0

目前,我可以通过首先通过 WS-Trust 端点使用证书凭证从 STS 建立安全令牌,然后在通道工厂上调用 CreateChannelWithIssuedToken() 来建立带有 IssuedToken 的 WCF 通道。请参阅如何使用 Thinktecture IdentityServer 指定证书作为 wsTrustChannel 的凭据

但是,不要这样做:

var securityToken = GetMeASecurityTokenFromTheSts();
var myServiceChannelFactory = new ChannelFactory<IMyService>();
myServiceChannelFactory.CreateChannelWithIssuedToken(securityToken);

理想情况下,我只想这样做(并让安全令牌的颁发者根据传递的证书自动颁发令牌)。

var myClient = new MyServiceClient();

我的问题是 - 可以像下面这样配置绑定来指定 ThinkTecture IdentityServer STS 是安全令牌的颁发者吗?

<bindings>
  <ws2007FederationHttpBinding>
    <binding name="WS2007FederationHttpBinding">
      <security mode="TransportWithMessageCredential">
        <message issuedKeyType="BearerKey" issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
          <issuer address="https://mymachine/myidserver/issue/wstrust/mixed/certificate">
            <identity>
              <certificateReference storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" findValue="XXXXXXXXXXXXXXXXXXXXXXXXX"/>
            </identity>
          </issuer>
          <issuerMetadata address="https://mymachine/myidserver/FederationMetadata/2007-06/FederationMetadata.xml" />
          <tokenRequestParameters>
            <trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
              <trust:TokenType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</trust:TokenType>
              <trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
              <trust:Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity"
                xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                <wsid:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
                  xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" />
              </trust:Claims>
              <trust:CanonicalizationAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
              <trust:EncryptionAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
            </trust:SecondaryParameters>
          </tokenRequestParameters>
        </message>
      </security>
    </binding>
  </ws2007FederationHttpBinding>
</bindings>

如果是这样 - 我在配置这部分绑定时遇到了很多麻烦:

<issuer address="https://mymachine/myidserver/issue/wstrust/mixed/certificate">
    <identity>
        <certificateReference storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" findValue="XXXXXXXXXXXXXXXXXXXXXXXXX"/>
    </identity>
</issuer>

我的主要困惑是:issuer config 元素似乎将绑定、行为和端点都封装在一个元素中。可以配置绑定 - 显然必须配置,因为上面的 issuer 元素抱怨没有配置绑定。但是如何为颁发者通道指定 SSL 证书,因为这是一个行为配置,并且似乎没有任何方法可以为颁发者端点设置行为。

4

2 回答 2

1

使用仅配置方法确实存在将令牌生命周期绑定到代理生命周期的问题。此外,您在 IdentityServer 中配置的领域 (appliesTo) 必须与 WCF 服务的物理 URL 相匹配。两者都不实用,更推荐使用“手动” WSTrustChannelFactory 方法。

也就是说 - svcutil(或“添加服务参考”)为您创建所有必要的客户端配置。您只需要确保在 WCF 服务配置中指向 IdentityServer 的 MEX 端点,例如:

<bindings>
      <ws2007FederationHttpBinding>
        <binding>
          <security mode="TransportWithMessageCredential">
            <message establishSecurityContext="false"
                     issuedKeyType="BearerKey">
              <issuerMetadata address="https://identity.thinktecture.com/idsrvsample/issue/wstrust/mex" />
            </message>
          </security>
        </binding>
      </ws2007FederationHttpBinding>
    </bindings>

https://github.com/thinktecture/Thinktecture.IdentityServer.v2/blob/master/samples/MVC%20and%20WCF%20RP%20(SAML)/Web/Web.config

...顺便说一句,MEF 问题已解决。

于 2014-03-17T17:14:58.043 回答
0

您可以为颁发者设置绑定配置。证书的使用将在 MyServiceClient 行为中设置。我没有测试过这个配置,但它可以工作。

这是您修改后的配置

<bindings>
    <ws2007FederationHttpBinding>
        <binding name="WS2007FederationHttpBinding">
            <security mode="TransportWithMessageCredential">
                <message issuedKeyType="BearerKey" issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
                    <issuer address="https://mymachine/myidserver/issue/wstrust/mixed/certificate" binding="ws2007HttpBinding" 
                  bindingConfiguration="issuerBindingConfig">
                    </issuer>
                    <issuerMetadata address="https://mymachine/myidserver/FederationMetadata/2007-06/FederationMetadata.xml" />
                    <tokenRequestParameters>
                        <trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                            <trust:TokenType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</trust:TokenType>
                            <trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
                            <trust:Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity"
            xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                                <wsid:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
              xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" />
                            </trust:Claims>
                            <trust:CanonicalizationAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
                            <trust:EncryptionAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
                        </trust:SecondaryParameters>
                    </tokenRequestParameters>
                </message>
            </security>
        </binding>
    </ws2007FederationHttpBinding>

    <ws2007HttpBinding>
        <!--SWACA RAWS Client authentication binding-->
        <binding name="issuerBindingConfig">
            <security mode="TransportWithMessageCredential">
                <transport clientCredentialType="None" />
                <message clientCredentialType="Certificate" establishSecurityContext="false" />
            </security>
        </binding>
    </ws2007HttpBinding>
</bindings>


<endpointBehaviors>
    <behavior name="MyServiceClient">
        <clientCredentials supportInteractive="false">
            <clientCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" findValue="XXXXXXXXXXXXXXXXXXXXXXXXX" />
        </clientCredentials>
    </behavior>
</endpointBehaviors>

但是请记住,如果您这样做,那么每个new MyServiceClient()人实际上都会从 STS 请求一个令牌。当我们在系统中使用这种方法时,我们在IdentityServer 中遇到了一些MEF 线程安全问题。

于 2014-03-17T08:07:49.917 回答