I am trying to set up a WS2007HttpRelayBinding with the end-to-end security mode set to TransportWithMessageCredential. I am using IssuedToken as the credential type. I obtain the token from ADFS 2.0 before calling the service. In the local WCF trace log I get the following:
Cannot find a token authenticator for the 'Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityToken' token type. Tokens of that type cannot be accepted according to current security settings.
Update:
This is how I configure the service host:
ServiceConfiguration serviceConfiguration = new ServiceConfiguration();
// Certificate (with private key) that WCF uses to decrypt the issued token.
serviceConfiguration.ServiceCertificate = GetServiceCertificateWithPrivateKey();
// Skips chain validation of the issuer's signing certificate.
serviceConfiguration.CertificateValidationMode = X509CertificateValidationMode.None;
serviceConfiguration.IssuerNameRegistry = new X509IssuerNameRegistry("localhost");
serviceConfiguration.SaveBootstrapTokens = true;
// Register the handler for SAML 2.0 tokens.
serviceConfiguration.SecurityTokenHandlers.AddOrReplace(new Saml2SecurityTokenHandler());
// Only tokens issued for this audience URI are accepted.
serviceConfiguration.SecurityTokenHandlers.Configuration.AudienceRestriction.AllowedAudienceUris.Add(new Uri("https://mynamespace.servicebus.windows.net/Service1/"));
// Must be called after all other WCF settings are applied to the host.
FederatedServiceCredentials.ConfigureServiceHost(host, serviceConfiguration);
host.Open();
Can you verify that Microsoft.IdentityModel.Tokens.Saml2SecurityTokenHandler has been added under <securityTokenHandlers>?
<securityTokenHandlers>
<add type="Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler" />
</securityTokenHandlers>
Edit: also make sure to verify the certificate configuration.
Edit: perhaps this will also help: MSDN WCF forum
The binding's security element was set up to look for a SAML 1.1 token. After constructing the CustomBinding element, I added the following code on the server:
// The issued token is the first endorsing supporting token of the transport security element.
IssuedSecurityTokenParameters issuedTokenParameters =
    myBinding.Elements.Find<TransportSecurityBindingElement>()
        .EndpointSupportingTokenParameters.Endorsing[0] as IssuedSecurityTokenParameters;
// Expect a SAML 2.0 token (as issued by ADFS 2.0) instead of the default SAML 1.1.
issuedTokenParameters.TokenType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
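The fix above indexes Endorsing[0] and casts with `as`, which throws a NullReferenceException on the next line if the binding was not built with ClientCredentialType = IssuedToken. The following is an added example (not code from the question or the answer) that builds the relay binding described in the question, converts it to a CustomBinding and rewrites the issued-token type to SAML 2.0 with explicit checks; it assumes the Microsoft.ServiceBus assembly (WS2007HttpRelayBinding, EndToEndSecurityMode) is referenced.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security.Tokens;
using Microsoft.ServiceBus;

// Added example, not code from the original question or answers.
public static class Saml2RelayBinding
{
    public const string Saml11TokenType =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
    public const string Saml20TokenType =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";

    // Builds the binding from the question and switches it to expect SAML 2.0 tokens.
    public static CustomBinding Create()
    {
        var relay = new WS2007HttpRelayBinding();
        relay.Security.Mode = EndToEndSecurityMode.TransportWithMessageCredential;
        relay.Security.Message.ClientCredentialType = MessageCredentialType.IssuedToken;

        // CustomBinding exposes the individual binding elements for editing.
        var custom = new CustomBinding(relay);
        return WithSaml2IssuedToken(custom);
    }

    // Rewrites every IssuedSecurityTokenParameters among the endorsing supporting tokens.
    // Fails loudly when the binding carries no issued-token parameters, instead of
    // silently leaving SAML 1.1 in place or crashing on a null cast.
    public static CustomBinding WithSaml2IssuedToken(CustomBinding binding)
    {
        var transportSecurity = binding.Elements.Find<TransportSecurityBindingElement>();
        if (transportSecurity == null)
            throw new InvalidOperationException(
                "No TransportSecurityBindingElement: Security.Mode is not TransportWithMessageCredential.");

        int patched = 0;
        foreach (SecurityTokenParameters parameters in
                 transportSecurity.EndpointSupportingTokenParameters.Endorsing)
        {
            var issued = parameters as IssuedSecurityTokenParameters;
            if (issued == null)
                continue;

            if (issued.TokenType != Saml20TokenType)
            {
                // Typically SAML 1.1 (or unset) at this point; log the change for the trace.
                Console.WriteLine("Replacing issued token type '{0}' with SAML 2.0.", issued.TokenType);
                issued.TokenType = Saml20TokenType;
            }
            patched++;
        }

        if (patched == 0)
            throw new InvalidOperationException(
                "No IssuedSecurityTokenParameters found: ClientCredentialType is not IssuedToken.");

        return binding;
    }
}
```

Call `Saml2RelayBinding.Create()` where the original code constructed `myBinding`, and use the returned CustomBinding for the service endpoint. Changing the token type on the binding only tells WCF which token to expect in the message; the matching Saml2SecurityTokenHandler must still be registered on the host, otherwise the "Cannot find a token authenticator" trace entry remains.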
Alexey's answer works well for modifying web.config/app.config. In addition, you can also configure the token handlers in code (the example is taken from the article How to: Authenticate with a Username and Password to a WCF Service Protected by ACS on learn.microsoft.com):
//
// This must be called after all WCF settings are set on the service host so the
// Windows Identity Foundation token handlers can pick up the relevant settings.
//
ServiceConfiguration serviceConfiguration = new ServiceConfiguration();
serviceConfiguration.CertificateValidationMode = X509CertificateValidationMode.None;
// Accept ACS signing certificate as Issuer.
serviceConfiguration.IssuerNameRegistry = new X509IssuerNameRegistry( GetAcsSigningCertificate().SubjectName.Name );
// Add the SAML 2.0 token handler.
serviceConfiguration.SecurityTokenHandlers.AddOrReplace( new Saml2SecurityTokenHandler() );
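Both code samples on this page use CertificateValidationMode.None and a custom X509IssuerNameRegistry keyed on a subject name. The following added example (not the answer's code and not the MSDN sample's) puts the same ServiceConfiguration together with WIF's built-in ConfigurationBasedIssuerNameRegistry, which pins the ADFS signing certificate by thumbprint, and with the audience restriction from the question enforced unconditionally. The thumbprint and audience values are constructed placeholders; the namespaces for AudienceUriMode and the WIF 3.5 types are assumed.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Tokens.Saml2;

// Added example, not code from the original answers or the MSDN article.
public static class Saml2ServiceHostConfigurator
{
    // Constructed placeholders: replace with the ADFS token-signing certificate
    // thumbprint and the relay address the token is issued for.
    public const string PlaceholderAdfsThumbprint = "0000000000000000000000000000000000000000";
    public static readonly Uri PlaceholderAudience =
        new Uri("https://mynamespace.servicebus.windows.net/Service1/");

    public static ServiceConfiguration Build(
        X509Certificate2 serviceCertificateWithPrivateKey,
        string adfsSigningThumbprint,
        Uri audience,
        bool production)
    {
        if (serviceCertificateWithPrivateKey == null || !serviceCertificateWithPrivateKey.HasPrivateKey)
            throw new ArgumentException(
                "The service certificate needs a private key; WCF uses it to decrypt the issued token.");

        var config = new ServiceConfiguration();

        // The relying-party certificate registered in ADFS for this service.
        config.ServiceCertificate = serviceCertificateWithPrivateKey;

        // None (as in the question) skips chain building for the issuer's signing
        // certificate; keep it for a dev ADFS only and require ChainTrust elsewhere.
        config.CertificateValidationMode = production
            ? X509CertificateValidationMode.ChainTrust
            : X509CertificateValidationMode.None;

        // Trust exactly one signing certificate: a token signed by anything else is
        // rejected before its claims are read.
        var issuers = new ConfigurationBasedIssuerNameRegistry();
        issuers.AddTrustedIssuer(adfsSigningThumbprint, "ADFS");
        config.IssuerNameRegistry = issuers;

        // Always check the audience so a token issued for another relying party
        // cannot be presented to this service.
        var restriction = config.SecurityTokenHandlers.Configuration.AudienceRestriction;
        restriction.AudienceMode = AudienceUriMode.Always;
        restriction.AllowedAudienceUris.Add(audience);

        // The handler whose absence produces the "Cannot find a token authenticator" trace.
        config.SecurityTokenHandlers.AddOrReplace(new Saml2SecurityTokenHandler());

        // Keep the incoming token on the principal only if the service delegates it onward.
        config.SaveBootstrapTokens = false;

        return config;
    }

    public static void Apply(ServiceHost host, ServiceConfiguration config)
    {
        // Must run after every other WCF setting on the host and before Open(),
        // so the WIF token handlers pick up the binding and credential settings.
        FederatedServiceCredentials.ConfigureServiceHost(host, config);
        host.Open();
    }
}
```

The registry lookup happens before signature verification completes, so an unknown thumbprint fails fast with a clear WIF exception rather than a generic "cannot accept token" entry; when chasing the trace message from the question, that distinction tells you whether the handler or the issuer trust is the problem.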