因此,我试图从网站使用 WCF 服务,并将网站从 STS 获得的 IClaimsIdentity 传递给该服务。
当我尝试通过 ActAs 通道调用服务方法时,我在客户端上收到以下错误(查看跟踪日志,它永远不会到达服务,并且 STS 正确发送所有令牌):
传出消息的身份检查失败。预期的身份是'身份( http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty:http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprint )' 用于 'http://localhost/MyWCFHost/MyService.svc' 目标端点。
我有一个自定义的 IssuedTokenForCertificate 绑定,据我所见,所有证书都可以,它应该可以工作,但没有骰子。我很感激另一双眼睛看着我的配置并提供帮助:
使用网站配置:
<system.serviceModel>
<bindings>
<customBinding>
<binding name="CustomBinding_IMyService">
<security defaultAlgorithmSuite="Default" authenticationMode="IssuedTokenForCertificate"
requireDerivedKeys="true" includeTimestamp="true" messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
requireSignatureConfirmation="true">
<issuedTokenParameters tokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
<additionalRequestParameters>
<trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<trust:TokenType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</trust:TokenType>
<trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
</trust:SecondaryParameters>
</additionalRequestParameters>
<issuer address="http://localhost/MyCompany.SecurityTokenService/ActAsIssuer.svc"
binding="ws2007HttpBinding" bindingConfiguration="http://localhost/MyCompany.SecurityTokenService/ActAsIssuer.svc">
</issuer>
<issuerMetadata address="http://localhost/MyCompany.SecurityTokenService/ActAsIssuer.svc/mex" />
</issuedTokenParameters>
<localClientSettings detectReplays="true" />
<localServiceSettings detectReplays="true" />
</security>
<textMessageEncoding />
<httpTransport />
</binding>
</customBinding>
<ws2007HttpBinding>
<binding name="http://localhost/MyCompany.SecurityTokenService/ActAsIssuer.svc">
<security>
<message establishSecurityContext="false" />
</security>
</binding>
</ws2007HttpBinding>
</bindings>
<client>
<endpoint address="http://localhost/MyWCFHost/MyService.svc" binding="customBinding"
bindingConfiguration="CustomBinding_IMyService" contract="MyService.IMyService"
name="CustomBinding_IMyService">
<identity>
<!--<certificate encodedValue="AwAAAAEAAAAUAAAAV2ILlfzl9NIHEiGv1rUCSitq8I0gAAAAAQAAAP8BAAAwggH7MIIBaKADAgECAhBTTBmG1HyUkEDVFmVUxfDLMAkGBSsOAwIdBQAwFTETMBEGA1UEAxMKRXRhbmEgUm9vdDAeFw0xMjA5MjExMjE2MDRaFw0zOTEyMzEyMzU5NTlaMB8xHTAbBgNVBAMTFEV0YW5hIFNUUyBFbmNyeXB0aW9uMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0lbzr1b1aNiXGhwKMTO58QbLbbKoUtTRkA4egMlmip1Vm46BnscWAMvXA5kyzuqK6Cw/5bel15i0pZXR4kjByKbSr65V0/ODGrkUHaYb5vT8RzCczYcgzJmPGWawMYYJT8PXLXHkFmZZGXFZhiUBzyNMWh8YH16I/wFtUgmaBAQIDAQABo0owSDBGBgNVHQEEPzA9gBAV68U+Vhoc0Nu9qPJXfJSRoRcwFTETMBEGA1UEAxMKRXRhbmEgUm9vdIIQgnOTDbZVCaJFTK8PPAGynTAJBgUrDgMCHQUAA4GBACHLr32oqkFjKGN/fqk2VnsNNIs9niHQ4Q6UbJ252YWf4wFIz9Ho/+ZdFxC4tSHxa/IMH0kzYpRL5p61Zd8/QeryWCStqvoNPwyapaY3g0Pkm6dy6NJ82kX5eJxLjdJp8MVadPJs4VA7Smf+e9lMMoONAGP07AvzAVhtiYK2yMmH" />-->
<certificateReference findValue="57620B95FCE5F4D2071221AFD6B5024A2B6AF08D" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
</identity>
</endpoint>
</client>
</system.serviceModel>
WCF 服务配置:
<system.serviceModel>
<diagnostics>
<messageLogging logMalformedMessages="true" logMessagesAtTransportLevel="true" />
</diagnostics>
<services>
<service name="RPWCFApp.MyService" behaviorConfiguration="MyServiceBehaviour">
<endpoint address="" binding="customBinding" bindingConfiguration="CustomBindingConfiguration_IssuedTokenOverTransport" contract="RPWCFApp.IMyService" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="MyServiceBehaviour">
<federatedServiceHostConfiguration />
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
<serviceCredentials>
<serviceCertificate findValue="81A5DB3796F48B00FAC37CE67D7D8CA43078B996" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
<extensions>
<behaviorExtensions>
<add name="federatedServiceHostConfiguration" type="Microsoft.IdentityModel.Configuration.ConfigureServiceHostBehaviorExtensionElement, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</behaviorExtensions>
</extensions>
<bindings>
<customBinding>
<binding name="CustomBindingConfiguration_IssuedTokenOverTransport">
<security authenticationMode="IssuedTokenForCertificate" messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10">
<issuedTokenParameters keyType="SymmetricKey" tokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
<issuer address="http://localhost/MyCompany.SecurityTokenService/ActAsIssuer.svc" binding="ws2007HttpBinding" bindingConfiguration="IssuedTokenBinding" />
<issuerMetadata address="http://localhost/MyCompany.SecurityTokenService/ActAsIssuer.svc/mex" />
</issuedTokenParameters>
</security>
<textMessageEncoding />
<httpTransport />
</binding>
</customBinding>
<ws2007HttpBinding>
<binding name="IssuedTokenBinding">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="Windows" establishSecurityContext="false" />
</security>
</binding>
</ws2007HttpBinding>
</bindings>
</system.serviceModel>