Programmatically Configuring federatedAuthentication element in microsoft.identityModel on asp.net application

Submitted by 拈花ヽ惹草 on 2019-12-21 05:06:47

Question


I am trying to programmatically generate the following configuration contained inside the microsoft.identityModel configuration.

<federatedAuthentication>
   <wsFederation passiveRedirectEnabled="false" requireHttps="true" issuer="https://IssuedByFoo.com" realm="http://Foo.com/" />
   <cookieHandler requireSsl="true" path="/" />
</federatedAuthentication>

So far I have not been able to successfully configure this. I have tried setting the following in Application_Start, but I get an error message when I try to federate:

"ID5002: The Issuer property on the FederatedPassiveSignIn control must be set to the address of an STS endpoint that can process WS-Federation passive protocol messages."

FederatedAuthentication.WSFederationAuthenticationModule.Realm = "http://Foo.com/";
FederatedAuthentication.WSFederationAuthenticationModule.Issuer = "https://IssuedByFoo.com";
FederatedAuthentication.WSFederationAuthenticationModule.PassiveRedirectEnabled = false;
FederatedAuthentication.WSFederationAuthenticationModule.RequireHttps = true;
FederatedAuthentication.SessionAuthenticationModule.CookieHandler.RequireSsl = true;
FederatedAuthentication.SessionAuthenticationModule.CookieHandler.Path = "/";

I am pretty sure that I am not configuring FederatedAuthentication correctly, and I am not sure where to configure it correctly. One thing I notice is that when I set a breakpoint on BeginRequest and inspect FederatedAuthentication.WSFederationAuthenticationModule, I do not see the properties set on it when the values are not present in the web.config.


Answer 1:


I always manage all my WIF config from code, and just use app settings for the RP and STS server names etc. This setup should work for you. BTW, this is the setup for a relying party (the STS setup is simpler).

// usings added for completeness; ValidatingIssuerNameRegistry and IssuingAuthority
// come from the System.IdentityModel.Tokens.ValidatingIssuerNameRegistry NuGet package
using System;
using System.Collections.Generic;
using System.IdentityModel.Services;
using System.IdentityModel.Services.Configuration;
using System.IdentityModel.Tokens;
using System.ServiceModel.Security;

protected void Application_Start()
{
    FederatedAuthentication.FederationConfigurationCreated += FederatedAuthentication_FederationConfigurationCreated;
}

private static void FederatedAuthentication_FederationConfigurationCreated(object sender, FederationConfigurationCreatedEventArgs e)
{
    //from appsettings...
    const string allowedAudience = "http://audience1/user/get";
    const string rpRealm = "http://audience1/";
    const string domain = "";
    const bool requireSsl = false;
    const string issuer = "http://sts/token/create";
    const string internalSts = "http://sts/"; // issuer name as it appears in the token; placeholder value, not in the original answer
    const string certThumbprint = "mythumbprint";
    const string authCookieName = "StsAuth";

    var federationConfiguration = new FederationConfiguration();
    federationConfiguration.IdentityConfiguration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(allowedAudience));

    // accept tokens from the STS only when signed by the certificate with this thumbprint
    var issuingAuthority = new IssuingAuthority(internalSts);
    issuingAuthority.Thumbprints.Add(certThumbprint);
    issuingAuthority.Issuers.Add(internalSts);
    var issuingAuthorities = new List<IssuingAuthority> { issuingAuthority };

    var validatingIssuerNameRegistry = new ValidatingIssuerNameRegistry { IssuingAuthorities = issuingAuthorities };
    federationConfiguration.IdentityConfiguration.IssuerNameRegistry = validatingIssuerNameRegistry;
    // no X.509 chain validation: the signing certificate is pinned by thumbprint above
    federationConfiguration.IdentityConfiguration.CertificateValidationMode = X509CertificateValidationMode.None;

    // session cookie with a 30-minute persistent lifetime
    var chunkedCookieHandler = new ChunkedCookieHandler { RequireSsl = requireSsl, Name = authCookieName, Domain = domain, PersistentSessionLifetime = new TimeSpan(0, 0, 30, 0) };
    federationConfiguration.CookieHandler = chunkedCookieHandler;
    federationConfiguration.WsFederationConfiguration.Issuer = issuer;
    federationConfiguration.WsFederationConfiguration.Realm = rpRealm;
    federationConfiguration.WsFederationConfiguration.RequireHttps = requireSsl;

    e.FederationConfiguration = federationConfiguration;
}
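As an added example (not part of the original answer), the same FederationConfigurationCreated hook used to produce exactly the question's federatedAuthentication element, keeping requireHttps and requireSsl on and chain-trust certificate validation instead of None; it targets the .NET 4.5 System.IdentityModel.Services API rather than the microsoft.identityModel (WIF 3.5) assembly named in the question. The appSettings key names and the Required helper are assumptions.

```csharp
using System;
using System.Configuration;
using System.IdentityModel.Services;
using System.IdentityModel.Services.Configuration;
using System.IdentityModel.Tokens;
using System.ServiceModel.Security;
using System.Web;

public class MvcApplication : HttpApplication
{
    protected void Application_Start()
    {
        // Hand WIF its configuration at creation time instead of setting module properties later.
        FederatedAuthentication.FederationConfigurationCreated += OnFederationConfigurationCreated;
    }

    private static void OnFederationConfigurationCreated(object sender, FederationConfigurationCreatedEventArgs e)
    {
        // appSettings key names are assumptions; Required() fails fast on a missing value.
        string issuer = Required("Sts.Issuer");                 // e.g. https://IssuedByFoo.com
        string realm = Required("Rp.Realm");                    // e.g. http://Foo.com/
        string issuerThumbprint = Required("Sts.SigningCertThumbprint");
        string issuerName = Required("Sts.TokenIssuerName");    // <Issuer> value inside the token
        var config = new FederationConfiguration();

        // <wsFederation passiveRedirectEnabled="false" requireHttps="true" issuer=".." realm=".." />
        config.WsFederationConfiguration.Issuer = issuer;
        config.WsFederationConfiguration.Realm = realm;
        config.WsFederationConfiguration.PassiveRedirectEnabled = false;
        config.WsFederationConfiguration.RequireHttps = true;

        // <cookieHandler requireSsl="true" path="/" />
        config.CookieHandler = new ChunkedCookieHandler { RequireSsl = true, Path = "/" };

        // Only tokens for this RP, signed by the pinned STS certificate; keep chain validation (not None).
        config.IdentityConfiguration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(realm));
        var registry = new ConfigurationBasedIssuerNameRegistry();
        registry.AddTrustedIssuer(issuerThumbprint, issuerName);
        config.IdentityConfiguration.IssuerNameRegistry = registry;
        config.IdentityConfiguration.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        e.FederationConfiguration = config;
    }

    private static string Required(string key)
    {
        string value = ConfigurationManager.AppSettings[key];
        if (string.IsNullOrWhiteSpace(value))
            throw new ConfigurationErrorsException("Missing appSetting: " + key);
        return value;
    }
}
```

If the STS signs with a self-signed certificate, ChainTrust fails until that certificate is placed in the machine's trusted store; doing that is preferable to switching the mode to None.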



Answer 2:


I ended up going with this:

Is it possible to get ACS claims without editing web.config?

This seems to work, and we were already using a custom Module so it was easy to implement.



Source: https://stackoverflow.com/questions/23205559/programatically-configuring-federatedauthentication-element-in-microsoft-identit
