我尝试以下内容:
- WCF客户端调用STS并获取SAML主张
- 客户使用SAML主张调用服务
现在,我已将上述方案实现为三个LINQPAD脚本:client.linq,sts.linq(自托管WCF服务)和service.linq(自托管WCF服务)。它们都可以在https://github.com/codeape2/wcf_sts
我需要一些帮助才能工作。
使用client.linq中的以下代码,我可以致电我的STS并获得SAML断言:
SecurityToken GetToken()
{
var binding = new BasicHttpBinding();
var factory = new WSTrustChannelFactory(binding, stsAddress);
factory.TrustVersion = TrustVersion.WSTrustFeb2005;
var rst = new RequestSecurityToken
{
RequestType = RequestTypes.Issue,
KeyType = KeyTypes.Symmetric,
AppliesTo = new EndpointReference(serviceAddress)
};
return factory.CreateChannel().Issue(rst);
}
下一步,我使用以下代码(尝试)使用SAML断言来调用我的服务:
var binding = new WSFederationHttpBinding(WSFederationHttpSecurityMode.Message);
binding.Security.Message.EstablishSecurityContext = false;
var factory = new ChannelFactory<ICrossGatewayQueryITI38>(
binding,
new EndpointAddress(new Uri(serviceAddress), new DnsEndpointIdentity("LocalSTS"))
);
factory.Credentials.SupportInteractive = false;
factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
X509CertificateValidationMode.None;
var proxy = factory.CreateChannelWithIssuedToken(token);
var response = proxy.CrossGatewayQuery(
Message.CreateMessage(MessageVersion.Soap12WSAddressing10, "urn:ihe:iti:2007:CrossGatewayQuery", "Hello world")
);
接下来会发生什么,我完全不明白。运行脚本时,我有提琴手在运行,这就是我看到的:
- 第一个请求
/STS(如预期) proxy.CrossGatewayQuery导致三个呼叫/Service:2.1。带有动作
的肥皂调用http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue2.2。带有动作
的肥皂调用http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue2.3。带有操作
urn:ihe:iti:2007:CrossGatewayQuery的最终肥皂调用。使用提琴手,我注意到肥皂安全标头包括第一步的SAML主张。
最终呼叫导致服务中的SOAP故障:无法验证消息中的至少一个安全令牌。保存的提琴手请求/响应日志在这里:https://drive.google.com/file/d/0b-uzllvbjjb2s050txrhveo2vmc/view?usp = sharing
如果有人可以启发我关于以下情况的启发,我将非常感谢:
- 为什么WCF客户端将
RST/Issue和RSTS/Issue请求发送到/Service(上面的步骤2.1和2.2)? - 我该如何配置这些零件以完成我想做的事情,即将一个请求发送到STS,然后将一个请求发送到服务,并通过我从STS获得的SAML断言。
第一个问题是对服务凭据进行谈判。
这种变化得到了解决:
binding.Security.Message.NegotiateServiceCredential = false
然后该服务必须启用WIF配置:
host.Credentials.UseIdentityConfiguration = true;
host.Credentials.IdentityConfiguration = CreateIdentityConfig();
IdentityConfiguration CreateIdentityConfig()
{
IdentityConfiguration identityConfig = new IdentityConfiguration(false);
//AUDIENCE URI
//the token we receive contains this value, so if do not match we fail
identityConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri($"http://{Environment.MachineName}:8000/Service"));
//ISSUER NAME REGISTRY explicit the thumbprint of the accepted certificates, if the token coming in is not signed with any of these certificates then is considered invalid
var issuerNameRegistry = new ConfigurationBasedIssuerNameRegistry();
issuerNameRegistry.AddTrustedIssuer("81 5b 06 b2 7f 5b 26 30 47 3b 8a b9 56 bb 9f 9f 8c 36 20 76", "signing certificate sts"); //STS signing certificate thumbprint
identityConfig.IssuerNameRegistry = issuerNameRegistry;
identityConfig.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.None;
return identityConfig;
}
还有其他更改,GitHub Repo已更新了在master分支中起作用的代码。
感谢MS支持,他带我解决了这个问题。