如何从应用程序池标识(对于配置的用户)获取SAML令牌?

问题描述:

有没有办法为应用程序池标识用户(已配置的用户)获取SAML令牌?如何从应用程序池标识(对于配置的用户)获取SAML令牌?

当我们在 %systemroot%\System32\Inetsrv\config 路径下的 applicationHost.config 中配置应用程序池标识(Identity)的存储配置项(用户名和密码)时:

当应用程序启动时,它会读取用户名和加密的密码进行验证。验证成功后,后续调用是采用基于令牌的身份验证,还是始终进行基本身份验证?

如果是基于令牌的,那么在第一次响应之后,我如何获取应用程序池标识用户的 SAML 令牌?

如果有任何链接请让我知道。

在此先感谢。

答1:使用 ADAL 流程为已登录用户获取 JWT 令牌:

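if (!AdfsConfiguration.IsInitialized) throw new SecurityException(Constants.AdfsConfigurationInitilizationExceptionMessage);
if (string.IsNullOrEmpty(AdfsConfiguration.AdfsAuthorityUrl)) throw new SecurityException(Constants.AdfsConfigurationAdfsAuthorityUrlInitilizationExceptionMessage);

// The authority is built once so the request and the failure message cannot drift apart.
var authority = string.Format(AdfsConfiguration.AdfsAuthorityUrl, AdfsConfiguration.AdfsInstance, AdfsConfiguration.Resource);

try
{
    // validateAuthority is false because ADAL validates authorities against the Azure AD
    // instance-discovery list, which an on-premises ADFS authority is not in. The trade-off is
    // that a wrong AdfsAuthorityUrl is not caught here, so that setting deserves the same
    // protection as the credentials the token gives access to.
    var authenticationContext = new AuthenticationContext(authority, false);

    // Interactive acquisition (PromptBehavior.Auto) for the logged-on user; per the answer,
    // the application pool identity is served by the authorization-code path instead.
    var asyncRequest = authenticationContext.AcquireTokenAsync(AdfsConfiguration.Resource, AdfsConfiguration.ClientId, new Uri(AdfsConfiguration.RedirectUri), new PlatformParameters(PromptBehavior.Auto));

    // The enclosing method is synchronous (its signature is not shown here), so the task is
    // still blocked on; GetAwaiter().GetResult() surfaces the underlying exception instead of
    // an AggregateException, so the SecurityException below carries a useful inner exception.
    // NOTE(review): blocking on a task can deadlock under a synchronization context — confirm
    // the caller runs without one, or make the chain async.
    return asyncRequest.GetAwaiter().GetResult().AccessToken;
}
catch (Exception exp)
{
    // Only the authority goes into the message: never the token or the client credentials.
    var additionalInfo = $" additionalInfo : [authenticationContext : {authority}]";
    throw new SecurityException($"AdfsAuthorization.GetAdfsOAuthJwtAccessTokenForWinAppUserUsingAdal is failed, {additionalInfo}", exp);
}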

答2:通过授权码(authorization code)流程为已登录用户或应用程序池标识用户获取 JWT 令牌。

第1步:从 ADFS 服务器获取授权码

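 var authUrl = string.Format(AdfsConfiguration.AdfsAuthUrl, AdfsConfiguration.AdfsInstance, AdfsConfiguration.ClientId, AdfsConfiguration.Resource, AdfsConfiguration.UrlEncodedRedirectUri);
 var authCode = "";
 // Bound for the manual redirect chase (Client is presumably configured not to auto-follow
 // redirects, otherwise the Location header would never be seen): a sign-in loop on the
 // ADFS side must not hang the caller forever.
 const int maxRedirects = 10;
 int hops = 0;

 try
 {
     do
     {
         if (hops++ >= maxRedirects)
         {
             throw new InvalidOperationException($"More than {maxRedirects} redirects while requesting the authorization code");
         }

         using (var result = await Client.GetAsync(authUrl))
         {
             // The body is drained so the connection can be reused; only the Location header matters.
             await result.Content.ReadAsStringAsync();
             IEnumerable<string> values;
             if (result.Headers.TryGetValues("location", out values))
             {
                 foreach (string s in values)
                 {
                     // Take the "code" parameter out of the redirect URL's query (or fragment)
                     // rather than everything after the first "code=" substring, which also
                     // matched e.g. "error_code=" and kept any trailing "&state=..." in the code.
                     // The value is unescaped here because the token request re-encodes it.
                     string code = null;
                     foreach (string part in s.Split('?', '#', '&'))
                     {
                         if (part.StartsWith("code=", StringComparison.Ordinal))
                         {
                             code = Uri.UnescapeDataString(part.Substring("code=".Length));
                         }
                     }

                     if (code != null)
                     {
                         authUrl = "";
                         authCode = code;
                     }
                     else if (s.StartsWith("/", StringComparison.Ordinal))
                     {
                         // Relative redirect: resolve against the URL just requested.
                         authUrl = new Uri(new Uri(authUrl), s).AbsoluteUri;
                     }
                     else
                     {
                         authUrl = s;
                     }
                 }
             }
             else
             {
                 authUrl = "";
             }
         }
     } while (!string.IsNullOrEmpty(authUrl));

     return authCode;
 }
 catch (Exception exp)
 {
     // The last URL is reported; the authorization code itself never goes into the message.
     var additionalInfo = $"additionalInfo : [authUrl: {authUrl}]";
     throw new SecurityException($"AdfsAuthorization.GetAuthCodeForWinAppUserAsync is failed, {additionalInfo}", exp);
 }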

第2步:将授权码传给 ADFS 服务器以获取 JWT 令牌

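 if (!AdfsConfiguration.IsInitialized) throw new SecurityException(Constants.AdfsConfigurationInitilizationExceptionMessage);

 // Redeem the authorization code at the ADFS OAuth2 token endpoint and return the raw response
 // body (the caller parses the access token out of it). The endpoint is built once so the
 // request and the failure message refer to the same URL.
 var tokenEndpoint = string.Format(AdfsConfiguration.AdfsTokenServiceUrl, AdfsConfiguration.AdfsInstance);

 // The using block replaces the try/finally: WebClient is disposed on every path.
 using (var client = new WebClient())
 {
     try
     {
         if (AdfsConfiguration.UseProxy == "Y")
         {
             // Proxy host "Proxy":80 is hard-coded; the process identity's Windows credentials
             // (the application pool identity under IIS) are offered to it.
             client.Proxy = new WebProxy("Proxy", 80) { Credentials = CredentialCache.DefaultNetworkCredentials };
         }

         // NOTE(review): the authorization code is a one-time bearer credential, so the endpoint
         // must be https (the commented-out sample is) — this method does not enforce the scheme,
         // confirm it in configuration.
         var address = new Uri(tokenEndpoint);
         var redirectAddress = new Uri(AdfsConfiguration.RedirectUri);

         var values = new NameValueCollection
         {
             {"client_id", AdfsConfiguration.ClientId},
             {"grant_type", "authorization_code"},
             {"code", code},
             // The same redirect URI the code was requested with (see the ADAL path above).
             {"redirect_uri", redirectAddress.ToString()}
         };

         byte[] responseBytes = client.UploadValues(address, "POST", values);
         return System.Text.Encoding.UTF8.GetString(responseBytes);
     }
     catch (Exception exp)
     {
         // Endpoint and redirect URI only: the code and the response body never go into the message.
         var additionalInfo = $" additionalInfo : [address: {tokenEndpoint}, redirect Uri :{AdfsConfiguration.RedirectUri}]";
         throw new SecurityException($"AdfsAuthorization.GetAdfsOAuthTokenByAuthCode is failed, {additionalInfo}", exp);
     }
 }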

为应用程序池标识或已登录用户获取 SAML 断言:

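 string rpLoginUrl = string.Format(SapConfiguration.AdfsSignInUrl, SapConfiguration.AdfsInstance, HttpUtility.UrlEncode(GetSapTokenServiceUrl));
 string htmlContent;
 // Bound for the manual redirect chase: a misconfigured ADFS/relying-party pair that redirects
 // in a loop would otherwise spin this method forever.
 const int maxRedirects = 10;
 int hops = 0;

 try
 {
     do
     {
         if (hops++ >= maxRedirects)
         {
             throw new InvalidOperationException($"More than {maxRedirects} redirects while signing in at the relying party");
         }

         using (var result = await Client.GetAsync(rpLoginUrl))
         {
             // The last page in the chain is the auto-post form carrying the SAMLResponse.
             htmlContent = await result.Content.ReadAsStringAsync();
             IEnumerable<string> values;
             if (result.Headers.TryGetValues("location", out values))
             {
                 foreach (string s in values)
                 {
                     if (s.StartsWith("/", StringComparison.Ordinal))
                     {
                         // Resolve a relative redirect against the URL just requested instead of
                         // cutting at "/adfs/ls", which threw once the chain left the ADFS host.
                         rpLoginUrl = new Uri(new Uri(rpLoginUrl), s).AbsoluteUri;
                     }
                     else
                     {
                         rpLoginUrl = s;
                     }
                 }
             }
             else
             {
                 rpLoginUrl = "";
             }
         }
     } while (!string.IsNullOrEmpty(rpLoginUrl));
 }
 catch (Exception exp)
 {
     var additionalInfo = $" additionalInfo : [rpLoginUrl: {rpLoginUrl}]";
     throw new SecurityException($"SapAuthorization.GetSamlResponseForProcessIdentityAsync is failed, {additionalInfo}", exp);
 }

 // Screen-scrape the SAMLResponse form field; the last occurrence wins, as before. The value
 // is the raw (still encoded) response and is returned unverified: whoever consumes it must
 // validate the assertion's signature, audience and validity window before trusting it.
 var reg = new Regex("SAMLResponse\\W+value\\=\\\"([^\\\"]+)\\\"");
 var matches = reg.Matches(htmlContent);
 return matches.Count > 0 ? matches[matches.Count - 1].Groups[1].Value : null;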