When deserializing a SAML token, can the SSL certificate be read from a file instead of the certificate store?

Time: 2011-03-28 00:25:57

Tags: ssl wif

I would like something like this:

<microsoft.identityModel>
    <service>
      <serviceCertificate>
        <certificateReference filename="App_Data/my.domain.com.crt" />
      </serviceCertificate>
    </service>
</microsoft.identityModel>

3 answers:

Answer 0 (score: 1)

According to the Documentation, no. To decrypt a SAML token, WIF needs access to the certificate's private key. Putting the certificate and its private key on the file system (especially under a folder managed by IIS, whatever protection is offered there) is generally a Bad Idea(tm). By placing the certificate in a certificate store you get tighter control over, and management of, access to the certificate.
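Added example, not code from the question or from any of the answers: an elevated Windows PowerShell script that does what this answer recommends. It imports the PFX into the LocalMachine\My store with a non-exportable key, grants read access on the private key to the IIS application pool identity only, deletes the PFX from disk, and prints the thumbprint that goes into the `<certificateReference x509FindType="FindByThumbprint" ...>` element. The PFX path and app pool name are placeholders, and the script assumes a legacy CSP (RSA) key, whose container file lives under `%ProgramData%\Microsoft\Crypto\RSA\MachineKeys`; CNG keys are stored elsewhere and would need a different ACL step.

```powershell
# Added example; not from the original page. Placeholders: $PfxPath, $AppPoolName.
param(
    [string]$PfxPath     = 'C:\deploy\my.domain.com.pfx',   # placeholder
    [string]$AppPoolName = 'MyWifApp'                        # placeholder
)
$ErrorActionPreference = 'Stop'

# Prompt for the PFX password instead of embedding it in a script or web.config.
$password = Read-Host -Prompt 'PFX password' -AsSecureString

# Import into the machine store. Without -Exportable the private key cannot be
# exported again as a PFX: from here on it can be used but not copied.
$cert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Password $password

if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key' }

# Locate the key container file on disk (assumption: CSP/RSA key, Windows PowerShell 5.1).
$containerName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $containerName

# Least privilege: only the app pool's virtual account gets Read on the key file.
$identity = "IIS AppPool\$AppPoolName"
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# The PFX was only a transport container; remove it now that the key is in the store.
Remove-Item -Path $PfxPath -Force

Write-Output "Service certificate thumbprint: $($cert.Thumbprint)"
Write-Output "web.config: <certificateReference x509FindType=""FindByThumbprint"" findValue=""$($cert.Thumbprint)"" storeLocation=""LocalMachine"" storeName=""My"" />"
```

Run it once on the IIS host as an administrator; afterwards `certutil -store My <thumbprint>` should list the certificate with a key, and the `<serviceCertificate>` element in web.config can reference it by thumbprint with no PFX or password anywhere under the web root.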

Answer 1 (score: 1)

You can, but as Bobby suggests, you are better off installing the certificate in the machine store. In fact, this was a workaround when deploying applications using WIF on Windows Azure, since it did not support uploading certificates. That limitation is long gone.

Answer 2 (score: 0)

I figured it out. Comment out this section in web.config:

  <!--<serviceCertificate>
    <certificateReference x509FindType="FindByThumbprint" findValue="" storeLocation="LocalMachine" storeName="My" />
  </serviceCertificate>-->

Add this code to global.asax:

    // Directives needed at the top of Global.asax.cs for the code below.
    using System.Collections.Generic;
    using System.IO;
    using System.Linq;
    using System.Security.Cryptography.X509Certificates;
    using System.Web.Hosting;
    using Microsoft.IdentityModel.Tokens;
    using Microsoft.IdentityModel.Web;
    using Microsoft.IdentityModel.Web.Configuration;

    protected void Application_Start()
    {
        // Hook the point where WIF builds its ServiceConfiguration so the service
        // certificate can be supplied from code instead of <serviceCertificate>.
        FederatedAuthentication.ServiceConfigurationCreated += AttachCert;
    }

    protected void AttachCert(object sender, ServiceConfigurationCreatedEventArgs e)
    {
        // PFX (certificate plus private key) under App_Data, which IIS does not serve directly.
        var filename = Path.Combine(HostingEnvironment.ApplicationPhysicalPath, @"App_Data\certificates\CERTNAME.pfx");

        // "YOURPASSWORD" is a placeholder; keep the real password out of source control.
        // Under an IIS app pool that does not load a user profile, pass
        // X509KeyStorageFlags.MachineKeySet as a third argument so the private key
        // is not written to a per-user key container.
        var cert = new X509Certificate2(filename, "YOURPASSWORD");

        var configuration = e.ServiceConfiguration;
        configuration.ServiceCertificate = cert;

        // Wrap the certificate as a security token so the encrypted-token handler can
        // find the decryption key.
        var certificates = new List<System.IdentityModel.Tokens.SecurityToken>
        {
            new System.IdentityModel.Tokens.X509SecurityToken(configuration.ServiceCertificate)
        };

        var encryptedSecurityTokenHandler = configuration.SecurityTokenHandlers
            .OfType<EncryptedSecurityTokenHandler>()
            .First();

        // Point both the service-wide and the handler-level resolver at the new certificate.
        configuration.ServiceTokenResolver = encryptedSecurityTokenHandler.Configuration.ServiceTokenResolver =
            System.IdentityModel.Selectors.SecurityTokenResolver.CreateDefaultSecurityTokenResolver(certificates.AsReadOnly(), false);
    }