2

我在负载均衡器后面有许多 WIF 应用程序实例,它们使用来自 STS 的声明。我使用了使用 aspnet_regiis.exe 生成的 RSA 密钥容器,并根据此链接添加了事件处理程序,以使用 RSA 加密来拥有共享私钥而不是默认的 DPAPI 加密。我收到“签名无效。数据可能已被篡改”错误。

任何指针都会有所帮助。

编辑:添加身份模型部分

   <microsoft.identityModel>
        <service>
            <audienceUris>
                <add value="https://mysite.com" />
            </audienceUris>
            <federatedAuthentication>
                <wsFederation passiveRedirectEnabled="false" https://mysts.com/sts" realm="https://mysite.com requireHttps="false" />
                <cookieHandler requireSsl="false" />
            </federatedAuthentication>
            <applicationService>
                <claimTypeRequired>
                    <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="false" />
                    <claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" optional="false" />
                </claimTypeRequired>
            </applicationService>
            <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
                <trustedIssuers>
                    <add thumbprint="40A1D2622BFBDAC80A38858AD8001E094547369B" name="CN=IdentityTKStsCert" />
                </trustedIssuers>
            </issuerNameRegistry> 
        </service>
    </microsoft.identityModel>

void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
{
    CspParameters cp = new CspParameters();
    cp.KeyContainerName = "MyRsaKey";
    RSACryptoServiceProvider rcsp = new RSACryptoServiceProvider(cp);
    List<CookieTransform> sessionTransforms =
        new List<CookieTransform>(new CookieTransform[] {
        new DeflateCookieTransform(),
        new RsaEncryptionCookieTransform(rcsp),
        new RsaSignatureCookieTransform(rcsp) });
    SessionSecurityTokenHandler sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly());
    e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
}
4

0 回答 0