
I have the following code that tries to make an "Issue" request using WIF.

When I run it I get the exception below. Is it possible to request a security token with an Issue request that carries custom claims?

Additional information: ID3257: RequestSecurityToken contains at least one Claim with a Claim value specified but the RequestClaimCollection.Dialect is set to 'urn:custom_namespace:sts:1_0'. The RequestClaimCollection.Dialect must be set to 'http://docs.oasis-open.org/wsfed/authorization/200706/authclaims' for the value to be serialized out.

Code:

// Namespaces the snippet relies on (WIF 1.0, Microsoft.IdentityModel assembly, which this post targets).
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Protocols.WSTrust;

private const string CLAIMS_DIALECT = "urn:custom_namespace:sts:1_0";
private const string REQUEST_CLAIM_TYPE = "urn:custom_namespace:sts:1_0";
private const string REQUEST_CLAIM_VALUE = "urn:oasis:names:tc:SAML2.0:consent:current-explicit";

// STS_URL, APPLIES_TO_URL, the certificate subject names, GetCertificateBySubjectName and
// BuildSecurityTokenElementFromInput are defined elsewhere in the original project.

public System.IdentityModel.Tokens.SecurityToken RequestSecurityToken(string input)
{
    // Accepts any TLS server certificate for the whole process; fine for a local test STS,
    // but it disables transport authentication and must not ship.
    ServicePointManager.ServerCertificateValidationCallback = ((sender, certificate, chain, sslPolicyErrors) => true);

    // HTTPS for the transport, client certificate inside the message for authentication.
    WS2007HttpBinding binding = new WS2007HttpBinding();
    binding.Security.Mode = SecurityMode.TransportWithMessageCredential;
    binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;

    var trustChannelFactory = new WSTrustChannelFactory(binding, new EndpointAddress(new Uri(STS_URL)));
    trustChannelFactory.TrustVersion = TrustVersion.WSTrust13;

    trustChannelFactory.Credentials.ClientCertificate.Certificate = GetCertificateBySubjectName(LOCALHOST_CERTIFICATE_SUBJECT_NAME);
    trustChannelFactory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust;
    // Revocation is not checked for the STS certificate either.
    trustChannelFactory.Credentials.ServiceCertificate.Authentication.RevocationMode = X509RevocationMode.NoCheck;

    try
    {
        RequestSecurityToken rst = new RequestSecurityToken();

        // Relying party the token is issued for, identified by its certificate so the STS can encrypt to it.
        rst.AppliesTo = new EndpointAddress(new Uri(APPLIES_TO_URL), new X509CertificateEndpointIdentity(GetCertificateBySubjectName(LOGON_SERVICE_CERTIFICATE_SUBJECT_NAME)));
        rst.ActAs = BuildSecurityTokenElementFromInput(input);
        rst.RequestType = RequestTypes.Issue;
        rst.Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddMinutes(5));

        // Requested claims. The dialect set here is what the ID3257 exception complains about:
        // a RequestClaim with a Value is only serialized under the authclaims dialect.
        rst.Claims.Dialect = CLAIMS_DIALECT;
        var requestClaim = new RequestClaim(REQUEST_CLAIM_TYPE, false, REQUEST_CLAIM_VALUE);
        rst.Claims.Add(requestClaim);

        WSTrustChannel channel = (WSTrustChannel)trustChannelFactory.CreateChannel();

        RequestSecurityTokenResponse rstr = null;

        return channel.Issue(rst, out rstr);
    }
    finally
    {
        trustChannelFactory.Close();
    }
}

2 Answers


You want to add requested claims to the RequestSecurityToken. That means the STS should issue a token carrying specific claims. Basically it is not required, but if you are sure you need it, you have to set the dialect. That is true.

Answered 2014-08-01T07:13:13.213
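As an added example (not code from the question or from either answer), the snippet below reproduces the ID3257 failure offline and shows the two request shapes the message itself allows: the authclaims dialect with a claim value, or a custom dialect with a type-only claim. It runs the same WS-Trust 1.3 request serializer the channel uses, so nothing is sent to an STS. It targets the .NET 4.5 System.IdentityModel.Protocols.WSTrust API rather than the Microsoft.IdentityModel assembly the question uses, and the relying-party URL is a placeholder; the claim type and value are the ones from the question.

```csharp
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.Text;
using System.Xml;

// Added example, not part of the original post. Assumes .NET 4.5 WIF
// (System.IdentityModel.Protocols.WSTrust); the AppliesTo URL is a placeholder.
public static class RstClaimsDialectDemo
{
    // The dialect the ID3257 message names as the only one under which a
    // RequestClaim's Value is written to the wire.
    public const string AuthClaimsDialect =
        "http://docs.oasis-open.org/wsfed/authorization/200706/authclaims";

    // The custom dialect and claim from the question.
    public const string CustomDialect = "urn:custom_namespace:sts:1_0";
    public const string ClaimType = "urn:custom_namespace:sts:1_0";
    public const string ClaimValue = "urn:oasis:names:tc:SAML2.0:consent:current-explicit";

    public static RequestSecurityToken BuildIssueRequest(string dialect, string claimType, string claimValue)
    {
        var rst = new RequestSecurityToken(RequestTypes.Issue)
        {
            AppliesTo = new EndpointReference("https://rp.example.org/"), // placeholder relying party
            Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddMinutes(5)),
        };
        rst.Claims.Dialect = dialect;
        // A claim without a value is a bare type reference; that form serializes under any dialect.
        rst.Claims.Add(claimValue == null
            ? new RequestClaim(claimType, false)
            : new RequestClaim(claimType, false, claimValue));
        return rst;
    }

    // Serialize the RST with the serializer WSTrustChannel uses, so the dialect check
    // fails here rather than inside the network call, and the <Claims> element can be inspected.
    public static string Serialize(RequestSecurityToken rst)
    {
        var sb = new StringBuilder();
        var settings = new XmlWriterSettings { Indent = true, OmitXmlDeclaration = true };
        using (var writer = XmlWriter.Create(sb, settings))
        {
            new WSTrust13RequestSerializer().WriteXml(rst, writer, new WSTrustSerializationContext());
        }
        return sb.ToString();
    }

    public static void Main()
    {
        // 1. Custom dialect plus a value: the request the question sends; the serializer rejects it.
        try
        {
            Serialize(BuildIssueRequest(CustomDialect, ClaimType, ClaimValue));
        }
        catch (Exception ex)
        {
            Console.WriteLine("custom dialect + value: " + ex.Message);
        }

        // 2. authclaims dialect plus a value: serializes, and the Value reaches the STS.
        Console.WriteLine(Serialize(BuildIssueRequest(AuthClaimsDialect, ClaimType, ClaimValue)));

        // 3. Custom dialect, type only: serializes, but the STS sees just the claim type.
        Console.WriteLine(Serialize(BuildIssueRequest(CustomDialect, ClaimType, null)));
    }
}
```

Which of the two working shapes is right depends on the STS: a custom dialect only helps if the STS parses it, and a value under the authclaims dialect only helps if the STS honours values at all. Serializing locally first separates a client-side serialization refusal from an STS-side rejection, which otherwise both surface as a failed Issue call.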

I'm not sure you need to change rst.Claims.Dialect to make this work. What happens if you leave it at the default?

Answered 2011-04-27T21:18:57.983