How to validate a SAML 2.0 assertion in an interoperable WCF service

Published 2024-10-28 20:56:37 · 5988 characters · 3 views · 0 comments

I've been scratching my eyes out for a couple of days now trying to get my WCF service to validate a simple SAML2 assertion. I'm testing it with an Axis2 client, but it should support Java, C++, etc., too.

I only want to do a few validations on the token:
1. Certificate issuer (from a list of valid issuers)
2. Certificate date
3. Audience URL

So I should be able to do a custom certificate validation. The certificate is not known on the server, it is part of the SAML assertion.
This is the SAML assertion used:

<saml:Assertion Version="2.0" IssueInstant="2011-03-29T09:44:41Z" ID="_7d8e48d69047d3c3da278b33b8f13485" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>demo.com</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_7d8e48d69047d3c3da278b33b8f13485">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces PrefixList="ds saml" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>SsVSD3gENtKpZTjJBHNovQVXa4o=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>Mn+FNBrlyWz5nDBViB1+jNnwL/QDAtE0uxgNT/fi6O+e2/eeXggsPYPSQYwv+EeC 8h9lcJ5nzVKknrO2Ny4Ob3UsrmH3YQdj0iaCABb0EMC8tFV1M1taD4USLscUhucd hTl2WQEj/rgCtHzratkBXOlmumTUu+ra8P/1Aef0oO0=</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:KeyName>demo.com</ds:KeyName>
      <ds:X509Data>
        <ds:X509SubjectName>[email protected],CN=demo.com,OU=Development,O=demo,ST=Utrecht,C=NL</ds:X509SubjectName>
        <ds:X509Certificate>MI ... mQ= </ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml:Subject>
    <saml:NameID SPProvidedID="lipse" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">lipse</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml:Subject>
  <saml:Conditions NotOnOrAfter="2011-03-29T09:54:40Z" NotBefore="2011-03-29T09:44:40Z">
    <saml:AudienceRestriction>
      <saml:Audience>http://blabla</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>

I tried the wsHttpBinding, wsFederationHttpBinding, ws2007FederationHttpBinding, even a customBinding. With or without WIF? I don't know anymore.

I'm currently struggling with this error:

SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 2,
Clause[0] = KeyNameIdentifierClause(KeyName = 'risdemo.delftdi.com'),
Clause[1] = X509RawDataKeyIdentifierClause(RawData = MI....mQ=)
)
'. Ensure that the SecurityTokenResolver is populated with the required key.

My Binding:

<wsHttpBinding>
    <binding name="_HTTP">
      <security mode="Message">
        <transport clientCredentialType="None" proxyCredentialType="None" />
        <message clientCredentialType="IssuedToken" negotiateServiceCredential="False"
          establishSecurityContext="False"/>
      </security>
    </binding>
</wsHttpBinding>

ServiceCredentials:

<serviceCredentials>
  <issuedTokenAuthentication allowUntrustedRsaIssuers="true" revocationMode="NoCheck" certificateValidationMode="Custom" customCertificateValidatorType="ServiceHostConsole.CustomX509CertificateValidator, ServiceHostConsole">
    <allowedAudienceUris>
      <add allowedAudienceUri="http://blabla"/>
    </allowedAudienceUris>
  </issuedTokenAuthentication>
  <serviceCertificate findValue="e216aeacff5fac720708e5a1966f220cc8b4ce94"
    storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
</serviceCredentials>

WIF:

<microsoft.identityModel>
  <service>
    <audienceUris>
      <add value="http://blabla"/>
    </audienceUris>
    <securityTokenHandlers>
      <clear />
      <add type="ServiceHostConsole.myHandler, ServiceHostConsole"></add>
      <!-- <securityTokenHandlerConfiguration saveBootstrapTokens="false">
        <issuerTokenResolver type="ServiceHostConsole.CustomTokenResolver, ServiceHostConsole"/>
        <certificateValidation>
          <certificateValidator type="ServiceHostConsole.CustomX509CertificateValidator, ServiceHostConsole"/>
        </certificateValidation>
        <issuerNameRegistry type="ServiceHostConsole.SimpleIssuerRegistery, ServiceHostConsole">
        </issuerNameRegistry>
        <tokenReplayDetection enabled="false"></tokenReplayDetection>
        <audienceUris mode="Always">
          <add value="http://blabla"/>
        </audienceUris>
      </securityTokenHandlerConfiguration> -->
    </securityTokenHandlers>
    <!-- <issuerTokenResolver type="ServiceHostConsole.CustomTokenResolver, ServiceHostConsole"/> -->
    <certificateValidation certificateValidationMode="None" revocationMode="NoCheck">
      <certificateValidator type="ServiceHostConsole.CustomX509CertificateValidator, ServiceHostConsole" />
    </certificateValidation>
  </service>
</microsoft.identityModel>

I'd really like to override the certificate validation, like on this page: http://msdn.microsoft.com/en-us/library/ms733806.aspx.
But I can't seem to get it working; none of the possible custom validations hits the overridden Validate() function.

Is there anyone who can at least give me a direction, please?

Thanks in advance!

Regards,

Dirco
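A validator of the kind the question is trying to reach, added here as an example and not code from the poster: it implements checks 1 and 2 from the list above as an X509CertificateValidator override whose type name matches the customCertificateValidatorType in the serviceCredentials config; the allow-listed issuer DN and the five-minute skew are constructed placeholders. Audience (check 3) is not a certificate property, so it stays with allowedAudienceUris.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

namespace ServiceHostConsole
{
    // Matches the type name referenced by customCertificateValidatorType in
    // the question's <issuedTokenAuthentication> config. WCF hands it the
    // certificate carried in the assertion's <ds:X509Certificate>.
    public class CustomX509CertificateValidator : X509CertificateValidator
    {
        // Constructed allow-list of issuer DNs (placeholder values); load the
        // real list from configuration. A thumbprint pin would be stricter still.
        private static readonly HashSet<string> AllowedIssuers =
            new HashSet<string>(StringComparer.OrdinalIgnoreCase)
            {
                "CN=demo.com, OU=Development, O=demo, ST=Utrecht, C=NL",
            };

        // Clock skew tolerated between the token issuer and this service.
        private static readonly TimeSpan Skew = TimeSpan.FromMinutes(5);

        public override void Validate(X509Certificate2 certificate)
        {
            if (certificate == null)
                throw new ArgumentNullException("certificate");

            // 1. Issuer: compare the whole DN as .NET renders it, not only CN,
            //    so a certificate from another CA with the same CN is rejected.
            if (!AllowedIssuers.Contains(certificate.Issuer))
                throw new SecurityTokenValidationException(
                    "Untrusted certificate issuer: " + certificate.Issuer);

            // 2. Validity window, evaluated in UTC.
            DateTime now = DateTime.UtcNow;
            if (now < certificate.NotBefore.ToUniversalTime() - Skew ||
                now > certificate.NotAfter.ToUniversalTime() + Skew)
                throw new SecurityTokenValidationException(
                    "Certificate is outside its validity period.");

            // 3. Audience is not a certificate property: WCF enforces it from
            //    <allowedAudienceUris> against <saml:AudienceRestriction>.
        }
    }
}
```

ID4037 is raised while the signing key is being resolved, before the certificate validator is consulted, which is consistent with Validate() never being hit; the resolver has to find the embedded certificate before this class gets to run.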

Comments (1)

淤浪 2024-11-04 20:56:37

Out of the box WIF validations don't work? On the surface, it looks like WIF should do all these without any customizations/extensions. Check the WIF SDK samples or the Web Services samples here.
