c# - Implementing ACS with ADFS as the STS

Reposted. Author: 行者123. Updated: 2023-11-30 15:06:27

We are trying to use ACS sample 4 (from http://claimsid.codeplex.com/) as a template for our ADFS project. We have no problems with passive requests to the ADFS authentication service. In that sample the federation provider is a custom STS, and the sample works fine.

Now we want to replace the custom federation provider (the Adatum FP in the sample) with our own ADFS.

Our current setup is as follows (namespaces obscured):

  • ServiceClient: console application that calls the service
  • Service: WCF web service with a single method that returns a string. This is the default [Ordertracking.Services in the sample]
  • Services.Authentication: our custom identity provider. This is the default [Litware.SimulatedIssuer in the sample]
  • ADFS: our federation provider [FederationProvider.Adatum in the sample]

ServiceClient wants to call the service and knows from its configuration that it must first obtain a token from the IP (Services.Authentication). It then passes that token to ADFS, which validates it and sends a new token back to ServiceClient. The client passes the FP token to the service, and the service (as a relying party of ADFS) validates the token against ADFS and executes the service method.

Problem:

Replacing the sample's STS with ADFS seems to break the integration. We appear to get the token back from the IP correctly, but run into a problem when passing the IP token to ADFS. It looks like there is a problem with our audience URI, but we have added

https://'adfs fqdn'/adfs/services/Trust/13/IssuedTokenMixedSymmetricBasic256

Client exception: we get a MessageSecurityException in the client with this InnerException {"ID3242: The security token could not be authenticated or authorized."}

[System.ServiceModel.FaultException]: {"ID3242: The security token could not be authenticated or authorized."}
Data: {System.Collections.ListDictionaryInternal}
HelpLink: null
InnerException: null
Message: "ID3242: The security token could not be authenticated or authorized."
Source: null
StackTrace: null
TargetSite: null

ADFS debug log

<TraceRecord xmlns="http://schemas.microsoft.com/2009/10/IdentityModel/TraceRecord" Severity="Error">
<Description>Handled exception.</Description>
<AppDomain>Microsoft.IdentityServer.ServiceHost.exe</AppDomain>
<Exception>
<ExceptionType>Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35</ExceptionType>
<Message>ID1038: The AudienceRestrictionCondition was not valid because the specified Audience is not present in AudienceUris. Audience: 'https://<adfs fqdn>/adfs/services/Trust/13/IssuedTokenMixedSymmetricBasic256'</Message>
<StackTrace>
at Microsoft.IdentityModel.Tokens.SamlSecurityTokenRequirement.ValidateAudienceRestriction(IList`1 allowedAudienceUris, IList`1 tokenAudiences)
at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateConditions(Saml2Conditions conditions, Boolean enforceAudienceRestriction)
at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityServer.Service.Tokens.MSISSaml2TokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Tokens.WrappedSaml2SecurityTokenAuthenticator.ValidateTokenCore(SecurityToken token)
at System.IdentityModel.Selectors.SecurityTokenAuthenticator.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Tokens.WrappedSamlSecurityTokenAuthenticator.ValidateTokenCore(SecurityToken token)
at System.IdentityModel.Selectors.SecurityTokenAuthenticator.ValidateToken(SecurityToken token)
at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver, IList`1 allowedTokenAuthenticators, SecurityTokenAuthenticator&amp; usedTokenAuthenticator)
at
....
</StackTrace>
</Exception>
</TraceRecord>

We have added the audience URI to the web.config of our IP:

<audienceUris mode="Always">
<add value="https://<adfs fqdn>/adfs/services/Trust/13/IssuedTokenMixedSymmetricBasic256" />
</audienceUris>

If necessary, we can post the other configuration files and screenshots of the ADFS configuration.

Best answer

It took some work, but we finally solved the problem. Instead of configuring it, we set up the connection in code. I think we may have made a mistake somewhere in the client configuration.

Some advice for anyone attempting this: set up the connection in code first. The XML configuration is a bit hard to work with.

We found some sample code on leastprivilege.com

using System.IdentityModel.Tokens;                        // SecurityToken
using System.ServiceModel;                                // EndpointAddress, SecurityMode
using System.ServiceModel.Security;                       // TrustVersion
using Microsoft.IdentityModel.Protocols.WSTrust;          // WSTrustChannelFactory, RequestSecurityToken, WSTrust13Constants, ConfigureChannelFactory
using Microsoft.IdentityModel.Protocols.WSTrust.Bindings; // UserNameWSTrustBinding, IssuedTokenWSTrustBinding

// Step 1: request a token from the identity provider (the simulated issuer), scoped to ADFS.
private static SecurityToken GetIdPToken()
{
    var factory = new WSTrustChannelFactory(
        new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential),
        "https://systemidp.dk/Issuer.svc");
    factory.TrustVersion = TrustVersion.WSTrust13;

    // The simulated issuer does not verify the password; a real IdP would.
    factory.Credentials.UserName.UserName = "LITWARE\\rick";
    factory.Credentials.UserName.Password = "thisPasswordIsNotChecked";

    var rst = new RequestSecurityToken
    {
        RequestType = WSTrust13Constants.RequestTypes.Issue,
        // AppliesTo becomes the Audience of the issued token. Here it is the ADFS
        // federation service identifier, not the WS-Trust endpoint URL that ADFS
        // rejected with ID1038 in the question.
        AppliesTo = new EndpointAddress("https://adfsfqdn/adfs/services/trust"),
        KeyType = WSTrust13Constants.KeyTypes.Symmetric,
        ReplyTo = "https://adfsfqdn/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256/"
    };
    factory.ConfigureChannelFactory();
    var channel = factory.CreateChannel();
    return channel.Issue(rst);
}

// Step 2: present the IdP token to ADFS (the R-STS) and receive a token scoped to the web service.
private static SecurityToken GetRSTSToken(SecurityToken idpToken)
{
    var binding = new IssuedTokenWSTrustBinding();
    binding.SecurityMode = SecurityMode.TransportWithMessageCredential;

    // The mixed/symmetric endpoint accepts the symmetric-key token issued by the IdP.
    var factory = new WSTrustChannelFactory(
        binding,
        "https://adfsfqdn/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256/");
    factory.TrustVersion = TrustVersion.WSTrust13;
    factory.Credentials.SupportInteractive = false;

    var rst = new RequestSecurityToken
    {
        RequestType = WSTrust13Constants.RequestTypes.Issue,
        // This time the audience is the relying party, i.e. the web service.
        AppliesTo = new EndpointAddress("https://services.dk/WebService.svc"),
        KeyType = WSTrust13Constants.KeyTypes.Symmetric
    };

    factory.ConfigureChannelFactory();
    // The IdP token is sent as the client credential of the RST to ADFS.
    var channel = factory.CreateChannelWithIssuedToken(idpToken);
    return channel.Issue(rst);
}

Making the WCF call with the token

// Step 3: chain the two requests and call the service with the ADFS-issued token.
var idpToken = GetIdPToken();
var stsToken = GetRSTSToken(idpToken);
var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
// No secure conversation: each call carries the issued token directly.
binding.Security.Message.EstablishSecurityContext = false;
var factory = new ChannelFactory<IWebService>(binding, "https://services.dk/WebService.svc");

factory.ConfigureChannelFactory();
factory.Credentials.SupportInteractive = false;

// IWebService is the service contract of the WCF service being called.
var serviceChannel = factory.CreateChannelWithIssuedToken(stsToken);

var s = serviceChannel.GetUserInformation();
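Added illustration, not code from the question, the answer or WIF: a small Python model of the check named in the ADFS trace, ValidateAudienceRestriction(allowedAudienceUris, tokenAudiences), applied to a constructed SAML 2.0 assertion so you can see why the endpoint-URL audience from the question fails with an ID1038-style error while the federation service identifier used as AppliesTo in the answer passes. It assumes .NET Uri equality semantics (case-insensitive scheme and host, case-sensitive path, trailing slash significant); the host adfs.example and the assertion skeleton are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def make_assertion(audience):
    # Constructed, minimal assertion: only Conditions/AudienceRestriction matters here.
    return (
        f'<saml2:Assertion xmlns:saml2="{SAML2_NS}" ID="_c1" Version="2.0">'
        "<saml2:Conditions><saml2:AudienceRestriction>"
        f"<saml2:Audience>{audience}</saml2:Audience>"
        "</saml2:AudienceRestriction></saml2:Conditions></saml2:Assertion>"
    )


def token_audiences(assertion_xml):
    """Collect every saml2:Audience value carried by the assertion."""
    root = ET.fromstring(assertion_xml)
    return [a.text.strip() for a in root.iter(f"{{{SAML2_NS}}}Audience") if a.text]


def _normalize(uri):
    # Assumed approximation of .NET Uri equality: scheme and host compare
    # case-insensitively, path and query compare exactly (so a trailing slash matters).
    p = urlsplit(uri.strip())
    return (p.scheme.lower(), p.netloc.lower(), p.path, p.query)


def validate_audience_restriction(allowed_audience_uris, audiences):
    """Return (ok, message). With audienceUris mode="Always" the token must
    carry at least one Audience that equals one configured audience URI."""
    if not audiences:
        return False, "rejected: token carries no AudienceRestriction"
    allowed = {_normalize(u) for u in allowed_audience_uris}
    for aud in audiences:
        if _normalize(aud) in allowed:
            return True, f"accepted: audience {aud}"
    return False, f"ID1038-style rejection: audience not in AudienceUris: {audiences}"


if __name__ == "__main__":
    # What the R-STS (ADFS) treats as its own audience: its federation service identifier.
    allowed = ["https://adfs.example/adfs/services/trust"]
    endpoint_url = "https://adfs.example/adfs/services/Trust/13/IssuedTokenMixedSymmetricBasic256"
    for aud in (endpoint_url, "https://ADFS.EXAMPLE/adfs/services/trust"):
        print(validate_audience_restriction(allowed, token_audiences(make_assertion(aud))))
```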

Regarding c# - Implementing ACS with ADFS as the STS, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/7819473/
