C# 将ACS和ADF作为STS实现
我们正在尝试使用ACS样本4(来自)作为我们ADFS项目的模板。 我们对ADFS认证服务的被动请求没有问题。在这个示例中,联合提供者是一个定制的STS,这个示例运行良好 现在,我们希望用我们自己的ADF替换自定义联合提供程序(示例中的Adatum FP) 我们现在的设置如下(名称空间隐藏)C# 将ACS和ADF作为STS实现,c#,.net,wcf,adfs,acs,C#,.net,Wcf,Adfs,Acs,我们正在尝试使用ACS样本4(来自)作为我们ADFS项目的模板。 我们对ADFS认证服务的被动请求没有问题。在这个示例中,联合提供者是一个定制的STS,这个示例运行良好 现在,我们希望用我们自己的ADF替换自定义联合提供程序(示例中的Adatum FP) 我们现在的设置如下(名称空间隐藏) ServiceClient:控制台应用程序,呼叫服务 服务:WCF Webservice,返回字符串的单个方法。这是默认设置 [示例中的Ordertracking.Services] 身份验证:我们的自定义
- ServiceClient:控制台应用程序,呼叫服务
- 服务:WCF Webservice,返回字符串的单个方法。这是默认设置 [示例中的Ordertracking.Services]
- 身份验证:我们的自定义身份提供程序。这是默认值[示例中的Litware.SimulatedIssuer]
- ADFS:我们的联合提供者[FederationProvider.Adatum in [示例]
<TraceRecord xmlns="http://schemas.microsoft.com/2009/10/IdentityModel/TraceRecord" Severity="Error">
<Description>Handled exception.</Description>
<AppDomain>Microsoft.IdentityServer.ServiceHost.exe</AppDomain>
<Exception>
<ExceptionType>Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35</ExceptionType>
<Message>ID1038: The AudienceRestrictionCondition was not valid because the specified Audience is not present in AudienceUris. Audience: 'https://<adfs fqdn>/adfs/services/Trust/13/IssuedTokenMixedSymmetricBasic256'</Message>
<StackTrace>
at Microsoft.IdentityModel.Tokens.SamlSecurityTokenRequirement.ValidateAudienceRestriction(IList`1 allowedAudienceUris, IList`1 tokenAudiences) at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateConditions(Saml2Conditions conditions, Boolean enforceAudienceRestriction) at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateToken(SecurityToken token) at Microsoft.IdentityServer.Service.Tokens.MSISSaml2TokenHandler.ValidateToken(SecurityToken token) at Microsoft.IdentityModel.Tokens.WrappedSaml2SecurityTokenAuthenticator.ValidateTokenCore(SecurityToken token) at System.IdentityModel.Selectors.SecurityTokenAuthenticator.ValidateToken(SecurityToken token) at Microsoft.IdentityModel.Tokens.WrappedSamlSecurityTokenAuthenticator.ValidateTokenCore(SecurityToken token) at System.IdentityModel.Selectors.SecurityTokenAuthenticator.ValidateToken(SecurityToken token) at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver, IList`1 allowedTokenAuthenticators, SecurityTokenAuthenticator&amp; usedTokenAuthenticator) at
....
</StackTrace>
</Exception>
</TraceRecord>
已处理异常。
Microsoft.IdentityServer.ServiceHost.exe
Microsoft.IdentityModel.Tokens.AudienceEurivalizationFailedException,Microsoft.IdentityModel,版本=3.5.0.0,区域性=中性,PublicKeyToken=31bf3856ad364e35
ID1038:AudienceRestrictionCondition无效,因为AudienceUris中不存在指定的受众。观众:'https:///adfs/services/Trust/13/IssuedTokenMixedSymmetricBasic256'
在Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateConditions(IList`1 allowedAudienceUris,IList`1 TokenAudienceRestriction)的Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateConditions(Saml2条件,布尔强制AudienceRestriction)位于Microsoft.IdentityServer.Service.Tokens.MSISSaml2TokenHandler.ValidateToken(SecurityToken token)的Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateToken(SecurityToken token token)位于Microsoft.IdentityModel.Tokens.WrappedSaml2SecurityTokenAuthenticator.ValidateTokenCore(SecurityToken token token token)在System.IdentityModel.Selectors.SecurityTokenAuthenticator.ValidateToken(SecurityToken token)at Microsoft.IdentityModel.Tokens.WrappedSamlSecurityTokenAuthenticator.ValidateTokenCore(SecurityToken token)at System.IdentityModel.Selectors.SecurityTokenAuthenticator.ValidateToken(SecurityToken token token token)位于System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlReader阅读器、SecurityTokenResolver tokenResolver、IList`1 AllowedTokenAuthenticator、SecurityTokenAuthenticator和usedTokenAuthenticator)处
....
