How to authenticate requests from a C# application to a WIF-enabled ASP.NET Web API application using a SAML assertion
I have set up Thinktecture IdentityServer as the STS, created a Web API project, used the "Identity and Access" tool in Visual Studio and pointed it at my federation metadata to enable federated authentication with WIF. This is what the relevant part of web.config looks like:
<system.identityModel>
<identityConfiguration saveBootstrapContext="true">
<audienceUris>
<add value="http://localhost:41740/" />
</audienceUris>
<securityTokenHandlers>
<add type="System.IdentityModel.Tokens.SamlSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
<add type="System.IdentityModel.Tokens.Saml2SecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
</securityTokenHandlers>
<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
<authority name="http://auth.myserver.com/samples">
<keys>
<add thumbprint="F89C10B505E015774D02E323DEDA32878F794028" />
</keys>
<validIssuers>
<add name="http://auth.myserver.com/samples" />
</validIssuers>
</authority>
</issuerNameRegistry>
<!--certificationValidationMode set to "None" by the Identity and Access Tool for Visual Studio. For development purposes.-->
<certificateValidation certificateValidationMode="None" />
</identityConfiguration>
</system.identityModel>
<system.identityModel.services>
<federationConfiguration>
<cookieHandler requireSsl="false" />
<wsFederation passiveRedirectEnabled="true" issuer="https://10.40.40.68/issue/wsfed" realm="http://localhost:41740/" requireHttps="false" />
</federationConfiguration>
</system.identityModel.services>
Here, AuthenticationHeader is the SAML assertion I received from the server.
The problem is that the Web API does nothing with the SAML assertion; it is as if it does not see it at all, and all I get back is a redirect to the STS.
What am I doing wrong? How can I authenticate and call the protected Web API method from other code, without having to switch to JWT or similar?
Thanks in advance for your help.
--Update
As @Brock suggested, I have added the following to my WebApiConfig.cs:
public static void Register(HttpConfiguration config)
{
    // Cross Origin Resource Sharing
    //CorsConfig.RegisterCors(GlobalConfiguration.Configuration);
    CorsConfig.RegisterCors(config);
    //CorsConfiguration corsConfig = new CorsConfiguration();
    //corsConfig.AllowAll();
    //var corsHandler = new CorsMessageHandler(corsConfig, config);
    //config.MessageHandlers.Add(corsHandler);

    // authentication configuration for identity controller
    var authentication = CreateAuthenticationConfiguration();
    config.MessageHandlers.Add(new AuthenticationHandler(authentication));

    // ASP.Net web api uses NewtonSoft Json.net natively,
    // the following line forces the web api to use the xml serializer instead of data contract serializer
    config.Formatters.XmlFormatter.UseXmlSerializer = true;

    log.Debug("Registering Web API Routes");
    // register api routes
}

private static AuthenticationConfiguration CreateAuthenticationConfiguration()
{
    var authentication = new AuthenticationConfiguration
    {
        ClaimsAuthenticationManager = new ClaimsTransformer(),
        RequireSsl = false,
        EnableSessionToken = true
    };

    #region IdentityServer SAML
    authentication.AddSaml2(
        issuerThumbprint: "F89C10B505E015774D02E323DEDA32878F794028",
        issuerName: "https://10.40.40.68/issue/wsfed",
        audienceUri: "http://localhost:41740/", //Constants.Realm,
        certificateValidator: System.IdentityModel.Selectors.X509CertificateValidator.None,
        options: AuthenticationOptions.ForAuthorizationHeader("SAML"),
        scheme: AuthenticationScheme.SchemeOnly("SAML"));
    #endregion

    #region Client Certificates
    authentication.AddClientCertificate(ClientCertificateMode.ChainValidation);
    #endregion

    return authentication;
}
But I still get a 302 response. This is how I make the request:
ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;

var factory = new WSTrustChannelFactory(
    new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential),
    "https://10.40.40.68/issue/wstrust/mixed/username");
factory.TrustVersion = TrustVersion.WSTrust13;
factory.Credentials.UserName.UserName = "myusername";
factory.Credentials.UserName.Password = "password";

var rst = new RequestSecurityToken
{
    RequestType = RequestTypes.Issue,
    KeyType = KeyTypes.Bearer,
    TokenType = Thinktecture.IdentityModel.Constants.TokenTypes.Saml2TokenProfile11,
    AppliesTo = new EndpointReference("http://localhost:41740/")
};

var token = factory.CreateChannel().Issue(rst) as System.IdentityModel.Tokens.GenericXmlSecurityToken;
string myToken = token.TokenXml.OuterXml;

HttpClient client = new HttpClient(new HttpClientHandler
{
    ClientCertificateOptions = ClientCertificateOption.Automatic,
    AllowAutoRedirect = false
});
client.SetToken("SAML", myToken);
//client.SetBearerToken(myToken);

var resp = client.GetAsync("http://localhost:41740/api/clients", HttpCompletionOption.ResponseContentRead).Result;
Assert.IsTrue(resp.IsSuccessStatusCode);
Web API v1 has no pipeline that automatically looks for tokens in the request. Thinktecture IdentityModel provides this missing piece in its Web API authentication message handler. Look at the samples in the samples folder (in particular the AuthenticationConfiguration class and the AddSaml2 API).
Thanks a lot for your help, Brock. I added the Saml2 AuthenticationHandler as you explained, but got nothing. Do you know anything else I could try? I compared the assertion I get from the STS with the one the STS sends to the RP in the wresult POST field in the "normal" login scenario; apart from the timestamps, digestValue, SignatureValue and so on, the rest is roughly the same. I also removed the token handlers I had added to web.config, but still cannot get anything.

I finally solved it. The problem was that WSFederationAuthenticationModule and SessionAuthenticationModule were redirecting the request before the Thinktecture IdentityModel AuthenticationHandler got to see it. To fix this, I chose "Generate a controller in my project to handle authentication..." in the Identity and Access wizard, which sets the authentication mode to Forms and removes the authorization/deny users="?" attribute from web.config. This redirects all unauthenticated calls to another controller, but also gives the other handlers a chance to process the request and authenticate it where necessary.
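To make visible what the AddSaml2 registration above is checking, here is an added example (not code from the question, the answer or Thinktecture IdentityModel) of a minimal Web API v1 DelegatingHandler that validates the assertion from an "Authorization: SAML <xml>" header with WIF's Saml2SecurityTokenHandler and answers 401 instead of a 302. The class name SamlAuthorizationHeaderHandler is mine; the audience, issuer name and thumbprint in the registration comment are the values from the question's web.config, and, as the resolution notes, such a handler only runs once the passive WS-Federation module is no longer redirecting the request.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using System.Xml;

// Register in WebApiConfig.Register: config.MessageHandlers.Add(new SamlAuthorizationHeaderHandler(
//     "http://localhost:41740/", "http://auth.myserver.com/samples", "F89C10B505E015774D02E323DEDA32878F794028"));
public class SamlAuthorizationHeaderHandler : DelegatingHandler
{
    private readonly Saml2SecurityTokenHandler _tokenHandler;
    public SamlAuthorizationHeaderHandler(string audienceUri, string issuerName, string issuerThumbprint)
    {
        // Only assertions signed with the registered STS certificate map to a trusted issuer name.
        var issuers = new ConfigurationBasedIssuerNameRegistry();
        issuers.AddTrustedIssuer(issuerThumbprint, issuerName);
        var config = new SecurityTokenHandlerConfiguration { IssuerNameRegistry = issuers };
        // An assertion issued for a different relying party fails the audience check.
        config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(audienceUri));
        // Same dev-only setting as the question; use ChainTrust or PeerTrust in production.
        config.CertificateValidator = X509CertificateValidator.None;
        _tokenHandler = new Saml2SecurityTokenHandler { Configuration = config };
    }
    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        var auth = request.Headers.Authorization;
        // No "Authorization: SAML ..." header: pass through, so [Authorize] on the controller still decides.
        if (auth == null || auth.Scheme != "SAML" || string.IsNullOrEmpty(auth.Parameter))
            return await base.SendAsync(request, ct);
        try
        {
            // ValidateToken checks the XML signature, issuer, audience and NotBefore/NotOnOrAfter.
            var token = _tokenHandler.ReadToken(XmlReader.Create(new StringReader(auth.Parameter)));
            var principal = new ClaimsPrincipal(_tokenHandler.ValidateToken(token));
            Thread.CurrentPrincipal = principal;
            if (System.Web.HttpContext.Current != null) System.Web.HttpContext.Current.User = principal;
        }
        catch (Exception) // XmlException for malformed XML, SecurityTokenException for a failed check
        {
            // Invalid or expired assertion: answer 401 here, never a redirect to the STS.
            return request.CreateResponse(HttpStatusCode.Unauthorized);
        }
        return await base.SendAsync(request, ct);
    }
}
```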