1. 技术文章
  2. Error - A SignInResponse message may only redirect within the current web application - MVC 2.0 application

Error - A SignInResponse message may only redirect within the current web application - MVC 2.0 application

…衆ロ難τιáo~ 提交于 2019-12-18 10:39:11

问题


I have a situation where we have a MVC 2 application(I tried this with a basic MVC 2 app without any extra stuff, still same problem) and am using adfs 2 for authenticating my users.

So.. Now I get into my application and I get the below.. ID3206: A SignInResponse message may only redirect within the current web application: '/[app]' is not allowed. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. Exception Details: Microsoft.IdentityModel.Protocols.FederationException: ID3206: A SignInResponse message may only redirect within the current web application: '/[app]' is not allowed.

I have read most blogs on this, and posted to one..

    <federatedAuthentication>
            <wsFederation passiveRedirectEnabled="true" issuer="https://auth.[domain]/adfs/ls/" realm="https://[development domain]/[app]/" requireHttps="true" />
            <cookieHandler requireSsl="true" />
          </federatedAuthentication>
<audienceUris>
    <add value="https://[development domain]/[app]/" />
  </audienceUris>
  1. I have the trailing slash on the realm and audienceUris.
  2. I have added what he suggested to Application_BeginRequest – I then copied code to [development domain] as that’s where the certs are.. It just gets stuck in an infinite loop then.
  3. I also have checked my Relying Party on the Geneva server.. The Identifiers and Endpoints(POST) are both https://[development domain]/[app]/ - again with the trailing slash

I think it’s a problem with the fact it’s a MVC application, I have created numerous Claims Aware website and got my claims etc on the default.aspx page. My thinking is that the routing that is involved with the MVC app is somehow posting it back wrong?

any help really apprecaited as Im looking at this for quiet a while now to no avail..

J


回答1:


I've been tearing my hair out on this one. I too have the trailing slash specified in my configuration. Turns out that, in my case, navigating to my app with a trailing slash in the browser like so:

http://localhost/myapp/

will work, whereas

http://localhost/myapp

will not.

If I can dig up some more reasons why this is the case, I will add some more background on why this is happening.




回答2:


I override the RedirectToIdentityProvider on subclass of WSFederationAuthenticationModule. This happens only once before redirecting to the STS. You have to tell the config file to use this class FixedWSFederationAuthenticationModule instead of the defualt WSFederationAuthenticationModule

public class FixedWSFederationAuthenticationModule : WSFederationAuthenticationModule
{
    public override void RedirectToIdentityProvider(string uniqueId, string returnUrl, bool persist)
    {
        //This corrects WIF error ID3206 "A SignInResponse message may only redirect within the current web application:"
        //First Check if the request url doesn't end with a "/"
        if (!returnUrl.EndsWith("/"))
        {
            //Compare if Request Url +"/" is equal to the Realm, so only root access is corrected
            //https://localhost/AppName plus "/" is equal to https://localhost/AppName/
            //This is to avoid MVC urls
            if (String.Compare(System.Web.HttpContext.Current.Request.Url.AbsoluteUri + "/", base.Realm, StringComparison.InvariantCultureIgnoreCase) == 0)
            {
                //Add the trailing slash
                returnUrl += "/";
            }
        }
        base.RedirectToIdentityProvider(uniqueId, returnUrl, persist);
    }
}



回答3:


This code takes care of that (put it in global.asax):

private void Application_BeginRequest(object sender, EventArgs e)
{
//  This corrects WIF error ID3206 "A SignInResponse message may only redirect within the current web application: '/NHP' is not allowed."
//  For whatever reason, accessing the site without a trailing slash causes this error.
if (String.Compare(Request.Path, Request.ApplicationPath, StringComparison.InvariantCultureIgnoreCase) == 0 && !(Request.Path.EndsWith("/")))
Response.Redirect(Request.Path + "/");
}

EDIT:

Another thing to check is the federationAuthentication/wsFederation element in your microsoft.identityModel in Web.config. Verify the issuer and the realm are correct.




回答4:


I'm using Forms authentication with WIF. The forms auth module redirects unauthorized requests to the correct controller and stores the originally requested URL in the ReturnUrl parameter, so I worked around this bug by overriding the GetReturnUrlFromResponse method.

/// <summary>
/// Provides a workaround for a bug in the standard authentication module.
/// </summary>
/// <remarks>
/// This class corrects WIF error ID3206 "A SignInResponse message may only
/// redirect within the current web application..."
/// WSFAM produces the error when the ReturnUrl is the root of the web application,
/// but doesn't have a trailing slash. For instance, "/app" is considered incorrect
/// by WSFAM whereas "/app/" is correct.
/// </remarks>
public class FixedWsFederationAuthenticationModule : System.IdentityModel.Services.WSFederationAuthenticationModule
{
    /// <summary>
    /// Extracts the URL of the page that was originally requested from
    /// the sign-in response.
    /// </summary>
    /// <returns>
    /// The URL of the page that was originally requested by the client.
    /// This is the URL (at the relying party) to which the client should
    /// be redirected following successful sign-in.
    /// </returns>
    /// <param name="request">
    /// The HTTP request that contains a form POST, which contains the
    /// WS-Federation sign-in response message.
    /// </param>
    protected override string GetReturnUrlFromResponse(HttpRequestBase request)
    {
        string returnUrl = base.GetReturnUrlFromResponse(request);

        // First Check if the request url doesn't end with a "/"
        if (!string.IsNullOrEmpty(returnUrl) && !returnUrl.EndsWith("/"))
        {
            // Compare if (return Url +"/") is equal to the Realm path,
            // so only root access is corrected.
            // /AppName plus "/" is equal to /AppName/
            // This is to avoid MVC urls.
            if (string.Compare(
                returnUrl + "/",
                new Uri(Realm).LocalPath,
                StringComparison.InvariantCultureIgnoreCase) == 0)
            {
                // Add the trailing slash.
                returnUrl += "/";
            }
        }

        return returnUrl;
    }
}

To make use of this class, you need to register it in the web.config. Add this element to the system.webServer/modules section, changing the appropriate parts:

<add name="WSFederationAuthenticationModule" type="YOUR_NAMESPACE.FixedWsFederationAuthenticationModule, YOUR_ASSEMBLY" preCondition="managedHandler" />



回答5:


I had this issue when I added STS reference to my web application which by default runs under virtual server on dynamic port. I changed it to run it out of IIS (as with virtual web server, redirection to STS will not happen unless you run it out of IIS / IIS Express) and manually edited by web.config to change audience URIs under Microsoft.IdentityModel configuration.

When I Looked at the FederationMetadata.xml, it was still referring to the old location (with dynamic port). I refreshed my STS Reference by adding it again and it worked.



来源:https://stackoverflow.com/questions/4460720/error-a-signinresponse-message-may-only-redirect-within-the-current-web-applic

标签
c#
asp.net-mvc
federated-identity
adfs2.0
sts-securitytokenservice
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!