我们已将访问群体uri添加到IP Web.config中:
<audienceUris mode="Always">
<add value="https://<adfs fqdn>/adfs/services/Trust/13/IssuedTokenMixedSymmetricBasic256" />
</audienceUris>
如有必要,我们可以发布额外的配置文件和ADFS配置的屏幕截图 IP上的audienceUri配置看起来不错。我认为ADFS是导致ID3242故障的原因。您能否检查以确保您的IP在ADFS服务器上的Claim Provider Trusts下配置正确
如果您手头有IP的联合元数据,您也可以尝试在ADFS中重新创建它。这需要一些工作,但我们最终解决了问题。我们没有配置它,而是在代码中构建了连接。我想我们可能在客户端配置的某个地方出错了 对任何尝试此方法的人的一些建议-首先在代码中构建连接。XML配置更难使用 我们在leastprivilege.com上找到了一些示例代码
private static SecurityToken GetIdPToken()
{
var factory = new WSTrustChannelFactory(
new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential),
"https://systemidp.dk/Issuer.svc");
factory.TrustVersion = TrustVersion.WSTrust13;
factory.Credentials.UserName.UserName = "LITWARE\\rick";
factory.Credentials.UserName.Password = "thisPasswordIsNotChecked";
var rst = new RequestSecurityToken
{
RequestType = WSTrust13Constants.RequestTypes.Issue,
AppliesTo = new EndpointAddress("https://adfsfqdn/adfs/services/trust"),
KeyType = WSTrust13Constants.KeyTypes.Symmetric,
ReplyTo = "https://adfsfqdn/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256/"
};
factory.ConfigureChannelFactory();
var channel = factory.CreateChannel();
return channel.Issue(rst);
}
private static SecurityToken GetRSTSToken(SecurityToken idpToken)
{
var binding = new IssuedTokenWSTrustBinding();
binding.SecurityMode = SecurityMode.TransportWithMessageCredential;
var factory = new WSTrustChannelFactory(
binding,
"https://adfsfqdn/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256/");
factory.TrustVersion = TrustVersion.WSTrust13;
factory.Credentials.SupportInteractive = false;
var rst = new RequestSecurityToken
{
RequestType = WSTrust13Constants.RequestTypes.Issue,
AppliesTo = new EndpointAddress("https://services.dk/WebService.svc"),
KeyType = WSTrust13Constants.KeyTypes.Symmetric
};
factory.ConfigureChannelFactory();
var channel = factory.CreateChannelWithIssuedToken(idpToken);
return channel.Issue(rst);
}
使用令牌创建WCF调用
var ipdtoken = GetIdPToken();
var stsToken = GetRSTSToken(ipdtoken);
var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
binding.Security.Message.EstablishSecurityContext = false;
var factory = new ChannelFactory<IWebService>(binding, "https://services.dk/WebService.svc");
factory.ConfigureChannelFactory();
factory.Credentials.SupportInteractive = false;
var serviceChannel = factory.CreateChannelWithIssuedToken(stsToken);
var s = serviceChannel.GetUserInformation();
var ipdtoken=GetIdPToken();
var stsToken=GetRSTSToken(ipdtoken);
var binding=新的WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
binding.Security.Message.EstablishSecurityContext=false;
var factory=新的ChannelFactory(绑定)https://services.dk/WebService.svc");
ConfigureChannelFactory();
factory.Credentials.SupportInteractive=false;
var serviceChannel=factory.CreateChannelWithIssuedToken(stsToken);
var s=serviceChannel.GetUserInformation();
对尝试此操作的人的一些建议-首先在代码中构建连接。XML配置更难使用。这是我在整个WIF旅程中找到的最好的建议。
var ipdtoken = GetIdPToken();
var stsToken = GetRSTSToken(ipdtoken);
var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
binding.Security.Message.EstablishSecurityContext = false;
var factory = new ChannelFactory<IWebService>(binding, "https://services.dk/WebService.svc");
factory.ConfigureChannelFactory();
factory.Credentials.SupportInteractive = false;
var serviceChannel = factory.CreateChannelWithIssuedToken(stsToken);
var s = serviceChannel.GetUserInformation();