我可以禁用请求安全令牌响应的加密并且只管理签名吗?
我正在根据 WIF SDK 的演示创建一个扩展 Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService 的自定义 STS,但我无法设法设置不使用加密。
我可以禁用请求安全令牌响应的加密并且只管理签名吗?
我正在根据 WIF SDK 的演示创建一个扩展 Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService 的自定义 STS,但我无法设法设置不使用加密。
我创建了一个 CustomSecurityHandler 并覆盖了它的 GetEncryptingCredentials 方法,该方法返回 null 值,如下所示,它可以工作:
public class MyCustomSecurityTokenHandler : Saml11SecurityTokenHandler
{
public MyCustomSecurityTokenHandler(): base() {}
protected override EncryptingCredentials GetEncryptingCredentials(SecurityTokenDescriptor tokenDescriptor)
{
return null;
}
}
然后在 SecurityTokenService 类中,我覆盖 GetSecurityTokenHandler 返回之前创建的自定义类:
protected override SecurityTokenHandler GetSecurityTokenHandler(string requestedTokenType)
{
MyCustomSecurityTokenHandler tokenHandler = new MyCustomSecurityTokenHandler();
return tokenHandler;
}
我刚刚在 Visual Studio 中运行了“添加 STS 引用”向导,选择了创建新 STS 的选项。该工具生成的模板确实添加了对令牌加密的支持,但如果没有提供证书,则它被禁用:(我保留了所有默认注释)
protected override Scope GetScope( IClaimsPrincipal principal, RequestSecurityToken request )
{
ValidateAppliesTo( request.AppliesTo );
//
// Note: The signing certificate used by default has a Distinguished name of "CN=STSTestCert",
// and is located in the Personal certificate store of the Local Computer. Before going into production,
// ensure that you change this certificate to a valid CA-issued certificate as appropriate.
//
Scope scope = new Scope( request.AppliesTo.Uri.OriginalString, SecurityTokenServiceConfiguration.SigningCredentials );
string encryptingCertificateName = WebConfigurationManager.AppSettings[ "EncryptingCertificateName" ];
if ( !string.IsNullOrEmpty( encryptingCertificateName ) )
{
// Important note on setting the encrypting credentials.
// In a production deployment, you would need to select a certificate that is specific to the RP that is requesting the token.
// You can examine the 'request' to obtain information to determine the certificate to use.
scope.EncryptingCredentials = new X509EncryptingCredentials( CertificateUtil.GetCertificate( StoreName.My, StoreLocation.LocalMachine, encryptingCertificateName ) );
}
else
{
// If there is no encryption certificate specified, the STS will not perform encryption.
// This will succeed for tokens that are created without keys (BearerTokens) or asymmetric keys.
scope.TokenEncryptionRequired = false;
}
// Set the ReplyTo address for the WS-Federation passive protocol (wreply). This is the address to which responses will be directed.
// In this template, we have chosen to set this to the AppliesToAddress.
scope.ReplyToAddress = scope.AppliesToAddress;
return scope;
}