I have been staring at this all day and getting nowhere; I am out of ideas. The IP-STS handles the login and then passes it to the RP-STS, the RP-STS populates the token with claims, and then it goes through to the website. That works fine. I have some WCF functionality on the IP-STS, for example change password / reset password, that needs to be reached. From what I have read I should be able to send the already-issued token to the WCF service to ensure the user is authenticated. From what I can see it does send a token, but incorrectly, and not the way I want, because it seems to require a username.
Ideally I want it to take the token already issued to the user without re-requesting or re-creating anything, and definitely without needing a username/password.
The error I currently get is: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail.
Detail: The message could not be processed. This is most likely because the action 'http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue' is incorrect or because the message contains an invalid or expired security context token or because there is a mismatch between bindings. The security context token would be invalid if the service aborted the channel due to inactivity. To prevent the service from aborting idle sessions prematurely increase the Receive timeout on the service endpoint's binding.
Here is the relevant part of my web.config.
Client web.config:
<system.serviceModel>
<bindings>
<customBinding>
<binding name="UsernameBinding">
<security authenticationMode="UserNameForCertificate" requireSecurityContextCancellation="false" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncryptAndEncryptSignature" requireDerivedKeys="true">
</security>
<httpTransport/>
</binding>
</customBinding>
<wsFederationHttpBinding>
<binding name="HTTPEndpoint" closeTimeout="00:10:00" openTimeout="00:10:00"
receiveTimeout="00:10:00" sendTimeout="00:10:00" bypassProxyOnLocal="false"
transactionFlow="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text"
textEncoding="utf-8" useDefaultWebProxy="true">
<security mode="Message">
<message issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" negotiateServiceCredential="false">
<claimTypeRequirements>
<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="false" />
</claimTypeRequirements>
<issuer address="http://localhost:13422/MembershipService" bindingConfiguration="UsernameBinding" binding="customBinding">
<identity>
<certificateReference findValue="STSTestCert" x509FindType="FindBySubjectName" storeLocation="CurrentUser" storeName="TrustedPeople" />
</identity>
</issuer>
</message>
</security>
</binding>
</wsFederationHttpBinding>
</bindings>
<behaviors>
<!-- Credentials configuration -->
<endpointBehaviors>
<behavior name="ServiceBehavior">
<clientCredentials>
<clientCertificate findValue="STSTestCert" storeLocation="CurrentUser" storeName="TrustedPeople" x509FindType="FindBySubjectName" />
<serviceCertificate>
<defaultCertificate findValue="STSTestCert" storeLocation="CurrentUser" storeName="TrustedPeople" x509FindType="FindBySubjectName"/>
<authentication certificateValidationMode="PeerOrChainTrust" />
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<client>
<endpoint address="http://localhost:13422/MembershipService"
binding="wsFederationHttpBinding" bindingConfiguration="HTTPEndpoint"
contract="MembershipService.IAccountMembershipService" name="HTTPEndpoint" behaviorConfiguration="ServiceBehavior">
<identity>
<dns value="localhost"/>
</identity>
</endpoint>
</client>
</system.serviceModel>
Service side:
<system.serviceModel>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" aspNetCompatibilityEnabled="true">
<serviceActivations>
<add relativeAddress="IAccountMembershipService.svc" service="AccountMembershipService" factory="System.ServiceModel.Activation.WebServiceHostFactory" />
</serviceActivations>
</serviceHostingEnvironment>
<bindings>
<wsHttpBinding>
<binding name="federationBinding" receiveTimeout="00:10:00" sendTimeout="00:10:00" closeTimeout="00:10:00" openTimeout="00:10:00">
<security mode="Message">
<message negotiateServiceCredential="true" />
</security>
</binding>
</wsHttpBinding>
<wsFederationHttpBinding>
<binding name="federationBinding" closeTimeout="00:10:00" openTimeout="00:10:00"
receiveTimeout="00:10:00" sendTimeout="00:10:00" bypassProxyOnLocal="false"
transactionFlow="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text"
textEncoding="utf-8" useDefaultWebProxy="true">
<security mode="Message">
<message issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" negotiateServiceCredential="false">
<claimTypeRequirements>
<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="false" />
</claimTypeRequirements>
<issuer address="http://localhost:13422/MembershipService" bindingConfiguration="UsernameBinding" binding="customBinding">
<identity>
<certificateReference findValue="STSTestCert" x509FindType="FindBySubjectName" storeLocation="CurrentUser" storeName="TrustedPeople" />
</identity>
</issuer>
</message>
</security>
</binding>
</wsFederationHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="serviceBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceCredentials>
<serviceCertificate findValue="CN=STSTestCert" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName"/>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<extensions>
<behaviorExtensions>
<!-- This behavior extension will enable the service host to be Claims aware -->
<add name="federatedServiceHostConfiguration" type="Microsoft.IdentityModel.Configuration.ConfigureServiceHostBehaviorExtensionElement, Microsoft.IdentityModel, Version=0.6.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
</behaviorExtensions>
</extensions>
<services>
<service behaviorConfiguration="serviceBehavior" name="STS.IP.Models.AccountMembershipService">
<endpoint binding="wsFederationHttpBinding" bindingConfiguration="federationBinding" name="HTTPEndpoint" contract="STS.IP.Infrastructure.IAccountMembershipService" >
<identity>
<dns value="localhost"/>
</identity>
</endpoint>
<!-- <endpoint binding="wsHttpBinding" bindingConfiguration="" name="HTTPEndpoint" contract="Aurora.WCFIsAlive.IIsAlive" />-->
</service>
</services>
</system.serviceModel>
Sorry for the big paste, but hopefully someone can spot my mistake! Am I just going down the wrong path?
Answer 0 (score: 4)
I don't know whether this helps at all, but it may be somewhat related... You can reuse an already-issued token; this is something I have done before. My scenario was that an ASP.NET site or WCF service is secured by WIF, but that ASP.NET site or WCF service needs to call another service that also requires a SAML token/WIF, and so on. You can reuse the token if you set WIF to use bootstrapping, as long as the second web service trusts the same STS.
http://msdn.microsoft.com/en-us/library/ee517256.aspx#_bootstrap
The configuration is set under <microsoft.identityModel><service><securityTokenHandlers>:
with this value:
<securityTokenHandlerConfiguration saveBootstrapTokens="true" />
Answer 1 (score: 2)
CardSpace kept popping up... client.ClientCredentials.SupportInteractive = false;
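An added example, not code from the question or from either answer, of the bootstrap-token reuse that Answer 0 describes combined with the SupportInteractive setting from Answer 1. It uses the WIF 3.5 (Microsoft.IdentityModel) API, which matches the assembly referenced in the service config. The contract name IAccountMembershipService and the endpoint name HTTPEndpoint are taken from the question's client config; the contract's members are not shown on the page, so the ChangePassword operation declared here is an assumption.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.Threading;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust; // ChannelFactoryOperations extension methods

// Assumed shape of the question's contract; the real interface is not shown on the page.
[ServiceContract]
public interface IAccountMembershipService
{
    [OperationContract]
    bool ChangePassword(string oldPassword, string newPassword);
}

// Added example: call the IP-STS membership service with the SAML token that WIF
// already issued to the signed-in user, instead of presenting a username/password.
// Requires saveBootstrapTokens="true" in <microsoft.identityModel> on the calling site.
public static class MembershipServiceClient
{
    // Returns the bootstrap token of the current WIF principal, or throws if there is none.
    public static SecurityToken GetBootstrapToken()
    {
        var identity = Thread.CurrentPrincipal.Identity as IClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            throw new InvalidOperationException("Caller is not authenticated through WIF.");

        SecurityToken token = identity.BootstrapToken;
        if (token == null)
            throw new InvalidOperationException(
                "No bootstrap token was saved; set saveBootstrapTokens=\"true\" in <microsoft.identityModel>.");

        // A stale token fails on the service with the same 'invalid or expired' fault
        // quoted in the question, so reject it here with a clearer message.
        if (token.ValidTo < DateTime.UtcNow)
            throw new SecurityTokenValidationException(
                "Bootstrap token has expired; the user must sign in to the STS again.");

        return token;
    }

    // Opens a channel to the HTTPEndpoint endpoint (from the client's web.config) that
    // carries the bootstrap token as the issued token, so no RST/Issue goes to the issuer.
    public static IAccountMembershipService CreateChannel(SecurityToken bootstrapToken)
    {
        var factory = new ChannelFactory<IAccountMembershipService>("HTTPEndpoint");

        // Let WIF, rather than the stock WCF federation client, handle the issued token.
        factory.ConfigureChannelFactory();

        // Answer 1: never fall back to the CardSpace / identity selector prompt.
        factory.Credentials.SupportInteractive = false;

        // Attach the already-issued token instead of requesting a new one.
        return factory.CreateChannelWithIssuedToken(bootstrapToken);
    }

    public static bool ChangePasswordForCurrentUser(string oldPassword, string newPassword)
    {
        IAccountMembershipService client = CreateChannel(GetBootstrapToken());
        try
        {
            bool changed = client.ChangePassword(oldPassword, newPassword);
            ((IClientChannel)client).Close();
            return changed;
        }
        catch
        {
            // A faulted channel cannot be closed cleanly; abort it and let the fault surface.
            ((IClientChannel)client).Abort();
            throw;
        }
    }
}
```

Whether the IP-STS service accepts the replayed token is decided on the service side: WIF's SAML token handler checks the token's audience against the service's configured audienceUris, so a token issued for the website's audience is rejected there unless the service is configured to accept that audience, which is the situation Answer 2 describes. In that case a fresh token must be requested for the service instead.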
Answer 2 (score: 1)
The website (the relying party that is now working) and the WCF endpoint on the IP-STS are two different applications. You cannot reuse the same token. You should get a new token for the IP-STS service (e.g. for renewing the password etc.).
In this case the IP-STS service is conceptually just another relying party (possibly one that trusts itself).