To prepare my application for ADFS I have to use federation. Right now we have a server and a solution that uses WIF for secured federated services, a client that consumes those services, and an STS that uses username/password to identify the user.
Everything works fine: all my claims are generated correctly and I can use them in my application.
Now we have to use ADFS as well as our internal IdentityProvider, so I simply need to split my STS into two parts: a "Federation Provider" that is called by the client and trusted by the server, and the part responsible for authentication. To do that, I just added the following code to the CustomSecurityTokenHandler in the FederationProvider:
// Usings this handler code needs (Microsoft.IdentityModel = WIF 3.5):
using System;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using Microsoft.IdentityModel.Protocols.WSTrust;

// The username/password token the client presented to the Federation Provider
UserNameSecurityToken userNameTokenFromRP = token as UserNameSecurityToken;
// WS-Trust client to the IdentityProvider; "IdentityConfiguration" is the client endpoint name in Web.config
WSTrustChannelFactory stsClient = new WSTrustChannelFactory("IdentityConfiguration");
stsClient.Credentials.UserName.UserName = userNameTokenFromRP.UserName;
stsClient.Credentials.UserName.Password = userNameTokenFromRP.Password;
IWSTrustChannelContract stsProxy = stsClient.CreateChannel();
// Ask the IdentityProvider to issue a SAML 1.1 token scoped (AppliesTo) to the Federation Provider
RequestSecurityToken rst = new RequestSecurityToken(WSTrust13Constants.RequestTypes.Issue, WSTrust13Constants.KeyTypes.Symmetric);
rst.AppliesTo = new System.ServiceModel.EndpointAddress("http://localhost:8010/FederationProvider.svc");
rst.Claims.Add(new RequestClaim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", false));
rst.Issuer = new System.ServiceModel.EndpointAddress("http://localhost:8020/IdentityProvider.svc");
rst.Lifetime = new Lifetime(DateTime.Now, DateTime.Now + new TimeSpan(0, 30, 0));
rst.TokenType = Microsoft.IdentityModel.Tokens.SecurityTokenTypes.OasisWssSaml11TokenProfile11;
RequestSecurityTokenResponse rstr;
var stsToken = stsProxy.Issue(rst, out rstr);
And this is in my Web.config file:
<client>
  <endpoint name="IdentityConfiguration" address="http://localhost:8020/IdentityProvider.svc"
            binding="ws2007HttpBinding" bindingConfiguration="SecurityTokenBinding"
            contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustChannelContract">
    <identity>
      <certificate encodedValue="MyEncodedValue" />
    </identity>
  </endpoint>
</client>
On the IdentityProvider side I keep producing my claims as before. The problem I run into is that in my RSTR the token is null and the tokenXML is encrypted, and I don't understand how federation is supposed to be used in this case.
Can anyone help me?
Thanks for reading
安格
Answer 0 (score: 0)
In the end I understood what was missing:
I had to create a security token handler and a token resolver.
// Usings this code needs:
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Xml;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Tokens;

// The IdentityProvider returns the encrypted assertion as raw XML; WCF cannot decrypt it by itself
GenericXmlSecurityToken augmentedToken = (GenericXmlSecurityToken) stsToken;
var tokenReader = new StringReader(augmentedToken.TokenXml.OuterXml);
var reader = XmlReader.Create(tokenReader);
SecurityTokenHandlerCollection handlers = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
// Service token resolver: the Federation Provider's own certificate (private key) used to decrypt the token
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certificates = store.Certificates;
X509Certificate2 certificate = certificates.Find(X509FindType.FindByThumbprint, "MyThumbprint", true)[0];
store.Close();
List<SecurityToken> serviceTokens = new List<SecurityToken>();
serviceTokens.Add(new X509SecurityToken(certificate));
SecurityTokenResolver serviceResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(serviceTokens.AsReadOnly(), false);
handlers.Configuration.ServiceTokenResolver = serviceResolver;
// Audience restriction: the token must have been issued to this Federation Provider
handlers.Configuration.AudienceRestriction.AllowedAudienceUris.Add(new Uri("http://localhost:8010/FederationProvider.svc"));
// Issuer name registry: trust only the IdentityProvider's signing certificate, identified by thumbprint
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer("Thumbprint", "http://localhost:8020/IdentityProvider.svc");
handlers.Configuration.IssuerNameRegistry = registry;
// Read (decrypt) and validate the SAML token, yielding the user's claims identity
var samlToken = handlers.ReadToken(reader);
IClaimsIdentity identity = handlers.ValidateToken(samlToken)[0];
It works fine; the code comes from alexthissen.
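Put together, the two fragments above (forwarding the username/password to the IdentityProvider over WS-Trust, then decrypting and validating the returned SAML token) are what a complete custom token handler in the Federation Provider has to do. The class below is an added example, not code from the question, the answer or alexthissen: it assumes WIF 3.5 (the Microsoft.IdentityModel namespaces used on this page), that the handler is registered in the Federation Provider STS's security token handler collection, and the class name CustomUserNameSecurityTokenHandler, the localhost URLs and the two thumbprint placeholders are illustrative assumptions. Beyond the original fragments it disposes the WCF channel factory and certificate store, refuses a response that is not a GenericXmlSecurityToken instead of casting null, and keeps the IdentityProvider's signing certificate pinned by thumbprint in the issuer name registry so a token signed by any other certificate is rejected.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.Xml;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.Tokens;

// Assumed class name; registered in the Federation Provider STS's
// SecurityTokenHandlerCollection (WIF 3.5 API, as used on this page).
public class CustomUserNameSecurityTokenHandler : UserNameSecurityTokenHandler
{
    // Assumed values: the FP's own address (the audience), the IdP STS endpoint,
    // the thumbprint of the FP's decryption certificate and the IdP's signing certificate.
    const string FederationProviderAddress = "http://localhost:8010/FederationProvider.svc";
    const string IdentityProviderAddress   = "http://localhost:8020/IdentityProvider.svc";
    const string FpDecryptionThumbprint    = "MyThumbprint";
    const string IdpSigningThumbprint      = "Thumbprint";

    public override bool CanValidateToken { get { return true; } }

    public override ClaimsIdentityCollection ValidateToken(SecurityToken token)
    {
        UserNameSecurityToken userNameToken = token as UserNameSecurityToken;
        if (userNameToken == null)
            throw new SecurityTokenValidationException("Expected a UserNameSecurityToken.");

        // 1. Forward the credentials to the IdP over WS-Trust; the IdP answers with a
        //    SAML 1.1 token scoped (AppliesTo) to this Federation Provider.
        GenericXmlSecurityToken issuedToken = RequestTokenFromIdentityProvider(userNameToken);

        // 2. Decrypt it, check signature, issuer, audience and lifetime, and return the claims
        //    so the FP's own STS can issue its token for the relying party.
        return ValidateIssuedToken(issuedToken);
    }

    static GenericXmlSecurityToken RequestTokenFromIdentityProvider(UserNameSecurityToken userNameToken)
    {
        // "IdentityConfiguration" is the client endpoint name from the Web.config above.
        WSTrustChannelFactory factory = new WSTrustChannelFactory("IdentityConfiguration");
        try
        {
            factory.Credentials.UserName.UserName = userNameToken.UserName;
            factory.Credentials.UserName.Password = userNameToken.Password;

            RequestSecurityToken rst = new RequestSecurityToken(
                WSTrust13Constants.RequestTypes.Issue, WSTrust13Constants.KeyTypes.Symmetric);
            rst.AppliesTo = new EndpointAddress(FederationProviderAddress);
            rst.Issuer = new EndpointAddress(IdentityProviderAddress);
            rst.TokenType = Microsoft.IdentityModel.Tokens.SecurityTokenTypes.OasisWssSaml11TokenProfile11;
            rst.Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddMinutes(30));
            rst.Claims.Add(new RequestClaim(ClaimTypes.Name, false));

            IWSTrustChannelContract channel = factory.CreateChannel();
            RequestSecurityTokenResponse rstr;
            SecurityToken result = channel.Issue(rst, out rstr);
            ((ICommunicationObject)channel).Close();

            // The assertion is encrypted for the FP, so WCF can only hand back the raw XML.
            GenericXmlSecurityToken xmlToken = result as GenericXmlSecurityToken;
            if (xmlToken == null)
                throw new SecurityTokenException("IdP did not return a GenericXmlSecurityToken.");
            return xmlToken;
        }
        finally
        {
            factory.Close();
        }
    }

    static ClaimsIdentityCollection ValidateIssuedToken(GenericXmlSecurityToken xmlToken)
    {
        SecurityTokenHandlerCollection handlers =
            SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();

        // Decryption key: the FP's own certificate (private key), looked up by thumbprint.
        X509Certificate2 decryptionCert = FindCertificate(FpDecryptionThumbprint);
        List<SecurityToken> serviceTokens = new List<SecurityToken> { new X509SecurityToken(decryptionCert) };
        handlers.Configuration.ServiceTokenResolver =
            SecurityTokenResolver.CreateDefaultSecurityTokenResolver(serviceTokens.AsReadOnly(), false);

        // Audience: a token the IdP issued for some other relying party must not be accepted here.
        handlers.Configuration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(FederationProviderAddress));

        // Issuer: only the IdP's signing certificate, pinned by thumbprint, maps to a trusted issuer name.
        ConfigurationBasedIssuerNameRegistry registry = new ConfigurationBasedIssuerNameRegistry();
        registry.AddTrustedIssuer(IdpSigningThumbprint, IdentityProviderAddress);
        handlers.Configuration.IssuerNameRegistry = registry;

        using (XmlReader reader = XmlReader.Create(new StringReader(xmlToken.TokenXml.OuterXml)))
        {
            SecurityToken samlToken = handlers.ReadToken(reader);   // decrypts and parses the assertion
            return handlers.ValidateToken(samlToken);               // signature, issuer, audience, lifetime
        }
    }

    static X509Certificate2 FindCertificate(string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly = true: an expired or untrusted certificate is not returned.
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, true);
            if (found.Count == 0)
                throw new SecurityTokenException("Certificate " + thumbprint + " not found in LocalMachine\\My.");
            return found[0];
        }
        finally
        {
            store.Close();
        }
    }
}
```

Two things are easy to get wrong when wiring this up: the thumbprint passed to AddTrustedIssuer must be that of the IdentityProvider's signing certificate (the FP's decryption certificate goes in the service token resolver, not the registry), and the IdentityProvider must encrypt the assertion for the certificate the FP holds in LocalMachine\My, otherwise ReadToken cannot resolve the decryption key and throws.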