【问题标题】:An unsecured or incorrectly secured fault was received from the other party.(When working with SAML )从另一方收到不安全或不正确安全的故障。(使用 SAML 时)
【发布时间】:2013-02-04 14:14:33
【问题描述】:

我是 WCF Web 服务的新手。目前我正在使用联合绑定(SAML)开发联合 Web 服务。我在“SAML 令牌提供者”上获取了 MSDN 示例的帮助。但问题是我无法使用该服务,当我使用它时,它抛出“从另一方收到不安全或不正确安全的故障”内部异常为“处理消息中的安全令牌时发生错误。” p>

这是我在服务器端的网络配置文件

 <?xml version="1.0"?>
  <configuration>
   <system.web>
     <compilation debug="true" targetFramework="4.0"/>
   </system.web>
   <system.serviceModel>
     <bindings>
       <wsFederationHttpBinding>
          <binding name="Binding1">
            <security mode="Message" >
              <message negotiateServiceCredential ="false" issuedKeyType ="AsymmetricKey" 
                             issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
              </message>
            </security>
          </binding>
          <!-- Binding that expect SAML tokens with Asymmetric proof keys -->
          <binding name="Binding2">
             <security mode="Message">
                <message negotiateServiceCredential ="false"
                             issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
                </message>
             </security>
          </binding>
       </wsFederationHttpBinding>
    </bindings>
    <services>
    <!--<service name="MobileInterfaceWCFService.MobileService" behaviorConfiguration="MobileInterfacebehavior">
            <endpoint address="" binding="basicHttpBinding" bindingConfiguration="basic_http" contract="MobileInterfaceWCFService.IMobileInterface" />
        </service>
        <service name ="MobileInterfaceWCFService.MobileService" behaviorConfiguration="MobileInterfaceWCFService.Service1Behavior">
            <endpoint address="" binding="wsHttpBinding" contract="MobileInterfaceWCFService.IMobileInterface" bindingName="wsHttpBinding_ITMNetWCFService_ITMMobileSharedWebService" bindingConfiguration="wsHttpBinding_ITMNetWCFService_ITMMobileSharedWebService">
                <identity>
                    <dns value="localhost" />
                </identity>
            </endpoint>
        </service> -->
        <service name ="MobileInterfaceWCFService.MobileService" behaviorConfiguration="MobileInterfaceWCFService.SamlTokenBehavior">
            <endpoint address="" binding="wsFederationHttpBinding" contract="MobileInterfaceWCFService.IMobileInterface" bindingName="Binding1" bindingConfiguration="Binding1">
                <identity>
                    <dns value="localhost" />
                </identity>
            </endpoint>
        </service>
    </services>
    <client>
        <endpoint address="http://host-root/MobileSharedWebService/MobileSharedWebService.svc" binding="wsHttpBinding" bindingConfiguration="wsHttpBinding_ITMNetWCFService_ITMMobileSharedWebService" contract="ServiceReference1.ITMMobileSharedWebService" name="wsHttpBinding_ITMNetWCFService_ITMMobileSharedWebService">
            <identity>
                <dns value="localhost"/>
            </identity>
        </endpoint>
    </client>
    <behaviors>
        <serviceBehaviors>
            <behavior name="MobileInterfacebehavior">
                <!--<serviceMetadata httpGetEnabled="true" />-->
            </behavior>
            <behavior name="MobileInterfaceWCFService.Service1Behavior">
                <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
            <!--    <serviceMetadata httpGetEnabled="true"/> -->
                <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
                <serviceDebug includeExceptionDetailInFaults="false"/>
            </behavior>

