
In a .NET Web API, how do I configure the Thinktecture Saml2SecurityTokenHandler to use an X509 certificate to handle encrypted SAML2 security tokens (decrypting them before validation)?

Identity Server encrypts the token because the RP is configured there to use a certificate for encryption.

Here is the working configuration taken from the Thinktecture samples (it does not handle encrypted tokens):

    #region IdentityServer SAML
    authentication.AddSaml2(
        issuerThumbprint: Constants.IdSrv.SigningCertThumbprint,
        issuerName: Constants.IdSrv.IssuerUri,
        audienceUri: Constants.Realm,
        certificateValidator: X509CertificateValidator.None,
        options: AuthenticationOptions.ForAuthorizationHeader(Constants.IdSrv.SamlScheme),
        scheme: AuthenticationScheme.SchemeOnly(Constants.IdSrv.SamlScheme));
    #endregion

2 Answers


To enable encrypted tokens with Web API, I found this helpful: http://www.alexthissen.nl/blogs/main/archive/2011/07/18/using-active-profile-for.aspx

Near the end, you will see the code set the ServiceTokenResolver property on the Configuration property of the SecurityTokenHandlerCollection, using an X509 certificate from the LocalMachine store. The Configuration property is a SecurityTokenHandlerConfiguration, which is one of the parameters of an overload of the AddSaml2 extension method in AuthenticationConfigurationExtensionsCore.cs in the Thinktecture.IdentityModel source. Here is what I ended up with.

    // Requires: System.IdentityModel.Tokens, System.IdentityModel.Selectors,
    // System.Security.Cryptography.X509Certificates, System.Collections.Generic

    // Trust the IdentityServer signing certificate by thumbprint.
    var registry = new ConfigurationBasedIssuerNameRegistry();
    registry.AddTrustedIssuer(Constants.IdSrv.SigningCertThumbprint, Constants.IdSrv.IssuerUri);

    var handlerConfig = new SecurityTokenHandlerConfiguration();
    handlerConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Constants.Realm));
    handlerConfig.IssuerNameRegistry = registry;
    handlerConfig.CertificateValidator = GetX509CertificateValidatorSetting(); // app-specific helper, not shown here

    // Load the RP certificate whose private key decrypts the SAML assertion.
    X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly);
    X509Certificate2Collection certificates = store.Certificates;
    X509Certificate2Collection matchingCertificates = certificates.Find(
        X509FindType.FindBySubjectDistinguishedName,
        "CN=RPTokenCertificate", false);
    store.Close();
    if (matchingCertificates.Count == 0)
    {
        throw new InvalidOperationException("RP token certificate not found in LocalMachine\\My.");
    }
    // Take the certificate from the filtered collection, not from the whole store.
    X509Certificate2 certificate = matchingCertificates[0];

    // The ServiceTokenResolver is where the handler looks for the decryption key.
    List<SecurityToken> serviceTokens = new List<SecurityToken>();
    serviceTokens.Add(new X509SecurityToken(certificate));
    SecurityTokenResolver serviceResolver =
        SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
            serviceTokens.AsReadOnly(), false);
    handlerConfig.ServiceTokenResolver = serviceResolver;

    authentication.AddSaml2(handlerConfig,
        AuthenticationOptions.ForAuthorizationHeader(SamlScheme),
        AuthenticationScheme.SchemeOnly(SamlScheme));

Hope this helps.

Answered 2013-10-14T22:36:19.897
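The weak spot in a store lookup like the one above is picking the wrong certificate silently (a subject-name search can return several certificates, including expired ones or ones without a private key). The following is an added example, not code from either answer or from Thinktecture: it builds the same ServiceTokenResolver but selects the RP decryption certificate by thumbprint and fails closed on anything other than exactly one valid certificate with a private key. The class and method names are my own.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper (added example); builds the resolver the SAML2 handler
// uses to find the private key that decrypts an EncryptedAssertion.
public static class RpDecryptionCertificate
{
    public static SecurityTokenResolver CreateServiceTokenResolver(
        string thumbprint, StoreLocation location = StoreLocation.LocalMachine)
    {
        if (string.IsNullOrWhiteSpace(thumbprint))
            throw new ArgumentException("Thumbprint is required.", "thumbprint");

        // Remove the spaces that appear when a thumbprint is copied from the certificate MMC.
        thumbprint = thumbprint.Replace(" ", string.Empty).ToUpperInvariant();

        X509Store store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            // validOnly = true drops expired certificates and ones that fail chain validation.
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, true);

            // Exactly one match, or we refuse to guess which key to decrypt with.
            if (matches.Count != 1)
                throw new InvalidOperationException(string.Format(
                    "Expected exactly one valid certificate with thumbprint {0}, found {1}.",
                    thumbprint, matches.Count));

            X509Certificate2 cert = matches[0];

            // Decryption needs the private key; a public-only certificate would fail later
            // with a much less obvious error from the token handler.
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    "Decryption certificate has no private key accessible to this process.");

            List<SecurityToken> tokens = new List<SecurityToken> { new X509SecurityToken(cert) };
            return SecurityTokenResolver.CreateDefaultSecurityTokenResolver(tokens.AsReadOnly(), false);
        }
        finally
        {
            store.Close();
        }
    }
}
```

Assign the returned resolver to handlerConfig.ServiceTokenResolver in place of the subject-name lookup; the application pool identity still needs read access to the certificate's private key.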

Got this answer from someone:

    // Requires: System.IdentityModel.Tokens, System.IdentityModel.Selectors, System.Security.Claims,
    // System.Security.Cryptography.X509Certificates, System.Xml, System.IO, System.Linq
    public ClaimsIdentity DecryptToken(string token, string pathToSigningCert)
    {
        XmlReader rdr = XmlReader.Create(new StringReader(token));

        SecurityTokenHandlerConfiguration config = new SecurityTokenHandlerConfiguration();
        config.AudienceRestriction.AllowedAudienceUris.Add(new Uri("urn:yourRP"));
        // Chain and revocation checks are switched off here; appropriate for a dev STS only.
        config.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.None;
        config.RevocationMode = X509RevocationMode.NoCheck;

        // Trust the STS signing certificate by thumbprint.
        ConfigurationBasedIssuerNameRegistry inr = new ConfigurationBasedIssuerNameRegistry();
        X509Certificate2 cert = new X509Certificate2(pathToSigningCert);
        inr.AddTrustedIssuer(cert.Thumbprint, "STS Name");

        config.IssuerNameRegistry = inr;
        config.CertificateValidator = System.IdentityModel.Selectors.X509CertificateValidator.None;

        // Note: to decrypt an encrypted assertion, config.ServiceTokenResolver must also be able
        // to resolve the RP certificate that holds the decryption private key.
        SecurityTokenHandlerCollection handlers =
            SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(config);

        if (!handlers.CanReadToken(rdr))
        {
            throw new SecurityTokenException("No handler in the collection can read this token.");
        }

        SecurityToken tmpToken = handlers.ReadToken(rdr);
        var claimsIds = handlers.ValidateToken(tmpToken);
        return claimsIds.FirstOrDefault();
    }

Not sure if this helps.

What are you using as the issuer name? The name of the website you set up in IIS? Or the value you entered in the "Site ID" field on the "General configuration" page of the IdentityServer admin section?

Answered 2013-08-30T18:20:01.493