How do you get one ADFS to trust another ADFS

I am trying to link 2 ADFS instances together. We have an application protected by one ADFS, and users in another AD that also uses ADFS to protect applications. Now I am trying to give the users in the other ADFS access to the application protected by the first ADFS.

In the ADFS that has the users in AD, I have set up a new relying party, which is the other ADFS instance.

In the ADFS protecting the application I have set up a claims provider trust. I did this by pointing it at the metadata of the ADFS instance that has the Active Directory users. This seems to be working.

Now when I try to access the protected application, I get certificate errors for the SSO certificate; I click through those and get bounced to the RP ADFS, where a page is displayed with a choice of AD authentication or the ID ADFS instance. I select the ID ADFS I just set up, click "Continue", and get bounced to the login page. After logging in it bounces me back to the RP ADFS server, and I have an error with a reference number. When I look up the reference number in the event log I see 2 or 3 errors.

The first one is about the revocation list:

An error occurred during an attempt to build the certificate chain for the claims provider trust 'http://dev-sso.xxxxxxx.com/adfs/services/trust' certificate '...e28c9a578...'. Possible causes are that the certificate has been revoked, the certificate chain could not be verified as specified by the claims provider trust's signing certificate revocation settings, or the certificate is not within its validity period.

The second one is:

The Federation Service encountered an error while processing the WS-Trust request. 
Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue 
Additional Data 
Exception details: 
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
    (
    IsReadOnly = False,
    Count = 1,
    Clause[0] = Microsoft.IdentityServer.Tokens.MSISSecurityKeyIdentifierClause
    )
'. Ensure that the SecurityTokenResolver is populated with the required key.
   at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.ResolveSigningCredentials()
   at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.OnEndOfRootElement()
   at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.Read()
   at System.Xml.XmlReader.ReadEndElement()
   at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ReadAssertion(XmlReader reader)
   at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ReadToken(XmlReader reader)
   at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
   at Microsoft.IdentityModel.Tokens.SecurityTokenElement.ReadSecurityToken(XmlElement securityTokenXml, SecurityTokenHandlerCollection securityTokenHandlers)
   at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSecurityToken()
   at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
   at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
   at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext serializationContext, AsyncCallback asyncCallback, Object asyncState)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String trustNamespace, AsyncCallback callback, Object state)
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier

I decided to disable the revocation list check. I think the problem is a proxy or firewall in the way, and in production we will have real certificates, so I think it will no longer be a problem.
So not a real answer, but enough to move on.
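The two event-log errors above come from two different checks on the RP-side AD FS: the first is about building and revocation-checking the chain for the claims provider's signing certificate, and ID4037 means the token's signature could not be matched to any signing certificate stored on that claims provider trust (typically the IdP has rolled its token-signing certificate, or the trust was created from stale metadata). The PowerShell below is an added example, not from the original post, for checking both on the RP-side AD FS server before relaxing revocation checking. It uses the standard ADFS and PKI module cmdlets; the claims provider identifier and metadata URL are placeholders, and the thumbprint comparison and chain check are my own diagnostic steps, not anything AD FS ships.

```powershell
# Added example (not from the original post). Run on the RP-side AD FS server,
# i.e. the one logging the revocation error and ID4037, with the ADFS and PKI modules.
# Assumptions: the identifier and metadata URL below are placeholders for the IdP-side AD FS.
$cpIdentifier = 'http://dev-sso.example.com/adfs/services/trust'
$metadataUrl  = 'https://dev-sso.example.com/FederationMetadata/2007-06/FederationMetadata.xml'

# 1. What the RP-side AD FS currently holds for the claims provider trust.
#    A token signed by a certificate that is not in TokenSigningCertificates fails with ID4037,
#    so this list is the first thing to compare against the IdP.
$cp = Get-AdfsClaimsProviderTrust -Identifier $cpIdentifier
"Revocation check mode on the trust: $($cp.SigningCertificateRevocationCheck)"
$stored = $cp.TokenSigningCertificates | ForEach-Object { $_.Thumbprint }
$cp.TokenSigningCertificates | Select-Object Subject, Thumbprint, NotBefore, NotAfter | Format-Table -AutoSize

# 2. Which signing certificate(s) the IdP-side AD FS is advertising right now.
[xml]$md = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
$ns = @{ md = 'urn:oasis:names:tc:SAML:2.0:metadata'; ds = 'http://www.w3.org/2000/09/xmldsig#' }
$advertised = Select-Xml -Xml $md -Namespace $ns -XPath "//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate" |
    ForEach-Object {
        $bytes = [Convert]::FromBase64String($_.Node.InnerText.Trim())
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    }

foreach ($cert in $advertised) {
    $known = $stored -contains $cert.Thumbprint
    "Advertised signing cert $($cert.Thumbprint) ($($cert.Subject)) present on the trust: $known"

    # 3. Build the chain with live CRL/OCSP fetching, as the first event describes.
    #    certutil reports which revocation URL it could not reach, which separates a
    #    proxy/firewall problem from a certificate that really is revoked or expired.
    $path = Join-Path $env:TEMP ("cp-signing-{0}.cer" -f $cert.Thumbprint)
    Export-Certificate -Cert $cert -FilePath $path -Type CERT | Out-Null
    certutil -verify -urlfetch $path | Select-String -Pattern 'Revocation|CRL|OCSP|Error|Failed|Expired'
}

# 4. If the IdP advertises a certificate the trust does not have, refresh the trust from the
#    metadata URL stored on it (or pass -MetadataFile) instead of editing certificates by hand.
if ($advertised | Where-Object { $stored -notcontains $_.Thumbprint }) {
    Update-AdfsClaimsProviderTrust -TargetIdentifier $cpIdentifier
}

# 5. If the chain builds and only the revocation fetch fails (for example a lab CA whose
#    CRL sits behind a firewall), fix reachability or keep a chain-validating mode such as the
#    default CheckChainExcludeRoot. 'None', which the post settled on, disables revocation
#    checking for this trust entirely and should not be carried into production.
Set-AdfsClaimsProviderTrust -TargetIdentifier $cpIdentifier -SigningCertificateRevocationCheck CheckChainExcludeRoot
```

Reading the output: if step 1 shows a thumbprint that step 2 does not, ID4037 is explained by the trust being out of date, and step 4 is the fix. If the thumbprints match and only step 3 reports an unreachable CRL or OCSP URL, the revocation event is a network-path problem, which is what the post concluded; the monitored-metadata refresh and an explicit revocation mode keep that diagnosis from turning into a permanently disabled check.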
