在我们的 ASP.NET MVC5 网站中，我们针对多个 ADFS 服务器进行身份验证。其中一个服务器要求我们对请求进行签名（最好同时加密）。
我们正在使用OWIN和UseWsFederationAuthentication扩展方法为每个ADFS服务器设置选项(见下文)。
// Passive WS-Federation sign-in against a single ADFS server (the question's version:
// no custom token handlers, so token signing/encryption is not configured here).
WsFederationAuthenticationOptions adfsLoginProviderOptions = new WsFederationAuthenticationOptions();
// Federation metadata document of this ADFS server.
adfsLoginProviderOptions.MetadataAddress = adfsLoginProvider.MetadataUrl;
// Realm (wtrealm) this application identifies itself with towards ADFS.
adfsLoginProviderOptions.Wtrealm = AppSettings.FirstAgendaWtRealm;
adfsLoginProviderOptions.AuthenticationMode = AuthenticationMode.Passive;
adfsLoginProviderOptions.AuthenticationType = adfsLoginProvider.Name;
// Note: this callback path is the same for every provider registered this way.
adfsLoginProviderOptions.CallbackPath = new PathString("/adfs/callback");
// true: the sign-in session is tied to the token's validity window.
adfsLoginProviderOptions.UseTokenLifetime = true;
app.UseWsFederationAuthentication(adfsLoginProviderOptions);
我的问题是，我没有看到用于设置请求签名和加密的明显选项，也找不到其他相关选项。
答案 0 :(得分:1)
我做了一些研究,发现了以下内容。
我需要注册两个 SecurityTokenHandler：
他们注册如下:
// One WsFederationAuthenticationOptions per ADFS server. The SecurityTokenHandlers below
// replace the middleware's default token validation so that an encrypted (and signed)
// token can be decrypted and validated.
var adfsLoginProviderOptions = new WsFederationAuthenticationOptions
{
MetadataAddress = adfsLoginProvider.MetadataUrl,
// Realm sent to ADFS (wtrealm). Placeholder: the same URI must be allowed by the
// AudienceRestriction configured on the SAML handler, otherwise audience validation fails.
Wtrealm = "http://[your-realm]",
AuthenticationMode = AuthenticationMode.Passive,
AuthenticationType = adfsLoginProvider.Name,
// false: the sign-in session length is presumably not tied to the token's validity window
// (differs from the question's snippet, which used true) — confirm this is intended.
UseTokenLifetime = false,
// Per-provider callback path: the provider ID is appended so each ADFS server gets its own endpoint.
CallbackPath = new PathString("/adfs/callback/" + adfsLoginProvider.ID.ToString()),
// Only the authentication type is carried here. The custom handlers' ValidateToken methods do
// not read these parameters, so issuer/audience checks come from each handler's Configuration.
TokenValidationParameters = new TokenValidationParameters
{
AuthenticationType = adfsLoginProvider.Name
},
// Handler order: the encrypted handler is listed first; it decrypts the EncryptedData element and
// hands the inner token to the SamlSecurityTokenHandler in this same collection (ContainingCollection).
SecurityTokenHandlers = new SecurityTokenHandlerCollection
{
// Decryption key (the relying party's certificate) is looked up in the LocalMachine\My store.
new EncryptedSecurityTokenHandler(new X509CertificateStoreTokenResolver(StoreName.My,StoreLocation.LocalMachine)),
new SamlSecurityTokenHandler
{
// No chain or revocation validation of the token-signing certificate: trust rests solely on
// issuerRegistry matching the signing certificate's thumbprint, so a revoked signing
// certificate is not detected here.
CertificateValidator = X509CertificateValidator.None,
Configuration = new SecurityTokenHandlerConfiguration()
{
// audienceRestriction and issuerRegistry are built outside this snippet.
AudienceRestriction = audienceRestriction,
IssuerNameRegistry = issuerRegistry
}
}
},
};
EncryptedSecurityTokenHandler实现如下:
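/// <summary>
/// Token handler that decrypts an EncryptedData token using the supplied resolver and hands the
/// decrypted inner token to the other handlers of the same <c>SecurityTokenHandlerCollection</c>
/// for validation. Implements <c>ISecurityTokenValidator</c> so the OWIN WS-Federation
/// middleware can use it for the string form of the token posted back to the callback path.
/// </summary>
public class EncryptedSecurityTokenHandler : System.IdentityModel.Tokens.EncryptedSecurityTokenHandler, ISecurityTokenValidator
{
    /// <summary>
    /// Creates the handler with the resolver used to locate the decryption key.
    /// </summary>
    /// <param name="securityTokenResolver">Resolver for the decryption key (e.g. a certificate-store resolver).</param>
    /// <exception cref="ArgumentNullException"><paramref name="securityTokenResolver"/> is null.</exception>
    public EncryptedSecurityTokenHandler(SecurityTokenResolver securityTokenResolver)
    {
        if (securityTokenResolver == null)
        {
            throw new ArgumentNullException("securityTokenResolver");
        }

        Configuration = new SecurityTokenHandlerConfiguration
        {
            ServiceTokenResolver = securityTokenResolver
        };
    }

    /// <summary>
    /// Upper bound on the size of a token this handler will parse (compared against the string
    /// length as an approximation of the byte count). Zero or negative disables the check, which
    /// matches the earlier behaviour where the property was never consulted.
    /// </summary>
    public int MaximumTokenSizeInBytes { get; set; }

    /// <summary>
    /// Returns true when the string is well-formed XML whose root the base handler recognises as
    /// an encrypted token. Empty, oversized or non-XML input yields false rather than an exception
    /// so that the next handler in the collection can be tried.
    /// </summary>
    public override bool CanReadToken(string securityToken)
    {
        if (string.IsNullOrEmpty(securityToken) || ExceedsSizeLimit(securityToken))
        {
            return false;
        }

        try
        {
            using (XmlReader reader = CreateReader(securityToken))
            {
                return base.CanReadToken(reader);
            }
        }
        catch (XmlException)
        {
            // Not XML at all (e.g. a compact JWT): this handler cannot read it.
            return false;
        }
    }

    /// <summary>
    /// Decrypts the token and validates the inner token through the containing collection.
    /// </summary>
    /// <param name="securityToken">The encrypted token as posted by the browser.</param>
    /// <param name="validationParameters">Not consulted: issuer and audience checks are driven by
    /// the Configuration of the handler that validates the decrypted token.</param>
    /// <param name="validatedToken">The decrypted, validated inner token.</param>
    /// <returns>A principal holding every identity produced by validation.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="securityToken"/> is null or empty.</exception>
    /// <exception cref="ArgumentException">The token exceeds <see cref="MaximumTokenSizeInBytes"/>.</exception>
    /// <exception cref="InvalidOperationException">No resolver is configured, or validation produced no identity.</exception>
    public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
    {
        if (string.IsNullOrEmpty(securityToken))
        {
            throw new ArgumentNullException("securityToken");
        }
        if (ExceedsSizeLimit(securityToken))
        {
            throw new ArgumentException("Token exceeds MaximumTokenSizeInBytes.", "securityToken");
        }
        if (Configuration == null || Configuration.ServiceTokenResolver == null)
        {
            throw new InvalidOperationException("ServiceTokenResolver is not configured; the token cannot be decrypted.");
        }

        // ReadToken decrypts the EncryptedData element and reads the inner token through the
        // containing collection, so the handler for the inner token type must be registered alongside this one.
        using (XmlReader reader = CreateReader(securityToken))
        {
            validatedToken = ReadToken(reader, Configuration.ServiceTokenResolver);
        }

        // Validation of the decrypted token (signature, issuer, audience) is delegated to the
        // containing collection; the base handler is only a fallback when there is none.
        ReadOnlyCollection<ClaimsIdentity> identities = ContainingCollection != null
            ? ContainingCollection.ValidateToken(validatedToken)
            : base.ValidateToken(validatedToken);

        if (identities == null || identities.Count == 0)
        {
            throw new InvalidOperationException("Token validation produced no identities.");
        }

        // All identities are kept (same as SamlSecurityTokenHandler in this file) instead of only the first.
        return new ClaimsPrincipal(identities);
    }

    // True when a positive size limit is configured and the token is larger than it.
    private bool ExceedsSizeLimit(string securityToken)
    {
        return MaximumTokenSizeInBytes > 0 && securityToken.Length > MaximumTokenSizeInBytes;
    }

    // The token is posted by the browser and therefore untrusted input: the reader is created
    // with DTD processing prohibited and no external resolver so entity expansion and
    // external resource fetches are impossible during parsing.
    private static XmlReader CreateReader(string securityToken)
    {
        var reader = new XmlTextReader(new StringReader(securityToken));
        reader.DtdProcessing = DtdProcessing.Prohibit;
        reader.XmlResolver = null;
        return reader;
    }
}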
SamlSecurityTokenHandler:
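/// <summary>
/// SAML 1.1 token handler that also implements <c>ISecurityTokenValidator</c> so the OWIN
/// WS-Federation middleware can validate the string form of the token. Signature, issuer and
/// audience checks are performed by the base handler using this handler's Configuration
/// (IssuerNameRegistry, AudienceRestriction) and CertificateValidator.
/// </summary>
public class SamlSecurityTokenHandler : System.IdentityModel.Tokens.SamlSecurityTokenHandler, ISecurityTokenValidator
{
    // Authentication type stamped on the identities returned to OWIN; presumably chosen to match
    // the external sign-in cookie's authentication type — verify against the cookie middleware setup.
    private const string ExternalCookieAuthenticationType = "ExternalCookie";

    /// <summary>
    /// Upper bound on the size of a token this handler will parse (compared against the string
    /// length as an approximation of the byte count). Zero or negative disables the check, which
    /// matches the earlier behaviour where the property was never consulted.
    /// </summary>
    public int MaximumTokenSizeInBytes { get; set; }

    /// <summary>
    /// Returns true when the string is well-formed XML whose root the base handler recognises as a
    /// SAML assertion. Empty, oversized or non-XML input yields false rather than an exception.
    /// </summary>
    public override bool CanReadToken(string securityToken)
    {
        if (string.IsNullOrEmpty(securityToken) || ExceedsSizeLimit(securityToken))
        {
            return false;
        }

        try
        {
            using (XmlReader reader = CreateReader(securityToken))
            {
                return base.CanReadToken(reader);
            }
        }
        catch (XmlException)
        {
            // Not XML at all: this handler cannot read it.
            return false;
        }
    }

    /// <summary>
    /// Reads and validates the SAML token and returns its identities re-issued under the
    /// external-cookie authentication type.
    /// </summary>
    /// <param name="securityToken">The SAML token as a string.</param>
    /// <param name="validationParameters">Not consulted: validation is driven by this handler's Configuration.</param>
    /// <param name="validatedToken">The parsed token that was validated.</param>
    /// <returns>A principal holding one re-issued identity per validated identity.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="securityToken"/> is null or empty.</exception>
    /// <exception cref="ArgumentException">The token exceeds <see cref="MaximumTokenSizeInBytes"/>.</exception>
    /// <exception cref="InvalidOperationException">No Configuration has been assigned to this handler.</exception>
    public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters,
        out SecurityToken validatedToken)
    {
        if (string.IsNullOrEmpty(securityToken))
        {
            throw new ArgumentNullException("securityToken");
        }
        if (ExceedsSizeLimit(securityToken))
        {
            throw new ArgumentException("Token exceeds MaximumTokenSizeInBytes.", "securityToken");
        }
        if (Configuration == null)
        {
            throw new InvalidOperationException("Configuration is not set; issuer and audience validation cannot run.");
        }

        using (XmlReader reader = CreateReader(securityToken))
        {
            validatedToken = ReadToken(reader, Configuration.ServiceTokenResolver);
        }

        ReadOnlyCollection<ClaimsIdentity> identities = ValidateToken(validatedToken);

        // Re-issue each identity with the external-cookie authentication type. The new identities
        // carry the ClaimsIdentity default name/role claim types, not those of the validated identity.
        var reissuedIdentities = identities
            .Select(identity => new ClaimsIdentity(identity.Claims, ExternalCookieAuthenticationType))
            .ToList();

        return new ClaimsPrincipal(reissuedIdentities);
    }

    /// <summary>
    /// Pass-through to the base validation; kept as a single interception point for the
    /// signature/issuer/audience checks.
    /// </summary>
    public override ReadOnlyCollection<ClaimsIdentity> ValidateToken(SecurityToken token)
    {
        return base.ValidateToken(token);
    }

    // True when a positive size limit is configured and the token is larger than it.
    private bool ExceedsSizeLimit(string securityToken)
    {
        return MaximumTokenSizeInBytes > 0 && securityToken.Length > MaximumTokenSizeInBytes;
    }

    // The token is posted by the browser and therefore untrusted input: the reader is created
    // with DTD processing prohibited and no external resolver so entity expansion and
    // external resource fetches are impossible during parsing.
    private static XmlReader CreateReader(string securityToken)
    {
        var reader = new XmlTextReader(new StringReader(securityToken));
        reader.DtdProcessing = DtdProcessing.Prohibit;
        reader.XmlResolver = null;
        return reader;
    }
}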
受众限制是应用程序的领域:
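// Audience validation is mandatory (Always): a token whose audience is not in the allowed list is rejected.
var audienceRestriction = new AudienceRestriction(AudienceUriMode.Always);
// Placeholder realm: replace "[your-realm]" with the real URI (the bracketed form itself will not
// parse as a Uri). It must be the same value as the Wtrealm passed to ADFS.
audienceRestriction.AllowedAudienceUris.Add(new Uri("http://[your-realm]"));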
IssuerRegistry 是颁发者令牌签名证书的注册表：
// Trust anchor for token signatures: the thumbprint of the ADFS token-signing certificate is
// mapped to the issuer name. With certificate chain validation switched off on the SAML handler,
// this thumbprint match is the only check on who signed the token, so keep it current when the
// ADFS signing certificate rolls over.
var signingCertificateThumbprint = adfsLoginProvider.SigningCertThumbprint;
var issuerName = adfsLoginProvider.Issuer;
var issuerRegistry = new ConfigurationBasedIssuerNameRegistry();
issuerRegistry.AddTrustedIssuer(signingCertificateThumbprint, issuerName);