使用 WIF 反序列化来自 RSTR 令牌的声明
我正在构建自己的 STS,它处理不同类型的协议(WS-Federation、OAuth 等)。我在处理 ADFS 2 发布到我的 STS 的 RSTR 令牌时遇到了困难。
我已成功反序列化声明的代码,但是我必须添加部分 microsoft.identityModel 配置部分才能使其正常工作,并且我需要在受信任的人员存储中添加 ADFS 2 签名证书。
我有自己的配置部分,我在其中指定内容,因此使用 microsoft.identityModel 是多余的。
代码:
var request = System.Web.HttpContext.Current.Request;
var message = SignInResponseMessage.CreateFromFormPost(request) as SignInResponseMessage;
var rstr = new WSFederationSerializer().CreateResponse(message, new WSTrustSerializationContext());
var serviceConfig = new ServiceConfiguration();
IClaimsIdentity claimsIdentity = null;
using (var reader = XmlReader.Create(
new StringReader(rstr.RequestedSecurityToken.SecurityTokenXml.OuterXml)))
{
var token = serviceConfig.SecurityTokenHandlers.ReadToken(reader);
claimsIdentity = serviceConfig.SecurityTokenHandlers.ValidateToken(token).FirstOrDefault();
}
return claimsIdentity;
我想避免的必要配置:
<microsoft.identityModel>
<service>
<audienceUris mode="Never">
</audienceUris>
<issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<trustedIssuers>
<add thumbprint="27d3db77a9716ad370a7e9c632d5b98dcc5b1479" name="https://UrlToAdfs/adfs/ls/" />
</trustedIssuers>
</issuerNameRegistry>
</service>
</microsoft.identityModel>
I am building my own STS which handles different kinds protocols (WS-Federation, OAuth, etc...). I got stuck handling RSTR token which is posted by ADFS 2 to my STS.
The code I have successfully deserializes the claims, however I have to add part of the microsoft.identityModel configuration section in order for it to work and I need to add the ADFS 2 signing certificate in the Trusted People store.
I have my own configuration section where I specify things so using microsoft.identityModel is redundant.
Code:
var request = System.Web.HttpContext.Current.Request;
var message = SignInResponseMessage.CreateFromFormPost(request) as SignInResponseMessage;
var rstr = new WSFederationSerializer().CreateResponse(message, new WSTrustSerializationContext());
var serviceConfig = new ServiceConfiguration();
IClaimsIdentity claimsIdentity = null;
using (var reader = XmlReader.Create(
new StringReader(rstr.RequestedSecurityToken.SecurityTokenXml.OuterXml)))
{
var token = serviceConfig.SecurityTokenHandlers.ReadToken(reader);
claimsIdentity = serviceConfig.SecurityTokenHandlers.ValidateToken(token).FirstOrDefault();
}
return claimsIdentity;
The necessary config that I would like to avoid:
<microsoft.identityModel>
<service>
<audienceUris mode="Never">
</audienceUris>
<issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<trustedIssuers>
<add thumbprint="27d3db77a9716ad370a7e9c632d5b98dcc5b1479" name="https://UrlToAdfs/adfs/ls/" />
</trustedIssuers>
</issuerNameRegistry>
</service>
</microsoft.identityModel>
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
在代码中实现此目的的方法是派生您自己的 IssuerNameRegistry 实现并将其应用到您的 STS:
SecurityTokenService.SecurityTokenServiceConfiguration.IssuerNameRegistry
附带说明一下,您是否检查过 Azure 访问控制服务 (http://acs.codeplex .com/)?
The way you would achieve this in code is by deriving your own IssuerNameRegistry implementation and applying it to your STS here:
SecurityTokenService.SecurityTokenServiceConfiguration.IssuerNameRegistry
On a side note, have you checked out the Azure Access Control Service (http://acs.codeplex.com/)?