活动客户端 - 使用idp令牌从资源合作伙伴adfs获取令牌

时间:2013-05-02 08:23:07

标签: c# wcf saml claims-based-identity adfs2.0

我正在尝试使用以下方案编写控制台应用程序: 客户端首先从身份提供者请求令牌,然后使用此令牌从资源STS请求新令牌 使用以下链接:http://leastprivilege.com/2010/10/28/wif-adfs-2-and-wcfpart-6-chaining-multiple-token-services/

我管理从Idp获取令牌但未管理从资源STS获取令牌。

这是我的代码:

    string RPRealm = "https://service.contoso.com/";
    string RSTSRealm = "http://fsweb.contoso.com/adfs/services/trust";
    string IdPstsEndpoint = "https://IdpAdfs.domain.com/adfs/services/trust/13/kerberosmixed";
    string RSTSEndpoint = "https://fsweb.contoso.com/adfs/services/trust/13/IssuedTokenMixedSymmetricBasic256";

    private static SecurityToken GetIdPToken(string rstsRealm, string IdPstsEndpoint)
    {
        using (var factory = new WSTrustChannelFactory(
                new KerberosWSTrustBinding(SecurityMode.TransportWithMessageCredential),
                new EndpointAddress(new Uri(IdPstsEndpoint))))
        {
            WSTrustChannel channel = null;
            factory.TrustVersion = TrustVersion.WSTrust13;
            try
            {
                var rst = new RequestSecurityToken
                {
                    RequestType = WSTrust13Constants.RequestTypes.Issue,
                    AppliesTo = new EndpointAddress(rstsRealm),
                    KeyType = WSTrust13Constants.KeyTypes.Bearer,
                };

                channel = (WSTrustChannel)factory.CreateChannel();
                RequestSecurityTokenResponse rstr;
                SecurityToken token = channel.Issue(rst, out rstr);
                return token;
            }
            finally
            {
                if (channel != null)
                {
                    channel.Abort();
                }

                factory.Abort();
            }
        }
    }


private static SecurityToken GetRSTSToken(SecurityToken IdPToken, string RSTSEndpoint, string RPRealm)
{
   var binding = new WS2007FederationHttpBinding();
   binding.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey;
   binding.Security.Message.EstablishSecurityContext = false;
   binding.Security.Mode = WSFederationHttpSecurityMode.TransportWithMessageCredential;

    using (var factory = new WSTrustChannelFactory(
           binding,
            new EndpointAddress(new Uri(RSTSEndpoint))))
    {
        var rst = new RequestSecurityToken
        {
            RequestType = WSTrust13Constants.RequestTypes.Issue,
            AppliesTo = new EndpointAddress(RPRealm),
            KeyType = WSTrust13Constants.KeyTypes.Bearer,
        };
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
        factory.TrustVersion = TrustVersion.WSTrust13;
        factory.Credentials.SupportInteractive = false;
        factory.ConfigureChannelFactory();


        var channel = factory.CreateChannelWithIssuedToken(IdPToken);
        RequestSecurityTokenResponse rstr;
        SecurityToken token = channel.Issue(rst, out rstr);
        return token;
    }
}

我收到此错误: 响应消息的内容类型text / html与绑定的内容类型不匹配(application / soap + xml; charset = utf-8) 什么是我的代码? 提前致谢

1 个答案:

答案 0 :(得分:2)

ADFS不支持其联合endoints上的承载令牌。换句话说,在第一跳上,您需要在RST上指定KeyTypes.Symmetric。