I am trying to create a WCF service for SAML impersonation. The idea is that the WCF service uses WindowsIdentity (Service for User logon) together with the identity delegation feature to create a delegated SAML token through ADFS, which can then be used to authenticate as that user in another service via an IdP-initiated SAML login flow.
This is my first time working with .NET, C# and ASP web apps, so there may be problems in either the code or the configuration (ADFS, IIS, certificates, etc.).
So far, my idea (the important code snippets) is as follows:
```csharp
// Assumed using directives for the .NET 4.5 built-in WIF (System.IdentityModel) types used below
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Net;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Security;

// Placeholders: replace with your own ADFS endpoint and relying-party identifier.
// The "windowsmixed" endpoint is the ADFS endpoint that matches WindowsWSTrustBinding
// in TransportWithMessageCredential mode.
private static readonly string stsEndpoint = "https://ADFS-HOST/adfs/services/trust/13/windowsmixed";
private static readonly string relyingPartyId = "https://RELYING-PARTY/";

private static GenericXmlSecurityToken GetServiceTokenForUser(string usernameAtDomain)
{
    // Obtain a Windows token for the user via S4U (Service for User) logon; no password is needed.
    // Unless the service account is trusted for protocol transition (or holds SeTcbPrivilege),
    // this token is only Identification level and cannot be used to authenticate to ADFS over the network.
    WindowsIdentity winId = new WindowsIdentity(usernameAtDomain);
    WindowsImpersonationContext ctx = winId.Impersonate();
    GenericXmlSecurityToken token = null;
    try
    {
        // Call the STS while impersonating the user
        token = GetServiceTokenForUser();
    }
    finally
    {
        ctx.Undo();
    }
    return token;
}

// Note: OperationBehavior only affects methods that implement a service-contract operation;
// on this private helper it has no effect.
[OperationBehavior(Impersonation = ImpersonationOption.Allowed)]
private static GenericXmlSecurityToken GetServiceTokenForUser()
{
    EndpointAddress endpoint;
    GenericXmlSecurityToken securityToken;
    RequestSecurityToken rst;
    RequestSecurityTokenResponse rstr;
    WindowsWSTrustBinding binding;
    WSTrustChannel channel;
    WSTrustChannelFactory factory;

    // Accepts every server certificate, i.e. disables TLS certificate validation for the whole
    // process; only acceptable while testing against a self-signed ADFS certificate.
    ServicePointManager.ServerCertificateValidationCallback = (x, y, z, w) => true;

    // WindowsWSTrustBinding sends Windows credentials -> should be the impersonated user
    binding = new WindowsWSTrustBinding(SecurityMode.TransportWithMessageCredential);
    endpoint = new EndpointAddress(new Uri(stsEndpoint));
    factory = new WSTrustChannelFactory(binding, endpoint);
    factory.TrustVersion = TrustVersion.WSTrust13;

    // Ask ADFS for a bearer SAML 2.0 token scoped to the relying party
    rst = new RequestSecurityToken
    {
        AppliesTo = new EndpointReference(relyingPartyId),
        KeyType = KeyTypes.Bearer,
        RequestType = RequestTypes.Issue,
        TokenType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
    };
    channel = (WSTrustChannel)factory.CreateChannel();

    // Retrieve the issued SAML security token
    SecurityToken issuedToken = channel.Issue(rst, out rstr);
    securityToken = issuedToken as GenericXmlSecurityToken;

    ((IClientChannel)channel).Close();
    factory.Close();
    return securityToken;
}
```
When I try to run this on an endpoint that (for now) should only return the generated SAML token, I currently get the following problem:
Unable to load DLL 'security.Dll': Either a required impersonation level was not provided, or the provided impersonation level is invalid. (Exception from HRESULT: 0x80070542)
Server stack trace:
at System.IdentityModel.SafeFreeCredentials.AcquireCredentialsHandle(String package, CredentialUse intent, AuthIdentityEx& authdata, SafeFreeCredentials& outCredential)
at System.IdentityModel.SspiWrapper.AcquireCredentialsHandle(String package, CredentialUse intent, AuthIdentityEx& authdata)
at System.ServiceModel.Security.SecurityUtils.GetCredentialsHandle(String package, NetworkCredential credential, Boolean isServer, String[] additionalPackages)
This happens after adding the various necessary packages, such as Microsoft.IdentityModel, to the project.

As far as I understand, the service cannot access security.dll. However, the system's security.dll is present in C:\Windows\System32.

The error `Either a required impersonation level was not provided, or the provided impersonation level is invalid` suggests that something may be wrong with the impersonation authorization. I found many articles that solve similar problems by adding certain configuration to the server's Web.config or the client's App.config, but trying to adapt them did not work in my case (though quite possibly I did not adjust the configuration files correctly).

Any help on this topic is highly appreciated! If there is additional information you need me to provide that is missing from this question, please let me know.
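Before touching Web.config or App.config, a quick check a practitioner would run in this situation is whether the S4U logon itself produces a token usable for network authentication: the error quotes a missing or invalid impersonation level, and that level is decided by the Windows token, not by WCF configuration. The following diagnostic is an added example, not code from the question; it assumes the .NET 4.5 `System.Security.Principal` types, and the UPN and the account names are placeholders.

```csharp
using System;
using System.Security.Principal;

// Added diagnostic: performs the same S4U logon as the question's code for a given UPN
// and reports whether the resulting token could carry the user's identity to ADFS.
internal static class S4UTokenCheck
{
    internal enum Verdict { UsableForNetworkAuth, IdentificationOnly, LogonFailed }

    internal static Verdict CheckS4UToken(string upn, out string detail)
    {
        try
        {
            // S4U (Service for User) logon: no password is involved.
            using (var winId = new WindowsIdentity(upn))
            {
                detail = string.Format(
                    "S4U logon for {0}: ImpersonationLevel={1}, AuthenticationType={2}",
                    winId.Name, winId.ImpersonationLevel, winId.AuthenticationType);

                // Impersonation or Delegation level is required to present the user's identity
                // to a remote service (here, the WS-Trust call to ADFS). S4U2Self returns an
                // Identification-level token when the calling service account is neither
                // trusted for protocol transition nor holds SeTcbPrivilege; such a token only
                // supports local access checks.
                if (winId.ImpersonationLevel == TokenImpersonationLevel.Impersonation ||
                    winId.ImpersonationLevel == TokenImpersonationLevel.Delegation)
                {
                    return Verdict.UsableForNetworkAuth;
                }
                return Verdict.IdentificationOnly;
            }
        }
        catch (Exception ex) // e.g. SecurityException when the UPN cannot be resolved or logon is denied
        {
            detail = "S4U logon failed: " + ex.Message;
            return Verdict.LogonFailed;
        }
    }

    // Report the account the process runs as: the delegation settings that decide the
    // token level are configured on this account in Active Directory, so it is the
    // account to inspect (e.g. in the AD Users and Computers "Delegation" tab).
    internal static string DescribeServiceAccount()
    {
        using (var self = WindowsIdentity.GetCurrent())
        {
            return string.Format("Process runs as {0} (token level {1})", self.Name, self.ImpersonationLevel);
        }
    }

    private static void Main(string[] args)
    {
        Console.WriteLine(DescribeServiceAccount());
        string detail;
        // Placeholder UPN; pass a real user@domain as the first argument.
        Verdict verdict = CheckS4UToken(args.Length > 0 ? args[0] : "user@EXAMPLE-DOMAIN.local", out detail);
        Console.WriteLine(detail);
        Console.WriteLine("Verdict: " + verdict);
    }
}
```

Run it under the same account the WCF service uses (the IIS application pool identity or the service account). If the verdict is `IdentificationOnly`, the impersonated WS-Trust call cannot present the user's credentials to ADFS whatever the WCF binding configuration says, and the thing to review is the service account's delegation configuration in AD rather than Web.config; if it is `UsableForNetworkAuth`, the token level is fine and the problem lies elsewhere in the WCF or ADFS setup.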