I have to write a .NET WCF service that relies on SAML2 tokens issued by WSO2 Identity Server. Everything in wst:SecondaryParameters (e.g. the claims) has to be validated by the WSO2 Security Token Service. I cannot get this to work, because WSO2 seems to ignore the secondary parameters. If I request the claims directly under RequestSecurityToken, they are validated correctly in the RSTR.
Here is a sample RST I created with SoapUI for testing purposes:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header/>
<soap:Body>
<wst:RequestSecurityToken xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
<wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
<wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType>
<wsp:AppliesTo>
<wsa:EndpointReference xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
<wsa:Address>https://example.com</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<wst:SecondaryParameters>
<wst:Claims wst:Dialect="http://wso2.org">
<wsid:ClaimType xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" Uri="http://wso2.org/claims/givenname"/>
<wsid:ClaimType xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" Uri="http://wso2.org/claims/emailaddress"/>
<wsid:ClaimType xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" Uri="http://wso2.org/claims/username"/>
</wst:Claims>
</wst:SecondaryParameters>
</wst:RequestSecurityToken>
</soap:Body>
</soap:Envelope>
...and the RSTR received from the WSO2 STS, which is missing the requested claims:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsu:Timestamp wsu:Id="Timestamp-75" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Created>2021-06-10T09:59:22.813Z</wsu:Created>
<wsu:Expires>2021-06-10T10:04:22.813Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<wst:RequestSecurityTokenResponseCollection xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<wst:RequestSecurityTokenResponse>
<wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
<wst:RequestedAttachedReference>
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Reference URI="#urn:uuid:EB6235F9B55E496D821623319162707" ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
</wsse:SecurityTokenReference>
</wst:RequestedAttachedReference>
<wst:RequestedUnattachedReference>
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Reference URI="urn:uuid:EB6235F9B55E496D821623319162707" ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
</wsse:SecurityTokenReference>
</wst:RequestedUnattachedReference>
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
<wsa:Address>https://example.com</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<wst:Lifetime>
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2021-06-10T09:59:22.703Z</wsu:Created>
<wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2021-06-10T10:04:22.703Z</wsu:Expires>
</wst:Lifetime>
<wst:RequestedSecurityToken>
<saml2:Assertion ID="urn:uuid:EB6235F9B55E496D821623319162707" IssueInstant="2021-06-10T09:59:22.703Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Issuer>https://sts.example.com</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#urn:uuid:EB6235F9B55E496D821623319162707">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>Ty9kARjgU99DnLmK5g8UQeP0ekM=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>RPZEPn9oJeQLKE/Fk0jqRUaTnlOvpwcL6iuPKnSi0MbUNf6sbZBC1jmrz8YfLm5XYUpfxQTXv7Xm
9Ck5B61dXevke/MiiZhHViSGeRhumPyLmNGTyMTZMuKEUs/J+xAtjCOgGM7vo6QfILooYfGMBoP+
u22ITTyjiTDwShTGaj9E54FvtO3AAjA27LDNZu2gM8eDdNKKvS6wfq32WVsoNBRaJ3sjC0fshlp7
eBljJhovQ7/Ll8/4PeriaQtXagp9Xsn56nEW8iEBzFQUg9ViVqnr5Jk5GhfbfhXOYRTmZvDBFdRO
r9D4bH97BGbkmRH4+Ha0AtpjO2JdSaPIBQq61Q==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDYDCCAkigAwIBAgIEDUzx7TANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJMSzELMAkGA1UE...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">testuser</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
</saml2:Subject>
<saml2:Conditions NotBefore="2021-06-10T09:59:22.703Z" NotOnOrAfter="2021-06-10T10:04:22.703Z">
<saml2:AudienceRestriction>
<saml2:Audience>https://example.com</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2021-06-10T09:59:22.754Z">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse>
</wst:RequestSecurityTokenResponseCollection>
</soapenv:Body>
</soapenv:Envelope>
How do I correctly request the secondary parameters specified in WS-Trust 1.4 from the WSO2 STS?
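The following is an added example, not code from the question or from WSO2, that turns the RST/RSTR comparison above into a repeatable check: it lists the claim URIs requested in each placement (directly under wst:RequestSecurityToken versus under wst:SecondaryParameters), diffs them against the saml2:Attribute names that actually came back in the assertion, and rewrites an RST so the wst:Claims element sits directly under the RST, which is the placement the question reports WSO2 honours. The sample RST is trimmed from the one in the question; the sample RSTR is constructed and, unlike the real response above, carries one AttributeStatement so the diff has something on both sides. The function names are my own.

```python
# Added example (not from the question or from WSO2): inspect a WS-Trust 1.4
# RST/RSTR pair to see where claims were requested and which ones came back.
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSID = "http://schemas.xmlsoap.org/ws/2005/05/identity"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS = {"wst": WST, "wsid": WSID, "saml2": SAML2, "soap": SOAP}
for prefix, uri in NS.items():          # keep readable prefixes when re-serialising
    ET.register_namespace(prefix, uri)

# Constructed sample RST, trimmed from the question's: Claims under SecondaryParameters.
SAMPLE_RST = f"""<soap:Envelope xmlns:soap="{SOAP}"><soap:Body>
<wst:RequestSecurityToken xmlns:wst="{WST}" xmlns:wsid="{WSID}">
  <wst:RequestType>{WST}/Issue</wst:RequestType>
  <wst:SecondaryParameters>
    <wst:Claims wst:Dialect="http://wso2.org">
      <wsid:ClaimType Uri="http://wso2.org/claims/givenname"/>
      <wsid:ClaimType Uri="http://wso2.org/claims/emailaddress"/>
      <wsid:ClaimType Uri="http://wso2.org/claims/username"/>
    </wst:Claims>
  </wst:SecondaryParameters>
</wst:RequestSecurityToken></soap:Body></soap:Envelope>"""

# Constructed sample RSTR: unlike the question's response it carries one
# AttributeStatement, so the diff below reports a partial result.
SAMPLE_RSTR = f"""<soap:Envelope xmlns:soap="{SOAP}"><soap:Body>
<wst:RequestSecurityTokenResponseCollection xmlns:wst="{WST}">
 <wst:RequestSecurityTokenResponse><wst:RequestedSecurityToken>
  <saml2:Assertion xmlns:saml2="{SAML2}" ID="_a1" Version="2.0">
   <saml2:AttributeStatement>
    <saml2:Attribute Name="http://wso2.org/claims/emailaddress">
     <saml2:AttributeValue>testuser@example.com</saml2:AttributeValue>
    </saml2:Attribute>
   </saml2:AttributeStatement>
  </saml2:Assertion>
 </wst:RequestedSecurityToken></wst:RequestSecurityTokenResponse>
</wst:RequestSecurityTokenResponseCollection></soap:Body></soap:Envelope>"""


def _rst(root):
    rst = root.find(".//wst:RequestSecurityToken", NS)
    if rst is None:
        raise ValueError("no wst:RequestSecurityToken in message")
    return rst


def requested_claims(rst_xml):
    """Return {'direct': [...], 'secondary': [...]} claim URIs grouped by placement."""
    rst = _rst(ET.fromstring(rst_xml))
    return {
        "direct": [c.get("Uri") for c in rst.findall("wst:Claims/wsid:ClaimType", NS)],
        "secondary": [c.get("Uri") for c in
                      rst.findall("wst:SecondaryParameters/wst:Claims/wsid:ClaimType", NS)],
    }


def hoist_secondary_claims(rst_xml):
    """Move wst:Claims out of wst:SecondaryParameters to be a direct child of the
    RST (the placement the question reports WSO2 honours). Returns rewritten XML."""
    root = ET.fromstring(rst_xml)
    rst = _rst(root)
    secondary = rst.find("wst:SecondaryParameters", NS)
    if secondary is None:
        return rst_xml
    for claims in secondary.findall("wst:Claims", NS):
        secondary.remove(claims)
        rst.append(claims)      # Dialect attribute and ClaimType children move with it
    if len(secondary) == 0:     # drop the now-empty wrapper
        rst.remove(secondary)
    return ET.tostring(root, encoding="unicode")


def issued_attributes(rstr_xml):
    """Attribute names present in the issued SAML 2.0 assertion(s) of an RSTR."""
    root = ET.fromstring(rstr_xml)
    return {a.get("Name") for a in
            root.findall(".//saml2:AttributeStatement/saml2:Attribute", NS)}


def missing_claims(rst_xml, rstr_xml):
    """Requested claim URIs (either placement) that the STS did not return."""
    req = requested_claims(rst_xml)
    wanted = set(req["direct"]) | set(req["secondary"])
    return sorted(wanted - issued_attributes(rstr_xml))


if __name__ == "__main__":
    print(requested_claims(SAMPLE_RST))
    print(missing_claims(SAMPLE_RST, SAMPLE_RSTR))
    print(requested_claims(hoist_secondary_claims(SAMPLE_RST)))
```

Two caveats for real use: the check only tells you which attributes are present, it does not verify the ds:Signature over the assertion, so run it after signature, audience and NotOnOrAfter validation, not instead of it; and the stdlib parser is fine for messages you captured yourself, but for SOAP coming from an untrusted peer parse with defusedxml instead.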