            <behavior name="MobileInterfaceWCFService.SamlTokenBehavior">
                <serviceMetadata httpGetEnabled="true"  /> 
                <!-- 
                    The serviceCredentials behavior allows one to define a service certificate.
                    A service certificate is used by a client to authenticate the service and provide message protection.
                    This configuration references the "localhost" certificate installed during the setup instructions.
                    -->
                <serviceCredentials>
                    <!-- Set allowUntrustedRsaIssuers to true to allow self-signed, asymmetric key based SAML tokens -->
                    <issuedTokenAuthentication allowUntrustedRsaIssuers ="false" >
                        <!-- Add Alice to the list of certs trusted to issue SAML tokens -->
                        <knownCertificates>
                            <add storeLocation="LocalMachine" 
                                 storeName="TrustedPeople"
                                 x509FindType="FindBySubjectName"
                                 findValue="Alice"/>
                            </knownCertificates>
                    </issuedTokenAuthentication>
                    <serviceCertificate storeLocation="LocalMachine"
                                        storeName="My"
                                        x509FindType="FindBySubjectName"
                                        findValue="localhost"  />
                </serviceCredentials>
            </behavior>
        </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true"/>
</system.serviceModel>
<system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
    <handlers accessPolicy="Read, Script" />
    <security>
        <authentication>
            <anonymousAuthentication enabled="true" />
            <windowsAuthentication enabled="true" />
        </authentication>
    </security>
    <asp enableParentPaths="true" />
</system.webServer>

<system.diagnostics>
        <sources>
            <source name="System.ServiceModel"
                    switchValue="Information, ActivityTracing"
                    propagateActivity="true">
                <listeners>
                    <add name="traceListener"
                        type="System.Diagnostics.XmlWriterTraceListener"
                        initializeData= "c:\log\Traces.svclog" />
                </listeners>
            </source>
        </sources>
    </system.diagnostics>

     </configuration>

这是我在消费者端的配置文件

<?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.serviceModel>
    <bindings>
        <wsFederationHttpBinding>
         <binding name="Binding1_IMobileInterface"  >
            <security mode="Message">
                <message issuedKeyType="AsymmetricKey"      issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
                    negotiateServiceCredential="false"  >   
                </message>
                </security>
            </binding>
        </wsFederationHttpBinding>
    </bindings>
    <client>
        <endpoint address="http://localhost/WCF_MobileInterface/MobileService.svc"
            binding="wsFederationHttpBinding" bindingConfiguration="Binding1_IMobileInterface"
            contract="ServiceReference1.IMobileInterface" name="Binding1_IMobileInterface">
            <identity>
                <dns value="localhost" />
            </identity>
        </endpoint>
    </client>
</system.serviceModel>
  </configuration>

注意:我已经尝试了所有与 stackoverflow 和 google 上相同类型的错误/问题相关的解决方案,但无法解决问题

任何快速帮助将不胜感激

提前致谢

【问题讨论】:

    标签: c# wcf web-services saml federated-identity


    【解决方案1】:

    我已经解决了我上面提到的错误。我必须在我的wsfederationbinding下添加以下标签

    <allowedAudienceUris>
        <add allowedAudienceUri="http://localhost/WCF_MobileInterface/MobileService.svc"/>
    </allowedAudienceUris>
    

    allowedAudienceuri 属性中提到的 uri 是主机 WCF 服务。

    实际上,当我将以下标记添加到托管 WCF 服务的 Web 配置文件()时,我才知道这是错误,

    <serviceSecurityAudit  auditLogLocation="Application" serviceAuthorizationAuditLevel="Failure" messageAuthenticationAuditLevel="Failure" suppressAuditFailure="true" /> 
    

    在映射到我的 wsfederationbinding 的行为标签下,此标签在系统事件查看器的应用程序日志类别中记录确切的错误消息。

    注意:我在服务器和消费者级别启用了跟踪,它没有给出正确的错误消息。但我通过检查事件查看器中的错误日志发现了问题

    希望这可以帮助遇到类似错误的人。

    【讨论】:

    • &lt;allowedAudienceUris&gt; 是添加到令牌发行服务 (STS) 还是添加到由 STS 保护的服务中?我真的在为类似的问题而苦苦挣扎,并且由于我的日志记录状态身份验证成功而无法取得太大进展。 stackoverflow.com/questions/20378081/…
    • @atconway:&lt;allowedAudienceUris&gt; 部分添加了令牌发布服务(STS),主机服务与此无关。 STS 是 Target Service 的网关,如果网关服务或 STS 配置正确,那么目标服务可以很容易地被 Client 应用消费。
    • 如果省略此部分,是否假定允许“全部”?意味着使用它会创建一个“白名单”操作?我很难从 MSDN 文档中看出这一点。
    • &lt;allowedAudienceUris&gt; 标签用于指定 SAML 令牌服务可以访问哪些所有主机服务,它不是客户端 URL 的白名单。您只需要包含您想要向所有客户端公开的主机/目标服务。
    猜你喜欢
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    相关资源
    最近更新 更多