我需要调用使用SAML对用户进行身份验证的外部Web服务。我引用了this code example来创建saml请求。
这是期望的SAML请求段(注意X509Data节点):
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<dsig:Reference URI="#SAML-9KTXIL9ap20ntAzPdjYdEg22">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<dsig:DigestValue>{removed}</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>{removed}</dsig:SignatureValue>
<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:X509Data>
<dsig:X509Certificate>{removed}</dsig:X509Certificate>
<dsig:X509IssuerSerial>
<dsig:X509IssuerName>{removed}</dsig:X509IssuerName>
<dsig:X509SerialNumber>{removed}</dsig:X509SerialNumber>
</dsig:X509IssuerSerial>
<dsig:X509SubjectName>{removed}</dsig:X509SubjectName>
<dsig:X509SKI>{removed}</dsig:X509SKI>
</dsig:X509Data>
</dsig:KeyInfo>
</dsig:Signature>
以下是我现在制作的SAML请求细分:
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#SAML-9KTXIL9ap20ntAzPdjYdEg22">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>{removed}</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>{removed}</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>removed</X509Certificate>
</X509Data>
<o:SecurityTokenReference>
<X509Data>
<X509IssuerSerial>
<X509IssuerName>{removed}</X509IssuerName>
<X509SerialNumber>{removed}</X509SerialNumber>
</X509IssuerSerial>
</X509Data>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
以下是在SAML断言上方创建的关键代码:
public static SamlAssertion CreateX509Assertion(X509Certificate2 cert)
{
List<string> confirmationMethods = new List<string>(1);
confirmationMethods.Add("urn:oasis:names:tc:SAML:1.0:cm:bearer");
SamlSubject samlSubject = new SamlSubject("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", null, "admin", confirmationMethods, null, null);
SamlAuthenticationStatement samlAuthenticationStatement = new SamlAuthenticationStatement(samlSubject, "urn:oasis:names:tc:SAML:1.0:am:password", DateTime.Now, null, null, null);
List<SamlStatement> samlSubjectStatements = new List<SamlStatement>();
samlSubjectStatements.Add(samlAuthenticationStatement);
DateTime issueInstant = DateTime.UtcNow;
SamlAssertion samlAssertion = new SamlAssertion("SAML-9KTXIL9ap20ntAzPdjYdEg22", "www.site.com",
issueInstant,
new SamlConditions(issueInstant, issueInstant + new TimeSpan(0, 5, 0)),
null,
samlSubjectStatements
);
SecurityKeyIdentifier ski = new SecurityKeyIdentifier();
// Here is the problem!!!
X509RawDataKeyIdentifierClause secClause = new X509RawDataKeyIdentifierClause(cert);
X509IssuerSerialKeyIdentifierClause x509Clause = new X509IssuerSerialKeyIdentifierClause(cert);
ski.Add(secClause);
ski.Add(x509Clause);
X509AsymmetricSecurityKey signingKey = new X509AsymmetricSecurityKey(cert);
samlAssertion.SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha1Signature, SecurityAlgorithms.Sha1Digest, ski);
return samlAssertion;
}
您可以看到,使用上面的代码将在KeyInfo节点中生成分离的X509Data。我需要将它们放在同一个KeyInfo节点中。有没有办法做到这一点?