SSO ADFS redirection issue with reverse proxy with ARR

Problem description

I have a reverse proxy setup with ARR and URL Rewrite on IIS 8.5.

The public site exposed is http:/publicsite.

http:/publicsite acts as a reverse proxy to the internal site http:/internalsite.

Everything was working fine until we implemented SSO for the internal site. Once SSO is implemented, the internal site redirects to http:/ssosite to get authenticated.

Since in ARR we have enabled the option "Reverse rewrite host in response headers", the redirection to the SSO site was not proper. To make it work, "Reverse rewrite host in response headers" is disabled, and the SSO redirection started working.

But now the issue is that after a successful login, ADFS tries to redirect to http:/publicsite, and the reverse proxy responds with a 302 whose Location in the response is http:/internalsite, which the client machine doesn't have access to.

In the same browser, if I try to access the site http:/publicsite again, everything works as expected because it is already authenticated and no redirection to the SSO site and back to the application is required.

My understanding is that the response header is not getting rewritten since we have disabled the "Reverse rewrite host in response headers" option.

Recommended answer

Set preserveHostHeader="true" in applicationhost.config on the reverse proxy server. This solved the issue.

https://forums.iis.net/t/1176668.aspx
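One way to apply and confirm the setting from the answer, as an added example that is not part of the original question or answer. It assumes the WebAdministration module is available on the ARR server and that the session is elevated; the helper name `Get-ProxySetting` is hypothetical.

```powershell
# Added example: run in an elevated PowerShell session on the ARR reverse proxy server.
Import-Module WebAdministration

$psPath = 'MACHINE/WEBROOT/APPHOST'   # server-level applicationHost.config
$filter = 'system.webServer/proxy'    # ARR server proxy settings section

# Hypothetical helper: read one attribute of the <proxy> element.
function Get-ProxySetting([string]$Name) {
    (Get-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name $Name).Value
}

# Show the two settings discussed in the question and the answer before changing anything.
'preserveHostHeader', 'reverseRewriteHostInResponseHeaders' | ForEach-Object {
    '{0} = {1}' -f $_, (Get-ProxySetting $_)
}

# preserveHostHeader makes ARR forward the client's original Host header
# (publicsite) to the internal site instead of replacing it with internalsite.
if (-not (Get-ProxySetting 'preserveHostHeader')) {
    Set-WebConfigurationProperty -PSPath $psPath -Filter $filter `
        -Name 'preserveHostHeader' -Value $true
}

# Re-read the value so a failed write (for example a locked section) is not missed.
if (-not (Get-ProxySetting 'preserveHostHeader')) {
    throw 'preserveHostHeader is still false in applicationHost.config'
}
'preserveHostHeader is now true'
```

With the original Host header preserved, an application that builds absolute redirect URLs from the incoming Host will normally emit http:/publicsite in its Location header, so the response no longer depends on "Reverse rewrite host in response headers".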
