asp.net-mvc - Implementing Google as an identity provider (IdP) with the Kentor AuthServices library in an MVC application?

Tags: asp.net-mvc authentication owin saml-2.0 kentor-authservices

Hi, I'm using Kentor AuthServices (Kentor AuthServices is a library that adds SAML2P support to ASP.NET and IIS websites, allowing the website to act as a SAML2 service provider (SP)). I'm now using Google as the identity provider for testing my application (using the OWIN middleware for authentication). I have also set up the Google identity provider. But when I run the application, it gives me an error:

"400. That's an error.
Invalid Request, the idpId in the request URL is invalid, please check if the SSO URL is configured correctly on the SP side. That's all we know."

I have used SingleSignOnServiceUrl= https://accounts.google.com/o/saml2/idp?idpid=xxxxxxxxx

DiscoveryServiceUrl= https://accounts.google.com/o/saml2/idp?idpid=xxxxxxxxx

Is the configuration above correct?

I have attached the App_Start configuration below. This comes from the Kentor AuthServices library.

public partial class Startup
{
    // For more information on configuring authentication, please visit http://go.microsoft.com/fwlink/?LinkId=301864
    public void ConfigureAuth(IAppBuilder app)
    {
        // Configure the db context, user manager and signin manager to use a single instance per request
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
        app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);

        // Enable the application to use a cookie to store information for the signed in user
        // and to use a cookie to temporarily store information about a user logging in with a third party login provider
        // Configure the sign in cookie
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                // Enables the application to validate the security stamp when the user logs in.
                // This is a security feature which is used when you change a password or add an external login to your account.  
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(30),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

        app.UseKentorAuthServicesAuthentication(CreateAuthServicesOptions());
    }

    private static KentorAuthServicesAuthenticationOptions CreateAuthServicesOptions()
    {
        var spOptions = CreateSPOptions();
        var authServicesOptions = new KentorAuthServicesAuthenticationOptions(false)
        {
            SPOptions = spOptions
        };

        var idp = new IdentityProvider(new EntityId("~/App_Data/GoogleIDPMetadata.xml"), spOptions)
            {
                AllowUnsolicitedAuthnResponse = true,
                Binding = Saml2BindingType.HttpRedirect,
                SingleSignOnServiceUrl = new Uri("https://accounts.google.com/o/saml2/idp?idpid=xxxxxxxxx")
            };

        idp.SigningKeys.AddConfiguredKey(
            new X509Certificate2(
                HostingEnvironment.MapPath(
                    "~/App_Data/Kentor.AuthServices.StubIdp.cer")));

        authServicesOptions.IdentityProviders.Add(idp);

        // It's enough to just create the federation and associate it
        // with the options. The federation will load the metadata and
        // update the options with any identity providers found.
        new Federation("http://example.com/Federation", true, authServicesOptions);

        return authServicesOptions;
    }

    private static SPOptions CreateSPOptions()
    {
        var swedish = CultureInfo.GetCultureInfo("sv-se");

        var organization = new Organization();
        organization.Names.Add(new LocalizedName("Kentor", swedish));
        organization.DisplayNames.Add(new LocalizedName("Kentor IT AB", swedish));
        organization.Urls.Add(new LocalizedUri(new Uri("http://www.kentor.se"), swedish));

        var spOptions = new SPOptions
        {
            EntityId = new EntityId("https://example.com/AuthServices"),
            ReturnUrl = new Uri("https://example.com/Account/ExternalLoginCallback"),
            DiscoveryServiceUrl = new Uri("https://accounts.google.com/o/saml2/idp?idpid=xxxxxxxxx"),
            Organization = organization
        };

        var techContact = new ContactPerson
        {
            Type = ContactType.Technical
        };
        techContact.EmailAddresses.Add("authservices@example.com");
        spOptions.Contacts.Add(techContact);

        var supportContact = new ContactPerson
        {
            Type = ContactType.Support
        };
        supportContact.EmailAddresses.Add("support@example.com");
        spOptions.Contacts.Add(supportContact);

        var attributeConsumingService = new AttributeConsumingService("AuthServices")
        {
            IsDefault = true,
        };

        attributeConsumingService.RequestedAttributes.Add(
            new RequestedAttribute("urn:someName")
            {
                FriendlyName = "Some Name",
                IsRequired = true,
                NameFormat = RequestedAttribute.AttributeNameFormatUri
            });

        attributeConsumingService.RequestedAttributes.Add(
            new RequestedAttribute("Minimal"));

        spOptions.AttributeConsumingServices.Add(attributeConsumingService);

        spOptions.ServiceCertificates.Add(new X509Certificate2(
            AppDomain.CurrentDomain.SetupInformation.ApplicationBase + "/App_Data/Kentor.AuthServices.Tests.pfx"));

        return spOptions;
    }

Why do I get a 400 error when I am redirected to the Google SAML page? Thanks in advance.

Best answer

AFAIK Google does not offer a discovery service. Remove DiscoveryServiceUrl from the configuration.

Also, you should really clean up the configuration instead of using the sample application's configuration.

For testing you can also use the stub IdP included in the project, which is available at http://stubidp.kentor.se.
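A cleaned-up version of CreateAuthServicesOptions that follows the answer (no DiscoveryServiceUrl, no sample-app Federation, no sample test certificate), added here as an example and not code from the question or the Kentor project. The SP URLs, file names, PFX password and idpid are placeholders to be replaced with the values registered in, and the metadata downloaded from, the Google Admin console.

```csharp
using System;
using System.IdentityModel.Metadata;
using System.Security.Cryptography.X509Certificates;
using System.Web.Hosting;
using Kentor.AuthServices;
using Kentor.AuthServices.Configuration;
using Kentor.AuthServices.Owin;
using Kentor.AuthServices.WebSso;

public static class GoogleSamlConfig
{
    // Placeholder: copy the idpid, entityID and signing certificate from the IdP
    // metadata file downloaded from the Google Admin console for your SAML app.
    private const string IdpId = "IDPID_PLACEHOLDER";

    public static KentorAuthServicesAuthenticationOptions Create()
    {
        var spOptions = new SPOptions
        {
            // SP entity id and return (ACS) URL registered with Google (placeholders).
            EntityId = new EntityId("https://example.com/AuthServices"),
            ReturnUrl = new Uri("https://example.com/Account/ExternalLoginCallback")
            // No DiscoveryServiceUrl: Google has no discovery service, so the
            // library redirects straight to the SingleSignOnServiceUrl below.
        };
        // The SP's own signing key (placeholder path and password). The sample app's
        // Kentor.AuthServices.Tests.pfx is a publicly known test key and must not be reused.
        spOptions.ServiceCertificates.Add(new X509Certificate2(
            HostingEnvironment.MapPath("~/App_Data/sp-signing.pfx"), "PFX_PASSWORD_PLACEHOLDER"));

        var options = new KentorAuthServicesAuthenticationOptions(false) { SPOptions = spOptions };

        // The IdP is keyed by its entityID (the Issuer of Google's responses),
        // not by the path of a metadata file.
        var google = new IdentityProvider(
            new EntityId("https://accounts.google.com/o/saml2?idpid=" + IdpId), spOptions)
        {
            Binding = Saml2BindingType.HttpRedirect,
            SingleSignOnServiceUrl = new Uri("https://accounts.google.com/o/saml2/idp?idpid=" + IdpId),
            // Accept only responses to AuthnRequests this SP issued (SP-initiated login);
            // set true only if IdP-initiated login from the Google app launcher is required.
            AllowUnsolicitedAuthnResponse = false
        };
        // Google's response signing certificate from the downloaded metadata (placeholder file).
        google.SigningKeys.AddConfiguredKey(new X509Certificate2(
            HostingEnvironment.MapPath("~/App_Data/google-idp-signing.cer")));

        options.IdentityProviders.Add(google);
        // No Federation(...) call: that line belonged to the sample app, not to this setup.
        return options;
    }
}
```

Pass the result to app.UseKentorAuthServicesAuthentication(...) in ConfigureAuth in place of the original CreateAuthServicesOptions().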

Regarding "asp.net-mvc - Implementing Google as an identity provider (IdP) with the Kentor AuthServices library in an MVC application?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/37698446/
