使用SustainSys在IdentityServer3中配置多个SAML2实例

时间:2018-10-19 18:50:23

标签: identityserver3 kentor-authservices sustainsys-saml2

在IdentityServer3中,我已经根据SustainSys使用documentation库配置了多个基于SAML2的外部提供程序实例。
我可以使用它,但是我对SPOptions.EntityID又是Audience Uri有疑问。 (这不是外部提供商提供给我们的EntityID,而是我需要提供给外部提供商的EntityID)

Audience Uri是否对每个实例都是唯一的?

可以说,我在生产中配置了2个SAML2提供程序实例(Okta和Azure AD),然后基于提供的示例code,对于特定环境,Audience Uri不会是唯一的。

下面是我的基于示例代码的代码。 (为简洁起见,我删除了几行) 

public class Startup
{        
    public void Configuration(IAppBuilder app)
    {
        app.Map("/identity", idsrvApp =>
        {
            var identityServerOptions = new IdentityServerOptions
            {                    
                AuthenticationOptions = new AuthenticationOptions()
                {         
                    EnableAutoCallbackForFederatedSignout = true,
                    EnableSignOutPrompt = false
                }
                .Configure(ConfigureExternalIdentityProviders)                    
            };
            idsrvApp.UseIdentityServer(identityServerOptions);
        });            
    }

    private void ConfigureExternalIdentityProviders(IAppBuilder app, string signInAsType)
    {           
        // Add okta
        AddSAML2Idp(
            app,                
            signInAsType,
            "https://id.mydomain.com/identity/Saml2", //audienceURI
            "okta", //idpname
            "okta", //caption
            "https://www.okta.com/exk4yxtgy7ZzSDp8e0h7", // externalEntityID
            "https://dev-490944.oktapreview.com/app/exk4yxtgy7ZzSDp8e0h7/sso/saml/metadata"); // metadataLocation

        // Add Azure AD
        AddSAML2Idp(app,                
            signInAsType,
            "https://id.mydomain.com/identity/Saml2", //audienceURI
            "azuread", //idpname
            "Azure ad", //caption
            "https://sts.windows.net/xxxxx-fb1d-40c4-xxxxx-xxxxxxxx/", //externalEntityID
            "https://login.microsoftonline.com/xxxx-fb1d-40c4-40c4-xxxxxxx/federationmetadata/2007-06/federationmetadata.xml?appid=xxxx-xxxx-xxxx-xxxx-xxxxxx"); //metadataLocation
    }      

    private void AddSAML2Idp(IAppBuilder app, string signInAsType,string audienceURI, string idpname, string caption, string externalEntityID, string metadataLocation)
    {
        var authenticationOptions = new Saml2AuthenticationOptions(false)
        {
            SPOptions = new SPOptions
            {
                EntityId = new EntityId(audienceURI),                     
                ModulePath = string.Format("/{0}", idpname)
            },
            SignInAsAuthenticationType = signInAsType,
            AuthenticationType = idpname,
            Caption = caption
        };

        UseIdSrv3LogoutOnFederatedLogout(app, authenticationOptions);

        authenticationOptions.SPOptions.ServiceCertificates.Add(LoadCertificateFromWindwosStore());

        var identityProvider = new IdentityProvider(new EntityId(externalEntityID), authenticationOptions.SPOptions)
        {                
            MetadataLocation = metadataLocation,
            LoadMetadata = true 
        };

        authenticationOptions.IdentityProviders.Add(identityProvider);

        app.UseSaml2Authentication(authenticationOptions);
    }

对于okata 

Audience Uri: https://id.mydomain.com/identity/Saml2
ACS Uri: https://id.mydomain.com/identity/okta/acs

Azure AD 

Audience Uri: https://id.mydomain.com/identity/Saml2
ACS Uri: https://id.mydomain.com/identity/azuread/acs

请注意,两个实例的受众uri相同。

对于每个实例,它应该是唯一的:

https://id.mydomain.com/identity/okta   
https://id.mydomain.com/identity/azuread

1 个答案:

答案 0 :(得分:0)

从逻辑上讲,两个实例是两个不同的SAML2服务提供者,并且应具有不同的实体ID。但是,因为您没有将它们都暴露在同一个上游Idp中,所以没关系。

相关问题
最新问题