将SAML身份验证添加到.net WebAPI [英] Add SAML Authentication to .net WebAPI
问题描述
我需要使用Azure AD作为身份提供者将SAML身份验证添加到我的Web应用程序(WebAPI后端/Angular前端)中.
I need to add SAML Authentication to my web application (WebAPI Back-End / Angular Front-End) with Azure AD as my Identity Provider.
我计划使用Sustainsys.Saml2库,但不确定如何正确使用该库提供的方法.
I plan to use Sustainsys.Saml2 library but I'm not sure how to correctly use the methods that the library provide.
我已经将Web应用程序添加为Azure AD上的企业应用程序,并执行了必要的SSO SAML配置.
I already added my web app as an the Enterprise Application on Azure AD and performed the necessary SSO SAML configurations.
我已经在web.config中配置了sustainsys,如下所示:
I have configured sustainsys in the web.config as following:
<sustainsys.saml2 entityId="https://myWebApp/api/saml/login" returnUrl="https://myWebApp/">
<identityProviders>
<add
entityId="https://sts.windows.net/36tg486z-9l1f/"
signOnUrl="https://login.microsoftonline.com/36tg486z-9l1f/saml2"
metadataLocation="https://login.microsoftonline.com/36tg486z-9l1f/federationmetadata/2007-06/federationmetadata.xml?appid=82fc2g56-2as2"
allowUnsolicitedAuthnResponse="true"
loadMetadata="true"
binding="HttpPost"
>
</add>
</identityProviders>
<serviceCertificates>
<add fileName="~/App_Data/Sustainsys.Saml2.Tests.pfx" />
</serviceCertificates>
</sustainsys.saml2>
我的想法是编写两个API:
My idea is to write two APIs:
1-执行登录Azure AD的API:
1 - API that perform the sign in into Azure AD:
[HttpGet]
[Route("api/saml/signIn")]
[ResponseType(typeof(void))]
public HttpResponseMessage SignIn()
{
var context = new HttpContextWrapper(HttpContext.Current);
HttpRequestBase request = context.Request;
var opt = Sustainsys.Saml2.Configuration.Options.FromConfiguration;
var result = CommandFactory.GetCommand(CommandFactory.SignInCommandName).Run(request.ToHttpRequestData(), opt);
var response = Request.CreateResponse(result.HttpStatusCode);
if (!string.IsNullOrEmpty(result.SetCookieName))
{
var protectedData = HttpRequestData.ConvertBinaryData(MachineKey.Protect(result.GetSerializedRequestState(),HttpRequestBaseExtensions.ProtectionPurpose));
var cookie = new CookieHeaderValue(result.SetCookieName, protectedData) { HttpOnly = true };
var cookies = new List<CookieHeaderValue>() { cookie };
response.Headers.AddCookies(cookies);
}
response.Headers.Location = result.Location;
return response;
}
2-从Azure AD接收响应并读取SAML令牌内的声明的API:
2 - API that receive the response from Azure AD and reads the claims inside the SAML token:
[HttpPost]
[Route("api/saml/acs")]
[ResponseType(typeof(result))]
public HttpResponseMessage Acs()
{
var context = new HttpContextWrapper(HttpContext.Current);
HttpRequestBase request = context.Request;
var opt = Sustainsys.Saml2.Configuration.Options.FromConfiguration;
var result = CommandFactory.GetCommand(CommandFactory.AcsCommandName).Run(request.ToHttpRequestData(), opt);
// ... read claims ...
// ... build [LoginResult] with claims ...
var response = Request.CreateResponse(result.HttpStatusCode, [LoginResult]);
response.Headers.Location = new Uri(result.Location.AbsoluteUri);
return response;
}
这是使用SustainSys添加SAML身份验证的正确方法吗?
Is this the correct way to add SAML authentication using SustainSys ?
推荐答案
以下是使用SustainSys存根IDp的WebApi + Angular Spa的工作示例.它也可以与Azure AD配置一起使用.
Here is a working example of WebApi + Angular Spa using SustainSys stub Idp. It can also be used with Azure AD configuration.
https://github.com/hmacat/Saml2WebAPIAndAngularSpaExample
这篇关于将SAML身份验证添加到.net WebAPI的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!