如何更改 WCF 的 FederationMetadata.xml 文件以进行各种部署?
我们安装的 ADFS 2.0 非常适合我们各种环境中的 MVC 应用程序。我相信它使用“被动身份验证”(我仍在习惯正确的术语) - 如果用户未登录并且 adfs 将用户重定向回我们的 MVC 应用程序,那么它肯定会将用户重定向到我们的 adfs 代理一旦他们登录。
我们现在开始公开一些安全的 Web 服务,并希望利用这个相同的身份验证系统。我的理解是,我想使用 ws2007FederationHttpBinding 作为我的绑定来执行此操作。我相信我的 WCF 的 web.config 已为此进行了所有设置,但我的斗争现在集中在 FederationMetadata.xml 文件上。
查看此文件,我发现一些显然需要更改的内容,例如 entityID="http://localhost/UserServices" 和证书。还有一些东西我不知道它们是什么以及是否需要更改,例如 EntityDescriptor ID="_2b510fe8-98b8...... 和 < ds:SignatureValue>CZe5mEu19/bDNoZrY8f6C559CJ.......。
在哪里可以更好地了解如何针对各种环境管理此文件?我有以下环境托管这些服务,我们将通过某种方式部署这些服务:
- 个人开发人员工作站(目前为 3 个,以后会更多)
- 共享开发环境,供人们根据这些服务编写应用程序,但不一定要修改服务
- QA
- Staging
- 生产(具有不同证书/域/等的 3 个不同环境)
因此,我们有一个相当简化的流程,使用转换和查找/替换某些令牌来管理不同环境中的 web.config 文件,所以我想做同样的事情因此,最终,我所需要的只是了解在为我的各种环境管理此 FederationMetadata.xml 文件时需要进行哪些更改。
我当前的 FederationMetadata.base.xml 文件如下,我相信这是正确的(我只需要名称/角色),我只需要智能地替换各种令牌,例如 ~RootServiceUrlTokenToReplace~,这里:
<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor ID="~EntityDescriptorIdTokenToReplace~" entityID="http://~RootServiceUrlTokenToReplace~" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#~ReferenceURITokenToReplace~">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>~DigestValueTokenToReplace~</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>~SignatureValueTokenToReplace~</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>~CertificateTokenToReplace~</X509Certificate>
</X509Data>
</KeyInfo>
</ds:Signature>
<RoleDescriptor xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="http://schemas.xmlsoap.org/ws/2005/02/trust http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706">
<KeyDescriptor use="encryption">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>~CertificateTokenToReplace~</X509Certificate>
</X509Data>
</KeyInfo>
</KeyDescriptor>
<fed:ClaimTypesRequested>
<auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
<auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
</fed:ClaimTypesRequested>
<fed:TargetScopes>
<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
<Address>http://~RootServiceUrlTokenToReplace~</Address>
</EndpointReference>
</fed:TargetScopes>
<fed:ApplicationServiceEndpoint>
<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
<Address>http://~RootServiceUrlTokenToReplace~</Address>
</EndpointReference>
</fed:ApplicationServiceEndpoint>
</RoleDescriptor>
</EntityDescriptor>
We have an ADFS 2.0 installation that's working well for our MVC apps in our various environments. I believe it uses "passive authentication" (I'm still getting used to the proper terminology) - it definitely is where it redirects the user to our adfs proxy if the user is not logged in and adfs redirects the user back to our MVC app once they are logged in.
We are now beginning to expose some secured web services and want to tap into this same authentication system. My understanding is that I want to use ws2007FederationHttpBinding as my binding to do this. I believe I have my WCF's web.config all setup for this but my struggle is now centered around the FederationMetadata.xml file.
Looking at this file, I see some things that obviously need to change, such as entityID="http://localhost/UserServices" and the certificate. Then there are some things that I have no clue what they are and if they need to change or not, such as EntityDescriptor ID="_2b510fe8-98b8...... and <ds:SignatureValue>CZe5mEu19/bDNoZrY8f6C559CJ........
