Unable to access claims or SAML attributes via Kentor.AuthServices.Owin in MVC

I am building a .NET 4.5 MVC application that connects to a Shibboleth-based SAML IdP to provide single sign-on. For this I am using the Kentor.AuthServices.Owin middleware.

The IdP in question requires encrypted assertions, which the latest version of Kentor.AuthServices does not support. Instead I have had to use the Raschmann fork at https://github.com/Raschmann/authservices/tree/78EncryptedAssertion (v0.8.1), and then tried ..Raschmann/authservices/tree/Release (v0.10.1).

(Using ..Raschmann/authservices/tree/master (v0.12.1), or any of the KentorIT Kentor.AuthServices builds, results in loginInfo being null inside ExternalLoginCallback.)

Using the above lets me log in to / register with the application via the IdP. However, when ExternalLoginCallback is called, neither the ExternalClaims nor the Claims collection on loginInfo.ExternalIdentity contains any claims.

I have captured and decrypted the SAML response from the IdP and confirmed that it does send the information (first name, last name, date of birth, etc.) back to my application once I have logged in.

How can I access the SAML data that is being returned?

ConfigureAuth inside Startup.Auth.vb:

Public Sub ConfigureAuth(app As IAppBuilder)
    ' Configure the db context, user manager and signin manager to use a single instance per request
    app.CreatePerOwinContext(AddressOf ApplicationDbContext.Create)
    app.CreatePerOwinContext(Of ApplicationUserManager)(AddressOf ApplicationUserManager.Create)
    app.CreatePerOwinContext(Of ApplicationSignInManager)(AddressOf ApplicationSignInManager.Create)

    app.UseCookieAuthentication(New CookieAuthenticationOptions() With {
        .AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        .Provider = New CookieAuthenticationProvider() With {
            .OnValidateIdentity = SecurityStampValidator.OnValidateIdentity(Of ApplicationUserManager, ApplicationUser)(
                validateInterval:=TimeSpan.FromMinutes(30),
                regenerateIdentity:=Function(manager, user) user.GenerateUserIdentityAsync(manager))},
        .LoginPath = New PathString("/Account/Login")})

    ' The external sign-in cookie must be registered before (i.e. outside) the SAML middleware,
    ' because it is the cookie middleware that persists the identity AuthServices signs in with.
    app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie)
    app.UseTwoFactorSignInCookie(DefaultAuthenticationTypes.TwoFactorCookie, TimeSpan.FromMinutes(5))
    app.UseTwoFactorRememberBrowserCookie(DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie)

    ' True = load the SP/IdP settings from the kentor.authServices section of web.config
    app.UseKentorAuthServicesAuthentication(New KentorAuthServicesAuthenticationOptions(True))
    AntiForgeryConfig.UniqueClaimTypeIdentifier = Global.System.IdentityModel.Claims.ClaimTypes.NameIdentifier
End Sub

ExternalLoginCallback inside AccountController.vb:

<AllowAnonymous>
Public Async Function ExternalLoginCallback(returnUrl As String) As Task(Of ActionResult)

    Dim loginInfo = Await AuthenticationManager.GetExternalLoginInfoAsync()

    If loginInfo Is Nothing Then
        Return RedirectToAction("Login")
    End If

    Dim externalIdentity = Await AuthenticationManager.GetExternalIdentityAsync(DefaultAuthenticationTypes.ExternalCookie)

    ' Sign in the user with this external login provider if the user already has a login
    Dim result = Await SignInManager.ExternalSignInAsync(loginInfo, isPersistent:=False)
    Select Case result
        Case SignInStatus.Success
            Dim user = Await UserManager.FindAsync(loginInfo.Login)
            If user IsNot Nothing Then
                'user.FirstName = loginInfo.ExternalIdentity.FindFirst(ClaimTypes.Name).Value
                'user.Email = loginInfo.ExternalIdentity.FindFirst(ClaimTypes.Email).Value
                Await UserManager.UpdateAsync(user)
            End If
            Return RedirectToLocal(returnUrl)
        Case SignInStatus.LockedOut
            Return View("Lockout")
        Case SignInStatus.RequiresVerification
            Return RedirectToAction("SendCode", New With {
                .ReturnUrl = returnUrl,
                .RememberMe = False
            })
        Case Else
            ' If the user does not have an account, then prompt the user to create an account
            ViewBag.ReturnUrl = returnUrl
            ViewBag.LoginProvider = loginInfo.Login.LoginProvider
            Return View("ExternalLoginConfirmation", New ExternalLoginConfirmationViewModel() With {
                .Email = loginInfo.Email
            })
    End Select
End Function

Answer

The OWIN pipeline is quite complex. To debug this, I suggest you insert a small breakpoint middleware immediately before the call to UseKentorAuthServicesAuthentication():

app.Use(async (context, next) =>
{
    await next.Invoke();
    // Put the breakpoint on the closing brace below: by then the downstream
    // AuthServices middleware has run and its grant is on the context.
});

Sorry for using C#, but I assume you can find the equivalent VB syntax.

Run the application and authenticate. Place a breakpoint on the closing brace of the snippet above, and hit it on the request in which the IdP posts the response back. Then inspect the contents of context.Authentication.AuthenticationResponseGrant. That is the actual output of Kentor.AuthServices. Are the claims there?

If they are not, there is a bug in AuthServices. Please report it as an issue on the GitHub issue tracker and I will take a look.

If the claims are present at that point but are lost later, you may be a victim of the Owin Cookie Monster.
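The inspection step the answer describes, written as a typed OWIN middleware in VB.NET so it drops straight into the asker's Startup.Auth.vb. This is an added example, not code from the answer, from Kentor.AuthServices or from the Raschmann fork. It assumes only the Microsoft.Owin package the project already references (OwinMiddleware, IOwinContext, IAppBuilder); the class name AuthGrantInspectorMiddleware and the extension UseAuthGrantInspector are mine. Register it with app.UseAuthGrantInspector() immediately before app.UseKentorAuthServicesAuthentication(...): the SAML middleware runs later in the pipeline, so the grant it sets is visible once [Next].Invoke returns, and before the external sign-in cookie middleware (registered earlier, so wrapping both) consumes it.

```vbnet
Imports System
Imports System.Diagnostics
Imports System.Linq
Imports System.Runtime.CompilerServices
Imports System.Security.Claims
Imports System.Threading.Tasks
Imports Microsoft.Owin
Imports Owin

''' <summary>
''' Pass-through middleware: runs the rest of the pipeline, then dumps whatever
''' AuthenticationResponseGrant the downstream middleware (here Kentor.AuthServices)
''' left on the context. Debug-only: SAML attributes are personal data, so keep
''' this out of production builds. (Added example; names are assumptions.)
''' </summary>
Public Class AuthGrantInspectorMiddleware
    Inherits OwinMiddleware

    Public Sub New([next] As OwinMiddleware)
        MyBase.New([next])
    End Sub

    Public Overrides Async Function Invoke(context As IOwinContext) As Task
        ' Let the SAML middleware (and everything after it) handle the request first.
        Await [Next].Invoke(context)

        ' The grant is only set on the request that carried the SAML response
        ' (the ACS POST); every other request falls through silently.
        Dim grant = context.Authentication.AuthenticationResponseGrant
        If grant Is Nothing OrElse grant.Identity Is Nothing Then Return

        Debug.WriteLine("AuthenticationResponseGrant on {0}: authenticationType={1}, claims={2}",
                        context.Request.Path.Value,
                        grant.Identity.AuthenticationType,
                        grant.Identity.Claims.Count())

        ' Type, value and issuer of every claim. A sanity check worth doing here:
        ' the issuer should be the IdP's entityId, not your own SP entityId.
        For Each c As Claim In grant.Identity.Claims
            Debug.WriteLine("  {0} = {1} (issuer: {2})", c.Type, c.Value, c.Issuer)
        Next
    End Function
End Class

Public Module AuthGrantInspectorExtensions
    ''' <summary>
    ''' Call from ConfigureAuth immediately before app.UseKentorAuthServicesAuthentication(...).
    ''' The generic Use(Of T)() overload binds to the AppBuilderUseExtensions method even
    ''' from VB, so no lambda and no Use(Object, ParamArray) overload is involved.
    ''' </summary>
    <Extension()>
    Public Sub UseAuthGrantInspector(app As IAppBuilder)
        app.Use(Of AuthGrantInspectorMiddleware)()
    End Sub
End Module
```

Two notes on the design. A middleware class avoids the inline-lambda form entirely; in VB an untyped two-parameter lambda can also satisfy the instance overload IAppBuilder.Use(Object, ParamArray Object()), which Owin then tries to invoke as a middleware factory with a single argument, so the class is the safer translation of the C# snippet. And because the grant holds the raw IdP attributes (names, date of birth), either compile the inspector out of release builds or remove the registration before deployment. If the claims show up here but are absent from loginInfo.ExternalIdentity, the loss happens between this point and the external cookie, which is the cookie-overwrite scenario the answer refers to.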

Hi @andersabel, I have converted it to 'app.Use(Async Function(context, [next]) Await [next].Invoke() End Function)' but get _Parameter count mismatch_ when it is invoked.

The error received after the breakpoint middleware is invoked is:
Stack trace:
[TargetParameterCountException: Parameter count mismatch.]
System.Reflection.RuntimeMethodInfo.InvokeArgumentsCheck(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture) +11101830
System.Reflection.RuntimeMethodInfo.UnsafeInvoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture) +33
System.Delegate.DynamicInvokeImpl(Object[] args) +104
System.Delegate.DynamicInvoke(Object[] args) +10
A '[next].Invoke' problem?

I tried using Kentor.OwinCookieSaver (declaring it before app.UseCookieAuthentication), but that had no effect on the behaviour of the code.