WS-Federation Authentication in MVC Not Retaining Claims Information After SAML 2.0 Validation

I am trying to add a new auth method via Azure ACS to support users coming from ADFS, but I have run into a very specific problem.

I can validate SAML 2.0 tokens with the following configuration:

    // Audience check disabled: a token issued for any relying party of this ACS namespace is accepted.
    var audienceRestriction = new AudienceRestriction(AudienceUriMode.Never);

    // Only tokens signed by the certificate with this thumbprint, and naming this issuer, are trusted.
    var issuerRegistry = new ConfigurationBasedIssuerNameRegistry();
    issuerRegistry.AddTrustedIssuer("XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", "https://XXXX.accesscontrol.windows.net/");

    app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
    {
        MetadataAddress = "https://XXXXX.accesscontrol.windows.net/federationmetadata/2007-06/federationmetadata.xml",
        Wtrealm = "http://someurl/",
        SecurityTokenHandlers = new SecurityTokenHandlerCollection
        {
            // Decrypts an encrypted assertion with the RP certificate from the machine store.
            new EncryptedSecurityTokenHandlerEx(new X509CertificateStoreTokenResolver(StoreName.My, StoreLocation.LocalMachine)),
            new SamlSecurityTokenHandlerEx
            {
                // No chain/peer validation of the signing certificate; trust comes only from the thumbprint in issuerRegistry.
                CertificateValidator = X509CertificateValidator.None,
                Configuration = new SecurityTokenHandlerConfiguration
                {
                    IssuerNameRegistry = issuerRegistry,
                    AudienceRestriction = audienceRestriction
                }
            }
        },
    });

With a handler implemented as follows:

    using System.IdentityModel.Tokens;
    using System.IO;
    using System.Security.Claims;
    using System.Xml;

    public class SamlSecurityTokenHandlerEx : Saml2SecurityTokenHandler, ISecurityTokenValidator
    {
        public override bool CanReadToken(string securityToken)
        {
            return base.CanReadToken(XmlReader.Create(new StringReader(securityToken)));
        }

        public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
        {
            // XmlReader.Create prohibits DTDs by default (XmlTextReader does not), so the token XML cannot carry external entities.
            validatedToken = ReadToken(XmlReader.Create(new StringReader(securityToken)), Configuration.ServiceTokenResolver);
            // Runs the WIF validation (signature, issuer registry, audience restriction, lifetime) and wraps the resulting identities.
            var claims = new ClaimsPrincipal(ValidateToken(validatedToken));
            return claims;
        }

        public int MaximumTokenSizeInBytes { get; set; }
    }

If I inspect the claims inside ValidateToken, the principal is authenticated with the claims I want, but after it calls the callback page (where I want to create a proper login for the web app) it no longer has any information about the federated authentication.

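An added example, not code from the original question: the same middleware registration, but with the audience check switched on so that a SAML 2.0 token issued to a different relying party of the same ACS namespace is rejected instead of being accepted as a valid login. The thumbprint, the ACS namespace URLs and the realm `https://someappsite/` are placeholders; `EncryptedSecurityTokenHandlerEx` and `SamlSecurityTokenHandlerEx` are the classes shown in the question. `X509CertificateValidator.None` is kept, because the ACS namespace signing certificate is self-signed and the trust decision is made by the thumbprint pinned in the issuer registry.

```csharp
// Added example: hardened WS-Federation registration for ACS (not the original post's code).
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public partial class Startup
{
    // Assumed values: the realm must be the identifier ACS issues the token for.
    private const string Realm = "https://someappsite/";
    private const string AcsIssuer = "https://XXXX.accesscontrol.windows.net/";
    private const string AcsSigningThumbprint = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";

    public void ConfigureFederation(IAppBuilder app)
    {
        // Pin the ACS signing certificate by thumbprint; any token signed by another key is rejected
        // even though chain validation below is off (the ACS namespace certificate is self-signed).
        var issuerRegistry = new ConfigurationBasedIssuerNameRegistry();
        issuerRegistry.AddTrustedIssuer(AcsSigningThumbprint, AcsIssuer);

        // Always: the <Audience> element of the assertion must equal one of the listed URIs.
        // With AudienceUriMode.Never a token minted for any other RP of this namespace would be accepted.
        var audienceRestriction = new AudienceRestriction(AudienceUriMode.Always);
        audienceRestriction.AllowedAudienceUris.Add(new Uri(Realm));

        var handlerConfiguration = new SecurityTokenHandlerConfiguration
        {
            IssuerNameRegistry = issuerRegistry,
            AudienceRestriction = audienceRestriction,
            // Lifetime is checked against NotBefore/NotOnOrAfter; allow a small clock skew between ACS and this host.
            MaxClockSkew = TimeSpan.FromMinutes(5),
        };

        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {
            MetadataAddress = AcsIssuer + "federationmetadata/2007-06/federationmetadata.xml",
            // Must match the audience above and the wtrealm sent in the sign-in request.
            Wtrealm = Realm,
            SecurityTokenHandlers = new SecurityTokenHandlerCollection
            {
                new EncryptedSecurityTokenHandlerEx(
                    new X509CertificateStoreTokenResolver(StoreName.My, StoreLocation.LocalMachine)),
                new SamlSecurityTokenHandlerEx
                {
                    // Trust is established by the thumbprint in issuerRegistry, not by a certificate chain.
                    CertificateValidator = X509CertificateValidator.None,
                    Configuration = handlerConfiguration,
                },
            },
        });
    }
}
```

If the realm registered in ACS differs from the URL the token is posted back to, the audience check fails with an AudienceUriValidationFailedException; the exception message names the audience ACS actually put in the assertion, which is the quickest way to see a realm mismatch.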
1 answer

Solved!

I was invoking the ACS page through the same mechanism as the other external auth providers, but for some reason it failed. Calling the ACS login page ( https://someacs.accesscontrol.windows.net:443/v2/wsfederation?wa=wsignin1.0&wtrealm=https%3a%2f%2fsomeappsite%2f ) directly solved my problem.

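An added example, not code from the original answer: an MVC action that builds the same ACS sign-in URL the answer calls by hand, using `SignInRequestMessage` from System.IdentityModel.Services rather than string concatenation, so `wa`, `wtrealm`, `wreply` and `wctx` are encoded correctly. The ACS endpoint, the realm and the action name are assumptions; the realm must equal the `Wtrealm` registered on the WS-Federation middleware.

```csharp
// Added example: redirecting to the ACS wsignin1.0 endpoint (not the original post's code).
using System;
using System.IdentityModel.Services;
using System.Web.Mvc;

public class FederationController : Controller
{
    // Assumed values, matching the URL quoted in the answer.
    private const string AcsSignInEndpoint = "https://someacs.accesscontrol.windows.net/v2/wsfederation";
    private const string Realm = "https://someappsite/";

    // Produces: https://someacs.accesscontrol.windows.net/v2/wsfederation?wa=wsignin1.0&wtrealm=https%3a%2f%2fsomeappsite%2f&wreply=...&wctx=...
    public static string BuildSignInUrl(string localReturnUrl)
    {
        var request = new SignInRequestMessage(new Uri(AcsSignInEndpoint), Realm)
        {
            // wreply: where ACS posts the signed token back; ACS only accepts URLs under the registered realm.
            Reply = Realm,
            // wctx: opaque state ACS echoes back unchanged; carries the page to return to after sign-in.
            Context = localReturnUrl,
        };
        return request.WriteQueryString();
    }

    [AllowAnonymous]
    public ActionResult SignIn(string returnUrl)
    {
        // wctx comes back from the browser untouched, so only a local URL may be stored in it;
        // otherwise the callback would become an open redirect after a successful login.
        var safeReturnUrl = !string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl) ? returnUrl : "/";
        return Redirect(BuildSignInUrl(safeReturnUrl));
    }
}
```

When ACS posts the token back, the middleware matches the `wa=wsignin1.0` form post on its callback path and validates the token with the handlers registered in the question; the `wctx` value is what the callback page should read to decide where to send the now-authenticated user.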

Source: https://habr.com/ru/post/1260091/
