Wcf MessageSecurityException与ACS颁发的令牌和WIF
我使用ACS/服务身份作为临时STS,同时将事情安排妥当。不幸的是,虽然我似乎能够从ACS获得SAML 1.1代币罚款,但当我尝试将其传递到我的WCF服务时,事情就变得疯狂了。据我所知,令牌没有过期(它正在被迅速使用),我不确定它怎么会无效,而且我在日志记录方面所做的任何工作都没有向我显示出任何可能出错的细节。我很想把责任归咎于绑定,因为我以前从未做过正式的WCF/WIF绑定。是否有人看到我使用的客户机/服务器绑定有任何错误(客户机是通过服务引用生成的),或者建议其他调查途径 顺便说一句,服务器和客户端都在同一台开发机器上运行 Web.config:Wcf MessageSecurityException与ACS颁发的令牌和WIF,wcf,wif,Wcf,Wif,我使用ACS/服务身份作为临时STS,同时将事情安排妥当。不幸的是,虽然我似乎能够从ACS获得SAML 1.1代币罚款,但当我尝试将其传递到我的WCF服务时,事情就变得疯狂了。据我所知,令牌没有过期(它正在被迅速使用),我不确定它怎么会无效,而且我在日志记录方面所做的任何工作都没有向我显示出任何可能出错的细节。我很想把责任归咎于绑定,因为我以前从未做过正式的WCF/WIF绑定。是否有人看到我使用的客户机/服务器绑定有任何错误(客户机是通过服务引用生成的),或者建议其他调查途径 顺便说一句,服务器
<configuration>
<configSections>
<section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
</configSections>
<appSettings>
<add key="aspnet:UseTaskFriendlySynchronizationContext" value="true" />
<add key="ida:FederationMetadataLocation" value="--omitted--" />
<add key="ida:ProviderSelection" value="productionSTS" />
</appSettings>
<location path="FederationMetadata">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<system.web>
<compilation debug="true" targetFramework="4.5">
<assemblies>
<add assembly="System.Data.Entity, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
</assemblies>
</compilation>
<httpRuntime targetFramework="4.5" />
</system.web>
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior>
<!-- To avoid disclosing metadata information, set the values below to false before deployment -->
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="false" />
<serviceCredentials useIdentityConfiguration="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<protocolMapping>
<add scheme="https" binding="ws2007FederationHttpBinding" />
</protocolMapping>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
<bindings>
<ws2007FederationHttpBinding>
<binding name="">
<security mode="TransportWithMessageCredential">
<message issuedKeyType="BearerKey" issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"/>
</security>
</binding>
</ws2007FederationHttpBinding>
</bindings>
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
<!--
To browse web app root directory during debugging, set the value below to true.
Set to false before deployment to avoid disclosing web app folder information.
-->
<directoryBrowse enabled="true" />
</system.webServer>
<system.identityModel>
<identityConfiguration>
<audienceUris>
<add value="https://localhost:44300/Service1.svc" />
</audienceUris>
<issuerNameRegistry>
<trustedIssuers>
<add name="--omitted--" thumbprint="--omitted--"/>
</trustedIssuers>
</issuerNameRegistry>
<certificateValidation certificateValidationMode="None"/>
</identityConfiguration>
</system.identityModel>
</configuration>
此外,我还尝试过:切换到SAML2.0,使用预览JWT令牌处理程序切换到JWT,更改接收超时,将主机时间切换到UTC,显式地将主机与Windows时间服务同步,并在令牌发出后等待五分钟再使用它。MessageSecurityException是正确的:这是一个绑定错误 我把几个代码样本混合在一起,结果被不匹配给咬了。EstablishSecurityContext不仅仅是粉饰,它是绑定的真实部分,并且值必须在服务和客户端之间匹配 我的申请代码如下:
var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
binding.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey;
binding.Security.Message.EstablishSecurityContext = false; // this line is the problem
<bindings>
<ws2007FederationHttpBinding>
<binding name="">
<security mode="TransportWithMessageCredential">
<message issuedKeyType="BearerKey" issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"/> <!-- this line does not match -->
</security>
</binding>
</ws2007FederationHttpBinding>
</bindings>
<bindings>
<ws2007FederationHttpBinding>
<binding name="">
<security mode="TransportWithMessageCredential">
<message issuedKeyType="BearerKey" establishSecurityContext="false"/>
</security>
</binding>
</ws2007FederationHttpBinding>
</bindings>
普雷斯托,它是有效的。对我来说,好像你在两次调用同一个sts服务(端口44300),而第二次调用的应该是51853。让我知道这是不是一个正确的答案。第一个请求是我的Azure ACS命名空间,我的临时STS;我能理解哪里可能会让人困惑。我只是请求一个领域与localhost URL匹配的令牌。它肯定不应该转到51853,因为如果它转到51853,我将通过不安全的传输发送安全令牌。我是说第二个请求,而不是第一个请求。工厂的生产线2。这不是STS。是服务部门在等令牌,我现在拿到了。很抱歉给你一个误导性的线索。那么51853是什么?
var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
binding.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey;
binding.Security.Message.EstablishSecurityContext = false; // this line is the problem
<bindings>
<ws2007FederationHttpBinding>
<binding name="">
<security mode="TransportWithMessageCredential">
<message issuedKeyType="BearerKey" issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"/> <!-- this line does not match -->
</security>
</binding>
</ws2007FederationHttpBinding>
</bindings>
<bindings>
<ws2007FederationHttpBinding>
<binding name="">
<security mode="TransportWithMessageCredential">
<message issuedKeyType="BearerKey" establishSecurityContext="false"/>
</security>
</binding>
</ws2007FederationHttpBinding>
</bindings>