情况是这样的:
- 我有一个来自 STS 的安全令牌,格式为 a
GenericXmlSecurityToken(我也有它的 SAML 断言元素)。 - 我需要使用此安全令牌来调用第 3 方服务,该服务除了
WS2007FederationHttpBinding可以执行的操作外,还需要在请求中添加一些额外内容。 - 实际的 SOAP 请求,除了 SOAP 安全标头中的 SAML 断言元素外,还必须包含签名元素(来自 namespace
http://www.w3.org/2000/09/xmldsig#),它对时间戳元素和带有 SAML 断言的主体元素进行签名。 WS2007FederationHttpBinding,以及许多自定义绑定变体无法在具有值类型的签名中包含键引用元素http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID(因此,SAML 断言)。- 我能从它们中得到的最多(via
ProtectTokens= true)是一个签名的 SAML 断言元素,但仅此而已。
基本上,我需要在请求中得到的是:
<soapenv:Header>
<wsse:Security>
<saml:Assertion="" AssertionID = "ID_56eecf2a-a143-4ec9-ab85-479d8602122f">
...
</saml:Assertion>
<WSU:Timestamp>
...
</WSU:Timestamp>
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="#rsa-sha1"/>
<!--Body signature-->
<ds:Reference URI="#id">
<ds:Transforms>
< ds: Transform Algorithm = "xml-exc-c14n #" />
</ds:Transforms>
<ds:DigestMethod Algorithm="#sha1"/>
<ds:DigestValue >
di3JiPJM90D3P62ChO1d4Sy12 + 4 =
</ds:DigestValue DigestValue>
</ds:Reference>
<!--Timestamp element signature-->
<ds:Reference URI = "#Timestamp" >
<ds:Transforms>
<ds:Transform Algorithm = "xml-exc-c14n #" />
</ds:Transforms>
<ds:DigestMethod Algorithm="#sha1"/>
< ds:DigestValue>C+GkwwH5RuXocsD0iphwUvmQpj0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>kq+FG6qqdx...==</ds:SignatureValue>
<!--Key reference, pointing back to the SAML assertion element-->
<!--This is the actual problem. Didn't manage to add this at all.-->
<ds:KeyInfo>
<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0 #SAMLAssertionID">
ID_56eecf2a-a143-4ec9-ab85-479d8602122f</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="id">
...
</soapenv:Body>
但是,我不知道如何配置WS2007FederationHttpBinding(或自定义绑定)以添加签名。
我现在正在使用的内容:
/**
*
* Federation binding stuff
*
*/
var federationBinding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
federationBinding.Security.Message.EstablishSecurityContext = false;
federationBinding.Security.Message.IssuedKeyType = SecurityKeyType.AsymmetricKey;
federationBinding.Security.Message.NegotiateServiceCredential = false;
federationBinding.Security.Message.IssuedTokenType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID";
federationBinding.Security.Message.AlgorithmSuite = SecurityAlgorithmSuite.Basic256;
/**
*
* Custom binding, the one actually used by the channel
*
*/
var binding = new CustomBinding(federationBinding.CreateBindingElements());
binding.Elements.Remove(binding.Elements.FirstOrDefault(i => i is TextMessageEncodingBindingElement));
var messageSecurity = (TransportSecurityBindingElement)binding.Elements.FirstOrDefault(i => i is TransportSecurityBindingElement);
//Remove it, I add another one later
binding.Elements.Remove(messageSecurity);
//Security element configuration
var secBinding = new AsymmetricSecurityBindingElement()
{
MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10,
ProtectTokens = true,
SecurityHeaderLayout = SecurityHeaderLayout.Lax,
IncludeTimestamp = true,
EnableUnsecuredResponse = true,
DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256
};
secBinding.InitiatorTokenParameters = new IssuedSecurityTokenParameters(
"http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID");
secBinding.RecipientTokenParameters = new IssuedSecurityTokenParameters(
"http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID");
secBinding.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
除此之外,我还尝试使用 a TransportSecurityBindingElement,结果相同:我可以在请求中获取令牌,但不能获取签名。
欢迎任何关于此的想法/提示。