问题:
SAML2使用Thinkturi和WCF
宰父深
我正在使用Thinkt的标识服务器和WCF服务设置一个SAML2 STS。这个想法是让Thinktuck提供然后在WCF服务中使用的断言。
现在,我让它在SAML 11断言中运行得很好-urn: oasis:名称: tc: SAML: 1.0:断言
断言是这样的:
<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_4e06770b-7fa0-425f-a4f3-263710f135d7" Issuer="https://localhost:123" IssueInstant="2014-01-18T16:16:38.099Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
- <saml:Conditions NotBefore="2014-01-18T16:16:37.662Z" NotOnOrAfter="2014-01-18T16:26:37.662Z">
- <saml:AudienceRestrictionCondition>
<saml:Audience>https://localhost:44300/</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
- <saml:AttributeStatement>
- <saml:Subject>
- <saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>...
现在,要求是使用SAML2,而不是以前的版本。因此,在Thinktree中更改Token类型很简单,新的Assertion生成很好,并且被客户端选中也很好。
新的SAML2断言:
<Assertion ID="_f9c48402-857a-4cc3-8525-1af307ef3a01" IssueInstant="2014-01-18T16:32:18.038Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>https://localhost:123</Issuer>
- <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
- <SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
- <Reference URI="#_f9c48402-857a-4cc3-8525-1af307ef3a01">
- <Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>Nib1Bs9jy13unYShm08EcncqFsOS5IwVuWQ4tGoe4Pg=</DigestValue>
</Reference>
</SignedInfo> ...
但是当我们尝试通过传递新的asertion来消耗WCF时,我们会得到异常:
- XmlException:无法从值类型为“”的BinarySecretSecurityToken的“urn:oasis:names:tc:SAML:2.0:Assertion”命名空间的“断言”元素中读取令牌。如果预期此元素有效,请确保将安全性配置为使用指定名称、命名空间和值类型的令牌
以下是WCF网站的摘录:
...
<services>
<service name="testsys.RFD.FormManager.RFDFormManagerService" behaviorConfiguration="testsys.RFD.FormManagerBehavior">
<endpoint address="" binding="ws2007FederationHttpBinding" bindingConfiguration="ws2007FederationHttpBinding" contract="FormManager_PortType" />
</service>
</services>
<protocolMapping>
<!--<add scheme="http" binding="ws2007FederationHttpBinding" />
<add scheme="http" binding="ws2007FederationHttpBinding" />-->
<add binding="ws2007FederationHttpBinding" scheme="https" />
<add binding="wsHttpBinding" scheme="https" />
</protocolMapping>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding_ILoggerService" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288" maxBufferSize="65536" maxReceivedMessageSize="65536" textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="true" messageEncoding="Text">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="None">
<transport clientCredentialType="None" proxyCredentialType="None" realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
</binding>
</basicHttpBinding>
<ws2007FederationHttpBinding>
<binding name="ws2007FederationHttpBinding">
<security mode="TransportWithMessageCredential">
<message establishSecurityContext="false" issuedKeyType="BearerKey">
<!-- issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"-->
<issuerMetadata address="https://localhost:123/adfs/services/trust/mex" />
</message>
</security>
</binding>
<binding name="">
<security mode="TransportWithMessageCredential">
<message>
<issuerMetadata address="https://localhost:123/adfs/services/trust/mex" />
</message>
</security>
</binding>
</ws2007FederationHttpBinding>
<wsHttpBinding>
<binding name="RFD_Binding_HTTP" closeTimeout="00:10:00" openTimeout="00:10:00" receiveTimeout="00:10:00" sendTimeout="00:10:00" bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
<reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
<security mode="None">
<transport clientCredentialType="None" proxyCredentialType="None">
<extendedProtectionPolicy policyEnforcement="Never" />
</transport>
<message negotiateServiceCredential="false" establishSecurityContext="false" />
</security>
</binding>
<binding name="wsHttpBinding_IRFDFormManager" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
<binding name="HttpBinding_IRFDFormManager" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647">
<security mode="None" />
</binding>
<binding name="WSHttpBinding_IRESTFormManager">
<security mode="None" />
</binding>
</wsHttpBinding>
...
<behavior name="testsys.RFD.FormManagerBehavior">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" httpsGetUrl="https://localhost:44300/RFDFormManager.svc" />
<serviceDebug includeExceptionDetailInFaults="true" />
<useRequestHeadersForMetadataAddress />
<serviceCredentials>
<serviceCertificate findValue="65A34BC197C2E1334D971613521D53D3B5B807FF" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
<issuedTokenAuthentication certificateValidationMode="None">
<!-- The X.509 certificate CN=localhost chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider -->
<allowedAudienceUris>
<add allowedAudienceUri="https://localhost:44300/" />
</allowedAudienceUris>
</issuedTokenAuthentication>
<clientCertificate>
<authentication certificateValidationMode="None" />
</clientCertificate>
</serviceCredentials>
<serviceAuthorization principalPermissionMode="Always" />
<serviceSecurityAudit auditLogLocation="Application" suppressAuditFailure="true" serviceAuthorizationAuditLevel="Failure" messageAuthenticationAuditLevel="Failure" />
</behavior>
...
