【问题标题】:RequestSecurityToken from STS and post it to my website来自 STS 的 RequestSecurityToken 并将其发布到我的网站
【发布时间】:2013-03-09 23:35:28
【问题描述】:

我的网站实现了基于 AD FS 的身份验证。现在我需要通过客户端以编程方式访问我的网站。我的客户端应该使用当前登录的用户上下文从 ADFS 服务器请求安全令牌。我已经能够使用客户端的用户名和密码成功地从adfs/services/trust/13/usernamemixed 端点请求安全令牌并将其发布到我的网站。

对我不起作用的是使用DefaultNetworkCredentialsadfs/services/trust/13/windowsmixed 端点请求相同的令牌。我收到错误The HTTP request was forbidden with client authentication scheme 'Anonymous'.。我正在使用 Microsoft.IdentityModel SDK(而不是 .NET 4.5 中的 System.IdentityModel)。

这是我的代码的 sn-p。

  factory = new MSWSTrustChannelFactory(
  new Microsoft.IdentityModel.Protocols.WSTrust.Bindings.WindowsWSTrustBinding(SecurityMode.TransportWithMessageCredential),
                    stsUrl);

  factory.TrustVersion = TrustVersion.WSTrust13;

  factory.Credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;

  var rst = new RequestSecurityToken
  {
      RequestType = RequestTypes.Issue,
      AppliesTo = new EndpointAddress(realm),
      KeyType = KeyTypes.Bearer,
      RequestDisplayToken = true
  };

  MSIWSTrustChannelContract channel = factory.CreateChannel();
  RequestSecurityTokenResponse rstr;
  SecurityToken token = channel.Issue(rst, out rstr);

我对 ADFS 服务器没有任何控制权,也无法从那里调试问题所在。我能做的只是来自客户端。知道我上面的代码出了什么问题吗?非常感谢任何帮助或指示。

【问题讨论】:

    标签: c# wif adfs geneva-framework


    【解决方案1】:

    我认为您需要将消息安全的建立安全上下文设置为 FALSE
    binding.Security.Message.EstablishSecurityContext = false;

    以下代码对我有用。

                WS2007HttpBinding binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
                binding.Security.Message.EstablishSecurityContext = false;               
                binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
                if (isWindowsUser)
                {
                    binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
                    ep = new EndpointAddress("https://abc.com/adfs/services/trust/13/windowsmixed");                    
                }
                else
                {
                    binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
                    ep = new EndpointAddress("https://abc.com/adfs/services/trust/13/usernamemixed");                    
                }
                factory = new WSTrustChannelFactory(binding, ep);
                factory.TrustVersion = TrustVersion.WSTrust13;
    
                    factory.Credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;                     
    
    
                var rst = new RequestSecurityToken
                {
                    RequestType = RequestTypes.Issue,
                    AppliesTo = new EndpointReference("urn:adfsmonitor"),
                    KeyType = KeyTypes.Bearer,
                };
                IWSTrustChannelContract channel = factory.CreateChannel();
                GenericXmlSecurityToken genericToken = channel.Issue(rst)
                 as GenericXmlSecurityToken;
                return genericToken.TokenXml.InnerXml.ToString();
    

    【讨论】:

      猜你喜欢
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 2021-02-20
      • 2019-05-29
      • 2023-03-31
      • 1970-01-01
      • 1970-01-01
      • 2012-01-24
      相关资源
      最近更新 更多