通过调用REST API在ADFS 3.0中进行声明转换

时间:2014-07-22 02:28:00

标签: rest asp.net-web-api claims-based-identity adfs claims

我们的企业中有一个ASP.NET Web API(REST服务),它为我们提供了在将令牌传递到应用程序之前我们想要注入adfs令牌的用户的粗粒度声明列表。有没有人知道是否可以使用自定义属性存储进行休息调用(通过从ADFS 3.0中的声明规则语言将param&#39s传递给自定义属性存储)?

对此有任何帮助将不胜感激!

  

谢谢,
  安以轩。

2 个答案:

答案 0 :(得分:2)

我可以从自定义属性存储中进行REST调用。对于那些仍在疑惑的人,可以查看以下代码。

using System;
using System.Collections.Generic;
using System.Text;
using System.IdentityModel;

using Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore;
using System.Net.Http;
using System.Net;

namespace CustomAttributeStores
{
    public class CoarseGrainClaimsAttributeStore : IAttributeStore
    {
        #region Private Members

        private string API_Server = "https://<Server Name>/API/";

        #endregion

        #region IAttributeStore Members

        public IAsyncResult BeginExecuteQuery(string query, string[] parameters, AsyncCallback callback, object state)
        {   
            string result = string.Empty;

            if (parameters == null)
            {
                throw new AttributeStoreQueryFormatException("No query parameter.");
            }

            if (parameters.Length != 1)
            {
                throw new AttributeStoreQueryFormatException("More than one query parameter.");
            }

            string userName = parameters[0];

            if (userName == null)
            {
                throw new AttributeStoreQueryFormatException("Query parameter cannot be null.");
            }

            //Ignore SSL Cert Error
            //TODO: Need to set the SSL cert correctly for PROD Deployment
            ServicePointManager.ServerCertificateValidationCallback +=  (sender, cert, chain, sslPolicyErrors) => true;

            using (var client = new HttpClient())
            {

                //The url can be passed as a query
                string serviceUrl = API_Server  + "GetAdditionalClaim";
                serviceUrl += "?userName=" + userName;

                //Get the SAML token from the API
                result = client
                            .GetAsync(serviceUrl)
                            .Result
                            .Content.ReadAsStringAsync().Result;
                result = result.Replace("\"", "");
            }

            string[][] outputValues = new string[1][];
            outputValues[0] = new string[1];
            outputValues[0][0] = result;

            TypedAsyncResult<string[][]> asyncResult = new TypedAsyncResult<string[][]>(callback, state);
            asyncResult.Complete(outputValues, true);
            return asyncResult;
        }

        public string[][] EndExecuteQuery(IAsyncResult result)
        {
            return TypedAsyncResult<string[][]>.End(result);
        }

        public void Initialize(Dictionary<string, string> config)
        {
            // No initialization is required for this store.
        }

        #endregion
    }
}

答案 1 :(得分:0)

不,您不能使用声明规则语言执行此操作。

这有点像黑客,但你可以把声称写到例如DB然后使用custom attribute store

如果您可以在客户端访问WIF,则可以在那里增加声明,例如Adding custom roles to windows roles in ASP.NET using claims

相关问题
最新问题