Asp.net

WS-Federation sign-in in ASP.NET 5 MVC 6 with ADFS

  • April 20, 2016

Hi, so I have been trying to implement WS-Fed SSO on my MVC 6 web application. I have read a bit about authentication, all of it to pin down my requirements. I must use WsFederationAuth, so neither the OAuth nor the SAML protocols are an option for me.

**Edit:** Following @Pinpoint's suggestion, I tried to implement the connection using the OWIN middleware, but I would have to use the full framework DNX451 instead of DNXCore; that is what it takes while waiting for vNext to support ws-fed.

Pinpoint's adapter extension:

```csharp
// using directives added for readability; namespaces as of the ASP.NET 5 beta and Katana 3 packages
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNet.Builder;
using Microsoft.AspNet.Hosting;
using Microsoft.Owin.Builder;
using Microsoft.Owin.BuilderProperties;
using Owin;

public static class AppBuilderExtensions
{
#if !DNXCORE50
    // Bridges the ASP.NET 5 pipeline to a Katana IAppBuilder so OWIN middleware can be mounted in it.
    public static IApplicationBuilder UseOwinAppBuilder(this IApplicationBuilder app,
        Action<IAppBuilder> configuration)
    {
        if (app == null)
        {
            throw new ArgumentNullException(nameof(app));
        }

        if (configuration == null)
        {
            throw new ArgumentNullException(nameof(configuration));
        }

        return app.UseOwin(setup => setup(next =>
        {
            var builder = new AppBuilder();
            var lifetime = (IApplicationLifetime) app.ApplicationServices.GetService(typeof (IApplicationLifetime));

            // Hand the host's identity, shutdown token and the rest of the pipeline to the Katana builder.
            var properties = new AppProperties(builder.Properties);
            properties.AppName = app.ApplicationServices.GetApplicationUniqueIdentifier();
            properties.OnAppDisposing = lifetime.ApplicationStopping;
            properties.DefaultApp = next;

            configuration(builder);

            return builder.Build<Func<IDictionary<string, object>, Task>>();
        }));
    }
#endif
}
```

In startup.cs:

```csharp
// using directives added for readability (Katana WS-Federation middleware and System.IdentityModel 4.5)
using Microsoft.Owin.Security.WsFederation;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

// inside Startup.Configure(IApplicationBuilder app)
#if !DNXCORE50
        app.UseOwinAppBuilder(owin =>
        {
            owin.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                MetadataAddress =
                    "https://mysite.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml",
                Wtrealm = "http://localhost:62569/",
                SignInAsAuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType,
                AuthenticationType = "adfs",
                SecurityTokenHandlers = new SecurityTokenHandlerCollection
                {
                    // Decrypts tokens encrypted for a certificate in the machine's personal store
                    new EncryptedSecurityTokenHandler
                    {
                        Configuration = new SecurityTokenHandlerConfiguration
                        {
                            IssuerTokenResolver = new X509CertificateStoreTokenResolver(StoreName.My,
                                StoreLocation.LocalMachine)
                        }
                    },
                    new Saml2SecurityTokenHandler
                    {
                        // No chain or trust validation of the signing certificate is performed with this setting
                        CertificateValidator = X509CertificateValidator.None
                    }
                }
            });
        });
#endif
```

I can feel I am getting closer to the solution, but I am not done yet. I am having trouble processing the token (after authenticating against ADFS).

As far as I understand, I get this error with the token:

SecurityTokenValidationException: IDX10201: None of the SecurityTokenHandlers could read the 'securityToken':

```xml
<Assertion ID="_851fc402-2e9c-4ff8-a743-7d65612255b9" IssueInstant="2015-06-22T16:16:03.852Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
   <Issuer>https://mysite.accesscontrol.windows.net/</Issuer>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <ds:SignedInfo>
           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
           <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
           <ds:Reference URI="#_851fc402-2e9c-4ff8-a743-7d65612255b9">
               <ds:Transforms>
                   <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                   <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
               </ds:Transforms>
               <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
               <ds:DigestValue>xZdzOnNIG5Ia***********t0feMWIZMLnY=</ds:DigestValue>
           </ds:Reference>
       </ds:SignedInfo>
       <ds:SignatureValue>KmuScnZBdxyaAJrfLgB9AYheUdR*****************************Xs4o8R+eMCPdWNsDjhLu500UlCgitYerjpLTTyRRdwvFo8T7LlsXO2yjv3dx83Yn+GthE+FswNRH07yIHF5wo5+/TAwiVzg+9SDbK+Nj84PdLMxwIfALAebf4/ECdpqkWvt2ligzFoQckEgZMRepOcAVfBxfELyJSUDAjnpfJCrlCQip0nykC+5R37X00flIlB563p48veeLIt0JaUdG4bwtQ8OCMg1KeD5gYix9p4E3TQ7QovN0HDoWTurLK/0H01IS73fIe6/k6DBA==</ds:SignatureValue>
       <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
           <X509Data>
               <X509Certificate>MIIDSjCCAjagAwIBAgIQrcBhMtovuJ**********************MDExLzAtBgNVBAMTJm1hcmdvY29uc2VpbC5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MB4XDTE1MDYxNjA4MTYzOFoXDTIwMDUzMTIyMDAwMFowMTEvMC0GA1UEAxMmbWFyZ29jb25zZWlsLmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCpeZseXX1IYTABUOPr7nfIAXc7cXAI0k+vR3qEbvy0UxEhYAkAocQR2qUTPQ8D1v4lPp59tnHKBGJ0eHt9DYm/SyKkfHsWfqsysZx5NHXSJIhy/SgHwpd8b2q1NKxqBRLrdJKyAua+WWza4p/HMFjEVoN/upZtngSqxUKO/oYqy6m7smkz8vwjzpJR8tyqN881XBQzvryiF/i3ZPFQqlCT9263TMcAGPpym9uvxHzFPPx3u8IDz3AQydyHeViaJhiXGic0VEcm6LMn3JLOYqAzJnv8z89NdpsL4ynv1ekytt/8yyza3CnsU1E4tFDj1HU3785aFZ1xm6wr1MUK9VOTAgMBAAGjZjBkMGIGA1UdAQRbMFmAEN1alzwM3lJSHdh4LFl7uxmhMzAxMS8wLQYDVQQDEyZtYXJnb2NvbnNlaWwuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldIIQrcBhMtovuJ9MilbEjMjS7TAJBgUrDgMCHQUAA4IBAQAsQ5jNKvS2fLtqs9oB6DGTXdI5nAli5UyvZUQlnfnMvgYjJKrZu79iMe9iu88cmtwZVifG14SRbVdTjUOzngIWAJ5KAQk5t//wSkwgAS+U6AFYI/mee9NLEvOEhrRbpGUP0oL504OZ9zTDeXmGu2FybRB2TvdTKLaeVsBvwqgP33QFkcuPK50fCGC1l3SecIeyWL5fsiw/2+GuTKHjCaeRqnYBgDTINptc9PGayLPBTjs4UPzbccmaYyuanmTAMZGU0iRoGJYet2uAasT52QvWZqD0NUZbWyR1N8CBf5EIW2S/TrpoOBYNgZQU5n9PRJjTBhESHXjfa8RipC8RXU9o</X509Certificate>
           </X509Data>
       </KeyInfo>
   </ds:Signature>
   <Subject>
       <NameID>***********</NameID>
       <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />
   </Subject>
   <Conditions NotBefore="2015-06-22T16:16:03.836Z" NotOnOrAfter="2015-06-22T17:16:03.836Z">
       <AudienceRestriction>
           <Audience>http://localhost:62569/</Audience>
       </AudienceRestriction>
   </Conditions>
   <AttributeStatement>
       <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
           <AttributeValue>********************</AttributeValue>
       </Attribute>
       <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
           <AttributeValue>************</AttributeValue>
       </Attribute>
       <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
           <AttributeValue>G****l</AttributeValue>
       </Attribute>
       <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
           <AttributeValue>L****s</AttributeValue>
       </Attribute>
       <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
           <AttributeValue>https://sts.windows.net/7102feaa-34af-4756-85ce-b0f69766d78d/</AttributeValue>
       </Attribute>
       <Attribute Name="http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider">
           <AttributeValue>https://sts.windows.net/7102feaa-34af-4756-85ce-b0f69766d78d/</AttributeValue>
       </Attribute>
   </AttributeStatement>
   <AuthnStatement AuthnInstant="2015-06-22T14:26:14.020Z">
       <AuthnContext>
           <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
       </AuthnContext>
   </AuthnStatement>
</Assertion>
```
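The checks a token handler applies to an assertion like the one above, written as an added Python example (not code from the question, Katana or System.IdentityModel): issuer, validity window with clock skew, audience against the configured Wtrealm, bearer subject confirmation and the enveloped-signature reference, run over a constructed, trimmed copy of the quoted assertion. Cryptographic verification of the signature and trust in the signing certificate are not done here; they remain the handler's job, which is the part that X509CertificateValidator.None switches off.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
ISSUER = "https://mysite.accesscontrol.windows.net/"   # the STS behind the metadata address
REALM = "http://localhost:62569/"                      # the Wtrealm configured in Startup

# Constructed sample modelled on the quoted assertion: signature and identity values trimmed,
# Issuer, Conditions and Audience kept as in the question.
ASSERTION = """<Assertion ID="_a1" IssueInstant="2015-06-22T16:16:03.852Z" Version="2.0"
  xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Issuer>https://mysite.accesscontrol.windows.net/</Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#_a1"/></ds:SignedInfo>
    <ds:SignatureValue>REDACTED</ds:SignatureValue></ds:Signature>
  <Subject><NameID>redacted</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></Subject>
  <Conditions NotBefore="2015-06-22T16:16:03.836Z" NotOnOrAfter="2015-06-22T17:16:03.836Z">
    <AudienceRestriction><Audience>http://localhost:62569/</Audience></AudienceRestriction>
  </Conditions>
</Assertion>"""

def _ts(value):
    # SAML timestamps are UTC with fractional seconds and a trailing 'Z'.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, issuer, realm, now_utc, skew=timedelta(minutes=5)):
    """Return the names of the checks that failed; an empty list means the assertion is acceptable."""
    root = ET.fromstring(xml_text)
    now = _ts(now_utc)
    failures = []
    if root.findtext(SAML + "Issuer") != issuer:
        failures.append("issuer")
    cond = root.find(SAML + "Conditions")
    if cond is None or not (_ts(cond.get("NotBefore")) - skew <= now
                            < _ts(cond.get("NotOnOrAfter")) + skew):
        failures.append("validity-window")
    if realm not in [a.text for a in root.iter(SAML + "Audience")]:
        failures.append("audience")
    methods = [s.get("Method") for s in root.iter(SAML + "SubjectConfirmation")]
    if "urn:oasis:names:tc:SAML:2.0:cm:bearer" not in methods:
        failures.append("subject-confirmation")
    # The enveloped signature must reference this very assertion by its ID.
    ref = root.find(DS + "Signature/" + DS + "SignedInfo/" + DS + "Reference")
    if ref is None or ref.get("URI") != "#" + root.get("ID", ""):
        failures.append("signature-reference")
    return failures
```

Evaluated at an instant inside the Conditions window the sample passes every check; the same assertion evaluated an hour after NotOnOrAfter, or against a different Wtrealm, is reported as failing exactly that check.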

As you may know, the WS-Federation middleware hasn't been ported to ASP.NET 5 yet, but don't panic, it definitely will be: https://twitter.com/blowdart/status/610526268908535808

In the meantime, you can use the OWIN/Katana 3 WS-Federation middleware in an ASP.NET 5 application with a tiny IAppBuilder/IApplicationBuilder adapter (e.g. https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/blob/vNext/samples/Mvc/Mvc.Server/Extensions/AppBuilderExtensions.cs#L50), but of course it won't work with dnxcore50.

If you have a recent ADFS version, you could also consider switching to OAuth2.

Quoted from: https://stackoverflow.com/questions/30914895