在一个IIS站点WIF跨域，动态设置境界 [英] WIF cross-domain on one IIS site, dynamically setting of realm

问题描述

我们有很多在一个IIS网站/程序池运行域。
现在，我们都在使用Windows身份验证基础实现SSO的过程。

We have a lot of domains running on one IIS WebSite/AppPool. Right now we are in the process of implementing SSO with Windows Identity Foundation.

在web.config中的境界与设定

in web.config the realm has to be set with

<wsFederation passiveRedirectEnabled="true" issuer="http://issuer.com" realm="http://realm.com" requireHttps="false" />

我的问题是，该领域是依赖于该域的用户访问的网站上
所以我做了什么，是我把它在全球行动的过滤器这样的

My problem is that the realm is dependent on which domain the user accessed the website on so what I did is that I set it in an global action filter like this

var module = context.HttpContext.ApplicationInstance.Modules["WSFederationAuthenticationModule"] as WSFederationAuthenticationModule;
module.Realm = "http://" + siteInfo.DomainName;

我的问题是。当我设置的境界就是这样，它是每个用户实例设置
或应用程序实例。

My question is. When I set the realm like this, is it set per user instance or application instance.

情景。

用户A加载页面和领域得到设为domain.a.com。

User A loads the page and the realm get set to domain.a.com.

用户B已经登录的domain.b.com和presses登录。

User B is already logged in on domain.b.com and presses login.

由于用户A加载之前用户B pressed登录页面，用户A将达到STS
用错误的领域集中。

Since user A loaded the page before User B pressed login, user A will hit the STS with the wrong realm set.

什么会发生在这里？

如果这不是设置每个用户实例境界的路上，有另一种方式来做到这一点？

If this is not the way to set the realm per user instance, is there another way to do it?

推荐答案

我已经解决了这个问题。

I have already solved the problem.

我在web.config中设置PassiveRedirectEnabled为false

I set PassiveRedirectEnabled to false in web.config

我成立了MVC项目使用窗体身份验证，eventhough我不。
我这样做，这样我会重定向到我的登录控制器与返回URL每次带控制器[授权]运行。

I set up the mvc project to use forms authentication, eventhough I dont. I do that so that I will get redirected to my login controller with a return url everytime a controller with [Authorize] is run.

在我登录控制器我

var module = HttpContext.ApplicationInstance.Modules["WSFederationAuthenticationModule"] as WSFederationAuthenticationModule;
        module.PassiveRedirectEnabled = true;
        SignInRequestMessage mess = module.CreateSignInRequest("passive", returnUrl, false);
        mess.Realm = "http://" + Request.Url.Host.ToLower();
        HttpContext.Response.Redirect(mess.WriteQueryString());

这肯定是不是真的应该的，对我来说，感觉就像Windows标识基础相对滞后，无论是在文档和微软技术明智的，没有例子的MVC。

This is definitely not really how it should be, for me it feels like Windows Identity Foundation is lagging behind, both in documentation and microsoft technology wise, no examples for MVC.

对于其他MVC的人，我建议他们不要使用fedutil向导，而是写code和配置自理

For other MVC people i recommend them to not use the fedutil wizard, and instead write the code and configuration themself

这篇关于在一个IIS站点WIF跨域，动态设置境界的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！