Kerberos token issuance with a STS (with WIF ?)


Problem description

I would like to build a custom STS that issues a Kerberos token to the user (user authentication is done with various methods).

I've found various examples of STS consuming a Kerberos token and often issuing a SAML assertion, but so far I have found very little information about STS issuing a Kerberos token. I've just found this Microsoft documentation here saying "A security token service (STS) [...] can issue Kerberos, RSA, X.509, SAML 1.1, and SAML 2 tokens, or it can issue custom tokens".

Do you know any information about Kerberos token issuance with a WIF-based STS? Maybe an example with code or technical information?

Basically, I would like to do something very similar to IBM Tivoli Access Manager: WebSEAL Kerberos Junctions, as shown here in the sequence diagram (figure 1). Is it possible to do that with WIF, do you have any pointer...?

Thanks in advance,

Recommended answer

But on another page it says: <<There is no WriteToken method>>


KerberosSecurityTokenHandler validates tokens of type KerberosReceiverSecurityToken. This token type, which is used by WCF during Kerberos authentication, wraps a Windows identity and is based on a Kerberos ticket that is received in a SOAP message. This token type is not used in SPNego or SSPI authentication.

This handler does not implement any other token handler methods, such as ReadToken or WriteToken. This is because, unlike other token types such as SAML and X.509, the KerberosReceiverSecurityToken has no wire-serializable form.