Where can I get a better understanding on how I should be managing this file for my various environments? I have the following environments hosting these services that we'll be deploying to one way or another:
- Individual developer workstations (3x for now, more later)
- A shared Dev environment for people writing apps against these services but not necessarily modifying the services
- QA
- Staging
- Production (3 different environments with different certs/domains/etc.)
As such, we have a fairly streamlined process in place managing our web.config files in the different environments using transforms and finding/replacing certain tokens, so I'd like to do the same thing with this xml file. So ultimately, all I'm looking for is some understanding in what changes are necessary when managing this FederationMetadata.xml file for my various environments.
My current FederationMetadata.base.xml file is below and I BELIEVE this is about right (I just need names/roles) and I just need to intelligently replace the various tokens, such as ~RootServiceUrlTokenToReplace~, in here:
<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor ID="~EntityDescriptorIdTokenToReplace~" entityID="http://~RootServiceUrlTokenToReplace~" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#~ReferenceURITokenToReplace~">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>~DigestValueTokenToReplace~</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>~SignatureValueTokenToReplace~</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>~CertificateTokenToReplace~</X509Certificate>
</X509Data>
</KeyInfo>
</ds:Signature>
<RoleDescriptor xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="http://schemas.xmlsoap.org/ws/2005/02/trust http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706">
<KeyDescriptor use="encryption">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>~CertificateTokenToReplace~</X509Certificate>
</X509Data>
</KeyInfo>
</KeyDescriptor>
<fed:ClaimTypesRequested>
<auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
<auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
</fed:ClaimTypesRequested>
<fed:TargetScopes>
<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
<Address>http://~RootServiceUrlTokenToReplace~</Address>
</EndpointReference>
</fed:TargetScopes>
<fed:ApplicationServiceEndpoint>
<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
<Address>http://~RootServiceUrlTokenToReplace~</Address>
</EndpointReference>
</fed:ApplicationServiceEndpoint>
</RoleDescriptor>
</EntityDescriptor>
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
基于 WIF 的应用程序的
FederationMetadata.xml与其提供的基于声明的 Web 服务无关。(指向的 URL)
FederationMetadata.xml由 AD FS 使用,以自动更新要在依赖方信任中使用的信息。例如,AD FS 可以定期查询此 URL,并相应地更新依赖方信任信息。有关 Web 服务(基于声明或其他方式)的信息(即其元数据)作为 WSDL 文档发布。在基于 WCF 的服务中,该 URL 通常如下所示: http://myhost .example.com/appName/serviceName.svc?wsdl。该 WSDL 文档通常不作为物理文件存在,而是由 WCF 自动生成。
A WIF-based application's
FederationMetadata.xmlis not related to the claims-based web services it offers.(A URL pointing to)
FederationMetadata.xmlis used by AD FS, to automatically update the information to be used in a Relying Party Trust. AD FS can for example regularly query this URL, and update the Relying Party Trust information accordingly.The information about a web service (claims-based or otherwise), i.e., its metadata, is published as a WSDL document. In a WCF-based service this is a URL that often looks like this: http://myhost.example.com/appName/serviceName.svc?wsdl. That WSDL document often does not exist as a physical file, but is automatically generated by WCF.
我找到了我的问题的部分答案在此博客文章。我正在进一步研究它,看看这是否能回答我所有的问题。我刚刚找到了。显然,当我将其重新部署到不同的环境时,我确实需要更改我的 EntityID(包含 URL),但 SignatureValue 包含该 URL 的哈希值(以及其他内容?),因此通过修改 URL,我使 SignatureValue 无效,并且需要被重生。显然这FederationMetadata Generator 可以帮助我解决这个问题。
I have found a partial answer to my question in this blog post. I'm looking into it more to discover whether or not this answers all of my questions. I just found it. Apparently I do need to change my EntityID (that contains the URL) as I redeploy this to different environments but the SignatureValue contains a hash of that URL (among other things?) so by modifying the URL, I invalidate the SignatureValue and it needs to be regenereated. Apparently this FederationMetadata Generator can help me with this.