如何将ADFS用户添加到`AspNetUsers`中?
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了如何将ADFS用户添加到`AspNetUsers`中?相关的知识,希望对你有一定的参考价值。
我们有一个本地ADFS服务器,我们已经成功地使用它来对Web应用程序上的用户进行“身份验证”。但是,这似乎是通过纯魔术起作用的,并且无法正常运行。
目标
我的目标是在Web应用程序上设置身份并将ADFS添加为外部提供程序。如果用户通过ADFS登录,则将在AspNetUsers中创建一个新的Identity帐户,并将一个条目添加到AspNetUserLogins中,将使用的AD帐户链接到刚刚创建的Identity帐户。
当前行为
现在,我的用户被发送到ADFS页面并登录。返回到我的应用程序后,将调用ExternalLoginCallback函数,loginData设置为NULL,并且if语句退出该方法。由于某种原因,它仍然可以对用户进行身份验证,并且他们具有对该应用程序的完全默认访问权限。身份中没有该用户的记录,我无法为该帐户设置角色或2FA。
问题
如何更改当前正在执行的操作,以使其按预期运行?
代码
Startup.Auth.cs
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Globalization;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;
using TexasRelocation.Models;
namespace TexasRelocation
public partial class Startup
private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
private static string adfsMetadata = ConfigurationManager.AppSettings["ida:ADFSMetadata"];
private static string reply = ConfigurationManager.AppSettings["ida:Wreply"];
public void ConfigureAuth(IAppBuilder app)
// Configure the db context, user manager and signin manager to use a single instance per request
app.CreatePerOwinContext(ApplicationDbContext.Create);
app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);
app.CreatePerOwinContext<ApplicationRoleManager>(ApplicationRoleManager.Create);
// Enable the application to use a cookie to store information for the signed in user
// and to use a cookie to temporarily store information about a user logging in with a third party login provider
// Configure the sign in cookie
app.UseCookieAuthentication(new CookieAuthenticationOptions
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login"),
Provider = new CookieAuthenticationProvider
// Enables the application to validate the security stamp when the user logs in.
// This is a security feature which is used when you change a password or add an external login to your account.
OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
validateInterval: TimeSpan.FromMinutes(30),
regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
);
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
// Enables the application to temporarily store user information when they are verifying the second factor in the two-factor authentication process.
app.UseTwoFactorSignInCookie(DefaultAuthenticationTypes.TwoFactorCookie, TimeSpan.FromMinutes(5));
// Enables the application to remember the second login verification factor such as phone or email.
// Once you check this option, your second step of verification during the login process will be remembered on the device where you logged in from.
// This is similar to the RememberMe option when you log in.
app.UseTwoFactorRememberBrowserCookie(DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie);
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseWsFederationAuthentication(
new WsFederationAuthenticationOptions
Wtrealm = realm,
MetadataAddress = adfsMetadata,
Wreply = reply,
Notifications = new WsFederationAuthenticationNotifications()
SecurityTokenValidated = notification =>
//string employeeID = "";
string upn = "";
foreach (var claim in notification.AuthenticationTicket.Identity.Claims)
//if (claim.Type == "employeeID")
//
// employeeID = claim.Value;
//
if (claim.Type == ClaimTypes.Upn)
upn = claim.Value;
ClaimsIdentity identity = notification.AuthenticationTicket.Identity;
//identity.AddClaim(new Claim("employeeID", employeeID));
identity.AddClaim(new Claim(ClaimTypes.Upn, upn));
return Task.FromResult(0);
);
AccountController.cs
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using System.IdentityModel;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;
using TexasRelocation.Models;
namespace TexasRelocation.Controllers
[Authorize]
public class AccountController : Controller
private ApplicationSignInManager _signInManager;
private ApplicationUserManager _userManager;
private ApplicationRoleManager _roleManager;
ApplicationDbContext context;
public AccountController()
context = new ApplicationDbContext();
public AccountController(ApplicationUserManager userManager, ApplicationSignInManager signInManager, ApplicationRoleManager roleManager)
UserManager = userManager;
SignInManager = signInManager;
RoleManager = roleManager;
public ApplicationSignInManager SignInManager
get
return _signInManager ?? HttpContext.GetOwinContext().Get<ApplicationSignInManager>();
private set
_signInManager = value;
public ApplicationUserManager UserManager
