如何使用AD FS创建安全的WCF服务

时间:2014-03-25 14:27:51

标签: wcf wif adfs

我尝试使用ADFS在WCF服务上添加基于声明的安全性。我已成功完成Web应用程序(被动联合),但由于缺乏有关该主题的文档,我发现自己陷入困境。

我一直在使用Web.Config文件来使其工作......但是,我似乎只是从一个问题转到另一个问题。这是客户端web.config的安全部分:

   <system.serviceModel>
      <behaviors>
         <endpointBehaviors>
          <behavior>
            <clientCredentials>
              <serviceCertificate>
                <authentication certificateValidationMode="None"/>
              </serviceCertificate>
            </clientCredentials>
          </behavior>
  </endpointBehaviors>
      </behaviors> 
        <bindings>
            <ws2007FederationHttpBinding>
                <binding name="WS2007FederationHttpBinding_IService1">
                    <security mode="Message">
                        <message>
                            <issuer address="https://myIssuer/adfs/services/trust/13/windows" binding="basicHttpsBinding" />
                            <issuerMetadata address="https://myIssuer/adfs/services/trust/mex" />
                            <tokenRequestParameters>
                                <trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                                    <trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
                                    <trust:KeySize xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">256</trust:KeySize>
                                    <trust:KeyWrapAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</trust:KeyWrapAlgorithm>
                                    <trust:EncryptWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptWith>
                                    <trust:SignWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2000/09/xmldsig#hmac-sha1</trust:SignWith>
                                    <trust:CanonicalizationAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
                                    <trust:EncryptionAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
                                </trust:SecondaryParameters>
                            </tokenRequestParameters>
                        </message>
                    </security>
                </binding>
            </ws2007FederationHttpBinding>
        </bindings>
        <client>
            <endpoint address="http://localhost/Services/Service1.svc"
                binding="ws2007FederationHttpBinding" bindingConfiguration="WS2007FederationHttpBinding_IService1"
                contract="ServiceRef.XISecurity.IService1" name="WS2007FederationHttpBinding_IService1" />
        </client>
    </system.serviceModel>

我不确定我是否在这里使用正确的绑定类型或端点。当我运行以下代码时:

     Service1Client obj = new Service1Client();
     string str = obj.GetData(5);

我得到以下异常:

  

寻址版本&#39; AddressingNone(http://schemas.microsoft.com/ws/2005/05/addressing/none)&#39;不受支持。

这是我在服务器端的web.config 

<configuration>
  <configSections>
    <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
  </configSections>
  <appSettings>
    <add key="aspnet:UseTaskFriendlySynchronizationContext" value="true" />
    <add key="ida:FederationMetadataLocation" value="https://myIssuer/FederationMetadata/2007-06/FederationMetadata.xml" />
    <add key="ida:ProviderSelection" value="productionSTS" />
  </appSettings>
  <location path="FederationMetadata">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <system.web>
    <compilation debug="true" targetFramework="4.5" />
    <httpRuntime targetFramework="4.5" />
  </system.web>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior>
          <!-- To avoid disclosing metadata information, set the values below to false before deployment -->
          <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
          <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
          <serviceDebug includeExceptionDetailInFaults="false" />
          <serviceCredentials useIdentityConfiguration="true">
            <!--Certificate added by Identity and Access Tool for Visual Studio.-->
            <serviceCertificate findValue="CN=localhost" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <protocolMapping>
      <add scheme="http" binding="ws2007FederationHttpBinding" />
      <!--<add binding="basicHttpsBinding" scheme="https" />-->
    </protocolMapping>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
    <bindings>
      <ws2007FederationHttpBinding>
        <binding name="">
          <security mode="Message">
            <message>
              <issuerMetadata address="https://myIssuer/adfs/services/trust/mex" />
            </message>
          </security>
        </binding>
      </ws2007FederationHttpBinding>
    </bindings>
  </system.serviceModel>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
    <!--
        To browse web app root directory during debugging, set the value below to true.
        Set to false before deployment to avoid disclosing web app folder information.
      -->
    <directoryBrowse enabled="true" />
  </system.webServer>
  <system.identityModel>
    <identityConfiguration>
      <audienceUris>
        <add value="http://localhost:2017/Service1.svc" />
      </audienceUris>
      <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
        <authority name="http://myIssuer/adfs/services/trust">
          <keys>
            <add thumbprint="7502424014D0A1BD87A5DEEF0D1EB13390101F07" />
          </keys>
          <validIssuers>
            <add name="http://myIssuer/adfs/services/trust" />
          </validIssuers>
        </authority>
      </issuerNameRegistry>
      <!--certificationValidationMode set to "None" by the the Identity and Access Tool for Visual Studio. For development purposes.-->
      <certificateValidation certificateValidationMode="None" />
    </identityConfiguration>
  </system.identityModel>
</configuration>

我的第一个问题是:是否有关于如何设置我的web.config文件的一个好的,循序渐进的教程?理想情况下,使用.NET 4.5?

第二个问题:我对使用哪个绑定ADFS端点或绑定感到困惑。这是它目前所设定的内容。

<issuer address="https://myIssuer/adfs/services/trust/13/windows" binding="basicHttpsBinding" />

非常感谢任何帮助。谢谢

1 个答案:

答案 0 :(得分:0)

在回答第二个问题时,您可以在http://technet.microsoft.com/en-us/library/adfs2-help-endpoints(WS.10).aspx找到有关端点的一些信息。端点基本上指定了可用于与ADFS服务器通信的地址。端点类型还会告诉您有关其要求的一些信息,例如您是否需要提供证书或用户名 端点与http://blogs.msdn.com/b/alikl/archive/2011/10/01/how-to-use-ad-fs-endpoints-when-developing-claims-aware-wcf-services-using-wif.aspx处的WIF绑定之间也存在映射。当我使用代码而不是配置文件与端点进行通信时,这对我很有帮助。

相关问题
最新问题