如何避免“SamlAssertion.NotOnOrAfter条件不满足'错误
最近我一直在使用现有Web应用程序要求的身份验证开始。由于应用程序使用jQuery和放大器;更值得注意的是,AJAX功能,我不得不改变处理程序不尝试重定向的XMLHttpRequest ,而是返回403状态是好办了。
Recently I have started using claim-based authentication on an existing web application. Because the application makes use of jQuery & more notably, the AJAX functions, I have had to alter the handlers not to attempt to redirect the XmlHTTPRequests, and instead return a 403 status which is easier to handle.
下面是 FederatedAuthentication.WSFederationAuthenticationModule.AuthorizationFailed 事件hanlder:
Here is the FederatedAuthentication.WSFederationAuthenticationModule.AuthorizationFailed event hanlder:
protected void WSFederationAuthenticationModule_AuthorizationFailed(object sender, AuthorizationFailedEventArgs e)
{
//WSFederationAuthenticationModule sam = (WSFederationAuthenticationModule)sender;
HttpContext context = HttpContext.Current;
HttpRequest req = context.Request;
HttpResponse resp = context.Response;
if (req == null || resp == null) return;
if ((resp.StatusCode == 302 || resp.StatusCode == 401) && req.Headers["X-Requested-With"] == "XMLHttpRequest")
{
resp.StatusCode = 403;
e.RedirectToIdentityProvider = false;
}
}
我有以下方式实现在AJAX调用和处理响应:
I have the following pattern that implements the AJAX calls and handle the response:
$.ajax({
cache: false,
data: $.param(o),
dataType: "xml",
url: "AJAXCall.ashx",
success: function (data)
{
// Success handler
},
error: function (XMLHttpRequest, textStatus, responseText)
{
if (XMLHttpRequest.status == 403)
{
var retVal = window.showModalDialog("Session.aspx", "", "dialogHeight: 250px; dialogWidth: 250px; edge: Raised; center: Yes; resizable: Yes; status: Yes;");
if (retVal)
{
// Succesful session renewal handler
}
else
{
// Session renewal failure handler
}
}
else
{
// Other errors handler
}
}
});
在'Session.aspx基本上关闭与真正的返回值模态对话框,如果它成功地重定向,给身份提供者和背部。
The 'Session.aspx' basically closes the modal dialog with a return value of true if it successfully redirected to the Identity Provider and back.
但我的问题是,我得到以下错误:
But my problem is that I get the following error:
的ID4223:在SamlSecurityToken被拒绝,因为
SamlAssertion.NotOnOrAfter条件不满足的
这是调用上模拟当前应用程序的用户,显然前一交易日的令牌仍然存在的一个子系统。我在我的应用程序的web.config以下设置:
This is invoked on a subsystem that impersonates the current application user and obviously the token of the previous session still persist. I have the following setting in my application's web.config:
<federatedAuthentication>
<wsFederation passiveRedirectEnabled="true" persistentCookiesOnPassiveRedirects="true" issuer="https://adfs.example.com/adfs/ls/" realm="https://www.example.com:449/" requireHttps="true" />
<cookieHandler requireSsl="true" />
我如何避免这个错误?任何帮助将不胜感激。
How do I avoid this error? Any help will be greatly appreciated.
下面 FederatedAuthentication.WSFederationAuthenticationModule.SignInError 事件处理方法整理出来的问题:
The following FederatedAuthentication.WSFederationAuthenticationModule.SignInError event handler method sorted out the problem:
protected void WSFederationAuthenticationModule_SignInError(object sender, ErrorEventArgs e)
{
// handle an intermittent error that most often occurs if you are redirected to the STS after a session expired,
// and the user clicks back on the browser - second error very uncommon but this should fix
if (e.Exception.Message.StartsWith("ID4148") ||
e.Exception.Message.StartsWith("ID4243") ||
e.Exception.Message.StartsWith("ID4223"))
{
FederatedAuthentication.SessionAuthenticationModule.DeleteSessionTokenCookie();
e.Cancel = true;
}
}
这将删除该会话令牌的Cookie的持续,即使之后,用户已经被重定向到STS售后服务会话已过期。
It will delete the Session Token Cookie that persisted, even after the user has been redirected to the STS service after a session has expired.