我在负载均衡器后面有许多 WIF 应用程序实例,它们使用来自 STS 的声明。我使用了使用 aspnet_regiis.exe 生成的 RSA 密钥容器,并根据此链接添加了事件处理程序,以使用 RSA 加密来拥有共享私钥而不是默认的 DPAPI 加密。我收到“签名无效。数据可能已被篡改”错误。
任何指针都会有所帮助。
编辑:添加身份模型部分
<microsoft.identityModel>
<service>
<audienceUris>
<add value="https://mysite.com" />
</audienceUris>
<federatedAuthentication>
<wsFederation passiveRedirectEnabled="false" https://mysts.com/sts" realm="https://mysite.com requireHttps="false" />
<cookieHandler requireSsl="false" />
</federatedAuthentication>
<applicationService>
<claimTypeRequired>
<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="false" />
<claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" optional="false" />
</claimTypeRequired>
</applicationService>
<issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<trustedIssuers>
<add thumbprint="40A1D2622BFBDAC80A38858AD8001E094547369B" name="CN=IdentityTKStsCert" />
</trustedIssuers>
</issuerNameRegistry>
</service>
</microsoft.identityModel>
void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
{
CspParameters cp = new CspParameters();
cp.KeyContainerName = "MyRsaKey";
RSACryptoServiceProvider rcsp = new RSACryptoServiceProvider(cp);
List<CookieTransform> sessionTransforms =
new List<CookieTransform>(new CookieTransform[] {
new DeflateCookieTransform(),
new RsaEncryptionCookieTransform(rcsp),
new RsaSignatureCookieTransform(rcsp) });
SessionSecurityTokenHandler sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly());
e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
}