Skipping home realm discovery with Ws-Federation OWIN Middleware


Question

Our Mvc/WebAPI solution currently has four trusted identity providers which we have registered in ADFS3. Each of these identity providers can be used by our users by direct links, effectively working around any home-realm-cookies that ADFS may have created (eg: www.ourportal.com/accounts/facebook or www.ourportal.com/accounts/twitter). Currently we are migrating from WIF to OWIN but will keep using WS-Federation protocol for the time being by implementing wsfederation and cookie authentication middleware. When using WIF, we did the following in order to go directly to a known identity provider:

var signInRequest = new SignInRequestMessage(stsUrl, realm) { HomeRealm = homeRealm };
return new RedirectResult(signInRequest.WriteQueryString());


This seems to have two concerning behaviors: it does not pass the WsFedOwinState parameter, and on the return back to the Relying Party, the Home.cshtml is built (with a Windows principal) before the Owin authentication middleware is fired. The Home.cshtml being fired before the Owin middleware is the most concerning, as this view relies on Claims that are provided in the transformation done by the authentication pipeline, which is fired afterwards, and thus our view does not work. It works in the correct order when going to the portal in the normal way (eg www.ourportal.com).

I understand that in order to provide the Whr parameter, you do the following when configuring the ws-federation middleware:

RedirectToIdentityProvider = (context) =>
{
    context.ProtocolMessage.Whr = "SomeUrnOfAnIdentityProvider";
    return Task.FromResult(0);
}

but this sets a single identity provider for the whole solution and does not allow our users to go directly to one of a list of identity providers.

The non-working method which builds the sign-in-request is currently:

private RedirectResult FederatedSignInWithHomeRealm(string homeRealm)
{
    var stsUrl = new Uri(ConfigurationManager.AppSettings["ida:Issuer"]);
    string realm = ConfigurationManager.AppSettings["ida:Audience"];

    var signInRequest = new SignInRequestMessage(stsUrl, realm)
    {
        HomeRealm = homeRealm
    };
    HttpContext.Request.GetOwinContext().Authentication.SignOut(CookieAuthenticationDefaults.AuthenticationType);
    return new RedirectResult(signInRequest.WriteQueryString());
}

The ws-federation and cookie middleware are configured as the first middleware in OWIN startup and the default authentication is set to app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

Answer

I think I found a solution. The new method for skipping the home realm screen would be like this:

private void FederatedSignInWithHomeRealm(string homeRealm)
{
    HttpContext.Request
               .GetOwinContext()
               .Authentication
               .SignOut(CookieAuthenticationDefaults.AuthenticationType);
    var authenticationProperties = new AuthenticationProperties { RedirectUri = "/" };
    authenticationProperties.Dictionary.Add("DirectlyToIdentityProvider", homeRealm);
    HttpContext.GetOwinContext().Authentication.Challenge(authenticationProperties);
}

And the OWIN WS-Federation middleware would be configured like this:

app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
{
    Notifications = new WsFederationAuthenticationNotifications()
    {
        RedirectToIdentityProvider = notification =>
        {
            string homeRealmId = null;
            var authenticationResponseChallenge = notification.OwinContext
                                                              .Authentication
                                                              .AuthenticationResponseChallenge;
            var setIdentityProvider = authenticationResponseChallenge != null 
                                      && authenticationResponseChallenge.Properties
                                                                        .Dictionary
                                                                        .TryGetValue("DirectlyToIdentityProvider", out homeRealmId);
            if (setIdentityProvider)
            {
                notification.ProtocolMessage.Whr = homeRealmId;
            }
            return Task.FromResult(0);
        }
    },
    MetadataAddress = wsFedMetadata,
    Wtrealm = realm,
    SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
    TokenValidationParameters = new TokenValidationParameters
    {
        ValidAudience = realm
    }
});
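As an added example (not code from the question or the answer above), the same DirectlyToIdentityProvider hand-off, with the provider key taken from a direct link such as /accounts/facebook resolved against an allow-list before it reaches whr, so an arbitrary value from the URL is never forwarded to ADFS; the controller, route, property key and placeholder URNs are assumptions, and the notification re-checks the value on the way out.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;

public class AccountsController : Controller
{
    public const string PropertyKey = "DirectlyToIdentityProvider";
    // Allow-list of link keys to ADFS claims-provider identifiers (placeholder URNs, assumed).
    public static readonly Dictionary<string, string> KnownProviders =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "facebook", "urn:example:facebook-placeholder" },
            { "twitter",  "urn:example:twitter-placeholder" }
        };

    // GET /accounts/{provider}, e.g. /accounts/facebook (route assumed).
    public ActionResult SignIn(string provider)
    {
        string homeRealm;
        if (provider == null || !KnownProviders.TryGetValue(provider, out homeRealm))
            return HttpNotFound();                // unknown key is never forwarded to ADFS as whr
        var auth = HttpContext.GetOwinContext().Authentication;
        auth.SignOut(CookieAuthenticationDefaults.AuthenticationType);
        var props = new AuthenticationProperties { RedirectUri = Url.Content("~/") };
        props.Dictionary[PropertyKey] = homeRealm;   // round-trips inside the protected wctx state
        auth.Challenge(props, WsFederationAuthenticationDefaults.AuthenticationType);
        return new HttpUnauthorizedResult();       // the 401 lets the middleware issue the redirect
    }

    // Assign to WsFederationAuthenticationOptions.Notifications in Startup.
    public static readonly WsFederationAuthenticationNotifications Notifications =
        new WsFederationAuthenticationNotifications
        {
            RedirectToIdentityProvider = n =>
            {
                var challenge = n.OwinContext.Authentication.AuthenticationResponseChallenge;
                string homeRealm;
                if (challenge != null
                    && challenge.Properties.Dictionary.TryGetValue(PropertyKey, out homeRealm)
                    && KnownProviders.ContainsValue(homeRealm))   // re-check against the allow-list
                    n.ProtocolMessage.Whr = homeRealm;            // skip HRD for this realm only
                return Task.FromResult(0);
            }
        };
}
```

Without the property in the challenge, the notification leaves Whr unset and ADFS shows its normal home realm discovery page.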
