我正在使用WCF和WIF 4.5实现需要遵守http://www.projectliberty.org/liberty/content/download/4712/32213/file/Liberty-Basic-SOAP-Binding-1.0_Final.pdf的服务。
规范要求必须使用STR转换。结束消息可能如下所示:
<Assertion ID="_f23ef5f3-9efb-40f0-bf38-758d3a9589db" IssueInstant="2015-05-08T09:07:09.311Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
...
</Assertion>
<o:SecurityTokenReference b:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" u:Id="str1" xmlns:b="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_f23ef5f3-9efb-40f0-bf38-758d3a9589db</o:KeyIdentifier>
</o:SecurityTokenReference>
如果我使用以下绑定:
var messageSecurity = new AsymmetricSecurityBindingElement();
messageSecurity.AllowSerializedSigningTokenOnReply = true;
messageSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
messageSecurity.RecipientTokenParameters = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.AlwaysToInitiator);
messageSecurity.RecipientTokenParameters.RequireDerivedKeys = false;
var initiator = new CustomIssuedSecurityTokenParameters("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0");
messageSecurity.ProtectTokens = true;
initiator.UseStrTransform = true;
initiator.KeyType = SecurityKeyType.AsymmetricKey;
initiator.RequireDerivedKeys = false;
生成的消息是:
<Assertion ID="_f23ef5f3-9efb-40f0-bf38-758d3a9589db" IssueInstant="2015-05-08T09:07:09.311Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
...
</Assertion>
<o:SecurityTokenReference b:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" u:Id="_f23ef5f3-9efb-40f0-bf38-758d3a9589db" xmlns:b="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_f23ef5f3-9efb-40f0-bf38-758d3a9589db</o:KeyIdentifier>
</o:SecurityTokenReference>
什么是不对的是SecurityTokenReference元素与Assertion元素的ID相同,这会导致错误:
<Message>The '_f23ef5f3-9efb-40f0-bf38-758d3a9589db' id occurred twice in the message that is supplied for verification.</Message>
<StackTrace>
at System.ServiceModel.Security.ReceiveSecurityHeaderElementManager.VerifyIdUniquenessInSecurityHeader(String id)
查看WCF的源代码告诉我,WCF始终创建SecurityTokenReference,并将Id设置为引用元素的Id。为了解决这个问题,我创建了一个自定义的Paratemers类:
public class CustomIssuedSecurityTokenParameters : IssuedSecurityTokenParameters
{...
protected override SecurityKeyIdentifierClause CreateKeyIdentifierClause(SecurityToken token, SecurityTokenReferenceStyle referenceStyle)
{
var clause = base.CreateKeyIdentifierClause(token, referenceStyle);
clause.Id = "";
return clause;
}
}
如果我使用该自定义类,则会弹出另一个错误:
<ExceptionType>System.ServiceModel.Security.MessageSecurityException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
<Message>Cannot resolve KeyInfo for verifying signature: KeyInfo 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = Saml2AssertionKeyIdentifierClause( Id = '_str1' )
)
', available tokens 'SecurityTokenResolver
(
TokenCount = 1,
TokenEntry[0] = (AllowedReferenceStyle=Internal, Token=System.IdentityModel.Tokens.Saml2SecurityToken, Parameters=Kombit.Samples.Common.Binding.CustomIssuedSecurityTokenParameters:
InclusionMode: AlwaysToRecipient
ReferenceStyle: Internal
RequireDerivedKeys: False
TokenType: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
KeyType: AsymmetricKey
KeySize: 0
IssuerAddress: null
IssuerMetadataAddress: null
DefaultMessgeSecurityVersion: null
UseStrTransform: True
IssuerBinding: null
ClaimTypeRequirements: none)
)
有人可以告诉我一种让UseStrTransform设置工作的方法吗?我在这里缺少什么?