get
return _userManager ?? HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>();
private set
_userManager = value;
public ApplicationRoleManager RoleManager
get
return _roleManager ?? HttpContext.GetOwinContext().Get<ApplicationRoleManager>();
private set
_roleManager = value;
//
// GET: /Account/Login
[AllowAnonymous]
public ActionResult Login(string returnUrl)
if (User.Identity.IsAuthenticated)
return RedirectToAction("Index", "Home");
ViewBag.ReturnUrl = returnUrl;
return View();
//
// POST: /Account/Login
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
if (!ModelState.IsValid)
return View(model);
// This doesn't count login failures towards account lockout
// To enable password failures to trigger account lockout, change to shouldLockout: true
var result = await SignInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, shouldLockout: false);
switch (result)
case SignInStatus.Success:
return RedirectToLocal();
case SignInStatus.LockedOut:
return View("Lockout");
case SignInStatus.RequiresVerification:
return RedirectToAction("SendCode", new ReturnUrl = returnUrl, RememberMe = model.RememberMe );
case SignInStatus.Failure:
default:
ModelState.AddModelError("", "Invalid login attempt.");
return View(model);
//
// POST: /Account/ExternalLogin
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public ActionResult ExternalLogin(string provider, string returnUrl)
// Request a redirect to the external login provider
return new ChallengeResult(provider, Url.Action("ExternalLoginCallback", "Account", new ReturnUrl = returnUrl ));
// GET: /Account/ExternalLoginCallback
[AllowAnonymous]
public async Task<ActionResult> ExternalLoginCallback(string returnUrl)
var loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync();
if (loginInfo == null)
return RedirectToAction("Login");
// Sign in the user with this external login provider if the user already has a login
var result = await SignInManager.ExternalSignInAsync(loginInfo, isPersistent: false);
switch (result)
case SignInStatus.Success:
return RedirectToLocal();
case SignInStatus.LockedOut:
return View("Lockout");
case SignInStatus.RequiresVerification:
return RedirectToAction("SendCode", new ReturnUrl = returnUrl, RememberMe = false );
case SignInStatus.Failure:
default:
// If the user does not have an account, then prompt the user to create an account
ViewBag.ReturnUrl = returnUrl;
ViewBag.LoginProvider = loginInfo.Login.LoginProvider;
return View("ExternalLoginConfirmation", new ExternalLoginConfirmationViewModel Email = loginInfo.Email );
//
// GET: /Account/ExternalLoginFailure
[AllowAnonymous]
public ActionResult ExternalLoginFailure()
return View();
protected override void Dispose(bool disposing)
if (disposing)
if (_userManager != null)
_userManager.Dispose();
_userManager = null;
if (_signInManager != null)
_signInManager.Dispose();
_signInManager = null;
base.Dispose(disposing);
//
// POST: /Account/LogOff
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult LogOff()
//AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
Request.GetOwinContext().Authentication.SignOut();
return RedirectToAction("Login", "Account");
#region Helpers
// Used for XSRF protection when adding external logins
private const string XsrfKey = "XsrfId";
private IAuthenticationManager AuthenticationManager
get
return HttpContext.GetOwinContext().Authentication;
private void AddErrors(IdentityResult result)
foreach (var error in result.Errors)
ModelState.AddModelError("", error);
private ActionResult RedirectToLocal()
return RedirectToAction("Index", "Home");
internal class ChallengeResult : HttpUnauthorizedResult
public ChallengeResult(string provider, string redirectUri)
: this(provider, redirectUri, null)
public ChallengeResult(string provider, string redirectUri, string userId)
LoginProvider = provider;
RedirectUri = redirectUri;
UserId = userId;
public string LoginProvider get; set;
public string RedirectUri get; set;
public string UserId get; set;
public override void ExecuteResult(ControllerContext context)
var properties = new AuthenticationProperties RedirectUri = RedirectUri ;
if (UserId != null)
properties.Dictionary[XsrfKey] = UserId;
context.HttpContext.GetOwinContext().Authentication.Challenge(properties, LoginProvider);
#endregion
答案
通过大量的深入研究,我能够弄清楚我的问题是什么。请参考我的答案here。
以上是关于如何将ADFS用户添加到`AspNetUsers`中?的主要内容,如果未能解决你的问题,请参考以下文章
如何有条件地将多个模型映射到 ASP.NET Core Identity 中的一个表(AspNetUsers)?
如何使用 Fluent API 配置从 AspNetUsers 表到...的一对多关系