问题描述
我正在尝试通过 Azure AD 使用 WS-federation 对用户进行身份验证.
I am trying to authenticate user by Azure AD using WS-federation.
我已经实现了多个身份验证方案并使用 Challenge() 将用户重定向到相应的方案.
I've implemented multiple authentication schemes and redirect the user to the respective schemes using Challenge().
return Challenge(new AuthenticationProperties { RedirectUri = "http://localhost:57826/Account/AzureADLogin"}, authenticationScheme);
这可以将我重定向到 Microsoft 登录页面,并在成功登录后将我重定向到操作方法 AzureADLogin().
This can redirect me to the Microsoft login page and after successful login, it redirects me to the action method AzureADLogin().
但不知何故,在 AzureADLogin() 中,我无法在此方法中登录用户身份 (User.Identity.Name).我在回复中收到了空的声明.
But somehow in AzureADLogin(), I could not able to get logged in user identity(User.Identity.Name) in this method. I'm receiving empty claims in the response.
同样在 Azure AD RedirectURIs 中设置为http://localhost:57826/Account/AzureADLogin".
Also in the Azure AD RedirectURIs is set to "http://localhost:57826/Account/AzureADLogin".
Does anyone has idea what I'm doing wrong or missing something?
推荐答案
- 在 Nuget 包管理器中将所有 OWIN 版本更新为 4.1.0
您需要配置应用程序以使用 SystemWebCookieManager.在 startup.cs 中添加它.我把它放在 Configuration(IAppBuilder app) 中的第一行
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
// ...
CookieManager = new SystemWebCookieManager()
});
在我的 PageAuthorize 类中,如果 System.Web.HttpContext.Current.User.Identity.Name 为空,我会进行 SSO 调用:
公共类 PageAuthorize : AuthorizeAttribute{
public class PageAuthorize : AuthorizeAttribute{
private readonly string[] allowedroles;
public PageAuthorize(params string[] roles)
{
this.allowedroles = roles;
}
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
bool authorize = false;
if (System.Web.HttpContext.Current.User.Identity.Name=="")
{
System.Web.HttpContext.Current.GetOwinContext().Authentication.Challenge(new AuthenticationProperties { RedirectUri = "https://mysite/Home/LoggedIn" }, WsFederationAuthenticationDefaults.AuthenticationType);
authorize = true;
}
else
{
foreach (var role in allowedroles)
{
int intLoginId;
string staffName;
sysRole sysRole;
var _staffService = DependencyResolver.Current.GetService<IStaffService>();
LoginMySelf me = new LoginMySelf(_staffService);
var Login = me.DetermineLogin(out intLoginId, out staffName, out sysRole);
//set session vars
var _sessionManagerService = DependencyResolver.Current.GetService<ISessionManagerService>();
string strSess = _sessionManagerService.SetLoginSessionVars(Login, intLoginId, "SSO", sysRole.RoleName,
staffName, Convert.ToInt32(sysRole.AccessLevelValue));
System.Web.HttpContext.Current.Session["RoleName"] = sysRole.RoleName;
System.Web.HttpContext.Current.Session["StaffName"] = staffName;
if (role == sysRole.RoleName)
{
authorize = true;
}
}
}
return authorize;
}
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
HttpContext.Current.Response.Redirect("~/Home/NotAuthorized");
}
现在 System.Web.HttpContext.Current.User.Identity.Name 总是按预期包含我的用户名.
Now the System.Web.HttpContext.Current.User.Identity.Name always contains my username as expected.
以下是我用来隔离和解决问题的参考资料:-https://github.com/aspnet/AspNetKatana/issues/324-https://github.com/aspnet/AspNetKatana/wiki/System.Web-response-cookie-integration-issues
Here are references I used to isolate and fix the problem:-https://github.com/aspnet/AspNetKatana/issues/324-https://github.com/aspnet/AspNetKatana/wiki/System.Web-response-cookie-integration-issues
希望这对您和其他人有所帮助.这绝对是令人抓狂的诊断,但修复很简单!
Hope this helps you and others with this. This was absolutely maddening to diagnose but the fix was simple!
这篇关于通过 Azure AD 身份验证对用户进行身份验证时获取 NULL 身份的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!