What exactly do the different SAML token validation calls do?
I am trying to validate a SAML token that was created by our WIF-based custom STS inside a REST web service.
There are a couple of functions to do validation. One is SecurityTokenHandlerCollection.ValidateToken() and another is SamlSecurityTokenAuthenticator.ValidateToken().
Unfortunately the online Microsoft MSDN help for these classes and functions is worthless and does not describe at all what it is these functions are doing.
What are these functions validating and how are they doing it? What are the differences between them? Are they automatically looking up the certificate in the Windows Certificate Store to check the signature of the token, and validating the encrypted credentials object? Because I don't pass a certificate name in anywhere. Or are there other manual operations I need to do myself to validate the token?
I realize one returns a ClaimsIdentityCollection and the other returns a collection of IAuthorizationPolicy objects. But is that the only difference? I can't tell.
I can find plenty of information out on the web about the STS and claims and even validating claims, which I am doing successfully, but I can hardly find any information on validating the token itself to make sure it is one I created.
Comments (1)
In most cases you don't need to worry about the token validation details. All this is taken care of for you by WIF.
But if you really want to know, the best source of information is Vittorio's book: http://www.amazon.com/Programming-Windows%C2%AE-Identity-Foundation-Dev/dp/0735627185
There are some details here: http://msdn.microsoft.com/en-us/library/ff359114.aspx
Another good way of learning is by looking at the extensions built to handle non-SAML tokens (e.g. SWT). Download the samples here and look for the REST services.
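As an added example (not code from the question or the answer), this is the handler configuration that decides what SecurityTokenHandlerCollection.ValidateToken actually checks in WIF 3.5 (Microsoft.IdentityModel): audience, trusted issuer, decryption key and clock skew. The audience URI, the STS name and the thumbprint are placeholders, and the decryption certificate is left for the caller to supply.

```csharp
// Added example, not from the question or the answer: ValidateToken verifies the
// signature, the issuer, the audience and the validity window, but only against
// what is configured here. The URI, STS name and thumbprint are placeholders.
using System;
using System.Collections.ObjectModel;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Xml;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Tokens;

public static class SamlTokenValidation
{
    public static ClaimsIdentityCollection Validate(string samlTokenXml, X509Certificate2 decryptionCert)
    {
        SecurityTokenHandlerCollection handlers =
            SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
        SecurityTokenHandlerConfiguration config = handlers.Configuration;

        // Audience: a token minted for another relying party must not be accepted here.
        config.AudienceRestriction.AudienceMode = AudienceUriMode.Always;
        config.AudienceRestriction.AllowedAudienceUris.Add(new Uri("https://rest.example.com/api")); // placeholder

        // Issuer: the handler checks the XML signature with the key named in the token's KeyInfo,
        // then asks this registry whether that certificate belongs to a trusted STS. A valid
        // signature from any certificate not registered here is rejected.
        var issuers = new ConfigurationBasedIssuerNameRegistry();
        issuers.AddTrustedIssuer("<STS-SIGNING-CERT-THUMBPRINT>", "https://sts.example.com"); // placeholders
        config.IssuerNameRegistry = issuers;

        // Decryption: an encrypted assertion needs the service's private key, supplied through a
        // token resolver; nothing is looked up in the Windows store unless you configure it.
        config.ServiceTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
            new ReadOnlyCollection<SecurityToken>(new SecurityToken[] { new X509SecurityToken(decryptionCert) }),
            false);
        // Validity window (NotBefore / NotOnOrAfter) is enforced with this much tolerance.
        config.MaxClockSkew = TimeSpan.FromMinutes(5);

        using (XmlReader reader = XmlReader.Create(new StringReader(samlTokenXml)))
        {
            SecurityToken token = handlers.ReadToken(reader); // SAML 1.1 or 2.0 assertion
            // Throws a SecurityTokenException (bad signature, untrusted issuer, wrong audience,
            // expired) rather than returning null; deny the request on any exception.
            return handlers.ValidateToken(token);
        }
    }
}
```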