asp.net - 以编程方式完成 ADFS 登录

Question

我需要在代码中执行完整的 AFDS 登录操作。我无法将用户重定向到 ADFS 登录页面。用户已经使用自定义身份验证机制进行了身份验证，我使用相同的凭据对 ADFS 进行身份验证，以启用对 SAP EP 的 SSO。

我可以从 ADFS 成功检索 SAML token ，但 SAP 显然只能处理开箱即用的身份验证。所以我需要对整个 session 进行身份验证。

这是我现在拥有的:

获取 token :

            var binding = new WS2007HttpBinding();
            binding.Security.Message.EstablishSecurityContext = false;
            binding.Security.Message.NegotiateServiceCredential = false;
            binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
            binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
            binding.Security.Mode = SecurityMode.TransportWithMessageCredential;

            var trustChannelFactory = new WSTrustChannelFactory(binding, new EndpointAddress(AppSettings.AdfsUrl));
            trustChannelFactory.TrustVersion = TrustVersion.WSTrust13;
            trustChannelFactory.Credentials.UserName.UserName = user.UserName;
            trustChannelFactory.Credentials.UserName.Password = PasswordService.Decrypt(user.UserPassword, user.UserID.ToString(CultureInfo.InvariantCulture));
            trustChannelFactory.ConfigureChannelFactory();

            // Create issuance issuance and get security token
            var requestToken = new RequestSecurityToken(WSTrust13Constants.RequestTypes.Issue);
            requestToken.AppliesTo = new EndpointAddress(AppSettings.ServicePortalUrl);
            requestToken.KeyType = WSTrust13Constants.KeyTypes.Bearer;
            var tokenClient = (WSTrustChannel) trustChannelFactory.CreateChannel();
            var token = tokenClient.Issue(requestToken) as GenericXmlSecurityToken;

            return token;

并尝试获取声明，以便我可以在重定向到 SAP 门户之前将用户主体放入 HttpContext 中。 (远射)

        var tokenHandlers = new SecurityTokenHandlerCollection(new SecurityTokenHandler[] { new SamlSecurityTokenHandler() });
        tokenHandlers.First().Configuration.AudienceRestriction.AudienceMode = AudienceUriMode.Never;
        tokenHandlers.First().Configuration.CertificateValidationMode = X509CertificateValidationMode.None;
        tokenHandlers.Configuration.CertificateValidationMode = X509CertificateValidationMode.None;

        var trusted = new TrustedIssuerNameRegistry("*.domain.com");
        tokenHandlers.Configuration.IssuerNameRegistry = trusted;

        var samlToken = tokenHandlers.ReadToken(new XmlTextReader(new StringReader(token.TokenXml.OuterXml)));
        var claimsPrincipal = new ClaimsPrincipal(tokenHandlers.ValidateToken(samlToken).First());
        HttpContext.Current.User = claimsPrincipal;     

这不起作用，因为我不断收到 X5​​09 证书验证错误。

我尝试过的:

• 提供 SAML 签名作为 MYSAPSSO2 token (不可能成功)
• 将用户主体放在 HTTP 上下文中，因为我看到 SAP 在 HTTP 上下文中查找 IPrincipal。 (无法正常工作)
• 设置 MSISAuthenticated cookie，但不知道如何获取值(身份验证时刻的 base64 时间戳？)

我有什么明显的监督方式吗？基本上，我只想执行与 ADFS 登录页面相同的身份验证，但在代码中，因此用户看不到第二个登录页面。

Answer 1

像这样尝试......

            // ######################### TOKEN HANDLER ########################################################################################################################
            var genericToken = token as GenericXmlSecurityToken;
            var handlers = FederatedAuthentication.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlerCollectionManager.SecurityTokenHandlerCollections.First();

            // ######################## HANDLE AudienceRestriction programatically.############################################################################################
            //handlers.Configuration.AudienceRestriction.AudienceMode.Equals(0);
            handlers.Configuration.AudienceRestriction.AllowedAudienceUris.Add(new Uri (svcEndpoint)); // porgramatically validate AllowedAudienceUris. This is your RP. https://learn.microsoft.com/en-us/dotnet/api/system.identitymodel.selectors.audienceurimode?view=netframework-4.8#fields
            // ##### HANDLE STS SIGNING CERTIFICATE VALIDATIONS. Set to none for ADFS autocertificaterollover.
            handlers.Configuration.CertificateValidationMode = X509CertificateValidationMode.None; //Also set in App.config / web.config 

            // ########################## HANDLE IssuerNameRegistry automatically.##############################################################################################
            
            // ######################## READ METADATA OF ADFS TO EXTRACT SIGNING CERTIFICATE ###################################################################################
            AdfsMetadataService svc = new AdfsMetadataLoader("https://" + opts.Farmname +  "/FederationMetadata/2007-06/FederationMetadata.xml");
            var metadata = svc.Get();
            string IdP = metadata.Result.Identity;
            string stringSigningCert = metadata.Result.SigningCertificateString;

            // ####################### CONVERT FROM BASE64 TO READ SIGNING CERTIFICATE THUMBPRINT AND SUBJECT TO USE IN ISSUERNAMEREGISTRY #####################################
            byte[] bytes = Convert.FromBase64String(stringSigningCert);
            var AdfsSigncert = new X509Certificate2(bytes);

            //Console.WriteLine(IdP +  stringSigningCert + cert.Thumbprint + cert.Subject);
            var registry = new ConfigurationBasedIssuerNameRegistry();
            registry.AddTrustedIssuer(AdfsSigncert.Thumbprint, AdfsSigncert.Subject);
            handlers.Configuration.IssuerNameRegistry = registry;

            var cToken = handlers.ReadToken(new XmlTextReader(new StringReader(genericToken.TokenXml.OuterXml)));
            var identity = handlers.ValidateToken(cToken).First();
            var userIdenity = new ClaimsPrincipal(identity);
            Console.WriteLine("Successfully Authenticated with identity type userIdenity.Identity.Name with value ~~~ " + userIdenity.Identity.Name);
            foreach (var c in userIdenity.Claims)
            {
                Console.WriteLine("Claim Type = " + c.Type + " ~~~ Claim Value = " + c.Value);   
            }