WCF custom credentials with Saml token


Problem description

Hi,

I am trying to achieve the following:

1. Client calls an STS.
2. STS returns a saml token
3. The client calls any service providing the token.

For steps 1 and 2, I use regular WCF, nothing special, just serializing the saml token returned from the STS.


For step 3 I use client/service credentials, token manager, token serializer, authorization policy etc...
With step 3 I am trying to achieve:
1. The client sends the token he got from the STS
2. The service gets the token via the authorization context

What is the best way to achieve this?

One more thing: How do I apply the token parameter to an existing binding using the config? In other words, how do I make the following code but via the config (I can't use coding):


using System.ServiceModel.Channels;
using System.ServiceModel.Security.Tokens;

// CreditCardTokenParameters is a custom SecurityTokenParameters subclass
// defined elsewhere in the same sample; it is not part of WCF itself.
static Binding CreateCreditCardBinding()
{
    HttpTransportBindingElement httpTransport = new HttpTransportBindingElement();

    // the message security binding element will be configured to require a credit card
    // token that is encrypted with the service's certificate
    SymmetricSecurityBindingElement messageSecurity = new SymmetricSecurityBindingElement();
    messageSecurity.EndpointSupportingTokenParameters.SignedEncrypted.Add(new CreditCardTokenParameters());

    // the service certificate protects the message but is never sent in it
    X509SecurityTokenParameters x509ProtectionParameters = new X509SecurityTokenParameters();
    x509ProtectionParameters.InclusionMode = SecurityTokenInclusionMode.Never;
    messageSecurity.ProtectionTokenParameters = x509ProtectionParameters;

    return new CustomBinding(messageSecurity, httpTransport);
}

I am using .NET 3.5, cannot use WIF. Unfortunately, I cannot use federation, this is not an option as the service is peer-to-peer and the federation bindings are client server.
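One way to make the binding above available from config, as an added example that is not part of the original thread or the question's sample: `<customBinding>` has no built-in element for a custom `SecurityTokenParameters` subclass such as `CreditCardTokenParameters`, so the whole `SymmetricSecurityBindingElement` is built inside a `BindingElementExtensionElement` and registered under `<bindingElementExtensions>`; the config then refers to it by the registered element name. A second helper shows the service side of step 3 (reading the claims that the token's authorization policy put into the `AuthorizationContext`). The namespace `MyNamespace`, the assembly name `MyAssembly`, the element name `creditCardSecurity` and the helper names are assumed; `CreditCardTokenParameters` is the type referenced in the question's snippet and must exist in the same solution.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Configuration;
using System.ServiceModel.Security.Tokens;

namespace MyNamespace   // assumed namespace; must match the type= attribute in config
{
    // Surfaces the hand-built SymmetricSecurityBindingElement to app.config/web.config.
    // WCF instantiates this class for every <creditCardSecurity /> element it finds
    // inside a <customBinding><binding> and calls CreateBindingElement().
    public class CreditCardSecurityElement : BindingElementExtensionElement
    {
        public override Type BindingElementType
        {
            get { return typeof(SymmetricSecurityBindingElement); }
        }

        // CreateBindingElement is declared protected internal in WCF's assembly,
        // so an override from another assembly must be plain protected.
        protected override BindingElement CreateBindingElement()
        {
            var messageSecurity = new SymmetricSecurityBindingElement();

            // The custom token travels as a signed + encrypted supporting token,
            // exactly as in the question's code. CreditCardTokenParameters is the
            // caller's own SecurityTokenParameters subclass (assumed to exist).
            messageSecurity.EndpointSupportingTokenParameters.SignedEncrypted.Add(
                new CreditCardTokenParameters());

            // The service certificate protects the message but is never included in
            // it, so the client must already hold that certificate out of band.
            var protection = new X509SecurityTokenParameters();
            protection.InclusionMode = SecurityTokenInclusionMode.Never;
            messageSecurity.ProtectionTokenParameters = protection;

            return messageSecurity;
        }
    }

    // Service side: the token authenticator for the supporting token returns an
    // IAuthorizationPolicy; the claims it issues end up in the AuthorizationContext
    // of the current call, which is the "authorization context" step 3 asks for.
    public static class TokenClaims
    {
        // Call from inside a service operation. ServiceSecurityContext.Current is
        // null outside an operation, so this is only meaningful on the service.
        public static IList<string> FromCurrentCall()
        {
            return FromContext(ServiceSecurityContext.Current.AuthorizationContext);
        }

        // Flattens every claim of every claim set into "claimType = resource" lines.
        public static IList<string> FromContext(AuthorizationContext ctx)
        {
            var result = new List<string>();
            foreach (ClaimSet set in ctx.ClaimSets)
                foreach (Claim claim in set)
                    result.Add(claim.ClaimType + " = " + claim.Resource);
            return result;
        }
    }
}

/* Matching config (element name "creditCardSecurity" and assembly "MyAssembly"
   are assumed). Binding elements are listed top-down, security before transport,
   which reproduces new CustomBinding(messageSecurity, httpTransport).

<system.serviceModel>
  <extensions>
    <bindingElementExtensions>
      <add name="creditCardSecurity"
           type="MyNamespace.CreditCardSecurityElement, MyAssembly" />
    </bindingElementExtensions>
  </extensions>
  <bindings>
    <customBinding>
      <binding name="creditCardBinding">
        <creditCardSecurity />
        <httpTransport />
      </binding>
    </customBinding>
  </bindings>
</system.serviceModel>
*/
```

The same extension pattern works for any other `SecurityTokenParameters` subclass placed in `SignedEncrypted`, so it is where a token-parameters class for the SAML token obtained in steps 1 and 2 would go as well; the `type=` attribute must be an assembly-qualified name that the host can load.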

Answer

Don't call the STS directly from the client, it's the server's security, so the server must define trusted STSs. This is done through federation in the config.

The client negotiates contacting the STS in an initial call to the WCF Service, it then uses a protocol called spNego to get the Claims from the STS. It does this each time you call the service, if you don't keep a conversation going (or fudge a cache).

Things might have changed since WIF went live, but a guy called Cibrax was the person to listen to a couple of years ago for all things STS:
WCF Binding in STS Scenarios

Thanks Keith.
Unfortunately, I cannot use federation, this is not an option.

I am not concerned about interaction with the STS, I am concerned about the client service interaction.

Can you please help me with determining how to implement the following code via a config file (rather than hard coding):
HttpTransportBindingElement httpTransport = new HttpTransportBindingElement();

// the message security binding element will be configured to require a credit card
// token that is encrypted with the service's certificate
SymmetricSecurityBindingElement messageSecurity = new SymmetricSecurityBindingElement();
messageSecurity.EndpointSupportingTokenParameters.SignedEncrypted.Add(new CreditCardTokenParameters());
X509SecurityTokenParameters x509ProtectionParameters = new X509SecurityTokenParameters();
x509ProtectionParameters.InclusionMode = SecurityTokenInclusionMode.Never;
messageSecurity.ProtectionTokenParameters = x509ProtectionParameters;
return new CustomBinding(messageSecurity, httpTransport);

Hi Keith,
Federation is one way, we need a two-way connection over tcp.

Is it that complicated to pass a predefined token to a service using a custom binding?

In theory, I only need to send the token from the client to the service. The client already has the saml token.
