I am using the TestWebAppCore project to test SAML integration for an ASP.NET Core web application. I think it works, but the claims associated with the user session are not the claims the IdP returned in the SAML response, and I am not sure what additional configuration is needed to map the returned claims.
After clicking Login I am redirected to my IdP, and after logging in at the IdP the following SAML response is returned (parts removed to keep the question short):
...
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NameQualifier="samlsso"
SPNameQualifier="https://my.identity.provider"
>edde16f1-9fee-4e44-9c4d-3810a3a6f73a</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="_01b18bfb2348b2d1dcc1df73bcdb88dc"
NotOnOrAfter="2020-11-27T13:20:41Z"
Recipient="https://my.identity.provider/samlsso"
/>
</saml:SubjectConfirmation>
</saml:Subject>
...
<saml:AttributeStatement>
<saml:Attribute Name="MiddleName">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>Ben</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="email">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>peter.parker@dailybugle.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="GivenName">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>Peter</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="FamilyName">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>Parker</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
...
After logging in I am redirected to the home page and see "Hi, edde16f1-9fee-4e44-9c4d-3810a3a6f73a", so I click "SAML Claims" and the page shows:
The users Claims (Iteration on User.Claims)
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Value: edde16f1-9fee-4e44-9c4d-3810a3a6f73a
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod
Value: urn:oasis:names:tc:SAML:2.0:ac:classes:Password
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant
Value: 2020-11-27T13:10:37.504Z
http://schemas.itfoxtec.com/ws/2014/02/identity/claims/saml2nameid
Value: edde16f1-9fee-4e44-9c4d-3810a3a6f73a
http://schemas.itfoxtec.com/ws/2014/02/identity/claims/saml2nameidformat
Value: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
This list does not include the claims from the IdP's SAML response that I want to use, so I tried adding the claims in the ClaimsTransform class by slightly modifying the code:
private static ClaimsPrincipal CreateClaimsPrincipal(ClaimsPrincipal incomingPrincipal)
{
var claims = new List<Claim>();
// All claims
////claims.AddRange(incomingPrincipal.Claims);
var givenName = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname";
claims.Add(new Claim(givenName, GetClaimValue(incomingPrincipal, givenName)));
// Or custom claims
//claims.AddRange(GetSaml2LogoutClaims(incomingPrincipal));
//claims.Add(new Claim(ClaimTypes.NameIdentifier, GetClaimValue(incomingPrincipal, ClaimTypes.NameIdentifier)));
return new ClaimsPrincipal(new ClaimsIdentity(claims, incomingPrincipal.Identity.AuthenticationType, ClaimTypes.NameIdentifier, ClaimTypes.Role)
{
BootstrapContext = ((ClaimsIdentity)incomingPrincipal.Identity).BootstrapContext
});
}
private static Claim GetClaim(ClaimsPrincipal principal, string claimType)
{
return ((ClaimsIdentity)principal.Identity).Claims.FirstOrDefault(c => c.Type == claimType);
}
private static string GetClaimValue(ClaimsPrincipal principal, string claimType)
{
var claim = GetClaim(principal, claimType);
return claim?.Value;
}
However, this change to the code causes an error from the Claim class:
Value cannot be null.
The value appears to be null. Is there some other configuration I am missing that would let me use the claims from the "AttributeStatement" section?
Update
Reading further into the code has me confused: in the AssertionConsumerService route, is the test code creating a brand-new SAMLResponse? The new response does not contain any of the attributes from the IdP's response, which would explain why there are no claims.
If that is how the code works, is it possible to include the claims from the IdP's response in the new response generated by ITfoxtec.identity.saml2?
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://my.test.website/Auth/AssertionConsumerService"
ID="_9099f6ccf0b9ac7703d6b320df6357a0"
InResponseTo="_08e3a2b0-4ac8-4673-80bc-31460812738f"
IssueInstant="2020-11-28T01:13:15.726Z"
Version="2.0"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>https://my.test.provider</saml2:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="#_9099f6ccf0b9ac7703d6b320df6357a0">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>IRYj+9sUoEsO5rEgEj+laMogGk0=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>...removed...</SignatureValue>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>...removed...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_fbe41ccdaa799fe0c3038d5d07edc18e"
IssueInstant="2020-11-28T01:13:15.726Z"
Version="2.0"
>
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://my.test.provider</saml2:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="#_fbe41ccdaa799fe0c3038d5d07edc18e">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>FbSefxSL8LDE1pJdhScHaNijdEY=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>...removed...</SignatureValue>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>...removed...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">edde16f1-9fee-4e44-9c4d-3810a3a6f73a</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="_08e3a2b0-4ac8-4673-80bc-31460812738f"
NotOnOrAfter="2020-11-28T01:18:15.726Z"
Recipient="https://my.test.website/Auth/AssertionConsumerService"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2020-11-28T01:13:15.726Z"
NotOnOrAfter="2020-11-28T01:18:15.726Z"
>
<saml2:AudienceRestriction>
<saml2:Audience>https://my.test.website</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2020-11-28T01:13:15.647Z">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>
Code for AssertionConsumerService:
[Route("AssertionConsumerService")]
public async Task<IActionResult> AssertionConsumerService()
{
var binding = new Saml2PostBinding();
var saml2AuthnResponse = new Saml2AuthnResponse(config);
binding.ReadSamlResponse(Request.ToGenericHttpRequest(), saml2AuthnResponse);
if (saml2AuthnResponse.Status != Saml2StatusCodes.Success)
{
throw new AuthenticationException($"SAML Response status: {saml2AuthnResponse.Status}");
}
binding.Unbind(Request.ToGenericHttpRequest(), saml2AuthnResponse);
await saml2AuthnResponse.CreateSession(HttpContext, claimsTransform: (claimsPrincipal) => ClaimsTransform.Transform(claimsPrincipal));
var relayStateQuery = binding.GetRelayStateQuery();
var returnUrl = relayStateQuery.ContainsKey(relayStateReturnUrl) ? relayStateQuery[relayStateReturnUrl] : Url.Content("~/");
return Redirect(returnUrl);
}
Posted on 2020-11-29 11:47:53
I have not tried reading attributes that look like the ones you describe. But I think the library should be able to read those attributes.
Usually, attributes look like this:
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
<AttributeValue>Peter</AttributeValue>
</Attribute>
with the full namespace. However, it should also be possible to read a claim whose name is just something like givenname.
The ITfoxtec Identity package only supports SAML 2.0. In SAML 2.0 the NameID has a SAML 2.0 namespace:
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">edde16f1-9fee-4e44-9c4d-3810a3a6f73a</NameID>
Maybe there are other problems in the XML that keep it from being SAML 2.0 compliant.
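An added example, not code from the question, the answer or the ITfoxtec project: a claims transform that maps the short attribute names in the question's response (GivenName, FamilyName, email, MiddleName) onto standard claim types and skips attributes the IdP did not send, which is what avoids the "Value cannot be null" error from the Claim constructor. It assumes the library surfaces each AttributeStatement entry as a claim whose type is the attribute Name, and the middle-name claim type URI is a placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public static class ClaimsTransform
{
    // Assumed mapping: the short attribute names from the question's SAML
    // response on the left, the claim types the app should expose on the right.
    private static readonly Dictionary<string, string> AttributeMap =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["GivenName"]  = ClaimTypes.GivenName,
            ["FamilyName"] = ClaimTypes.Surname,
            ["email"]      = ClaimTypes.Email,
            ["MiddleName"] = "urn:example:claims:middlename", // placeholder URI
        };

    public static ClaimsPrincipal Transform(ClaimsPrincipal incomingPrincipal)
    {
        var incoming = (ClaimsIdentity)incomingPrincipal.Identity;
        var claims = new List<Claim>();

        // Fail closed: no NameID means no session, rather than a principal
        // with an empty identifier.
        var nameId = incoming.FindFirst(ClaimTypes.NameIdentifier)
            ?? throw new InvalidOperationException("SAML assertion has no NameID");
        claims.Add(nameId);

        // Copy only attributes the IdP actually sent. Passing a null value to
        // the Claim constructor is what raises "Value cannot be null."
        foreach (var pair in AttributeMap)
        {
            var claim = incoming.FindFirst(pair.Key) ?? incoming.FindFirst(pair.Value);
            if (claim != null && !string.IsNullOrEmpty(claim.Value))
                claims.Add(new Claim(pair.Value, claim.Value, claim.ValueType, claim.Issuer));
        }

        // Show the e-mail instead of the opaque NameID on the "Hi, ..." page
        // when the IdP supplied one; otherwise fall back to the NameID.
        var display = claims.FirstOrDefault(c => c.Type == ClaimTypes.Email) ?? nameId;
        claims.Add(new Claim(ClaimTypes.Name, display.Value));

        return new ClaimsPrincipal(new ClaimsIdentity(claims,
            incoming.AuthenticationType, ClaimTypes.Name, ClaimTypes.Role)
        {
            BootstrapContext = incoming.BootstrapContext
        });
    }
}
```

Passing this `Transform` as the `claimsTransform` callback in `CreateSession` keeps the NameID claim the question's page already shows while adding only the attributes that were present in the assertion.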
https://stackoverflow.com/questions/65038575