ITfoxtec.Identity.Saml2 无效 URI 问题

Posted

技术标签:

【中文标题】ITfoxtec.Identity.Saml2 无效 URI 问题【英文标题】:ITfoxtec.Identity.Saml2 Invalid URI Issue 【发布时间】:2021-03-27 04:54:38 【问题描述】:

当我在我的 Okta SAML 实现中使用 <TargetFramework>net462</TargetFramework> 时,这会在 new Saml2AuthnRequest(config); 时抛出一个无效的 URL,但在我第一次尝试在 netcoreapp3.1 上使用此代码时,它工作得非常好。如果我错过了什么,请告诉我。谢谢。

[HttpGet, AllowAnonymous]
    public IActionResult Index(string returnUrl = null)
    
        try
        
            var config = GetSAMLConfig();
            var binding = new Saml2RedirectBinding();
            binding.SetRelayStateQuery(new Dictionary<string, string>   relayStateReturnUrl, returnUrl ?? Url.Content("~/")  );
            var request = new Saml2AuthnRequest(config);
            return binding.Bind(request).ToActionResult();
        
        catch (Exception e)
        
            Console.WriteLine(e);
            throw;
        
    

   private Saml2Configuration GetSAMLConfig()
    
        var config = new Saml2Configuration();
        config.AllowedAudienceUris.Add("Okta_SAML_Example");
        config.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        config.RevocationMode = X509RevocationMode.NoCheck;

        var entityDescriptor = new EntityDescriptor();
        entityDescriptor.ReadIdPSsoDescriptorFromUrl(new Uri("https://---------.okta.com/app/exk2b0b7dibno7rOB5d6/sso/saml/metadata"));
        if (entityDescriptor.IdPSsoDescriptor != null)
        
            config.SingleSignOnDestination = entityDescriptor.IdPSsoDescriptor.SingleSignOnServices.First().Location;
            config.SignatureValidationCertificates.AddRange(entityDescriptor.IdPSsoDescriptor.SigningCertificates);
        
        else
        
            throw new Exception("IdPSsoDescriptor not loaded from metadata.");
        

        return config;
    

实际异常

System.UriFormatException: Invalid URI: The format of the URI could not be determined.
   at System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind)
   at ITfoxtec.Identity.Saml2.Configuration.Saml2IdentityConfiguration.GetAudienceRestriction(Boolean audienceRestricted, IEnumerable`1 allowedAudienceUris)
   at ITfoxtec.Identity.Saml2.Configuration.Saml2IdentityConfiguration.GetIdentityConfiguration(Saml2Configuration config)
   at ITfoxtec.Identity.Saml2.Saml2Request..ctor(Saml2Configuration config)
   at ITfoxtec.Identity.Saml2.Saml2AuthnRequest..ctor(Saml2Configuration config)
   at SAMLNet461.Controllers.HomeController.Index(String returnUrl) in D:\REPO\PELICAN\LOCAL\SAML.RND - CompanyAcccounts adjustment\SAML.Demo\SAMLNet461\Controllers\HomeController.cs:line 69
   at lambda_method(Closure , Object , Object[] )
   at Microsoft.AspNetCore.Mvc.Internal.ActionMethodExecutor.SyncActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.<InvokeActionMethodAsync>d__12.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.<InvokeNextActionFilterAsync>d__10.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.Rethrow(ActionExecutedContext context)
   at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.<InvokeInnerFilterAsync>d__13.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.<InvokeNextResourceFilter>d__23.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.Rethrow(ResourceExecutedContext context)
   at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.<InvokeFilterPipelineAsync>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.<InvokeAsync>d__16.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.AspNetCore.Builder.RouterMiddleware.<Invoke>d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.<Invoke>d__7.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.<Invoke>d__7.MoveNext()

【问题讨论】:

【参考方案1】:

代码看起来正确。

可能是 TLS 版本问题。

另一种解决方案是在代码中下载元数据并将元数据字符串添加到ITfoxtec Identity SAML 2.0 库:

var idPMetadataXml = "... downloaded metadata ...";
var entityDescriptor = new EntityDescriptor();
entityDescriptorReadIdPSsoDescriptor(idPMetadataXml);
...

更新:

与观众限制相关的错误接缝:

config.AllowedAudienceUris.Add("Okta_SAML_Example"); 

受众必须是 .NET Framework 应用程序中的 URI。纯文本字符串仅在 .NET Core 和 .NET 5.0 中受支持。

.NET 框架示例:https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/tree/master/test/TestWebApp

【讨论】:

感谢您的回答,我将在明天早些时候尝试此解决方案,并再次向您更新结果,谢谢。 即使我下载了 XML,我仍然遇到同样的错误。当实例化 new Saml2AuthnRequest(config) 任何其他解决方法时是否会发生错误,或者您可能有 net462 的演示/简单? 感谢您的更新,安德斯您说得对,问题是受众限制我刚刚更新了 Okta 受众限制以拥有一个有效的 URL,然后它就可以工作了,非常感谢。【参考方案2】:

我遇到了同样的问题,它是由“GetAudienceRestriction() 方法”引起的。将发行者名称从“application-name”更改为“https://application-name”有帮助。不要忘记在身份提供者端(Okta、Ping Identity 等)始终更改您的名称。现在不再抛出异常。

【讨论】:

以上是关于ITfoxtec.Identity.Saml2 无效 URI 问题的主要内容,如果未能解决你的问题,请参考以下文章

ITfoxtec.Identity.Saml2 无效 URI 问题

如何读取加密的断言?

itfoxtec-identity-saml2 中的方法 ValidateRelyingParty 从哪里派生?

调用 Saml2PostBinding.Unbind() 时签名无效

如何在 itfoxtec 中支持工件绑定?

InvalidSignatureException:签名无效