Configuring multiple SAML2 instances in IdentityServer3 with SustainSys



In IdentityServer3 I have configured multiple instances of a SAML2-based external provider with the SustainSys library, following the documentation.
I got it working, but I have a question about SPOptions.EntityID, a.k.a. the Audience URI. (This is not the entity ID the external provider gives us, but the entity ID I need to give to the external provider.)

Should this Audience URI be unique for each instance?

Suppose I have 2 instances of the SAML2 provider (Okta and Azure AD) configured in production; then, following the provided sample code, the Audience URI will not be unique for a given environment.

Below is my code, based on the sample code. (I removed a few lines for brevity.)

using System;
using Owin;
using IdentityServer3.Core.Configuration;
using Sustainsys.Saml2;
using Sustainsys.Saml2.Configuration;
using Sustainsys.Saml2.Metadata;
using Sustainsys.Saml2.Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // IdentityServer3 is mounted under /identity, so every SAML2 module path below
        // ends up under https://id.mydomain.com/identity/...
        app.Map("/identity", idsrvApp =>
        {
            var identityServerOptions = new IdentityServerOptions
            {
                AuthenticationOptions = new AuthenticationOptions()
                {
                    EnableAutoCallbackForFederatedSignout = true,
                    EnableSignOutPrompt = false
                }
                // .Configure(...) is a helper extension omitted from this post for brevity
                .Configure(ConfigureExternalIdentityProviders)
            };
            idsrvApp.UseIdentityServer(identityServerOptions);
        });
    }

    private void ConfigureExternalIdentityProviders(IAppBuilder app, string signInAsType)
    {
        // Add Okta
        AddSAML2Idp(
            app,
            signInAsType,
            "https://id.mydomain.com/identity/Saml2",                   // audienceURI (SPOptions.EntityId)
            "okta",                                                     // idpname
            "okta",                                                     // caption
            "https://www.okta.com/exk4yxtgy7ZzSDp8e0h7",                // externalEntityID
            "https://dev-490944.oktapreview.com/app/exk4yxtgy7ZzSDp8e0h7/sso/saml/metadata"); // metadataLocation

        // Add Azure AD
        AddSAML2Idp(
            app,
            signInAsType,
            "https://id.mydomain.com/identity/Saml2",                   // audienceURI (same value as for Okta)
            "azuread",                                                  // idpname
            "Azure ad",                                                 // caption
            "https://sts.windows.net/xxxxx-fb1d-40c4-xxxxx-xxxxxxxx/",   // externalEntityID
            "https://login.microsoftonline.com/xxxx-fb1d-40c4-40c4-xxxxxxx/federationmetadata/2007-06/federationmetadata.xml?appid=xxxx-xxxx-xxxx-xxxx-xxxxxx"); // metadataLocation
    }

    // One Sustainsys SAML2 middleware instance per external IdP. The module path is
    // derived from the IdP name, but the SP entity ID (Audience URI) is passed in.
    private void AddSAML2Idp(IAppBuilder app, string signInAsType, string audienceURI,
        string idpname, string caption, string externalEntityID, string metadataLocation)
    {
        var authenticationOptions = new Saml2AuthenticationOptions(false)
        {
            SPOptions = new SPOptions
            {
                EntityId = new EntityId(audienceURI),
                ModulePath = string.Format("/{0}", idpname)   // gives .../identity/{idpname}/Acs
            },
            SignInAsAuthenticationType = signInAsType,
            AuthenticationType = idpname,
            Caption = caption
        };

        // Helpers below are omitted from this post for brevity.
        UseIdSrv3LogoutOnFederatedLogout(app, authenticationOptions);
        authenticationOptions.SPOptions.ServiceCertificates.Add(LoadCertificateFromWindowsStore());

        var identityProvider = new IdentityProvider(new EntityId(externalEntityID), authenticationOptions.SPOptions)
        {
            MetadataLocation = metadataLocation,
            LoadMetadata = true
        };
        authenticationOptions.IdentityProviders.Add(identityProvider);
        app.UseSaml2Authentication(authenticationOptions);
    }
}

So for Okta:

Audience URI: https://id.mydomain.com/identity/Saml2
ACS URI: https://id.mydomain.com/identity/okta/acs

Azure AD:

Audience URI: https://id.mydomain.com/identity/Saml2
ACS URI: https://id.mydomain.com/identity/azuread/acs

Note that the Audience URI is the same for both instances.

Should it be unique for each instance, e.g.:

https://id.mydomain.com/identity/okta
https://id.mydomain.com/identity/azuread

Logically, the two instances are two different SAML2 Service Providers and should have different entity IDs. But since you are not exposing both of them to the same upstream IdP, it does not matter.
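The following is an added example, not code from the question or from the Sustainsys project, showing the per-instance layout the question asks about: the SP entity ID (Audience URI) and the module path are both derived from the IdP name, so each SAML2 middleware instance announces its own Audience and ACS, and a guard rejects two registrations that would collide. The type and method names (Saml2IdpRegistration, BuildSaml2Options, AddSaml2Idps) are my own; the namespaces assume Sustainsys.Saml2 2.x for OWIN, the same library the question's code uses.

```csharp
// Added example (not from the question or the Sustainsys project).
// Assumed names: Saml2IdpRegistration, BuildSaml2Options, AddSaml2Idps are mine;
// namespaces assume Sustainsys.Saml2 2.x for OWIN.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Owin;
using Sustainsys.Saml2;
using Sustainsys.Saml2.Configuration;
using Sustainsys.Saml2.Metadata;
using Sustainsys.Saml2.Owin;

public sealed class Saml2IdpRegistration
{
    public string Name { get; set; }              // e.g. "okta"; becomes AuthenticationType and module path
    public string Caption { get; set; }
    public string ExternalEntityId { get; set; }  // the IdP's own entityID, as published in its metadata
    public string MetadataLocation { get; set; }
}

public static class Saml2Registration
{
    // Derives the SP entity ID and the module path from the base URL and the IdP name, so
    // that with identityBaseUrl = https://id.mydomain.com/identity/ and Name = "okta":
    //   SPOptions.EntityId = https://id.mydomain.com/identity/okta   (Audience URI)
    //   ModulePath         = /okta  -> ACS at https://id.mydomain.com/identity/okta/Acs
    public static Saml2AuthenticationOptions BuildSaml2Options(
        Uri identityBaseUrl, string signInAsType, X509Certificate2 serviceCertificate,
        Saml2IdpRegistration idp)
    {
        if (string.IsNullOrWhiteSpace(idp.Name) || idp.Name.Contains("/"))
            throw new ArgumentException("IdP name must be a single non-empty path segment.", nameof(idp));

        // Ensure a trailing slash so the relative segment is appended, not substituted.
        var baseUrl = identityBaseUrl.AbsoluteUri.EndsWith("/")
            ? identityBaseUrl
            : new Uri(identityBaseUrl.AbsoluteUri + "/");
        var name = idp.Name.ToLowerInvariant();
        var spEntityId = new Uri(baseUrl, name);

        var options = new Saml2AuthenticationOptions(false)
        {
            SPOptions = new SPOptions
            {
                EntityId = new EntityId(spEntityId.AbsoluteUri),
                ModulePath = "/" + name
            },
            SignInAsAuthenticationType = signInAsType,
            AuthenticationType = idp.Name,
            Caption = idp.Caption
        };
        options.SPOptions.ServiceCertificates.Add(serviceCertificate);

        options.IdentityProviders.Add(new IdentityProvider(new EntityId(idp.ExternalEntityId), options.SPOptions)
        {
            MetadataLocation = idp.MetadataLocation,
            LoadMetadata = true
        });
        return options;
    }

    public static void AddSaml2Idps(IAppBuilder app, Uri identityBaseUrl, string signInAsType,
        X509Certificate2 serviceCertificate, IEnumerable<Saml2IdpRegistration> idps)
    {
        var built = idps
            .Select(i => BuildSaml2Options(identityBaseUrl, signInAsType, serviceCertificate, i))
            .ToList();

        // Fail fast before any middleware is registered: two instances sharing a ModulePath
        // would claim the same /Acs endpoint, and two sharing an EntityId would present the
        // same Audience to different IdPs.
        var dupEntity = built
            .GroupBy(o => o.SPOptions.EntityId.Id, StringComparer.OrdinalIgnoreCase)
            .FirstOrDefault(g => g.Count() > 1);
        if (dupEntity != null)
            throw new InvalidOperationException("Duplicate SP EntityId: " + dupEntity.Key);

        var dupPath = built
            .GroupBy(o => o.SPOptions.ModulePath, StringComparer.OrdinalIgnoreCase)
            .FirstOrDefault(g => g.Count() > 1);
        if (dupPath != null)
            throw new InvalidOperationException("Duplicate ModulePath: " + dupPath.Key);

        foreach (var options in built)
            app.UseSaml2Authentication(options);
    }
}
```

Call `Saml2Registration.AddSaml2Idps(app, new Uri("https://id.mydomain.com/identity/"), signInAsType, cert, registrations)` from the IdentityServer3 external-provider callback in place of the two `AddSAML2Idp` calls. Whichever layout you choose, the Audience URI and ACS URL registered at each IdP (Okta, Azure AD) must match the values that particular instance announces, since each IdP validates the assertion's Audience against what was registered on its side.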

Latest update