A custom login page for Azure ACS not working

不打扰是莪最后的温柔 submitted on 2019-12-19 04:14:05

Question


I downloaded the sample login page from the ACS portal for my application, which is an HTML file. I then configured my application with WIF, and everything worked perfectly.

Since we need to handle and save an incoming querystring, so that the querystring can be used later after the user has been logged in, we needed to move the HTML login page to an aspx page.

The problem is that when I change the issuer for WIF in the web.config file to the aspx file, it stops working. When it works it looks like this:

<certificateValidation certificateValidationMode="None" />
  <federatedAuthentication>
    <wsFederation passiveRedirectEnabled="true" issuer="http://localhost:81/acstest/WebSiteAdvancedACSLoginPageCode.html" realm="http://localhost:81/acstest/" requireHttps="false" />
    <cookieHandler requireSsl="false" />
  </federatedAuthentication>

But then when I change it to my aspx page, into which I just moved all the code from the HTML page, I can't even load the page:

<certificateValidation certificateValidationMode="None" />
  <federatedAuthentication>
    <wsFederation passiveRedirectEnabled="true" issuer="http://localhost:81/acstest/WebSiteAdvancedACSLoginPageCode.aspx" realm="http://localhost:81/acstest/" requireHttps="false" />
    <cookieHandler requireSsl="false" />
  </federatedAuthentication>

When I then run with the aspx file configured, I can see in Fiddler that something isn't right. It tries to do a GET and keeps getting "object moved to here:". This is the GET request:

GET http://localhost:81/acstest/WebSiteAdvancedACSLoginPageCode.aspx?wa=wsignin1.0&wtrealm=http%3a%2f%2flocalhost%3a81%2facstest%2f&wctx=rm%3d0%26id%3dpassive%26ru%3d%252facstest%252fWebSiteAdvancedACSLoginPageCode.aspx&wct=2011-11-23T09%3a33%3a30Z HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: sv-SE
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: localhost:81
Cookie: ACSChosenIdentityProvider-10001951=Google

In the end it throws an exception that the querystring is too long. The error and warning of the request:

MODULE_SET_RESPONSE_ERROR_STATUS

ModuleName UrlAuthorization

Notification AUTHORIZE_REQUEST

HttpStatus 401

HttpReason Unauthorized

HttpSubStatus 0

ErrorCode Åtgärden har slutförts. (0x0)

ConfigExceptionInfo

Any feedback or alternative solution is appreciated.


Answer 1:


The "issuer" should still be ACS, not your site (unless you implement your own STS, which doesn't look like you want to). Issuer == STS in WIF configuration.

The best candidate to preserve state (e.g. URLs, etc.) across the token negotiation (which happens through redirects) is through the wctx parameter. You can set this programmatically.

Look at the sample #7 from this download: http://www.microsoft.com/download/en/details.aspx?id=27289

Chapter: http://msdn.microsoft.com/en-us/library/hh446534.aspx from this Guide: http://msdn.microsoft.com/en-us/library/ff423674.aspx

The code looks like this (fragment):

var returnUrl = GetReturnUrl(context.RequestContext);

// user is not authenticated and it's entering for the first time
var fam = FederatedAuthentication.WSFederationAuthenticationModule;
var signIn = new SignInRequestMessage(new Uri(fam.Issuer), fam.Realm)
                {
                    Context = returnUrl.ToString(),
                    Realm = string.Format("https://localhost/f-shipping.7/{0}", organizationName)
                };

context.Result = new RedirectResult(signIn.WriteQueryString());


Source: https://stackoverflow.com/questions/8240124/a-custom-login-page-for-azure-acs-not-working
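
The wctx approach from the answer, as an added example that is not part of the original answer or the Microsoft sample: the incoming path and query string are carried in wctx on the way to the STS and checked when they come back, since wctx travels through the browser. It assumes the WIF 1.0 namespaces (Microsoft.IdentityModel); `SignInContext`, `BuildSignInUrl`, `TryGetReturnUrl` and the `ru=` layout are hypothetical names chosen here.

```csharp
using System;
using System.Web;
using Microsoft.IdentityModel.Protocols.WSFederation;
using Microsoft.IdentityModel.Web;

// Added example: helper names and the "ru=" key layout are assumptions.
public static class SignInContext
{
    // Build the redirect to the STS configured as "issuer" (ACS, not a page
    // of this site), carrying the originally requested path and query in wctx.
    public static string BuildSignInUrl(HttpRequest request)
    {
        var fam = FederatedAuthentication.WSFederationAuthenticationModule;
        var signIn = new SignInRequestMessage(new Uri(fam.Issuer), fam.Realm)
        {
            // PathAndQuery only: no scheme or host is ever placed in wctx.
            Context = "ru=" + HttpUtility.UrlEncode(request.Url.PathAndQuery)
        };
        return signIn.WriteQueryString();
    }

    // wctx is round-tripped through the browser, so treat it as untrusted:
    // accept only a site-relative path, otherwise fall back to the root.
    public static bool TryGetReturnUrl(string wctx, out string returnUrl)
    {
        returnUrl = "/";
        if (string.IsNullOrEmpty(wctx)) return false;

        string ru = HttpUtility.ParseQueryString(wctx)["ru"];
        if (string.IsNullOrEmpty(ru)) return false;

        // Must start with a single '/'; "//host" and "/\host" are rejected
        // because browsers resolve them to another origin.
        bool local = ru[0] == '/'
            && (ru.Length == 1 || (ru[1] != '/' && ru[1] != '\\'));
        if (!local) return false;

        // Control characters have no place in a redirect target.
        foreach (char c in ru)
            if (char.IsControl(c)) return false;

        returnUrl = ru;
        return true;
    }
}
```

On the page that receives the sign-in response, pass `Request.Form["wctx"]` to `TryGetReturnUrl` and redirect only to the value it hands back.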
