How to validate a SAML 2.0 assertion in an interoperable WCF service
I have spent a few days struggling to get my WCF service to validate a simple SAML2 assertion. I am testing with an Axis2 client, but it should also work with Java, C++, etc. I only want to perform a few checks on the token:
1. certificate issuer (from a list of valid issuers)
2. certificate dates
3. audience URL
So I should be able to do custom certificate validation. The certificate is not known on the server; it is part of the SAML assertion. This is the SAML assertion used:
<saml:Assertion Version="2.0" IssueInstant="2011-03-29T09:44:41Z" ID="_7d8e48d69047d3c3da278b33b8f13485" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>demo.com</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_7d8e48d69047d3c3da278b33b8f13485">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="ds saml" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>SsVSD3gENtKpZTjJBHNovQVXa4o=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>Mn+FNBrlyWz5nDBViB1+jNnwL/QDAtE0uxgNT/fi6O+e2/eeXggsPYPSQYwv+EeC 8h9lcJ5nzVKknrO2Ny4Ob3UsrmH3YQdj0iaCABb0EMC8tFV1M1taD4USLscUhucd hTl2WQEj/rgCtHzratkBXOlmumTUu+ra8P/1Aef0oO0=</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyName>demo.com</ds:KeyName>
<ds:X509Data>
<ds:X509SubjectName>emailAddress=info@demo.com,CN=demo.com,OU=Development,O=demo,ST=Utrecht,C=NL</ds:X509SubjectName>
<ds:X509Certificate>MI ... mQ= </ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID SPProvidedID="lipse" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">lipse</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
</saml:Subject>
<saml:Conditions NotOnOrAfter="2011-03-29T09:54:40Z" NotBefore="2011-03-29T09:44:40Z">
<saml:AudienceRestriction>
<saml:Audience>http://blabla</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
</saml:Assertion>
My binding:
<wsHttpBinding>
<binding name="_HTTP">
<security mode="Message">
<transport clientCredentialType="None" proxyCredentialType="None" />
<message clientCredentialType="IssuedToken" negotiateServiceCredential="False"
establishSecurityContext="False"/>
</security>
</binding>
</wsHttpBinding>
Service credentials:
<serviceCredentials>
<issuedTokenAuthentication allowUntrustedRsaIssuers="true" revocationMode="NoCheck" certificateValidationMode="Custom" customCertificateValidatorType="ServiceHostConsole.CustomX509CertificateValidator, ServiceHostConsole">
<allowedAudienceUris>
<add allowedAudienceUri="http://blabla"/>
</allowedAudienceUris>
</issuedTokenAuthentication>
<serviceCertificate findValue="e216aeacff5fac720708e5a1966f220cc8b4ce94"
storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
</serviceCredentials>
But I can't seem to get it to work: with every possible CustomValidation setting, the overridden Validate() function is never hit.
Can someone at least point me in a direction?
Thanks in advance
Regards,
Dirco

Doesn't out-of-the-box WIF validation work? On the face of it, WIF should do all of this without any customization/extension. Check the WIF SDK samples or the web service samples.
<serviceCredentials>
<issuedTokenAuthentication allowUntrustedRsaIssuers="true" revocationMode="NoCheck" certificateValidationMode="Custom" customCertificateValidatorType="ServiceHostConsole.CustomX509CertificateValidator, ServiceHostConsole">
<allowedAudienceUris>
<add allowedAudienceUri="http://blabla"/>
</allowedAudienceUris>
</issuedTokenAuthentication>
<serviceCertificate findValue="e216aeacff5fac720708e5a1966f220cc8b4ce94"
storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
</serviceCredentials>
<microsoft.identityModel>
<service>
<audienceUris>
<add value="http://blabla"/>
</audienceUris>
<securityTokenHandlers>
<clear />
<add type="ServiceHostConsole.myHandler, ServiceHostConsole"></add>
<!-- <securityTokenHandlerConfiguration saveBootstrapTokens="false">
<issuerTokenResolver type="ServiceHostConsole.CustomTokenResolver, ServiceHostConsole"/>
<certificateValidation>
<certificateValidator type="ServiceHostConsole.CustomX509CertificateValidator, ServiceHostConsole"/>
</certificateValidation>
<issuerNameRegistry type="ServiceHostConsole.SimpleIssuerRegistery, ServiceHostConsole">
</issuerNameRegistry>
<tokenReplayDetection enabled="false"></tokenReplayDetection>
<audienceUris mode="Always">
<add value="http://blabla"/>
</audienceUris>
</securityTokenHandlerConfiguration> -->
</securityTokenHandlers>
<!-- <issuerTokenResolver type="ServiceHostConsole.CustomTokenResolver, ServiceHostConsole"/> -->
<certificateValidation certificateValidationMode="None" revocationMode="NoCheck">
<certificateValidator type="ServiceHostConsole.CustomX509CertificateValidator, ServiceHostConsole" />
</certificateValidation>
</service>
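A worked example of the two custom types the posted configuration registers (CustomX509CertificateValidator and SimpleIssuerRegistery), written here as an added illustration and not the poster's own code: the validator implements checks 1 and 2 from the question (issuer allow-list pinned by certificate thumbprint, certificate validity dates) and the registry maps the signing certificate to the issuer name WIF puts in the claims, while check 3 (audience) is left to the audienceUris element already in the config. Assumptions: WIF 3.5 (Microsoft.IdentityModel), certificateValidationMode set to Custom so the validator is actually invoked, and a placeholder thumbprint for demo.com's signing certificate, which the page does not give.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;

namespace ServiceHostConsole
{
    // Allow-list: signing-certificate thumbprint -> issuer name WIF will put in the claims.
    // The thumbprint is a placeholder (constructed example); the page does not give demo.com's signing cert.
    internal static class TrustedIssuers
    {
        public static readonly Dictionary<string, string> ByThumbprint =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            {
                { "PLACEHOLDER-THUMBPRINT-OF-DEMO-COM-SIGNING-CERT", "demo.com" }
            };
    }

    // Registered via customCertificateValidatorType / <certificateValidator type=...>.
    // The certificate is not in a local store (it travels inside the assertion), so no chain is built:
    // trust comes only from the thumbprint allow-list plus the validity window.
    public class CustomX509CertificateValidator : X509CertificateValidator
    {
        public override void Validate(X509Certificate2 certificate)
        {
            if (certificate == null) throw new ArgumentNullException("certificate");
            // Check 2: certificate dates, compared in UTC so local-time offsets do not matter.
            DateTime now = DateTime.UtcNow;
            if (now < certificate.NotBefore.ToUniversalTime() || now > certificate.NotAfter.ToUniversalTime())
                throw new System.IdentityModel.Tokens.SecurityTokenValidationException(
                    "Signing certificate is outside its validity period.");
            // Check 1: issuer pinned by thumbprint, not by a subject-name string.
            if (!TrustedIssuers.ByThumbprint.ContainsKey(certificate.Thumbprint))
                throw new System.IdentityModel.Tokens.SecurityTokenValidationException(
                    "Signing certificate " + certificate.Thumbprint + " is not a trusted issuer.");
        }
    }

    // Registered via <issuerNameRegistry type=...>. WIF passes the token that signed the assertion;
    // returning null makes the SAML2 token handler reject the assertion.
    public class SimpleIssuerRegistery : IssuerNameRegistry
    {
        public override string GetIssuerName(System.IdentityModel.Tokens.SecurityToken securityToken)
        {
            var x509 = securityToken as System.IdentityModel.Tokens.X509SecurityToken;
            string name;
            return x509 != null && TrustedIssuers.ByThumbprint.TryGetValue(x509.Certificate.Thumbprint, out name) ? name : null;
        }
    }
}
```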