使用已颁发的令牌调用WCF服务
我尝试以下几点:使用已颁发的令牌调用WCF服务,wcf,linqpad,ws-trust,Wcf,Linqpad,Ws Trust,我尝试以下几点: WCF客户端调用STS并获取SAML断言 客户机使用SAML断言调用服务 现在,我已经将上述场景实现为三个LinqPad脚本:client.linq、sts.linq(自托管WCF服务)和service.linq(自托管WCF服务)。它们都可以在 我需要一些人帮我把它修好 使用client.linq中的以下代码,我能够调用我的STS并获得SAML断言: SecurityToken GetToken() { var binding = new BasicHttpBin
- WCF客户端调用STS并获取SAML断言
- 客户机使用SAML断言调用服务
client.linq
、sts.linq
(自托管WCF服务)和service.linq
(自托管WCF服务)。它们都可以在
我需要一些人帮我把它修好
使用client.linq
中的以下代码,我能够调用我的STS并获得SAML断言:
SecurityToken GetToken()
{
var binding = new BasicHttpBinding();
var factory = new WSTrustChannelFactory(binding, stsAddress);
factory.TrustVersion = TrustVersion.WSTrustFeb2005;
var rst = new RequestSecurityToken
{
RequestType = RequestTypes.Issue,
KeyType = KeyTypes.Symmetric,
AppliesTo = new EndpointReference(serviceAddress)
};
return factory.CreateChannel().Issue(rst);
}
下一步,我将使用以下代码(尝试)调用包含SAML断言的服务:
var binding = new WSFederationHttpBinding(WSFederationHttpSecurityMode.Message);
binding.Security.Message.EstablishSecurityContext = false;
var factory = new ChannelFactory<ICrossGatewayQueryITI38>(
binding,
new EndpointAddress(new Uri(serviceAddress), new DnsEndpointIdentity("LocalSTS"))
);
factory.Credentials.SupportInteractive = false;
factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
X509CertificateValidationMode.None;
var proxy = factory.CreateChannelWithIssuedToken(token);
var response = proxy.CrossGatewayQuery(
Message.CreateMessage(MessageVersion.Soap12WSAddressing10, "urn:ihe:iti:2007:CrossGatewayQuery", "Hello world")
);
var binding=新的WSFederationHttpBinding(WSFederationHttpSecurityMode.Message);
binding.Security.Message.EstablishSecurityContext=false;
var工厂=新工厂(
结合
新端点地址(新Uri(serviceAddress)、新DnsEndpointIdentity(“LocalSTS”))
);
factory.Credentials.SupportInteractive=false;
factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode=
X509CertificateValidationMode.无;
var proxy=factory.CreateChannelWithIssuedToken(令牌);
var response=proxy.CrossGatewayQuery(
Message.CreateMessage(MessageVersion.Soap12WSAddressing10,“urn:ihe:iti:2007:CrossGatewayQuery”,“你好世界”)
);
接下来会发生什么我完全不明白。当我运行脚本时,fiddler正在运行,下面是我看到的:
/STS
的第一个请求(如预期)proxy.CrossGatewayQuery
导致对/Service
的三次调用:
2.1。带有action的SOAP调用http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
2.2。带有action的SOAP调用http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
2.3。最后一个SOAP调用,操作为urn:ihe:iti:2007:CrossGatewayQuery。使用Fiddler,我注意到SOAP安全标头包含步骤1中的SAML断言- 为什么WCF客户端将
和RST/Issue
请求发送到RSTS/Issue
(上述步骤2.1和2.2)/Service
- 我如何配置这些片段来完成我想要的任务,即向STS发送一个请求,然后向服务发送一个请求,传递我从STS获得的SAML断言
- 第一个问题是服务凭证的重新协商
这一变化解决了以下问题:
binding.Security.Message.NegotiateServiceCredential = false
然后服务必须启用WIF配置:
host.Credentials.UseIdentityConfiguration = true;
host.Credentials.IdentityConfiguration = CreateIdentityConfig();
IdentityConfiguration CreateIdentityConfig()
{
IdentityConfiguration identityConfig = new IdentityConfiguration(false);
//AUDIENCE URI
//the token we receive contains this value, so if do not match we fail
identityConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri($"http://{Environment.MachineName}:8000/Service"));
//ISSUER NAME REGISTRY explicit the thumbprint of the accepted certificates, if the token coming in is not signed with any of these certificates then is considered invalid
var issuerNameRegistry = new ConfigurationBasedIssuerNameRegistry();
issuerNameRegistry.AddTrustedIssuer("81 5b 06 b2 7f 5b 26 30 47 3b 8a b9 56 bb 9f 9f 8c 36 20 76", "signing certificate sts"); //STS signing certificate thumbprint
identityConfig.IssuerNameRegistry = issuerNameRegistry;
identityConfig.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.None;
return identityConfig;
}
还有其他变化,github repo更新了master
分支中的代码
多亏了支持女士,她帮助我解决了这个问题