raqsNTfznjBKtHApPI5hd/l6zNVRKMRWQeAcRnop5bR6Zv808ajdZhvF4ZCioTu2qiSG1

          zGPKLKHmPQlPir2C7OA=
        </SignatureValue>
        <KeyInfo>
          <X509Data>
            <X509SKI>VbJyIcGL0AjB4/Wm4DqUZux6uUk=</X509SKI>
          </X509Data>
          <KeyName>Window Live ID</KeyName>
        </KeyInfo>
      </Signature>
    </saml:Assertion>
  </wst:RequestedSecurityToken>
  <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsa:EndpointReference xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
      <wsa:Address>http://win-7pc751qmfqi.dev.smoore.local</wsa:Address>
    </wsa:EndpointReference>
  </wsp:AppliesTo>
</wst:RequestSecurityTokenResponse>


Any thoughts??

thanks,

Steve

解决方案

Geneva Framework expects audiences to be valid URLs because we will attempt to match the incoming audience restriction with the current endpoint.

You need to configure the Live STS to issue a fully qualified URI. I'm not too familiar with the Live STS policy configuration, but at some point you will be able to enter a relying party identifier. Make sure this is the full address to the relying party endpoint.

Alternatively, you can add additional audiences in the RP config to match whatever the Live STS sends to you, however, you will still be limited to valid URLs.

这篇关于使用带有管理STS方案的声明感知应用的Live ID STS的SAML受众错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！