不带身份的用于ASP.NET Core WebAPI的Sustainsys SAML2示例 [英] Sustainsys SAML2 Sample for ASP.NET Core WebAPI without Identity

问题描述

是否有人为仅适用于ASP.NET Core WebAPI的项目(无Mvc)的Sustainsys Saml2库提供了工作示例，没有ASP身份标识，还有什么更重要? github上提供的示例强烈依赖我不需要也不想使用的MVC和SignInManager.

Does anyone have a working sample for Sustainsys Saml2 library for ASP.NET Core WebAPI only project (no Mvc) and what's more important without ASP Identity? The sample provided on github strongly relies on MVC and SignInManager which I do not need nor want to use.

我添加了Saml2身份验证，起初它可以与我的IdP正常工作(我还检查了Sustainsys提供的StubIdP)，以便进行以下几个步骤:

I added Saml2 authentication and at first it worked fine with my IdP (I also checked the StubIdP provided by Sustainsys) for first few steps so:

• IdP元数据已正确加载
• 我的API正确重定向到登录页面
• 登录页面重定向到/Saml2/Acs页面，我在日志中看到它成功解析了结果

但是我不知道如何从那里继续前进并提取用户登录名和其他声明(我的IdP还提供了一封电子邮件，并且它已包含在我在日志中确认的SAML响应中).

However I don't know how to move forward from there and extract user login and additional claims (my IdP provided also an e-mail, and it is included in SAML response which I confirmed in the logs).

在网上找到一些示例并修改GitHub的MVC示例后，我做了以下事情:

Following some samples found on the web and modyfing a little bit the MVC Sample from GitHub I did the following:

在Startup.cs中:

In Startup.cs:

...
.AddSaml2(Saml2Defaults.Scheme,
                       options =>
                       {
                           options.SPOptions.EntityId = new EntityId("...");
                           options.SPOptions.ServiceCertificates.Add(...));
                           options.SPOptions.Logger = new SerilogSaml2Adapter();
                           options.SPOptions.ReturnUrl = new Uri(Culture.Invariant($"https://localhost:44364/Account/Callback?returnUrl=%2F"));

                           var idp =
                               new IdentityProvider(new EntityId("..."), options.SPOptions)
                               {
                                   LoadMetadata = true,
                                   AllowUnsolicitedAuthnResponse = true, // At first /Saml2/Acs page throwed an exception that response was unsolicited so I set it to true
                                   MetadataLocation = "...",
                                   SingleSignOnServiceUrl = new Uri("...") // I need to set it explicitly because my IdP returns different url in the metadata
                               };
                           options.IdentityProviders.Add(idp);
                       });

在AccountContoller.cs中(我尝试遵循

In AccountContoller.cs (I tried to follow a somewhat similar situation described at how to implement google login in .net core without an entityframework provider):

[Route("[controller]")]
[ApiController]
public class AccountController : ControllerBase
{
    private readonly ILog _log;

    public AccountController(ILog log)
    {
        _log = log;
    }

    [HttpGet("Login")]
    [AllowAnonymous]
    public IActionResult Login(string returnUrl)
    {
        return new ChallengeResult(
            Saml2Defaults.Scheme,
            new AuthenticationProperties
            {
                // It looks like this parameter is ignored, so I set ReturnUrl in Startup.cs
                RedirectUri = Url.Action(nameof(LoginCallback), new { returnUrl })
            });
    }

    [HttpGet("Callback")]
    [AllowAnonymous]
    public async Task<IActionResult> LoginCallback(string returnUrl)
    {

        var authenticateResult = await HttpContext.AuthenticateAsync(Constants.Auth.Schema.External);

        _log.Information("Authenticate result: {@authenticateResult}", authenticateResult);

// I get false here and no information on claims etc.
        if (!authenticateResult.Succeeded)
        {
            return Unauthorized();
        }

// HttpContext.User does not contain any data either


// code below is not executed
        var claimsIdentity = new ClaimsIdentity(Constants.Auth.Schema.Application);
claimsIdentity.AddClaim(authenticateResult.Principal.FindFirst(ClaimTypes.NameIdentifier));

        _log.Information("Logged in user with following claims: {@Claims}", authenticateResult.Principal.Claims);           

        await HttpContext.SignInAsync(Constants.Auth.Schema.Application, new ClaimsPrincipal(claimsIdentity));

        return LocalRedirect(returnUrl);
    }

TLDR:在我的ASP.NET Core WebApi项目中配置SAML看起来不错，并且在日志中检查了正确的声明后，我获得了成功响应.我不知道如何提取此数据(返回URL错误或我的回调方法应以不同的方式工作).同样，令人困惑的是为什么从SSO登录页面成功重定向被视为未经请求"，也许是问题所在?

TLDR: Configuration for SAML in my ASP.NET Core WebApi project looks fine, and I get success response with proper claims which I checked in the logs. I do not know how to extract this data (either return url is wrong or my callback method should work differently). Also, it is puzzling why successfuly redirect from SSO Sign-In page is treated as "unsolicited", maybe this is the problem?

感谢您的帮助

推荐答案

对于在此问题上仍需要帮助的任何人，我将一个完整的工作示例推送到github，该示例使用.Net Core WebAPI作为后端，并且使用Angular客户端使用WebAPI.您可以在此处找到示例:

For anyone who still needs assistance on this issue, I pushed a full working example to github which uses a .Net Core WebAPI for backend and an Angular client using the WebAPI. you can find the example from here:

https://github.com/hmacat/Saml2WebAPIAndAngularSpaExample

这篇关于不带身份的用于ASP.NET Core WebAPI的Sustainsys SAML2示例的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！