Authenticate a SAML2 (P?) token in body in asp.net mvc

2018-06-25 15:33:04

I have an ASP.NET MVC application which currently allows users to connect via two ThinkTecture IDP servers. The MVC app trusts both of these IDP servers and it authenticates users perfectly.

The current setup uses the < System.IdentityModel.Services.WSFederationAuthenticationModule > and the < System.IdentityModel.Services.SessionAuthenticationModule > in the < modules > section in the web.config to handle these.

We now have a new party who want to authenticate their users by sending us a SAML v2 token, but the MVC app doesn't seem to recognise it.

I've compared the POST response from both the IDP server (SAML1) and the new login server (SAML2) and there are some subtle differences, which maybe causing problems.

The IDP server seems to use < trust:RequestedSecurityToken > attributes to wrap to < saml:Assertion > . Whereas the new client sends a POST request body containing < saml >< samlp:Response >

My questions are:

1)Is this new < samlp:Response > a SAML2P version which is not supported by Microsoft WIF? Or is it just interested in the < saml:Assertion > element?

2) Where will WIF look for the SAML token? POST Body? Authentication header (Bearer)?

3)Currently, when the user is not authenticated, it redirects them to their local IDP servers, they login and it returns the SAML response, with is then picked up. But the new client, will simply pass a request to view a page with the SAML token (true single-sign-on). I wonder if this difference is causing problems. I currently manually handle redirects to the user's local IDP, so have tried to turn this off for the new client.

EDIT After much digging...

SAML2 Protocol is not supported by Microsoft WIF and ever likely to be.

SAML2 Protocol messages are usually as a form parameter (saml= < saml:Response>< etc... within the body of the HTTP POST. In my case it didn't use the standard parameter format of (saml=), the XML was just directly inline in the HTTP POST body.

AFAIK, samlp is a protocol that is not (yet?) supported by WIF. It is a replacement for the querystring parameters used in WS-Federation. You should look for third party extensions (How should I implement SAMLP 2.0 in an ASP.NET MVC 4 service provider?). Since I haven't used any myself I cananot give further advice.

Indeed its not officially supported but you can do something like this to make it work.

http://blogs.msdn.com/b/bradleycotier/archive/2012/10/28/saml-2-0-tokens-and-wif-bridging-the-divide.aspx

The best solution I've found is the Kentor IT - AuthServices.

It handles digitally signed SAML tokens.

Although it will not work out of the box for me, as my third party seem to be using a non-standard binding technique (rather than the standard HTTP Post or HTTP Redirect), so I will have to build my own custom-binding.

链接地址: http://www.djcxy.com/p/71784.html

上一篇: 在Windows Identity Foundation STS后面摘录OpenID Connect Idp

下一篇: 在asp.net mvc中身份验证SAML2（P？）令牌