ADSF 3.0令牌续订/取消/验证

时间:2019-03-21 09:52:49

标签: node.js adfs ws-trust

我的目标是使用nodejs创建一个WS-Trust客户端,基本上将SOAP消息发布到https://[adfs_server]/adfs/services/trust/13/UsernameMixed(ADFS 3.0)。

目前,我能够获得有效的令牌,但是其他所有方法都存在问题:续订,取消和验证令牌。

更清楚地说,我能够获得发布以下消息的令牌(SAML1.0,SAML2.0和JWT)(在本例中为POSTMAN,要求提供SAML2.0令牌)。

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <s:Header>
        <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action>
        <a:To s:mustUnderstand="1">https://[adfs_server]/adfs/services/trust/13/UsernameMixed</a:To>
        <a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo>
        <a:MessageID>urn:uuid:{{$guid}}</a:MessageID>
        <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" >
            <o:UsernameToken u:Id="uuid-{{$guid}}-1">
                <o:Username>[username]</o:Username>
                <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">[password]</o:Password>
            </o:UsernameToken>
        </o:Security>
    </s:Header>
    <s:Body>
        <trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
            <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><a:EndpointReference><a:Address>[scope]</a:Address></a:EndpointReference></wsp:AppliesTo>
            <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
            <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
            <trust:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</trust:TokenType>
        </trust:RequestSecurityToken>
    </s:Body>
</s:Envelope>

ADFS的响应是:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <s:Header>
        <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal</a:Action>
        <a:RelatesTo>urn:uuid:0d610906-4345-43e0-a53f-deb6f0b4cd2f</a:RelatesTo>
        <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <u:Timestamp u:Id="_0">
                <u:Created>2019-03-21T09:28:29.687Z</u:Created>
                <u:Expires>2019-03-21T09:33:29.687Z</u:Expires>
            </u:Timestamp>
        </o:Security>
    </s:Header>
    <s:Body>
        <trust:RequestSecurityTokenResponseCollection xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
            <trust:RequestSecurityTokenResponse>
                <trust:Lifetime>
                    <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2019-03-21T09:28:29.671Z</wsu:Created>
                    <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2019-03-21T17:28:29.671Z</wsu:Expires>
                </trust:Lifetime>
                <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
                    <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
                        <wsa:Address>https://customer.my.iveco.com/</wsa:Address>
                    </wsa:EndpointReference>
                </wsp:AppliesTo>
                <trust:RequestedSecurityToken>
                    <Assertion ID="_3ffdf898-b0d1-4d4d-aa7e-5a72430cd6b7" IssueInstant="2019-03-21T09:28:29.687Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
                        ...
                    </Assertion>
                </trust:RequestedSecurityToken>
                <trust:RequestedAttachedReference>
                    <SecurityTokenReference b:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:b="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
                        <KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_3ffdf898-b0d1-4d4d-aa7e-5a72430cd6b7</KeyIdentifier>
                    </SecurityTokenReference>
                </trust:RequestedAttachedReference>
                <trust:RequestedUnattachedReference>
                    <SecurityTokenReference b:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:b="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
                        <KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_3ffdf898-b0d1-4d4d-aa7e-5a72430cd6b7</KeyIdentifier>
                    </SecurityTokenReference>
                </trust:RequestedUnattachedReference>
                <trust:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</trust:TokenType>
                <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
                <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
            </trust:RequestSecurityTokenResponse>
        </trust:RequestSecurityTokenResponseCollection>
    </s:Body>
</s:Envelope>

令牌是<RequestedSecurityToken>元素内的XML元素(SAML 2.0断言)。

我的问题是,当前没有其他与令牌生命周期相关的功能起作用。

例如,这是我为了更新令牌而发布的消息:

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <s:Header>
        <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew</a:Action>
        <a:To s:mustUnderstand="1">https://[adfs_server]/adfs/services/trust/13/UsernameMixed</a:To>
        <a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo>
        <a:MessageID>urn:uuid:{{$guid}}</a:MessageID>
        <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" >
            <o:UsernameToken u:Id="uuid-{{$guid}}-1">
                <o:Username>[Username]</o:Username>
                <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">[Password]</o:Password>
            </o:UsernameToken>
        </o:Security>
    </s:Header>
    <s:Body>
        <trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
            <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Renew</trust:RequestType>
            <trust:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</trust:TokenType>
            <trust:RenewTarget>
                <Assertion ID="_dabb3d8b-2a5f-4fa9-9236-2284b436b5c9" IssueInstant="2019-03-21T08:46:37.832Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
                        ...
                 </Assertion>
            </trust:RenewTarget>
        </trust:RequestSecurityToken>
    </s:Body>
</s:Envelope>

根据WS-Trust 1.4规范(http://docs.oasis-open.org/ws-sx/ws-trust/v1.4/errata01/os/ws-trust-1.4-errata01-os-complete.html#_Toc325658958),我要做的只是在更新请求中将收到的令牌发布到<RenewTarget>中。

不幸的是,请求始终失败,并出现以下错误:

ID3035:请求无效或格式错误。

我的问题:

  1. ADFS 3.0是否支持WS-Trust 1.4规范中定义的所有方法?
  2. 续订请求中我错了吗?

感谢您的努力!

0 个答案:

没有答案
相关问题
最新问题