<system.identityModel>
<identityConfiguration saveBootstrapContext="true">
<securityTokenHandlers>
<add type="System.IdentityModel.Tokens.Saml2SecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
</securityTokenHandlers>
<audienceUris>
<!-- <add value="https://localhost:44300/" />-->
<add value="https://localhost:44300/" />
</audienceUris>
<!--Commented by Identity and Access VS Package-->
<!--<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry"><authority name="https://localhost:123"><keys><add thumbprint="7C399B2EA330F507902C81280E77407242FF6916" /></keys><validIssuers><add name="https://localhost:123" /></validIssuers></authority></issuerNameRegistry>-->
<!--certificationValidationMode set to "None" by the the Identity and Access Tool for Visual Studio. For development purposes.-->
<!--<certificateValidation certificateValidationMode="None" />-->
<issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<trustedIssuers>
<!--<add thumbprint="7C399B2EA330F507902C81280E77407242FF6916" name="https://localhost:123" />-->
<add thumbprint="65A34BC197C2E1334D971613521D53D3B5B807FF" name="https://localhost:123" />
<add thumbprint="15abb1aef64def860ca543f54fc8dee222d49b86" name="https://localhost:123" />
</trustedIssuers>
</issuerNameRegistry>
<!--certificationValidationMode set to "None" by the the Identity and Access Tool for Visual Studio. For development purposes.-->
<certificateValidation certificateValidationMode="None" revocationMode="NoCheck" />
<!--revocationMode="NoCheck" should not be used to prod.-->
</identityConfiguration>
</system.identityModel>
<system.identityModel.services>
<federationConfiguration>
<cookieHandler requireSsl="true" />
<!--<wsFederation passiveRedirectEnabled="true" issuer="https://localhost:123/issue/wsfed" realm="https://localhost:44300" reply="https://localhost:44300" requireHttps="false" />-->
<wsFederation passiveRedirectEnabled="true" issuer="https://localhost:123/issue/wsfed" realm="https://localhost:44300/" reply="https://localhost:44300/" requireHttps="true" />
</federationConfiguration>
</system.identityModel.services>
...
那么我们做错了什么?
共有1个答案
卫开济
我不想麻烦去检查你的WCF配置——特别是因为它的大部分与问题无关。
您不需要在WCF做任何“特殊”的事情就可以使用SAML2令牌——遵循这个简单的示例——然后重新集成到您的应用程序中:
http://least privilege . com/2012/11/16/wcf-and-identity-in-net-4-5-external-authentic ation-with-ws-trust/
类似资料:
-
我正在寻找使用SAML2令牌的单点登录(SSO),我必须使用ADF。我不能用WIF。 为了理解SSO、SAML2和ADFS,我在Google上搜索了很多,现在我有一些疑问,但我没有得到。 场景:应用程序asp.netMVC应用程序1。App-A(Windows身份验证):托管并使用ADFS。2. APP-B(表单身份验证):使用存储在DB中的UID和PWD对用户进行身份验证。 我是否需要一个中间应
-
我在试图理解如何完成这项任务时遇到了一些问题: 1)现有的带有数据库身份验证的简单webapp。(简单的自定义代码) 2)将简单的webapp转换为使用SAML2身份验证的外部IDP(例如google apps(?)) 我相信条款是把我的webapp变成SAML2的服务提供商(SP ),向IDP注册我的SP。 但我一开始就卡住了,我希望包括apache shiro,或Spring Security
-
我们正在尝试将我们的应用程序升级到spring boot 2.0,在升级过程中,我们遇到了错误java。lang.ClassCastException:org。opensaml。果心xml。模式。impl。XSAnyBuilder无法强制转换为组织。opensaml。xml。XMLObjectBuilder。经过大量研究,我们发现,我们遇到了麻烦,因为我们在类路径(2和3)中有两个opensaml
-
我试图使用Spring Security(5.3.3. RELEASE)在Spring Boot应用程序中处理SAML2身份验证。Spring Boot应用程序是SP,谷歌办公套件将是IDP。 在我的Mavenpom.xml文件中,我有: 在我的代码中,我有: 问题是,我需要一个签名密钥,但行抛出一个异常,因为您必须将一个传递到该构造函数中,以便将其用于类型。但是,如果我使用该凭据进行验证,应用程
-
我正在努力实现一个登录功能,以在Spring Boot中保护REST API,我正在努力让用户名/密码JWT身份验证和SAML2身份验证同时工作。我最优先考虑的配置是不管发生什么都能工作的配置。目标是将SAML提供程序用作具有内部身份验证流的服务的替代身份提供程序,然后向用户授予JWT,无论他们使用SAML还是应用程序的登录名。 我将遵循SAML的这个示例,并构建了一个用户名/密码JWT授权,该授
-
我正在努力使我的Spring Boot(v.2.0.1)应用程序与SSO提供程序一起工作。当我尝试点击登录页面时,我得到以下错误: 在此过程中,某些entityID丢失并创建了这些错误。我似乎无法追踪这是怎么发生的。