【发布时间】:2020-07-01 15:50:09
【问题描述】:
在我的环境中,有一个 ADFS 4.0 和 asp.net 项目,其中 IdentityServer4 + WsFederation 包作为声明提供程序。所有使用 Ws-Fed 协议的 RP 都可以正常工作。但是 SAMLP RP 没有收到响应中的声明。
测序: RP 在 ADFS 中发起 SAML 登录请求。 ADFS 向 IdentityServer4 发出 Ws-Fed singin 请求。 ADFS 获得 Ws-Fed 响应,并带有一个 propper 声明。但是在下一步,当 ADFS 从 Ws-Fed 响应生成 SAML 响应时,ADFS 会为 RP 发出 SAML 响应,而无需声明...... 事件日志中有错误:
事件ID:303:
Additional Data
Exception details:
System.IdentityModel.Tokens.SecurityTokenException: MSIS7099: SubjectConfirmationData element was missing in received token.
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.ValidateRequestProperties(Saml2SecurityToken token)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
带有 UPN 和电子邮件声明的 Ws-Fed 消息:
<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"
Context="RPUrl=http://xxxxxx.com%2fadfs%2fservices%2ftrust\BaseUrl=http%3a%2f%2fxxxxxxxx.com%2fadfs%2fservices%2ftrust\ProtocolID=Saml\Id=id-8cbbc2e6-70f5-4804-9e61-99fd13781978\SAMLRequest=xxxxxxxx%3d\ProtocolBinding=urn%3aoasis%3anames%3atc%3aSAML%3a2.0%3abindings%3aHTTP-Redirect\RelayState=8e27a614-61b2-47f0-9583-f9be1d9ee75a"
>
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>http://xxxxxxxx.xxxxxxxxx.com/adfs/services/trust</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<t:RequestedSecurityToken>
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_aac09822-5db4-4791-b677-690ef5bf273e"
IssueInstant="2020-07-01T14:10:26.357Z"
Version="2.0"
>
<Issuer>https://xxxxxxxxxx.xxxxxxxxxxx.com</Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="#_aac09822-5db4-4791-b677-690ef5bf273e">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>/2MHUXKcVJHSzV70wbFJVFrnYawDdFYPuekSh1/zEC4=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>xxxxxxxxxx</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>xxxxxxxxx</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">xxxxxxxx</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />
</Subject>
<Conditions NotBefore="2020-07-01T14:10:26.357Z"
NotOnOrAfter="2020-07-02T00:10:26.357Z"
>
<AudienceRestriction>
<Audience>http://xxxxxxx.xxxxxxxx.com/adfs/services/trust</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
<AttributeValue>xxxxxxxxx</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<AttributeValue>xxxxxxxxxx</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2020-07-01T14:10:26.342Z">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>
WS-Fed -> SAML(UPN 和电子邮件丢失):
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="_59eef1fa-81c5-4ede-8538-6caf4dbdf480"
Version="2.0"
IssueInstant="2020-07-01T14:10:26.698Z"
Destination="xxxxxxxxx/adfs/ls/"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
InResponseTo="id-7052d47f-3df0-4d49-8ddf-673603bccb8e"
>
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">xxxxxxxx/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_59eef1fa-81c5-4ede-8538-6caf4dbdf480">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>iia3AYaxxx8UoxILqjhsxkgeO4rXqPk9Jil1t0jUbLU=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>xxxxxxxx</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>xxxxxxxxxxxxxxxxxx</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
</samlp:Status>
</samlp:Response>
有人遇到过类似的吗?
【问题讨论】:
标签: asp.net-core saml adfs ws-federation