2014-11-06 38 views
3

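Mixed authentication with WsFederation and local users

I am trying to let my users log in either with Azure AD credentials (using the OWIN WsFederation plugin) or with a local user account using Microsoft ASP.NET Identity, in an MVC 5.1 web app.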

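Logging in with a local user works fine. Logging in with a federated account works only once, and I need to restart my application to make it work again.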

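I suppose the problem is that the response from the Microsoft login page is not processed correctly.

In fact, using two different browsers (Chrome + IE) in private mode and Fiddler, I can see that my cookie is set on the first request but not on a subsequent request made from a different browser.

[Image: first request]

[Image: second request]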

This is my ConfigureAuth:

    public void ConfigureAuth(IAppBuilder app)
    {
        AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier;

        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        app.SetDefaultSignInAsAuthenticationType("ExternalCookie");

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active,
        });

        // these two lines of code are needed if you are using any of the external authentication middleware
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "ExternalCookie",
            AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Passive,
        });

        app.UseWsFederationAuthentication(new Microsoft.Owin.Security.WsFederation.WsFederationAuthenticationOptions()
        {
            MetadataAddress = "https://login.windows.net/XXXXXXX.onmicrosoft.com/federationmetadata/2007-06/federationmetadata.xml",
            Wtrealm = "https://MYREALM",

            AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType,
        });
    }

This is the account controller:

    //
    // POST: /Account/ExternalLogin
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public ActionResult ExternalLogin(string provider, string returnUrl)
    {
        // Request a redirect to the external login provider
        return new ChallengeResult(provider, Url.Action("ExternalLoginCallback", "Account", new { ReturnUrl = returnUrl }));
    }

    // GET: /Account/ExternalLoginCallback
    [AllowAnonymous]
    public ActionResult ExternalLoginCallback(string returnUrl)
    {
        var ctx = Request.GetOwinContext();
        var result = ctx.Authentication.AuthenticateAsync("ExternalCookie").Result;

        if (result != null) //null on request other than the first (!!!)
        {
            ctx.Authentication.SignOut("ExternalCookie");

            var claims = result.Identity.Claims.ToList();
            claims.Add(new Claim(ClaimTypes.AuthenticationMethod, "External Account"));
            var email = claims.Where(x => x.Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name").SingleOrDefault().Value;
            var ci = new ClaimsIdentity(claims, DefaultAuthenticationTypes.ApplicationCookie);
            ctx.Authentication.SignIn(ci);
        }

        return RedirectToLocal(returnUrl);
    }
+0

Hi Nicola, I had the same problem; I changed the AuthenticationMode to Passive. AuthenticationMode = AuthenticationMode.Passive in WsFederationAuthenticationOptions – Haroon 2014-11-29 22:11:09

Answers

3

Set the AuthenticationMode to Passive in this part of ConfigureAuth. It worked in my workflow, which looks very similar to yours.

    app.UseWsFederationAuthentication(new Microsoft.Owin.Security.WsFederation.WsFederationAuthenticationOptions()
    {
        MetadataAddress = "https://login.windows.net/XXXXXXX.onmicrosoft.com/federationmetadata/2007-06/federationmetadata.xml",
        Wtrealm = "https://MYREALM",

        AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType,
        AuthenticationMode = AuthenticationMode.Passive
    });

http://msdn.microsoft.com/en-us/library/microsoft.owin.security.authenticationmode%28v=vs.113%29.aspx

+0

Worked for me. Thanks! – Dave 2015-06-26 23:17:47
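
A defensive variant of the question's ExternalLoginCallback, as an added example that is not code from the asker or the answerer: it awaits the external-cookie lookup instead of blocking on `.Result`, returns to the login page when the "ExternalCookie" identity or its name claim is missing, and only redirects to local URLs. The `RedirectToLocal` helper, the `Login` action and the `Home`/`Index` fallback are assumptions modelled on the standard MVC 5 template.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;

public class AccountController : Controller
{
    // GET: /Account/ExternalLoginCallback
    [AllowAnonymous]
    public async Task<ActionResult> ExternalLoginCallback(string returnUrl)
    {
        var auth = HttpContext.GetOwinContext().Authentication;
        // Await instead of blocking on .Result, which can deadlock under ASP.NET.
        var result = await auth.AuthenticateAsync("ExternalCookie");

        // No external cookie means the federated sign-in did not complete:
        // send the user back to the login page instead of redirecting onward.
        if (result == null || result.Identity == null)
        {
            return RedirectToAction("Login", new { returnUrl });
        }

        // ClaimTypes.Name is the .../ws/2005/05/identity/claims/name URI from the question.
        var name = result.Identity.FindFirst(ClaimTypes.Name);
        if (name == null || string.IsNullOrWhiteSpace(name.Value))
        {
            auth.SignOut("ExternalCookie");
            return RedirectToAction("Login", new { returnUrl });
        }

        var claims = result.Identity.Claims.ToList();
        claims.Add(new Claim(ClaimTypes.AuthenticationMethod, "External Account"));

        // Swap the temporary external cookie for the application cookie.
        auth.SignOut("ExternalCookie");
        auth.SignIn(new ClaimsIdentity(claims, DefaultAuthenticationTypes.ApplicationCookie));
        return RedirectToLocal(returnUrl);
    }

    // Assumed helper: only follow returnUrl when it points inside this application.
    private ActionResult RedirectToLocal(string returnUrl)
    {
        if (Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }
}
```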
