How do I configure WCF to use a custom realm in URN format with Azure ACS?
Tags: wcf, azure, wif, federated-identity, acs

How do I authenticate a WCF client against my internally hosted WCF service using ACS? The question centres on setting up a custom realm (which I don't know how to do). My ACS configuration is similar to this one, but the "realm" is defined as shown below.

Excerpt from the Azure ACS configuration page
Client code
```csharp
EndpointAddress serviceEndpointAddress = new EndpointAddress(
    new Uri( "http://localhost:7000/Service/Default.aspx" ),
    EndpointIdentity.CreateDnsIdentity( GetServiceCertificateSubjectName() ),
    new AddressHeaderCollection() );

ChannelFactory<IStringService> stringServiceFactory = new ChannelFactory<IStringService>(
    Bindings.CreateServiceBinding( "https://agent7.accesscontrol.appfabriclabs.com/v2/wstrust/13/certificate" ),
    serviceEndpointAddress );

// Set the service credentials.
// Validation of the service certificate is switched off here (test-certificate setting).
stringServiceFactory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
stringServiceFactory.Credentials.ServiceCertificate.DefaultCertificate = GetServiceCertificate();

// Set the client credentials.
stringServiceFactory.Credentials.ClientCertificate.Certificate = GetClientCertificateWithPrivateKey();
```
Service code

```csharp
string acsCertificateEndpoint = String.Format( "https://{0}.{1}/v2/wstrust/13/certificate", AccessControlNamespace, AccessControlHostName );

ServiceHost rpHost = new ServiceHost( typeof( StringService ) );
rpHost.Credentials.ServiceCertificate.Certificate = GetServiceCertificateWithPrivateKey();
rpHost.AddServiceEndpoint( typeof( IStringService ),
    Bindings.CreateServiceBinding( acsCertificateEndpoint ),
    "http://localhost:7000/Service/Default.aspx" );

//
// This must be called after all WCF settings are set on the service host so the
// Windows Identity Foundation token handlers can pick up the relevant settings.
//
ServiceConfiguration serviceConfiguration = new ServiceConfiguration();
// Certificate validation is switched off here (test-certificate setting).
serviceConfiguration.CertificateValidationMode = X509CertificateValidationMode.None;
// Accept ACS signing certificate as Issuer.
serviceConfiguration.IssuerNameRegistry = new X509IssuerNameRegistry( GetAcsSigningCertificate().SubjectName.Name );
// Add the SAML 2.0 token handler.
serviceConfiguration.SecurityTokenHandlers.AddOrReplace( new Saml2SecurityTokenHandler() );
// Add the address of this service to the allowed audiences.
serviceConfiguration.SecurityTokenHandlers.Configuration.AudienceRestriction.AllowedAudienceUris.Add( new Uri( "urn:federation:customer:222:agent:11" ) );
FederatedServiceCredentials.ConfigureServiceHost( rpHost, serviceConfiguration );
return rpHost;
```
... where urn:federation:customer:222:agent:11 is the relying party ID, and http://localhost:7000/Service/Default.aspx is the location I want the WCF/WIF client above to bind to after authenticating with ACS.
Question

How would I edit the code above so that both the client and the server work against a particular port (localhost:700) and the urn:federation:customer:222:agent:11 realm?

I think my server code is correct; but how do I set AudienceRestriction on the client?
Haven't actually tried it, but from reading it seems the standard channel factory doesn't have the right hooks to do what you want. WSTrustChannelFactory is built for WIF & SAML, but I'm not familiar enough with ACS to say whether it applies. This is probably also worth a read.

Your server-side code looks fine, but Sixto is right about the standard channel factory. Fortunately, you can use WSTrustChannelFactory to request the security token from ACS yourself. In the context of the sample, your code would look like this:
```csharp
//
// Get the token from ACS
//
WSTrustChannelFactory trustChannelFactory = new WSTrustChannelFactory(
    Bindings.CreateAcsCertificateBinding(),
    new EndpointAddress( acsCertificateEndpoint ) );
trustChannelFactory.Credentials.ClientCertificate.Certificate = GetClientCertificateWithPrivateKey();

RequestSecurityToken rst = new RequestSecurityToken()
{
    RequestType = RequestTypes.Issue,
    // The realm the token is requested for; must match the service's allowed audience URI.
    AppliesTo = new EndpointAddress( new Uri( "urn:federation:customer:222:agent:11" ) ),
    KeyType = KeyTypes.Symmetric
};

WSTrustChannel wsTrustChannel = (WSTrustChannel)trustChannelFactory.CreateChannel();
SecurityToken token = wsTrustChannel.Issue( rst );

//
// Call StringService, authenticating with the retrieved token
//
WS2007FederationHttpBinding binding = new WS2007FederationHttpBinding( WSFederationHttpSecurityMode.Message );
binding.Security.Message.EstablishSecurityContext = false;
binding.Security.Message.NegotiateServiceCredential = false;

ChannelFactory<IStringService> factory = new ChannelFactory<IStringService>(
    binding,
    new EndpointAddress(
        new Uri( ServiceAddress ),
        EndpointIdentity.CreateDnsIdentity( GetServiceCertificateSubjectName() ) ) );
factory.ConfigureChannelFactory<IStringService>();
factory.Credentials.SupportInteractive = false;
factory.Credentials.ServiceCertificate.DefaultCertificate = GetServiceCertificate();

IStringService channel = factory.CreateChannelWithIssuedToken<IStringService>( token );
string reversedString = channel.Reverse( "string to reverse" );
```
Some answers come late, but better late than never. I have not been able to find any official documentation on using WCF this way, but from reading the WS-Trust specification and the MSDN configuration documentation I came up with the following, which seems to work.

From the service-consuming client's configuration, at configuration/system.serviceModel/bindings/ws2007FederationHttpBinding/binding/security/message. It overrides the AppliesTo element of the token request message:
```xml
<tokenRequestParameters>
  <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
      <Address>urn:x-Organization:Testing</Address>
    </EndpointReference>
  </wsp:AppliesTo>
</tokenRequestParameters>
```

urn:x-Organization:Testing
Adding the same snippet to the service's configuration will cause the service reference utility to include it in the service client's trust:SecondaryParameters element. It must be moved to the parent tokenRequestParameters element for it to work.

The problem is...

@Eugenio - updated and clarified the code! Well worth the +145 rep points. What would need to be done if I wanted another trust in the chain? e.g. ADFS to ACS to RP? Or ACS to ACS to RP?

In that case you can still use the WSTrust channel to get the token, except you would use IssuedTokenWSTrustBinding and point it at ACS's issued-token endpoint (v2/wstrust/13/issuedtoken-symmetric, v2/wstrust/13/issuedtoken-asymmetric or v2/wstrust/13/issuedtoken-bearer, depending on the key type). Then configure the binding's IssuerBinding and IssuerAddress properties to point at the ADFS certificate endpoint. A search for IssuedTokenWSTrustBinding will turn up plenty of code samples. Once you have the token from ACS, the rest looks the same.
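As an added check (my own example, not code from the question or either answer): a small script that locates the AppliesTo realm in a WCF client's app.config, flags the misplacement under trust:SecondaryParameters that the answer above describes, compares the realm with the service's AllowedAudienceUris from the question, and applies the move to tokenRequestParameters. The config text is constructed, and the function names are my own.

```python
import xml.etree.ElementTree as ET

NS = {"wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
      "wsa": "http://www.w3.org/2005/08/addressing",
      "trust": "http://docs.oasis-open.org/ws-sx/ws-trust/200512"}
ADDRESS = "wsp:AppliesTo/wsa:EndpointReference/wsa:Address"
PLACEMENTS = (("direct", ADDRESS), ("secondary", "trust:SecondaryParameters/" + ADDRESS))

# Constructed client config (not from a real project): the service reference
# tool has put AppliesTo under trust:SecondaryParameters, where it has no effect.
SAMPLE_CONFIG = """<configuration><system.serviceModel><bindings><ws2007FederationHttpBinding>
<binding name="StringServiceBinding"><security mode="Message"><message><tokenRequestParameters>
 <trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
  <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
   <EndpointReference xmlns="http://www.w3.org/2005/08/addressing"><Address>urn:federation:customer:222:agent:11</Address></EndpointReference>
  </wsp:AppliesTo>
 </trust:SecondaryParameters>
</tokenRequestParameters></message></security></binding>
</ws2007FederationHttpBinding></bindings></system.serviceModel></configuration>"""

def find_applies_to(config_xml):
    """Return [(realm, placement)]; only a 'direct' AppliesTo reaches the token request."""
    found = []
    for trp in ET.fromstring(config_xml).iter("tokenRequestParameters"):
        for placement, path in PLACEMENTS:  # a direct AppliesTo wins over a nested one
            node = trp.find(path, NS)
            if node is not None:
                found.append((node.text.strip(), placement))
                break
    return found

def check_realm(config_xml, allowed_audiences):
    """Flag a misplaced AppliesTo and a realm the service's audience check would reject."""
    problems = []
    for realm, placement in find_applies_to(config_xml):
        if placement == "secondary":
            problems.append(f"{realm}: AppliesTo sits inside trust:SecondaryParameters")
        if realm not in allowed_audiences:
            problems.append(f"{realm}: not in the service's AllowedAudienceUris")
    return problems

def relocate_applies_to(config_xml):
    """The fix from the answer: move AppliesTo up to tokenRequestParameters."""
    root = ET.fromstring(config_xml)
    for trp in root.iter("tokenRequestParameters"):
        sec = trp.find("trust:SecondaryParameters", NS)
        applies = None if sec is None else sec.find("wsp:AppliesTo", NS)
        if applies is not None:
            sec.remove(applies)
            trp.append(applies)
    return ET.tostring(root, encoding="unicode")
```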