如何在可互操作的 WCF 服务中验证 SAML2.0 断言

【问题标题】:How to validate SAML2.0 Assertion in interoperable WCF-service如何在可互操作的 WCF 服务中验证 SAML2.0 断言
【发布时间】:2011-03-31 15:39:50
【问题描述】:

我现在花了几天时间,让我的 WCF 服务验证一个简单的 SAML2 断言。我正在使用 Axis2 客户端对其进行测试,但它也应该支持 Java、C++ 等。

我只想对令牌进行一些验证: 1. 证书颁发者(来自有效颁发者列表) 2. 证书日期 3. 观众网址

所以我应该能够进行自定义证书验证。该证书在服务器上是未知的,它是 SAML 断言的一部分。 这是使用的 SAML 断言:

<saml:Assertion Version="2.0" IssueInstant="2011-03-29T09:44:41Z" ID="_7d8e48d69047d3c3da278b33b8f13485" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>demo.com</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> 
<ds:Reference URI="#_7d8e48d69047d3c3da278b33b8f13485"> 
<ds:Transforms> 
  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> 
  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">     <ec:InclusiveNamespaces PrefixList="ds saml" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
  </ds:Transform> 
</ds:Transforms> 
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>     <ds:DigestValue>SsVSD3gENtKpZTjJBHNovQVXa4o=</ds:DigestValue> 
</ds:Reference> 
</ds:SignedInfo>  
<ds:SignatureValue>Mn+FNBrlyWz5nDBViB1+jNnwL/QDAtE0uxgNT/fi6O+e2/eeXggsPYPSQYwv+EeC 8h9lcJ5nzVKknrO2Ny4Ob3UsrmH3YQdj0iaCABb0EMC8tFV1M1taD4USLscUhucd hTl2WQEj/rgCtHzratkBXOlmumTUu+ra8P/1Aef0oO0=</ds:SignatureValue> 
<ds:KeyInfo><ds:KeyName>demo.com</ds:KeyName>
<ds:X509Data><ds:X509SubjectName>emailAddress=info@demo.com,CN=demo.com,OU=Development,O=demo,ST=Utrecht,C=NL</ds:X509SubjectName>
<ds:X509Certificate>MI ... mQ= </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
<saml:Subject><saml:NameID SPProvidedID="lipse" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">lipse</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml:Subject>
<saml:Conditions NotOnOrAfter="2011-03-29T09:54:40Z" NotBefore="2011-03-29T09:44:40Z">
<saml:AudienceRestriction><saml:Audience>http://blabla</saml:Audience></saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>

我尝试了 wsHttpBinding、wsFederationHttpBinding、ws2007FederationHttpBinding,甚至还有 customBinding。有或没有 WIF?我不知道了。

我目前正在努力解决这个错误:

SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 2,
Clause[0] = KeyNameIdentifierClause(KeyName = 'risdemo.delftdi.com'),
Clause[1] = X509RawDataKeyIdentifierClause(RawData = MI....mQ=)
)
`. Ensure that the SecurityTokenResolver is populated with the required key.

我的绑定:

<wsHttpBinding>
    <binding name="_HTTP">
      <security mode="Message">
        <transport clientCredentialType="None" proxyCredentialType="None" />
        <message clientCredentialType="IssuedToken" negotiateServiceCredential="False"
          establishSecurityContext="False"/>
      </security>
    </binding>
</wsHttpBinding>

ServiceCredentials:

<serviceCredentials>
        <issuedTokenAuthentication allowUntrustedRsaIssuers="true" revocationMode="NoCheck" certificateValidationMode="Custom" customCertificateValidatorType="ServiceHostConsole.CustomX509CertificateValidator, ServiceHostConsole">
          <allowedAudienceUris>
            <add allowedAudienceUri="http://blabla"/>
          </allowedAudienceUris>
        </issuedTokenAuthentication>
        <serviceCertificate findValue="e216aeacff5fac720708e5a1966f220cc8b4ce94"
          storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
      </serviceCredentials>

WIF:

<microsoft.identityModel>
<service>
  <audienceUris>
    <add value="http://blabla"/>
  </audienceUris>
  <securityTokenHandlers>
    <clear />
    <add type="ServiceHostConsole.myHandler, ServiceHostConsole"></add>
    <!-- <securityTokenHandlerConfiguration saveBootstrapTokens="false">
      <issuerTokenResolver type="ServiceHostConsole.CustomTokenResolver, ServiceHostConsole"/>
      <certificateValidation>
        <certificateValidator type="ServiceHostConsole.CustomX509CertificateValidator, ServiceHostConsole"/>
      </certificateValidation>
      <issuerNameRegistry type="ServiceHostConsole.SimpleIssuerRegistery, ServiceHostConsole">
      </issuerNameRegistry>
      <tokenReplayDetection enabled="false"></tokenReplayDetection>
      <audienceUris mode="Always">
        <add value="http://blabla"/>
      </audienceUris>
    </securityTokenHandlerConfiguration>  -->   
  </securityTokenHandlers>
  <!-- <issuerTokenResolver type="ServiceHostConsole.CustomTokenResolver, ServiceHostConsole"/> -->
  <certificateValidation certificateValidationMode="None" revocationMode="NoCheck">
    <certificateValidator type="ServiceHostConsole.CustomX509CertificateValidator, ServiceHostConsole" />
  </certificateValidation>
</service>

我真的很想覆盖认证验证,例如在此页面上:http://msdn.microsoft.com/en-us/library/ms733806.aspx。 但我似乎无法让它工作,所有可能的自定义验证都没有击中被覆盖的 Validate() 函数。

请问有谁可以给​​我指路吗?

提前致谢!

问候,

目录

【问题讨论】:

    标签: wcf interop saml wif


    【解决方案1】:

    开箱即用的 WIF 验证不起作用?从表面上看,WIF 似乎应该在没有任何自定义/扩展的情况下完成所有这些工作。检查 WIF SDK 示例或 Web 服务示例 here

    【讨论】:

      猜你喜欢
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 2012-03-07
      • 2013-08-10
      • 2012-06-27
      • 1970-01-01
      • 1970-01-01
      • 2012-02-27
      相关资源
      最近更新 更多
      热门标签
      Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode