I have a working WCF STS (implemented on Microsoft.IdentityModel...SecurityTokenService) that authenticates users against a SQL DB (no aspnetdb, no Membership).
Its configuration is as follows:
<service name="Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract" behaviorConfiguration="srvBehavior">
  <endpoint address="" binding="ws2007HttpBinding" bindingConfiguration="ws2007Http" contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrust13SyncContract">
  </endpoint>
  <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
</service>
<behavior name="srvBehavior">
  <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
  <serviceDebug includeExceptionDetailInFaults="true"/>
  <serviceCredentials useIdentityConfiguration="false">
    <serviceCertificate findValue="MySelfSignedCert" storeLocation="LocalMachine" storeName="My" x509FindType="FindByIssuerName"/>
  </serviceCredentials>
  <serviceAuthorization principalPermissionMode="Always" />
</behavior>
<ws2007HttpBinding>
  <binding name="ws2007Http" messageEncoding="Mtom">
    <security mode="TransportWithMessageCredential">
      <message clientCredentialType="UserName" establishSecurityContext="false" negotiateServiceCredential="false"/>
    </security>
  </binding>
</ws2007HttpBinding>
<protocolMapping>
  <add binding="ws2007HttpBinding" scheme="https" bindingConfiguration="ws2007Http" />
  <add binding="wsHttpBinding" scheme="http" bindingConfiguration="securityBinding" />
</protocolMapping>
<serviceHostingEnvironment aspNetCompatibilityEnabled="false" multipleSiteBindingsEnabled="true" />
and the identity section:
<microsoft.identityModel>
  <service>
    <securityTokenHandlers>
      <remove type="Microsoft.IdentityModel.Tokens.WindowsUserNameSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
      <add type="TokenIssuerExt.CustomUserNameSecurityTokenHandler, TokenIssuerExt" />
    </securityTokenHandlers>
    <serviceCertificate>
      <certificateReference x509FindType="FindByThumbprint" findValue="d7ad4ffb08143745134b95607cde1cb0fdcc0366" />
    </serviceCertificate>
    <certificateValidation certificateValidationMode="None" />
  </service>
</microsoft.identityModel>
The relying party is also a WCF service. Its configuration:
<service name="TestService.Service1" behaviorConfiguration="srvBehavior">
  <endpoint address="" binding="ws2007FederationHttpBinding" bindingConfiguration="wsFed" contract="TestService.IService1">
  </endpoint>
</service>
<ws2007FederationHttpBinding>
  <binding name="wsFed" messageEncoding="Text">
    <security mode="Message">
      <message establishSecurityContext="false" issuedKeyType="SymmetricKey" negotiateServiceCredential="false">
        <issuerMetadata address="https://localhost/TokenIssuer/STS.svc/mex">
          <identity>
            <certificateReference x509FindType="FindByThumbprint" findValue="d7ad4ffb08143745134b95607cde1cb0fdcc0366" />
          </identity>
        </issuerMetadata>
        <issuer address="https://localhost/TokenIssuer/STS.svc" binding="ws2007HttpBinding" bindingConfiguration="ws2007Http">
          <identity>
            <certificateReference x509FindType="FindByThumbprint" findValue="d7ad4ffb08143745134b95607cde1cb0fdcc0366" />
          </identity>
        </issuer>
      </message>
    </security>
  </binding>
</ws2007FederationHttpBinding>
<ws2007HttpBinding>
  <binding name="ws2007Http">
    <security mode="TransportWithMessageCredential">
      <message clientCredentialType="UserName" establishSecurityContext="false" negotiateServiceCredential="false"/>
    </security>
  </binding>
</ws2007HttpBinding>
<serviceBehaviors>
  <behavior name="srvBehavior">
    <federatedServiceHostConfiguration />
    <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
    <serviceDebug includeExceptionDetailInFaults="true"/>
  </behavior>
</serviceBehaviors>
<protocolMapping>
  <add binding="ws2007HttpBinding" scheme="http" bindingConfiguration="ws2007Http" />
  <add binding="ws2007FederationHttpBinding" scheme="https" bindingConfiguration="wsFed" />
</protocolMapping>
<serviceHostingEnvironment aspNetCompatibilityEnabled="false" multipleSiteBindingsEnabled="true" />
and the identity section:
<microsoft.identityModel>
  <service>
    <audienceUris>
      <add value="http://localhost/FederationSample/TestService/Service1.svc" />
    </audienceUris>
    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <trustedIssuers>
        <add thumbprint="d7ad4ffb08143745134b95607cde1cb0fdcc0366" name="CustomSTS" />
      </trustedIssuers>
    </issuerNameRegistry>
    <claimsAuthorizationManager type="TestService.CustomClaimsAuthorizationManager, TestService" />
    <serviceCertificate>
      <certificateReference x509FindType="FindByThumbprint" findValue="d7ad4ffb08143745134b95607cde1cb0fdcc0366" />
    </serviceCertificate>
    <certificateValidation certificateValidationMode="None" />
    <federatedAuthentication>
      <cookieHandler requireSsl="false" />
    </federatedAuthentication>
  </service>
</microsoft.identityModel>
The client configuration is the same as the RP's, but every call to the RP fails. Incidentally, if I call the service from code like this
// Caller: request a token from the STS, then open a channel to the RP with it.
// FederationUtilities.LookupCertificate is the poster's own helper (not shown) and returns an X509Certificate2.
var identity = new X509CertificateEndpointIdentity(FederationUtilities.LookupCertificate(StoreName.Root, StoreLocation.LocalMachine, "MySelfSignedCert"));
var token = SecurityProxy.RequestSecurityToken(new EndpointAddress(new Uri("https://localhost/TokenIssuer/STS.svc"), identity), new Uri("http://localhost/FederationSample/TestService/Service1.svc"));
var result = SecurityProxy.CallService<TestService.IService1>(token, new Uri("http://localhost/FederationSample/TestService/Service1.svc"));

using System;
using System.IdentityModel.Tokens;                        // SecurityToken
using System.Security.Cryptography.X509Certificates;      // StoreName, StoreLocation, X509FindType
using System.ServiceModel;
using Microsoft.IdentityModel.Protocols.WSTrust;          // WSTrustChannelFactory, RequestSecurityToken, ConfigureChannelFactory(), CreateChannelWithIssuedToken()
using Microsoft.IdentityModel.Protocols.WSTrust.Bindings; // UserNameWSTrustBinding

public static class SecurityProxy
{
    // Ask the STS for a symmetric-key token scoped (AppliesTo) to the RP address.
    public static SecurityToken RequestSecurityToken(EndpointAddress idpAddress, Uri serviceAddress)
    {
        var factory = new WSTrustChannelFactory(new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential), idpAddress)
        {
            TrustVersion = TrustVersion.WSTrust13,
        };
        factory.Credentials.UserName.UserName = "admin";
        factory.Credentials.UserName.Password = "qDJ9SknUYxYx0JCnIpfY10kzejDm6wQWvTZVtx42SBs=";
        factory.Credentials.ServiceCertificate.SetDefaultCertificate(StoreLocation.LocalMachine, StoreName.Root, X509FindType.FindByIssuerName, "MySelfSignedCert");
        factory.Credentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.Root, X509FindType.FindByIssuerName, "MySelfSignedCert");
        factory.ConfigureChannelFactory();
        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            KeyType = KeyTypes.Symmetric,
            AppliesTo = new EndpointReference(serviceAddress.AbsoluteUri),
        };
        var token = factory.CreateChannel().Issue(rst);
        return token;
    }

    // Open a federation channel to the RP using the "wsFed" binding from the client config and the issued token.
    public static T CallService<T>(SecurityToken token, Uri serviceAddress)
    {
        var identity = new X509CertificateEndpointIdentity(FederationUtilities.LookupCertificate(StoreName.Root, StoreLocation.LocalMachine, "MySelfSignedCert"));
        var binding = new WS2007FederationHttpBinding("wsFed");
        var factory = new ChannelFactory<T>(binding, new EndpointAddress(serviceAddress, identity));
        factory.Credentials.SupportInteractive = false;
        factory.Credentials.ServiceCertificate.SetDefaultCertificate(StoreLocation.LocalMachine, StoreName.Root, X509FindType.FindByIssuerName, "MySelfSignedCert");
        factory.Credentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.Root, X509FindType.FindByIssuerName, "MySelfSignedCert");
        factory.ConfigureChannelFactory();
        return factory.CreateChannelWithIssuedToken(token);
    }
}
I still get the error.
The RP throws the exception
Content Type application/soap+xml; charset=utf-8 was not supported by service http://localhost/FederationSample/TestService/Service1.svc. The client and service bindings may be mismatched.
with the inner exception
The remote server returned an error: (415) Cannot process the message because the content type 'application/soap+xml; charset=utf-8' was not the expected type 'text/xml; charset=utf-8'..
I know the most popular cause of this is the message version, but I am using ws2007Http and ws2007FederatedHttp. AFAIK both bindings use SOAP 1.2.
Can anyone explain this?
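An added example, not code from the question, for checking the "message version" suspicion directly: it builds the bindings named in the question in code (with the security modes from the posted config, not loaded from it) plus WCF's default SOAP 1.1 binding, and prints the SOAP envelope version and the content type each binding's message encoder puts on the wire. The 415 above says the RP endpoint expected 'text/xml; charset=utf-8', which is what a SOAP 1.1 encoder produces, while the client sent 'application/soap+xml', the SOAP 1.2 content type; running this shows which binding family each side actually belongs to. The class and method names are assumed; the WCF APIs used (Binding.MessageVersion, BindingElementCollection.Find, MessageEncodingBindingElement.CreateMessageEncoderFactory, MessageEncoder.ContentType) are standard System.ServiceModel members.

```csharp
// Added example (not from the question): map each WCF binding to the SOAP version
// and wire content type it produces, so a 415 "content type X was not the expected
// type Y" can be matched against the binding that answers at the endpoint.
// Reference assemblies: System.ServiceModel, System.Runtime.Serialization.
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;

static class BindingContentTypes
{
    // Content type the binding's message encoder writes into the HTTP request.
    static string ContentTypeOf(Binding binding)
    {
        MessageEncodingBindingElement encoding =
            binding.CreateBindingElements().Find<MessageEncodingBindingElement>();
        return encoding.CreateMessageEncoderFactory().Encoder.ContentType;
    }

    static void Describe(string name, Binding binding)
    {
        Console.WriteLine("{0}: envelope={1}, content-type={2}",
            name, binding.MessageVersion.Envelope, ContentTypeOf(binding));
    }

    static void Main()
    {
        // STS binding from the question: ws2007Http, TransportWithMessageCredential, messageEncoding="Mtom".
        var stsMtom = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        stsMtom.MessageEncoding = WSMessageEncoding.Mtom;

        // The RP-side copy of ws2007Http has no messageEncoding attribute, so it defaults to Text.
        var stsText = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);

        // RP binding from the question: ws2007FederationHttp with security mode="Message".
        var fed = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.Message);

        // SOAP 1.1 binding; WCF uses it as the default http endpoint when no configured
        // endpoint applies to the hosted service.
        var basic = new BasicHttpBinding();

        Describe("ws2007HttpBinding (Mtom)", stsMtom);
        Describe("ws2007HttpBinding (Text)", stsText);
        Describe("ws2007FederationHttpBinding", fed);
        Describe("basicHttpBinding", basic);
    }
}
```

Compare the content type printed for basicHttpBinding with the 'expected type' in the inner exception, and the one printed for ws2007FederationHttpBinding with the content type the client sent; if the service side matches basicHttpBinding, the hosted service is not running the ws2007FederationHttpBinding endpoint from the posted config, regardless of what the client is configured to use.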