Question

我需要使用自定义数据创建SAML令牌。

MSDN有一个很好看的例子，但它没有编译......

有人有smt阅读有关工作样本的信息吗？

或者只是向Assertion集合添加新声明？我需要在federationmetadata中描述它们吗？我还应该做些什么？很高兴看到任何帮助。

Answer 1

我记得其中一个ACS样本中有一些自定义SAML令牌生成代码。这将是一个很好的起点。您可以下载它here，查找OAuth2CertificateSample，SelfSignedSaml2TokenGenerator.cs。代码如下所示：

/// <summary>
/// Creates a SAML assertion signed with the given certificate.
/// </summary>
public static Saml2SecurityToken GetSamlAssertionSignedWithCertificate(String nameIdentifierClaim, byte[] certificateWithPrivateKeyRawBytes, string password)
{
    string acsUrl = string.Format(CultureInfo.InvariantCulture, "https://{0}.{1}", SamplesConfiguration.ServiceNamespace, SamplesConfiguration.AcsHostUrl);

    Saml2Assertion assertion = new Saml2Assertion(new Saml2NameIdentifier(nameIdentifierClaim));

    Saml2Conditions conditions = new Saml2Conditions();
    conditions.NotBefore = DateTime.UtcNow;
    conditions.NotOnOrAfter = DateTime.MaxValue;
    conditions.AudienceRestrictions.Add(new Saml2AudienceRestriction(new Uri(acsUrl, UriKind.RelativeOrAbsolute)));
    assertion.Conditions = conditions;

    Saml2Subject subject = new Saml2Subject();
    subject.SubjectConfirmations.Add(new Saml2SubjectConfirmation(Saml2Constants.ConfirmationMethods.Bearer));
    subject.NameId = new Saml2NameIdentifier(nameIdentifierClaim);
    assertion.Subject = subject;

    X509SigningCredentials clientSigningCredentials = new X509SigningCredentials(
            new X509Certificate2(certificateWithPrivateKeyRawBytes, password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable));

    assertion.SigningCredentials = clientSigningCredentials;

    return new Saml2SecurityToken(assertion);
}

此外，身份验证过程不要求在联合元数据中描述已发布的声明。在联合元数据中发布的声明只是令牌消费者关于他们应该在发布的令牌中找到什么的提示。

创建自定义SAML令牌

1 个答案: