How do I change my WCF's FederationMetadata.xml file for various deployments?


Problem description

We have an ADFS 2.0 installation that's working well for our MVC apps in our various environments. I believe it uses "passive authentication" (I'm still getting used to the proper terminology) - it definitely is where it redirects the user to our adfs proxy if the user is not logged in and adfs redirects the user back to our MVC app once they are logged in.

We are now beginning to expose some secured web services and want to tap into this same authentication system. My understanding is that I want to use ws2007FederationHttpBinding as my binding to do this. I believe I have my WCF's web.config all set up for this but my struggle is now centered around the FederationMetadata.xml file.

Looking at this file, I see some things that obviously need to change, such as entityID="http://localhost/UserServices" and the certificate. Then there are some things that I have no clue what they are and if they need to change or not, such as EntityDescriptor ID="_2b510fe8-98b8...... and <ds:SignatureValue>CZe5mEu19/bDNoZrY8f6C559CJ........

Where can I get a better understanding on how I should be managing this file for my various environments? I have the following environments hosting these services that we'll be deploying to one way or another:

  1. Individual developer workstations (3x now, more later)
  2. A shared development environment for people writing applications against these services who don't necessarily need to modify the services themselves
  3. QA
  4. Staging
  5. Production (3 different environments with different certificates/domains/etc.)

As such, we have a fairly streamlined process in place managing our web.config files in the different environments using transforms and finding/replacing certain tokens, so I'd like to do the same thing with this xml file. So ultimately, all I'm looking for is some understanding in what changes are necessary when managing this FederationMetadata.xml file for my various environments.

My current FederationMetadata.base.xml file is below and I BELIEVE this is about right (I just need names/roles) and I just need to intelligently replace the various tokens, such as ~RootServiceUrlTokenToReplace~, in here:

<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor ID="~EntityDescriptorIdTokenToReplace~" entityID="http://~RootServiceUrlTokenToReplace~" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <ds:Reference URI="#~ReferenceURITokenToReplace~">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <ds:DigestValue>~DigestValueTokenToReplace~</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>~SignatureValueTokenToReplace~</ds:SignatureValue>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data>
        <X509Certificate>~CertificateTokenToReplace~</X509Certificate>
      </X509Data>
    </KeyInfo>
  </ds:Signature>
  <RoleDescriptor xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="http://schemas.xmlsoap.org/ws/2005/02/trust http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>~CertificateTokenToReplace~</X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <fed:ClaimTypesRequested>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
      <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
    </fed:ClaimTypesRequested>
    <fed:TargetScopes>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>http://~RootServiceUrlTokenToReplace~</Address>
      </EndpointReference>
    </fed:TargetScopes>
    <fed:ApplicationServiceEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>http://~RootServiceUrlTokenToReplace~</Address>
      </EndpointReference>
    </fed:ApplicationServiceEndpoint>
  </RoleDescriptor>
</EntityDescriptor>
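Added example, not from the question or the answer: a script that fills the tokens in the template above for one environment and then checks what plain token replacement cannot get right on its own. The Reference URI must equal the EntityDescriptor ID (the enveloped signature covers the element through that reference), every endpoint address must sit on the entityID host, and SignatureValue cannot be a search-and-replace token because it has to be recomputed after the signed content changes. TEMPLATE is a constructed, trimmed copy of the file above; the function names are my own.

```python
import re
import uuid
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSA = "http://www.w3.org/2005/08/addressing"

# Constructed: a trimmed copy of the question's template, with the same tokens.
TEMPLATE = "".join([
    '<EntityDescriptor ID="~EntityDescriptorIdTokenToReplace~" ',
    'entityID="http://~RootServiceUrlTokenToReplace~" xmlns="', MD, '">',
    '<ds:Signature xmlns:ds="', DS, '"><ds:SignedInfo>',
    '<ds:Reference URI="#~ReferenceURITokenToReplace~"/></ds:SignedInfo>',
    '<ds:SignatureValue>~SignatureValueTokenToReplace~</ds:SignatureValue>',
    '</ds:Signature><RoleDescriptor><Address xmlns="', WSA, '">',
    'http://~RootServiceUrlTokenToReplace~</Address></RoleDescriptor>',
    '</EntityDescriptor>'])

def render(template, root_url, signature_value=None):
    """Fill per-environment tokens. The xs:ID is '_' + GUID (an NCName may not start
    with a digit) and is reused for the Reference URI so the enveloped signature
    still covers the element; SignatureValue stays a token until re-signing."""
    new_id = "_" + str(uuid.uuid4())
    out = (template.replace("~EntityDescriptorIdTokenToReplace~", new_id)
           .replace("~ReferenceURITokenToReplace~", new_id)
           .replace("~RootServiceUrlTokenToReplace~", root_url))
    if signature_value is not None:
        out = out.replace("~SignatureValueTokenToReplace~", signature_value)
    return out

def check(xml_text):
    """Return the consistency problems found in a rendered metadata document."""
    problems = []
    leftover = sorted(set(re.findall(r"~\w+TokenToReplace~", xml_text)))
    if leftover:
        problems.append("unreplaced tokens: " + ", ".join(leftover))
    root = ET.fromstring(xml_text)
    desc_id = root.get("ID", "")
    if not re.fullmatch(r"[A-Za-z_][\w.-]*", desc_id):
        problems.append("ID %r is not a valid xs:ID" % desc_id)
    ref = root.find("ds:Signature/ds:SignedInfo/ds:Reference", {"ds": DS})
    if ref is None or ref.get("URI") != "#" + desc_id:
        problems.append("Reference URI does not point at the EntityDescriptor ID")
    host = urlparse(root.get("entityID", "")).netloc  # every endpoint must live here
    for addr in root.iter("{%s}Address" % WSA):
        if urlparse(addr.text.strip()).netloc != host:
            problems.append("endpoint %s is not on entityID host %s" % (addr.text.strip(), host))
    return problems
```

Running check() against the template itself flags the placeholder ID and the mismatched Reference URI, which is the same failure AD FS would hit if the file were deployed with the tokens only partly replaced.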

Recommended answer

A WIF-based application's FederationMetadata.xml is not related to the claims-based web services it offers.

(A URL pointing to) FederationMetadata.xml is used by AD FS to automatically update the information to be used in a Relying Party Trust. AD FS can, for example, regularly query this URL and update the Relying Party Trust information accordingly.

The information about a web service (claims-based or otherwise), i.e., its metadata, is published as a WSDL document. In a WCF-based service this is a URL that often looks like this: http://myhost.example.com/appName/serviceName.svc?wsdl. That WSDL document often does not exist as a physical file, but is automatically generated by WCF.
