陷入身份验证重定向循环 - STS / WIF

时间:2013-09-24 15:56:28

标签: wcf web-config .net-4.5 sts-securitytokenservice ws-federation

使用VS2012 .Net Framework 4.5,我使用身份和访问插件创建了一个带有本地STS的WCF服务应用程序。 我的目标是能够使用浏览器进行身份验证。 到目前为止我做了什么:

  • 添加了WSFAM和SAM模块。
  • 使用Fiddler确保我正确地重定向
  • 确保创建了FedAuth [] cookie。

创建cookie之后(SAM)我将被重定向到STS。这就是我陷入困境的地方。

WCF和Web服务对我来说很新,对不起,如果我详细阐述......

这是我的web.config:

    <?xml version="1.0"?>
<configuration>
  <configSections>
    <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
    <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
  </configSections>
  <location path="FederationMetadata">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
    <authentication mode="None" />
    <pages validateRequest="false" />
    <httpRuntime targetFramework="4.5" />
    <compilation debug="true" targetFramework="4.5" />
  </system.web>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior>
          <!-- To avoid disclosing metadata information, set the value below to false before deployment -->
          <serviceMetadata httpGetEnabled="true" />
          <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
          <serviceDebug includeExceptionDetailInFaults="false" />
          <serviceCredentials useIdentityConfiguration="true">
            <!--Certificate added by Identity and Access Tool for Visual Studio.-->
            <serviceCertificate findValue="CN=localhost" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
    <protocolMapping>
      <add scheme="http" binding="ws2007FederationHttpBinding" />
    </protocolMapping>
    <bindings>
      <basicHttpBinding>
        <binding name="MyBinding">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <services>
      <service name="WcfFAMTest.Service1">
        <endpoint address="" binding="basicHttpBinding" bindingConfiguration="MyBinding" contract="WcfFAMTest.IService1" />
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
      </service>
    </services>
  </system.serviceModel>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true">
      <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
      <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
    </modules>
    <directoryBrowse enabled="true" />
  </system.webServer>
  <system.identityModel>
    <identityConfiguration>
      <audienceUris>
        <add value="http://localhost:53655" />
        <add value="http://localhost:53655/Service1.svc" />
      </audienceUris>
      <certificateValidation certificateValidationMode="None" />
      <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
        <trustedIssuers>
          <add thumbprint="9B74CB2F320F7AAFC156E1252270B1DC01EF40D0" name="LocalSTS" />
        </trustedIssuers>
      </issuerNameRegistry>
    </identityConfiguration>
  </system.identityModel>
  <system.identityModel.services>
    <federationConfiguration>
      <wsFederation passiveRedirectEnabled="true" issuer="http://localhost:15937/wsFederationSTS/Issue" realm="http://localhost:53655" reply="http://localhost:53655" requireHttps="false" />
      <cookieHandler requireSsl="false" />
    </federationConfiguration>
  </system.identityModel.services>
  <appSettings>
    <add key="ida:FederationMetadataLocation" value="http://localhost:15937/wsFederationSTS/FederationMetadata/2007-06/FederationMetadata.xml" />
    <add key="ida:ProviderSelection" value="localSTS" />
    <add key="ida:EnforceIssuerValidation" value="false" />
  </appSettings>
</configuration>

的Fiddler Fiddler

响应#10108 - 设置FedAuth cookie并重定向到资源 Response #10108 - sets the FedAuth cookies and redirects to the resource 请求#10109 - 使用给定的cookie请求重定向的资源。 Request #10109 - request to the redirected resource, using the given cookies 响应#10109 - 结果401,再次在#10111重定向到STS Response #10109 - Result 401, redirected to STS again at #10111

1 个答案:

答案 0 :(得分:0)

我使用的WCF Web服务不支持这些模块。切换到ASP.Net Web应用程序,配置相同,工作正常。