Fatal编程技术网
  • wcf/
  • 如何在可互操作的WCF服务中验证SAML2.0断言

如何在可互操作的WCF服务中验证SAML2.0断言

wcf

如何在可互操作的WCF服务中验证SAML2.0断言,wcf,interop,saml,wif,Wcf,Interop,Saml,Wif,为了让我的WCF服务验证一个简单的SAML2断言,我花了几天的时间来抓紧时间。我用AxIS2客户端进行测试,但是它也应该支持java、C++等。 我只想对令牌执行一些验证: 1.证书颁发者(来自有效颁发者列表) 2.证书日期 3.受众URL 因此,我应该能够进行自定义证书验证。服务器上不知道该证书,它是SAML断言的一部分。 这是使用的SAML断言: <saml:Assertion Version="2.0" IssueInstant="2011-03-29T09:44:41Z" ID="

为了让我的WCF服务验证一个简单的SAML2断言,我花了几天的时间来抓紧时间。我用AxIS2客户端进行测试,但是它也应该支持java、C++等。 我只想对令牌执行一些验证: 1.证书颁发者(来自有效颁发者列表) 2.证书日期 3.受众URL

因此,我应该能够进行自定义证书验证。服务器上不知道该证书,它是SAML断言的一部分。 这是使用的SAML断言:

<saml:Assertion Version="2.0" IssueInstant="2011-03-29T09:44:41Z" ID="_7d8e48d69047d3c3da278b33b8f13485" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>demo.com</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> 
<ds:Reference URI="#_7d8e48d69047d3c3da278b33b8f13485"> 
<ds:Transforms> 
  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> 
  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">     <ec:InclusiveNamespaces PrefixList="ds saml" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
  </ds:Transform> 
</ds:Transforms> 
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>     <ds:DigestValue>SsVSD3gENtKpZTjJBHNovQVXa4o=</ds:DigestValue> 
</ds:Reference> 
</ds:SignedInfo>  
<ds:SignatureValue>Mn+FNBrlyWz5nDBViB1+jNnwL/QDAtE0uxgNT/fi6O+e2/eeXggsPYPSQYwv+EeC 8h9lcJ5nzVKknrO2Ny4Ob3UsrmH3YQdj0iaCABb0EMC8tFV1M1taD4USLscUhucd hTl2WQEj/rgCtHzratkBXOlmumTUu+ra8P/1Aef0oO0=</ds:SignatureValue> 
<ds:KeyInfo><ds:KeyName>demo.com</ds:KeyName>
<ds:X509Data><ds:X509SubjectName>emailAddress=info@demo.com,CN=demo.com,OU=Development,O=demo,ST=Utrecht,C=NL</ds:X509SubjectName>
<ds:X509Certificate>MI ... mQ= </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
<saml:Subject><saml:NameID SPProvidedID="lipse" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">lipse</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml:Subject>
<saml:Conditions NotOnOrAfter="2011-03-29T09:54:40Z" NotBefore="2011-03-29T09:44:40Z">
<saml:AudienceRestriction><saml:Audience>http://blabla</saml:Audience></saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>
我的装订:

<wsHttpBinding>
    <binding name="_HTTP">
      <security mode="Message">
        <transport clientCredentialType="None" proxyCredentialType="None" />
        <message clientCredentialType="IssuedToken" negotiateServiceCredential="False"
          establishSecurityContext="False"/>
      </security>
    </binding>
</wsHttpBinding>
服务凭据:

<serviceCredentials>
        <issuedTokenAuthentication allowUntrustedRsaIssuers="true" revocationMode="NoCheck" certificateValidationMode="Custom" customCertificateValidatorType="ServiceHostConsole.CustomX509CertificateValidator, ServiceHostConsole">
          <allowedAudienceUris>
            <add allowedAudienceUri="http://blabla"/>
          </allowedAudienceUris>
        </issuedTokenAuthentication>
        <serviceCertificate findValue="e216aeacff5fac720708e5a1966f220cc8b4ce94"
          storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
      </serviceCredentials>


.
但我似乎无法让它工作,所有可能的CustomValidation都没有命中重写的Validate()函数

有人能至少给我一个方向吗

提前谢谢

问候,


Dirco
开箱即用的WIF验证不起作用?表面上看,WIF应该在没有任何定制/扩展的情况下完成所有这些工作。检查WIFSDK示例或Web服务示例


<serviceCredentials>
        <issuedTokenAuthentication allowUntrustedRsaIssuers="true" revocationMode="NoCheck" certificateValidationMode="Custom" customCertificateValidatorType="ServiceHostConsole.CustomX509CertificateValidator, ServiceHostConsole">
          <allowedAudienceUris>
            <add allowedAudienceUri="http://blabla"/>
          </allowedAudienceUris>
        </issuedTokenAuthentication>
        <serviceCertificate findValue="e216aeacff5fac720708e5a1966f220cc8b4ce94"
          storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
      </serviceCredentials>



<microsoft.identityModel>
<service>
  <audienceUris>
    <add value="http://blabla"/>
  </audienceUris>
  <securityTokenHandlers>
    <clear />
    <add type="ServiceHostConsole.myHandler, ServiceHostConsole"></add>
    <!-- <securityTokenHandlerConfiguration saveBootstrapTokens="false">
      <issuerTokenResolver type="ServiceHostConsole.CustomTokenResolver, ServiceHostConsole"/>
      <certificateValidation>
        <certificateValidator type="ServiceHostConsole.CustomX509CertificateValidator, ServiceHostConsole"/>
      </certificateValidation>
      <issuerNameRegistry type="ServiceHostConsole.SimpleIssuerRegistery, ServiceHostConsole">
      </issuerNameRegistry>
      <tokenReplayDetection enabled="false"></tokenReplayDetection>
      <audienceUris mode="Always">
        <add value="http://blabla"/>
      </audienceUris>
    </securityTokenHandlerConfiguration>  -->   
  </securityTokenHandlers>
  <!-- <issuerTokenResolver type="ServiceHostConsole.CustomTokenResolver, ServiceHostConsole"/> -->
  <certificateValidation certificateValidationMode="None" revocationMode="NoCheck">
    <certificateValidator type="ServiceHostConsole.CustomX509CertificateValidator, ServiceHostConsole" />
  </certificateValidation>
</service>