Unable to access ADFS 2.0 claims in WIF 4.5

Time: 2012-08-22 15:43:26

Tags: c# wcf visual-studio-2012 wif adfs2.0

I have been working on a POC for external users to authenticate against a WCF service using ADFS 2.0 with a username/password.

I have the client configured to use https://<adfs>/adfs/services/trust/13/username and the TransportWithMessageCredential security mode. After pulling my hair out for a few days, my authentication is working and the STS is issuing tokens. I can see a success event on the server when it is able to issue a token with claims. However, as soon as I try to access the claims from the service's context, they show up as null. I have turned on all tracing, but I don't see any errors listed in the trace file. I am using ADFS 2.0 and WIF 4.5 in Visual Studio 2012.

I plan to use a back-end SQL attribute store to pull the information, so I plan to keep everything internal, but every example I have found integrates Azure ACS. Once I have the claims, I will decide in the service's logic how to handle the call.

Has anyone seen what I am doing wrong, or have suggestions for a different approach?

Client App.config

        <bindings>
            <customBinding>
                <binding name="WS2007FederationHttpBinding_IDataServices">
                    <security defaultAlgorithmSuite="Default" authenticationMode="SecureConversation"
                        requireDerivedKeys="true" includeTimestamp="true" messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
                        requireSignatureConfirmation="false" canRenewSecurityContextToken="true">
                        <secureConversationBootstrap defaultAlgorithmSuite="Default"
                            authenticationMode="IssuedTokenForSslNegotiated" requireDerivedKeys="true"
                            includeTimestamp="true" messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
                            requireSignatureConfirmation="true">
                            <issuedTokenParameters keySize="256">
                                <additionalRequestParameters>
                                    <trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                                        <trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
                                        <trust:KeySize xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">256</trust:KeySize>
                                        <trust:KeyWrapAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</trust:KeyWrapAlgorithm>
                                        <trust:EncryptWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptWith>
                                        <trust:SignWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2000/09/xmldsig#hmac-sha1</trust:SignWith>
                                        <trust:CanonicalizationAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
                                        <trust:EncryptionAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
                                    </trust:SecondaryParameters>
                                </additionalRequestParameters>
                                <issuer address="https://<adfs>/adfs/services/trust/13/usernamemixed"
                                    binding="ws2007HttpBinding" bindingConfiguration="https://<adfs>/adfs/services/trust/13/usernamemixed" />
                            </issuedTokenParameters>
                            <localClientSettings detectReplays="true" />
                            <localServiceSettings detectReplays="true" />
                        </secureConversationBootstrap>
                        <localClientSettings detectReplays="true" />
                        <localServiceSettings detectReplays="true" />
                    </security>
                    <textMessageEncoding />
                    <httpTransport />
                </binding>
            </customBinding>
            <ws2007HttpBinding>
                <binding name="https://<adfs>/adfs/services/trust/13/usernamemixed">
                    <security mode="TransportWithMessageCredential">
                        <transport clientCredentialType="None" />
                        <message clientCredentialType="UserName" establishSecurityContext="false" />
                    </security>
                </binding>
            </ws2007HttpBinding>
        </bindings>
        <client>
            <endpoint address="http://localhost:62838/DataServices.svc" binding="customBinding"
                bindingConfiguration="WS2007FederationHttpBinding_IDataServices"
                contract="ServiceReference1.IDataServices" name="WS2007FederationHttpBinding_IDataServices">
                <identity>
                  <dns value="adfs.server"/>
                </identity>
            </endpoint>
        </client>

Service config

<configuration>
  <configSections>
    <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
  </configSections>
  <appSettings>
    <add key="aspnet:UseTaskFriendlySynchronizationContext" value="true" />
    <add key="ValidationSettings:UnobtrusiveValidationMode" value="WebForms" />
    <add key="ida:FederationMetadataLocation" value="https://<advs>/FederationMetadata/2007-06/FederationMetadata.xml" />
    <add key="ida:ProviderSelection" value="productionSTS" />
  </appSettings>
  <location path="FederationMetadata">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <system.web>
    <compilation debug="true" targetFramework="4.5" />
    <httpRuntime requestValidationMode="4.5" targetFramework="4.5" encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    <pages controlRenderingCompatibilityVersion="4.5" />
    <machineKey compatibilityMode="Framework45" />

  </system.web>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="">
          <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="false" />
          <serviceSecurityAudit auditLogLocation="Application" serviceAuthorizationAuditLevel="Failure" messageAuthenticationAuditLevel="Failure" suppressAuditFailure="true" />
          <serviceCredentials useIdentityConfiguration="true">
            <clientCertificate>
              <authentication certificateValidationMode="None" revocationMode="NoCheck" />
            </clientCertificate>
            <serviceCertificate findValue="8054B36FA61FB4AA53CD8C6F9575E1192C2B3151" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" minFreeMemoryPercentageToActivateService="0" />
    <protocolMapping>
      <add scheme="http" binding="ws2007FederationHttpBinding" />
    </protocolMapping>
    <bindings>
      <ws2007FederationHttpBinding>
        <binding name="">
          <security mode="Message">
            <message>
              <claimTypeRequirements>
                <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="true" />
                <add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" isOptional="true" />
              </claimTypeRequirements>
              <issuerMetadata address="https://<adfs>/adfs/services/trust/mex" />
            </message>
          </security>
        </binding>
      </ws2007FederationHttpBinding>
    </bindings>
  </system.serviceModel>
  <system.identityModel>
    <identityConfiguration>
      <audienceUris mode="Never">
      </audienceUris>
      <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
        <trustedIssuers>
          <add thumbprint="8054B36FA61FB4AA53CD8C6F9575E1192C2B3151" name="http://<adfs>/adfs/services/trust" />
        </trustedIssuers>
      </issuerNameRegistry>
    </identityConfiguration>
  </system.identityModel>
  <system.diagnostics>
    <sources>
      <source name="System.ServiceModel" switchValue="Information, ActivityTracing" propagateActivity="true">
        <listeners>
          <add name="xml" />
        </listeners>
      </source>
      <source name="System.ServiceModel.MessageLogging">
        <listeners>
          <add name="xml" />
        </listeners>
      </source>
      <source name="myUserTraceSource" switchValue="Information, ActivityTracing">
        <listeners>
          <add name="xml" />
        </listeners>
      </source>
    </sources>
    <sharedListeners>
      <add name="xml" type="System.Diagnostics.XmlWriterTraceListener" initializeData="Traces1.svclog" />
    </sharedListeners>
  </system.diagnostics>
</configuration>

Service logic

using System.Collections.Generic;
using System.Security.Claims;
using System.ServiceModel;
using System.Threading;

public IList<string> DoWork(string input)
{
    IList<string> Names = new List<string>();

    Names.Add(Thread.CurrentPrincipal.Identity.Name);                  //  returns ""
    Names.Add(ServiceSecurityContext.Current.PrimaryIdentity.Name);    //  returns ""
    Names.Add(ServiceSecurityContext.Current.WindowsIdentity.Name);    //  returns ""

    var principal = ClaimsPrincipal.Current;

    // claim.Subject is the ClaimsIdentity that owns the claim, not the claim's value
    foreach (var claim in principal.Claims)
    {
        Names.Add(claim.Subject.ToString());
    }

    return Names;
}

Client logic

static void Main(string[] args)
{
    ServiceReference1.DataServicesClient client = new ServiceReference1.DataServicesClient();

    client.ClientCredentials.UserName.UserName = @"UserName";
    client.ClientCredentials.UserName.Password = @"Password";
    client.ChannelFactory.Credentials.SupportInteractive = false;

    var test = client.DoWork("Test");

    ...............

1 Answer:

Answer 0 (score: 1)

After a lot of fiddling and changing security settings, I got everything playing nicely together.

The main setting I found missing from the service web.config was:

serviceAuthorization principalPermissionMode="Always"

Most of the other settings were for transport and message security.
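As an added example (not code from the question or the answer): a service operation that reads the ADFS-issued claims by type once the service behavior contains `<serviceAuthorization principalPermissionMode="Always" />`, plus a constructed ClaimsPrincipal so the helper can be exercised without a WCF host. The `ClaimsReport`, `ClaimsInspector` and `DataServices` names are assumptions, as is the sample user.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.ServiceModel;
// Added example, not the asker's code. Assumes the service behavior carries
// <serviceAuthorization principalPermissionMode="Always" /> so WCF puts the
// WIF ClaimsPrincipal on the operation thread.
public class ClaimsReport
{
    public bool IsAuthenticated;
    public string Name = "";
    public List<string> Roles = new List<string>();
    public List<string> AllClaims = new List<string>();
}

public static class ClaimsInspector
{
    public static ClaimsReport Inspect(ClaimsPrincipal principal)
    {
        var report = new ClaimsReport();
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return report;   // never treat an empty Name as a signed-in user
        report.IsAuthenticated = true;
        // Same two types as the claimTypeRequirements in the service binding.
        Claim name = principal.FindFirst(ClaimTypes.Name);
        if (name != null) report.Name = name.Value;
        report.Roles.AddRange(principal.FindAll(ClaimTypes.Role).Select(c => c.Value));
        // claim.Subject is the owning identity; Type + Value is the payload.
        report.AllClaims.AddRange(principal.Claims.Select(c => c.Type + " = " + c.Value));
        return report;
    }
}

public class DataServices
{
    public IList<string> DoWork(string input)
    {
        var report = ClaimsInspector.Inspect(ClaimsPrincipal.Current);
        if (!report.IsAuthenticated)
            throw new FaultException("Caller presented no authenticated identity.");
        return report.AllClaims;
    }

    public static ClaimsReport Demo()   // constructed principal, not an ADFS token
    {
        var id = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, "alice"),
            new Claim(ClaimTypes.Role, "Reader") }, "Federation");
        return ClaimsInspector.Inspect(new ClaimsPrincipal(id));
    }
}
```

Without the `principalPermissionMode="Always"` behavior, `ClaimsPrincipal.Current` in the operation is a generic unauthenticated principal and `Inspect` returns an empty report, which is the symptom the question describes.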