WCF, Claims, ADFS 3.0

Time: 2015-09-23 14:30:48

Tags: c# .net wcf adfs claims

I am trying to understand what is needed to develop a framework using WCF, Claims and ADFS 3.0. Internal users will authenticate against Active Directory, external users against a SQL Server table, and authorization is stored in database tables that implement groups and permissions. I am creating the API with WCF rather than Web API or OWIN.

I am not interested in using Identity Server or a third-party product; I just want to know how to create a custom Security Token Service that reads from my membership table and sets claims from my groups and permissions tables.

I cannot find any information on this. There is no Identity and Access control in Visual Studio 2015, and it seems WCF is not used at all, only Web API, OWIN and MVC?

2 answers:

Answer 0 (score: 3)

When I was developing a claims-aware WCF application I ran into this link, which gave me an idea of how it works. The only thing that does not quite match your needs is that it is not ADFS 3.0.

I do not think you can use ADFS for internal users and SQL "like membership" for external users at the same time. What I do know is that you can trust another company's ADFS as an additional identity provider.

If you mean how to build a claims-aware WCF service, there are some links available.

Nevertheless, the link still works and supports .NET 4.5 & 4.6, and WIF is already part of the framework, unlike before, when WIF had to be installed.

Here is a snippet of my WCF service configuration:

Bindings

<bindings>
    <ws2007FederationHttpBinding>
        <binding name="ws2007FederationHttpBinding">
            <security mode="TransportWithMessageCredential">
                <message establishSecurityContext="false" negotiateServiceCredential="false">
                    <issuerMetadata address="https://<adfs server>:9643/adfs/services/trust/mex"/>
                    <issuer address="https://<adfs server>:9643/adfs/services/trust/13/usernamemixed"/>
                </message>
            </security>
        </binding>
    </ws2007FederationHttpBinding>
</bindings>

Identity configuration

<system.identityModel>
    <identityConfiguration name="serviceidentity">
        <audienceUris mode="Never">
            <add value="https://localhost/FedSecurity/"/>
        </audienceUris>
        <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
            <authority name="http://<adfs server>:9643/adfs/services/trust">
                <keys>
                    <add thumbprint="8D6BF173ERERERFDFE9CE9CD0FB57FB57A5D68403EA88" name="http://<adfs server>:9643/adfs/services/trust" />
                </keys>
                <validIssuers>
                    <add name="http://<adfs server>:9643/adfs/services/trust" />
                </validIssuers>
            </authority>
        </issuerNameRegistry>
        <!-- certificateValidationMode set to "None" by the Identity and Access Tool for Visual Studio. For development purposes. -->
        <certificateValidation certificateValidationMode="None" />
    </identityConfiguration>
</system.identityModel>

Snippet of my WCF client configuration

<system.serviceModel>
        <bindings>
            <ws2007FederationHttpBinding>
                <binding name="ws2007FederationHttpBinding">
                    <security mode="TransportWithMessageCredential">
                        <message establishSecurityContext="false">
                            <issuer address="https://<adfs server>:9643/adfs/services/trust/13/usernamemixed"
                                binding="ws2007HttpBinding" bindingConfiguration="https://<adfs server>:9643/adfs/services/trust/13/usernamemixed" />
                            <issuerMetadata address="https://<adfs server>:9643/adfs/services/trust/mex" />
                            <tokenRequestParameters>
                                <trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                                    <trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
                                    <trust:KeySize xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">256</trust:KeySize>
                                    <trust:KeyWrapAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</trust:KeyWrapAlgorithm>
                                    <trust:EncryptWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptWith>
                                    <trust:SignWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2000/09/xmldsig#hmac-sha1</trust:SignWith>
                                    <trust:CanonicalizationAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
                                    <trust:EncryptionAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
                                </trust:SecondaryParameters>
                            </tokenRequestParameters>
                        </message>
                    </security>
                </binding>
            </ws2007FederationHttpBinding>
            <ws2007HttpBinding>
                <binding name="https://<adfs server>:9643/adfs/services/trust/13/usernamemixed">
                    <security mode="TransportWithMessageCredential">
                        <transport clientCredentialType="None" />
                        <message clientCredentialType="UserName" establishSecurityContext="false" />
                    </security>
                </binding>
            </ws2007HttpBinding>
        </bindings>
        <client>
            <endpoint address="https://localhost/FedSecurity/CloudService.svc"
                binding="ws2007FederationHttpBinding" bindingConfiguration="ws2007FederationHttpBinding"
                contract="CloudBeta.ICloudSevice" name="ws2007FederationHttpBinding" />
        </client>
</system.serviceModel>

Additional information:

  • I am using ADFS 2.0 with UserName authentication, and added the credentials from our Active Directory
  • Adding a relying party is not discussed here, but it is required.
  • A certificate for token encryption/decryption is also required (on the ADFS side)
  • Add the claims in ADFS

I hope this information helps you!

Answer 1 (score: 1)

This article seems to be a good start: http://southworks.com/blog/2007/03/11/the-holly-grail-of-enterprise-soa-security/

This is the code I use in my MVC application (not WCF, but many of the things that need to be done are the same)

using System.Collections.Generic;
using System.Globalization;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Claims;

// "result" is the user record returned by the membership lookup (UserName, Email, Id, FirstName, Roles)
var claims = new List<Claim>()
{
    new Claim(ClaimTypes.Name, result.UserName),
    new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", result.Email),
    new Claim("http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider",
        result.Email),
    new Claim("UserId", result.Id.ToString(CultureInfo.InvariantCulture)),
    new Claim("UserName", result.UserName),
    new Claim("FirstName", result.FirstName)
};

// load claims from database here
claims.AddRange(result.Roles.Select(role => new Claim(ClaimTypes.Role, role.Name)));

var id = new ClaimsIdentity(claims, "Forms");
var cp = new ClaimsPrincipal(id);
var token = new SessionSecurityToken(cp)
{
    IsPersistent = false
};

Session["authToken"] = token;

// write the session token to the FedAuth cookie so later requests are authenticated
var sam = FederatedAuthentication.SessionAuthenticationModule;
sam.WriteSessionTokenToCookie(token);
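The question asks for claims to be set from the groups and permissions tables, and answer 1 shows that for an MVC application; the WCF-side counterpart is a ClaimsAuthenticationManager plus a ClaimsAuthorizationManager wired into the identityConfiguration shown in answer 0. The following is an added example, not code from the question or either answer; the claim types, issuer URI, user record, SOAP action URIs and the in-memory dictionaries standing in for the database tables are all constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
// Hypothetical: registered as the claimsAuthenticationManager in <identityConfiguration>, it runs
// after WIF has validated the ADFS token and adds role/permission claims from our own tables.
public class DatabaseClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    public const string PermissionClaimType = "urn:example:permission"; // made-up claim type
    private const string LocalIssuer = "urn:example:authz-db";           // marks claims added here
    // Constructed stand-ins for the Groups and Permissions tables; replace with real queries.
    private static readonly Dictionary<string, string[]> Groups =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase) { ["alice@example.com"] = new[] { "Finance" } };
    private static readonly Dictionary<string, string[]> Permissions =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase) { ["alice@example.com"] = new[] { "Invoice.Read", "Invoice.Approve" } };

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        var identity = incomingPrincipal?.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return incomingPrincipal; // anonymous caller: nothing is added
        // Key the lookup on the UPN (or e-mail) claim ADFS issued, never on a caller-supplied value.
        string key = identity.FindFirst(ClaimTypes.Upn)?.Value ?? identity.FindFirst(ClaimTypes.Email)?.Value;
        if (key == null) return incomingPrincipal;
        string[] groups, perms;
        if (Groups.TryGetValue(key, out groups))
            identity.AddClaims(groups.Select(g => new Claim(ClaimTypes.Role, g, ClaimValueTypes.String, LocalIssuer)));
        if (Permissions.TryGetValue(key, out perms))
            identity.AddClaims(perms.Select(p => new Claim(PermissionClaimType, p, ClaimValueTypes.String, LocalIssuer)));
        return incomingPrincipal;
    }
}

// Registered as the claimsAuthorizationManager: each SOAP action maps to the permission it requires.
public class PermissionAuthorizationManager : ClaimsAuthorizationManager
{
    private static readonly Dictionary<string, string> Required = new Dictionary<string, string>
    {
        ["http://tempuri.org/ICloudService/GetInvoice"] = "Invoice.Read",       // constructed action URIs
        ["http://tempuri.org/ICloudService/ApproveInvoice"] = "Invoice.Approve",
    };
    public override bool CheckAccess(AuthorizationContext context)
    {
        string action = context.Action.FirstOrDefault()?.Value; // WCF passes the SOAP action here
        string needed;
        if (action == null || !Required.TryGetValue(action, out needed))
            return false; // deny by default for operations not in the table
        return context.Principal.HasClaim(DatabaseClaimsAuthenticationManager.PermissionClaimType, needed);
    }
}
```

Both classes are registered under `<identityConfiguration>` with `<claimsAuthenticationManager type="..."/>` and `<claimsAuthorizationManager type="..."/>`, and the service behavior needs `<serviceCredentials useIdentityConfiguration="true"/>` together with `<serviceAuthorization principalPermissionMode="Always"/>` for WCF to invoke them.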