How to create federation metadata XML for "Relying Party Trust" and "Claims Provider Trusts" for ADFS 2.0


Problem description

One of our web apps would like to connect with an ADFS 2.0 server to get a credential token and check the user roles based on that. The ADFS server admin asked us to give them a federation metadata XML file so that they can create a Relying Party Trust. I googled and only found how to download the ADFS server's federation metadata XML using the URL - https://[adfs server name]/federationmetadata/2007-06/federationmetadata.xml - but couldn't find any guide on creating a federation metadata XML for creating a "Relying Party Trust" or "Claims Provider Trusts". Is there a tool for creating those metadata files? Please share some ideas on how to create them.

Thanks,

Lu

Answering my own question:

I can do it with WindowsIdentityFoundation-SDK-4.0 from http://www.microsoft.com/zh-cn/download/details.aspx?id=4451.

Recommended answer

Actually the URL is

https://server/federationmetadata/2007-06/federationmetadata.xml

No tool that I know of.

You can generate the federation metadata dynamically using the Microsoft.IdentityModel.Protocols.WSFederation.Metadata classes, or use an existing implementation as a reference.

Have a look at "Thinktecture.IdentityServer.v2/src/Libraries/Thinktecture.IdentityServer.Protocols/FederationMetadata" over at Thinktecture.IdentityServer.v2.

Or, if your application uses WIF, it's in the metadata directory.

Update:

In WIF, unless you want the token to be encrypted, you don't need the certificate. That's more for the ADFS side, as it has to sign the token and the app needs the public key to verify it.

Example:

<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor ID="_5b6cd05c-a5e3-470d-a2fc-6c6f66633d1b" entityID="http://localhost/app/" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <RoleDescriptor xsi:type="fed:ApplicationServiceType" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <fed:ClaimTypesRequested>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
        </fed:ClaimTypesRequested>
        <fed:TargetScopes>
            <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
                <Address>http://localhost/app/</Address>
            </EndpointReference>
        </fed:TargetScopes>
        <fed:PassiveRequestorEndpoint>
            <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
                <Address>http://localhost/app/</Address>
            </EndpointReference>
        </fed:PassiveRequestorEndpoint>
    </RoleDescriptor>
</EntityDescriptor>

where localhost\app\ needs to be your app's URL. Note the end slash!
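As an added example (not code from the question, the answer, or Thinktecture's project), the following Python builds the same WS-Federation relying-party EntityDescriptor shape as the sample above for an application URL, and then re-parses the result to check the points the answer warns about: that entityID, TargetScopes and PassiveRequestorEndpoint all carry the same URL, that the URL keeps its trailing slash, and (a caveat the sample's http://localhost/app/ does not satisfy) that a real deployment uses https so the signed token is not replayed over a clear-text channel. The application URL, the assumed function names and the use of Python's standard library instead of the WIF metadata classes are all assumptions of this example.

```python
"""Build and sanity-check WS-Federation relying-party metadata for ADFS 2.0.

Added example, not code from the original Q&A. It reproduces the
EntityDescriptor layout of the answer's sample with Python's standard
library (the WIF Microsoft.IdentityModel.Protocols.WSFederation.Metadata
classes would produce the equivalent document on .NET) and checks the
endpoint consistency the answer warns about.
"""
import uuid
import xml.etree.ElementTree as ET

# Namespaces used by the sample metadata; "md" is the default namespace.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "auth": "http://docs.oasis-open.org/wsfed/authorization/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace("" if _prefix == "md" else _prefix, _uri)

# Claim types from the answer's sample; the role claim is what the
# question wants to base authorization decisions on.
DEFAULT_CLAIMS = (
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
)


def _q(prefix, local):
    """Clark-notation tag name for ElementTree."""
    return "{%s}%s" % (NS[prefix], local)


def _endpoint(parent, container_local, address):
    """Append <fed:container><wsa:EndpointReference><wsa:Address>."""
    container = ET.SubElement(parent, _q("fed", container_local))
    ref = ET.SubElement(container, _q("wsa", "EndpointReference"))
    ET.SubElement(ref, _q("wsa", "Address")).text = address


def build_rp_metadata(app_url, claims=DEFAULT_CLAIMS):
    """Return RP metadata XML text describing app_url as a WS-Fed passive requestor."""
    entity = ET.Element(_q("md", "EntityDescriptor"), {
        "ID": "_" + str(uuid.uuid4()),
        "entityID": app_url,
    })
    role = ET.SubElement(entity, _q("md", "RoleDescriptor"), {
        _q("xsi", "type"): "fed:ApplicationServiceType",
        "protocolSupportEnumeration": NS["fed"],
    })
    requested = ET.SubElement(role, _q("fed", "ClaimTypesRequested"))
    for uri in claims:
        ET.SubElement(requested, _q("auth", "ClaimType"),
                      {"Uri": uri, "Optional": "true"})
    _endpoint(role, "TargetScopes", app_url)
    _endpoint(role, "PassiveRequestorEndpoint", app_url)
    return ('<?xml version="1.0" encoding="utf-8"?>\n'
            + ET.tostring(entity, encoding="unicode"))


def check_rp_metadata(xml_text):
    """Return a list of problems that would bite when ADFS imports this file."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != _q("md", "EntityDescriptor"):
        return ["root element is not a SAML metadata EntityDescriptor"]
    entity_id = root.get("entityID", "")
    if not entity_id:
        problems.append("entityID is missing")
    addresses = [a.text or "" for a in root.iterfind(".//wsa:Address", NS)]
    if not addresses:
        problems.append("no EndpointReference/Address found")
    for addr in sorted(set([entity_id] + addresses)):
        if addr and not addr.endswith("/"):
            problems.append("%s has no trailing slash" % addr)
        if addr and not addr.startswith("https://"):
            problems.append("%s is not https; the signed token would travel in clear" % addr)
    for addr in addresses:
        if addr != entity_id:
            problems.append("endpoint %s differs from entityID %s" % (addr, entity_id))
    return problems


if __name__ == "__main__":
    # Constructed application URL; replace with your app's real URL.
    metadata = build_rp_metadata("https://app.example.com/app/")
    print(metadata)
    print("problems:", check_rp_metadata(metadata))
```

Feed the resulting text to the ADFS administrator as the file for "Add Relying Party Trust"; running check_rp_metadata over a metadata file you received (or generated with the WIF classes) catches the mismatched-URL and missing-slash mistakes before the trust is created.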
