我现在睁大眼睛看了几天,让我的WCF服务验证一个简单的SAML2断言。我正在使用Axis2客户端进行测试,但它也应该支持Java,C ++等。
我只想对令牌进行一些验证: 1.证书颁发者(来自有效发行人名单) 2.证书日期 3.受众群体网址
所以我应该可以进行自定义证书验证。证书在服务器上是未知的,它是SAML断言的一部分。 这是使用的SAML断言:
<saml:Assertion Version="2.0" IssueInstant="2011-03-29T09:44:41Z" ID="_7d8e48d69047d3c3da278b33b8f13485" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>demo.com</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_7d8e48d69047d3c3da278b33b8f13485">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> <ec:InclusiveNamespaces PrefixList="ds saml" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>SsVSD3gENtKpZTjJBHNovQVXa4o=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>Mn+FNBrlyWz5nDBViB1+jNnwL/QDAtE0uxgNT/fi6O+e2/eeXggsPYPSQYwv+EeC 8h9lcJ5nzVKknrO2Ny4Ob3UsrmH3YQdj0iaCABb0EMC8tFV1M1taD4USLscUhucd hTl2WQEj/rgCtHzratkBXOlmumTUu+ra8P/1Aef0oO0=</ds:SignatureValue>
<ds:KeyInfo><ds:KeyName>demo.com</ds:KeyName>
<ds:X509Data><ds:X509SubjectName>emailAddress=info@demo.com,CN=demo.com,OU=Development,O=demo,ST=Utrecht,C=NL</ds:X509SubjectName>
<ds:X509Certificate>MI ... mQ= </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
<saml:Subject><saml:NameID SPProvidedID="lipse" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">lipse</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml:Subject>
<saml:Conditions NotOnOrAfter="2011-03-29T09:54:40Z" NotBefore="2011-03-29T09:44:40Z">
<saml:AudienceRestriction><saml:Audience>http://blabla</saml:Audience></saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>
我尝试了wsHttpBinding,wsFederationHttpBinding,ws2007FederationHttpBinding,甚至是customBinding。有无WIF?我不知道了。
我目前正在努力解决这个错误:
SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 2,
Clause[0] = KeyNameIdentifierClause(KeyName = 'risdemo.delftdi.com'),
Clause[1] = X509RawDataKeyIdentifierClause(RawData = MI....mQ=)
)
`. Ensure that the SecurityTokenResolver is populated with the required key.
我的约束力:
<wsHttpBinding>
<binding name="_HTTP">
<security mode="Message">
<transport clientCredentialType="None" proxyCredentialType="None" />
<message clientCredentialType="IssuedToken" negotiateServiceCredential="False"
establishSecurityContext="False"/>
</security>
</binding>
</wsHttpBinding>
ServiceCredentials:
<serviceCredentials>
<issuedTokenAuthentication allowUntrustedRsaIssuers="true" revocationMode="NoCheck" certificateValidationMode="Custom" customCertificateValidatorType="ServiceHostConsole.CustomX509CertificateValidator, ServiceHostConsole">
<allowedAudienceUris>
<add allowedAudienceUri="http://blabla"/>
</allowedAudienceUris>
</issuedTokenAuthentication>
<serviceCertificate findValue="e216aeacff5fac720708e5a1966f220cc8b4ce94"
storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
</serviceCredentials>
WIF:
<microsoft.identityModel>
<service>
<audienceUris>
<add value="http://blabla"/>
</audienceUris>
<securityTokenHandlers>
<clear />
<add type="ServiceHostConsole.myHandler, ServiceHostConsole"></add>
<!-- <securityTokenHandlerConfiguration saveBootstrapTokens="false">
<issuerTokenResolver type="ServiceHostConsole.CustomTokenResolver, ServiceHostConsole"/>
<certificateValidation>
<certificateValidator type="ServiceHostConsole.CustomX509CertificateValidator, ServiceHostConsole"/>
</certificateValidation>
<issuerNameRegistry type="ServiceHostConsole.SimpleIssuerRegistery, ServiceHostConsole">
</issuerNameRegistry>
<tokenReplayDetection enabled="false"></tokenReplayDetection>
<audienceUris mode="Always">
<add value="http://blabla"/>
</audienceUris>
</securityTokenHandlerConfiguration> -->
</securityTokenHandlers>
<!-- <issuerTokenResolver type="ServiceHostConsole.CustomTokenResolver, ServiceHostConsole"/> -->
<certificateValidation certificateValidationMode="None" revocationMode="NoCheck">
<certificateValidator type="ServiceHostConsole.CustomX509CertificateValidator, ServiceHostConsole" />
</certificateValidation>
</service>
我真的想覆盖认证验证,就像在此页面上一样:http://msdn.microsoft.com/en-us/library/ms733806.aspx。 但我似乎无法使其工作,没有任何可能的自定义验证击中重写的Validate()函数。
有人至少可以给我一个方向吗?
提前致谢!
此致
Dirco